面向零日攻击检测的APT攻击活动辨识研究  

作　　者：成翔 匡苗苗 严莉萍 张佳乐 杨宏宇 CHENG Xiang;KUANG Miaomiao;YAN Liping;ZHANG Jiale;YANG Hongyu(College of Information Engineering,Yangzhou University,Yangzhou 225127,China;Key Laboratory of Flying Internet,Civil Aviation University of China,Tianjin 300300,China;Civil Aviation Airport Chengdu Electronic Engineering Design Co.,Ltd.,Chengdu 610042,China;School of Safety Science and Engineering,Civil Aviation University of China,Tianjin 300300,China)

机构地区：[1]扬州大学信息工程学院,江苏扬州225127 [2]中国民航大学民航飞联网重点实验室,天津300300 [3]民航机场成都电子工程设计有限责任公司,四川成都610042 [4]中国民航大学安全科学与工程学院,天津300300

出　　处：《湖南大学学报（自然科学版）》2024年第12期153-164,共12页Journal of Hunan University:Natural Sciences

基　　金：江苏省基础研究计划青年基金项目(BK20230558);新疆维吾尔自治区自然科学基金项目(2024D01A40);民航机场工程技术研究中心开放课题(ERCAOTP20230301);中国民航大学民航飞联网重点实验室开放基金(MHFLW202304)。

摘　　要：传统的攻击检测方法很难辨识出利用零日漏洞发起的高级持续性威胁(advanced persistent threat,APT)攻击活动.为此提出一种面向零日攻击检测的APT攻击活动辨识方法(APTIZDM),该方法由三个主要部分组成.第一部分态势觉察本体构建(CSPOC)方法进行物联网(IoT)系统中关键活动属性及特征的形式化描述.第二部分恶意C&C(command and control)DNS响应活动挖掘(MCCDRM)方法用于辨识APT攻击情境中的恶意C&C通信活动,并可有效控制活动辨识过程的范围与起始时间,从而减小计算开销.第三部分APT攻击情境中零日攻击活动辨识(ZDAARA)方法,其基于贝叶斯网络和安全风险传播理论,对系统调用信息进行关联分析,计算出各系统调用实例的恶意概率,可有效辨识出被入侵检测系统漏报的零日攻击活动.仿真实验结果表明,作为APTIZDM的核心内容,MCCDRM方法和ZDAARA方法都实现了较高的准确率和较低的误报率,协同完成了对APT攻击活动有效辨识.The traditional attack detection methods struggle to identify advanced persistent threat(APT)attacks launched using zero-day vulnerabilities.To address this issue,this paper proposes an APT attack activity identification for zero-day attack method(APTIZDM),which consists of three key components.The first component is the cyber situation perception ontology construction(CSPOC)method,which provides a formal description of critical activity attributes and features in IoT systems.The second component is the malicious command&control(C&C)DNS response activity mining(MCCDRM)method,which identifies malicious C&C communication activities in APT attack scenarios while effectively controlling the scope and starting time of the identification process,thereby reducing computational overhead.The third component is the zero-day attack activity recognition method in APT attack(ZDAARA)scenarios,which utilizes Bayesian networks and security risk propagation theory to perform correlation analysis on system call information.It calculates the malicious probability of each system call instance and effectively identifies zero-day attack activities missed by intrusion detection systems.Simulation experiment results demonstrate that MCCDRM and ZDAARA,as the core components of the APTIZDM,achieve high accuracy and low false positive rates,effectively collaborating to identify APT attack activities.

关 键 词：零日攻击 边缘计算 贝叶斯网络 C&C 

分 类 号：TP393[自动化与计算机技术—计算机应用技术]