Computer Science ›› 2016, Vol. 43 ›› Issue (3): 1-7, 43. doi: 10.11896/j.issn.1002-137X.2016.03.001

Review of Defense Methods Against Advanced Persistent Threat in Cloud Environment

ZHANG Hao, WANG Li-na, TAN Cheng and LIU Wei-jie

  1. National Engineering Research Center for E-Learning, Central China Normal University, Wuhan 430072; School of Computer Science, Wuhan University, Wuhan 430072; School of Computer Science, Wuhan University, Wuhan 430072; School of Computer Science, Wuhan University, Wuhan 430072
  • Online: 2018-12-01  Published: 2018-12-01
  • Funding: This work was supported by the National Natural Science Foundation of China (61373169, 9, 61303213), the Major Project of the National Development and Reform Commission (发改办高技[2013]1309), the Priority Development Areas Project of the Doctoral Fund of the Ministry of Education (20110141130006), and the Fundamental Research Funds for the Central Universities at Central China Normal University (CCNU15GF001, CCNU15A05010).

Abstract: Cloud computing, with features such as rapid deployment and elastic configuration, has attracted a large number of organizations and institutions. However, the recently emerging Advanced Persistent Threat (APT) is, compared with traditional network attacks, persistent, highly covert and long-dormant, which poses a serious impact and challenge to the security and privacy protection of information assets on cloud platforms. Therefore, how to effectively defend cloud platforms against APT attacks has become an urgent problem in cloud security. After describing the basic concepts, attack procedure and attack methods of APT, this paper analyzes the multiple security challenges brought by the new characteristics of APT and reviews domestic and international research progress on APT defense. To address these challenges, it then proposes a recommended framework for APT defense on cloud platforms; the framework integrates pre-attack and in-attack defense strategies, and uses big data mining both to comprehensively analyze potential APT attacks and to locate and track threats during an attack. Finally, the paper introduces research progress on the key technologies in the framework, analyzes the advantages and shortcomings of existing techniques, and discusses future research directions.

Key words: Cloud computing, Advanced persistent threat, Big data mining, Threat positioning

