Computer Science (计算机科学) ›› 2021, Vol. 48 ›› Issue (6A): 448-458. doi: 10.11896/jsjkx.201100074

• Information Security •

A Method for Generating Malicious Code Attack Graphs Based on Semantic Analysis (一种基于语义分析的恶意代码攻击图生成方法)

YANG Ping, SHU Hui, KANG Fei, BU Wen-juan, HUANG Yu-yao (杨萍, 舒辉, 康绯, 卜文娟, 黄宇垚)

  1. State Key Laboratory of Mathematical Engineering and Advanced Computing, Information Engineering University, Zhengzhou 450001, China
  • Online: 2021-06-10  Published: 2021-06-17
  • Corresponding author: SHU Hui (shuhui123@126.com)
  • Author contact: yp_xd@hotmail.com
  • Supported by:
    National Key R&D Program of China (2019QY1300)

Generating Malicious Code Attack Graph Using Semantic Analysis

YANG Ping, SHU Hui, KANG Fei, BU Wen-juan, HUANG Yu-yao

  1. State Key Laboratory of Mathematical Engineering and Advanced Computing, Information Engineering University, Zhengzhou 450001, China
  • Online: 2021-06-10  Published: 2021-06-17
  • About the authors: YANG Ping, born in 1995, master candidate. Her main research interests include cyber security and reverse engineering.
    SHU Hui, born in 1974, postgraduate, Ph.D, professor, Ph.D supervisor. His main research interests include cyber security and reverse engineering.
  • Supported by:
    National Key R&D Program of China (2019QY1300).

Abstract (translated from the Chinese original): To analyze in depth the logical relationships between the high-level behaviors of malicious code and to dissect how malicious code works, and to address the shortcoming that existing semantics-based behavior analysis methods cannot abstract higher-level semantic behaviors or mine the logical relationships between them, this paper takes behavior events as the object of study and proposes a method for generating malicious code attack graphs based on semantic analysis. First, drawing on the MITRE ATT&CK model, a new malicious code behavior analysis model, m-ATT&CK (Malware-Adversarial Tactics, Techniques, and Common Knowledges), is designed; it consists of malicious code, behavior events, attack tactics and the relationships between them. Then, an approximate pattern matching behavior mapping algorithm based on F-MWTO (Fuzzy Method of Window Then Occurrence) is proposed to map malicious code behavior information onto the m-ATT&CK model, and a hidden Markov model is built to mine attack tactic sequences. Finally, the semantic-level attack graph of malicious code is defined and its generation algorithm is designed; combined with the identified behavior events, the contextual semantic information of the high-level behaviors of the malicious code is restored and the semantic-level attack graph is generated. Experimental results show that the semantic-level attack graph obtained by this method clearly presents the working mechanism and attack intent of malicious code.

Keywords (translated): m-ATT&CK, high-level behavior extraction, attack tactic sequence mining, behavior mapping, semantic-level attack graph

Abstract: In order to analyze in depth the logical relationships between the high-level behaviors of malicious code and the working mechanism of malicious code, this paper takes behavior events as the research object and proposes a method for generating malicious code attack graphs based on semantic analysis. First, with the help of the MITRE ATT&CK model, an m-ATT&CK (Malware-Adversarial Tactics, Techniques, and Common Knowledges) model better suited to malicious code behavior analysis is established. The model is composed of malware, behavior events, attack tactics and the relationships between them. Then, an approximate pattern matching behavior mapping algorithm based on F-MWTO (Fuzzy Method of Window Then Occurrence) is proposed to map malicious code behavior information onto the m-ATT&CK model, and a hidden Markov model is constructed to mine sequences of attack tactics. Finally, the semantic-level malicious code attack graph is defined and a generation algorithm for it is designed; combined with the identified behavior events, the algorithm restores the contextual semantic information of the high-level behaviors of the malicious code and generates the semantic-level attack graph. Experimental results show that the semantic-level attack graph obtained with the proposed methods can clearly show the working mechanism and attack intention of malicious code.

Key words: Behavior mapping, High-level behavior extraction, m-ATT&CK, Semantic-level attack graph, Attack tactic sequence mining
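The pipeline the abstract describes (API-call trace → behavior events by approximate, windowed pattern matching → attack tactic sequence by HMM decoding → semantic-level attack graph), as an added, illustrative Python example that is not the paper's code. F-MWTO itself is not defined on this page, so the matcher below is a generic window-then-occurrence stand-in; the API-call trace, the behavior-event patterns, the tactic labels and every HMM probability are constructed for the example, not captured from real samples or trained.

```python
"""Added illustration of the abstract's pipeline: API-call trace -> behavior
events (windowed, gap-tolerant pattern matching) -> tactic sequence (HMM,
Viterbi decoding) -> semantic-level attack graph.  Not the paper's code: the
matcher is a stand-in for F-MWTO, and every pattern, trace and probability
below is constructed for illustration, not trained or captured."""
import math

# Constructed sample API-call trace (hypothetical, not from a real sample).
TRACE = [
    "CreateFileW", "ReadFile", "RegOpenKeyExW", "RegSetValueExW", "CloseHandle",
    "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    "GetSystemInfo", "GetComputerNameW", "InternetOpenW", "InternetConnectW",
    "HttpSendRequestW", "FindFirstFileW", "ReadFile", "InternetWriteFile",
]

# Behavior-event patterns as ordered API names (hypothetical).  The c2_beacon
# pattern has four elements but the trace shows only three of them; that is
# the kind of gap the approximate (fuzzy) matching below tolerates.
PATTERNS = {
    "registry_persistence": ["RegOpenKeyExW", "RegSetValueExW"],
    "process_injection": ["OpenProcess", "VirtualAllocEx",
                          "WriteProcessMemory", "CreateRemoteThread"],
    "host_discovery": ["GetSystemInfo", "GetComputerNameW"],
    "c2_beacon": ["InternetOpenW", "InternetConnectW",
                  "HttpOpenRequestW", "HttpSendRequestW"],
    "file_exfil": ["FindFirstFileW", "ReadFile", "InternetWriteFile"],
}


def match_events(trace, patterns, window=6, min_ratio=0.75):
    """Window-then-occurrence style matcher (stand-in for F-MWTO).

    From each occurrence of a pattern's first API, greedily consume the pattern
    elements in order inside trace[start:start+window]; unrelated calls in
    between are skipped, and pattern elements missing from the trace are
    skipped too.  An occurrence is reported when at least min_ratio of the
    pattern elements were found (a 2-element pattern needs both at 0.75).
    Returns (event, first_idx, last_idx) tuples sorted by position."""
    hits = []
    for name, pat in patterns.items():
        i = 0
        while i < len(trace):
            if trace[i] != pat[0]:
                i += 1
                continue
            pos, j = [], 0
            for k in range(i, min(i + window, len(trace))):
                nxt = next((idx for idx in range(j, len(pat)) if pat[idx] == trace[k]), None)
                if nxt is not None:
                    pos.append(k)
                    j = nxt + 1
            if len(pos) / len(pat) >= min_ratio:
                hits.append((name, pos[0], pos[-1]))
                i = pos[-1] + 1          # do not re-match inside a reported occurrence
            else:
                i += 1
    return sorted(hits, key=lambda h: h[1])


# Hidden states are ATT&CK tactic names; observations are behavior events.
TACTICS = ["Persistence", "Defense Evasion", "Discovery",
           "Command and Control", "Exfiltration"]
# Constructed HMM parameters (illustrative; a real model would be estimated
# from labelled traces).  Each TRANS row sums to 1.
START = {"Persistence": 0.4, "Defense Evasion": 0.3, "Discovery": 0.2,
         "Command and Control": 0.05, "Exfiltration": 0.05}
TRANS = {
    "Persistence":         dict(zip(TACTICS, [0.10, 0.50, 0.30, 0.05, 0.05])),
    "Defense Evasion":     dict(zip(TACTICS, [0.10, 0.10, 0.50, 0.20, 0.10])),
    "Discovery":           dict(zip(TACTICS, [0.05, 0.05, 0.20, 0.50, 0.20])),
    "Command and Control": dict(zip(TACTICS, [0.05, 0.05, 0.10, 0.30, 0.50])),
    "Exfiltration":        dict(zip(TACTICS, [0.05, 0.05, 0.10, 0.30, 0.50])),
}
EMIT = {  # P(event | tactic); unlisted events get a small floor probability
    "Persistence": {"registry_persistence": 0.8, "process_injection": 0.1},
    "Defense Evasion": {"process_injection": 0.7, "registry_persistence": 0.2},
    "Discovery": {"host_discovery": 0.9},
    "Command and Control": {"c2_beacon": 0.8, "file_exfil": 0.1},
    "Exfiltration": {"file_exfil": 0.8, "c2_beacon": 0.1},
}
EMIT_FLOOR = 1e-3


def viterbi(events, states=TACTICS, start=START, trans=TRANS, emit=EMIT):
    """Most probable tactic sequence for an observed event sequence (log space)."""
    def e(s, o):
        return math.log(emit[s].get(o, EMIT_FLOOR))
    score = [{s: math.log(start[s]) + e(s, events[0]) for s in states}]
    back = []
    for o in events[1:]:
        col, ptr = {}, {}
        for s in states:
            prev = max(states, key=lambda p: score[-1][p] + math.log(trans[p][s]))
            col[s] = score[-1][prev] + math.log(trans[prev][s]) + e(s, o)
            ptr[s] = prev
        score.append(col)
        back.append(ptr)
    path = [max(states, key=lambda s: score[-1][s])]
    for ptr in reversed(back):
        path.append(ptr[path[-1]])
    return path[::-1]


def build_attack_graph(trace, patterns=PATTERNS):
    """Nodes: behavior events with their decoded tactic and the API calls that
    evidence them; edges: the temporal order of the events."""
    events = match_events(trace, patterns)
    if not events:
        return [], []
    tactics = viterbi([name for name, _, _ in events])
    nodes = [{"event": name, "tactic": t, "apis": trace[s:e + 1]}
             for (name, s, e), t in zip(events, tactics)]
    edges = [(a["event"], b["event"]) for a, b in zip(nodes, nodes[1:])]
    return nodes, edges


if __name__ == "__main__":
    for n in build_attack_graph(TRACE)[0]:
        print(f"{n['tactic']:20s} {n['event']:22s} {' -> '.join(n['apis'])}")
```

Run stand-alone it prints one graph node per line: the decoded tactic, the behavior event, and the API calls that evidence it, in temporal order. The greedy in-window matcher is deliberately simple (it cannot recover an occurrence whose first API is missing); the point it makes is that the tactic labels are a property of the decoded sequence, not of any single event, which is what the HMM stage contributes over per-event mapping.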

CLC number: TP393.08