Computer Science ›› 2021, Vol. 48 ›› Issue (6A): 448-458. doi: 10.11896/jsjkx.201100074
杨萍, 舒辉, 康绯, 卜文娟, 黄宇垚
YANG Ping, SHU Hui, KANG Fei, BU Wen-juan, HUANG Yu-yao
Abstract: To analyze in depth the logical relationships among the high-level behaviors of malicious code and to dissect its working mechanism, and to address the shortcoming of existing semantics-based behavior analysis methods, which cannot further abstract higher-level semantic behaviors or mine the logical relationships between them, this paper takes behavior events as the object of study and proposes a semantic-analysis-based method for generating malicious-code attack graphs. First, drawing on the MITRE ATT&CK model, a new malicious-code behavior analysis model, m-ATT&CK (Malware-Adversarial Tactics, Techniques, and Common Knowledges), is designed; it consists of malicious code, behavior events, attack tactics, and the relations among them. Second, an approximate pattern-matching behavior mapping algorithm based on F-MWTO (Fuzzy Method of Window Then Occurrence) is proposed to map malicious-code behavior information onto the m-ATT&CK model, and a hidden Markov model is built to mine attack tactic sequences. Finally, the semantic-level attack graph of malicious code is defined and its generation algorithm is designed; combined with the identified behavior events, the contextual semantic information of the high-level behaviors of malicious code is restored and the semantic-level attack graph is generated. Experimental results show that the semantic-level attack graphs obtained with this method clearly reveal the working mechanism and attack intent of malicious code.
[1] 李嘉睿, 凌晓波, 李晨曦, 李子木, 杨家海, 张蕾, 吴程楠. Dynamic Network Security Analysis Based on Bayesian Attack Graphs. Computer Science, 2022, 49(3): 62-69. https://doi.org/10.11896/jsjkx.210800107
[2] 刘凯祥, 谢永芳, 陈新, 吕飞, 刘俊矫. Industrial Serial Protocol State Detection Algorithm Based on DTMC. Computer Science, 2022, 49(3): 301-307. https://doi.org/10.11896/jsjkx.210200078
[3] 李一萌, 李成海, 宋亚飞, 王坚. Method of Malware Family Classification Based on Attention-DenseNet-BC Model Mechanism. Computer Science, 2021, 48(10): 308-314. https://doi.org/10.11896/jsjkx.210200166
[4] 王金恒, 单志龙, 谭汉松, 王煜林. Network Security Situation Assessment Based on Genetic Optimized PNN Neural Network. Computer Science, 2021, 48(6): 338-342. https://doi.org/10.11896/jsjkx.201200239
[5] 杨林, 王永杰. Application and Simulation of Ant Colony Algorithm in Continuous Path Prediction of Dynamic Network. Computer Science, 2021, 48(6A): 485-490. https://doi.org/10.11896/jsjkx.200800132
[6] 周天阳, 曾子懿, 臧艺超, 王清贤. Team Cooperative Attack Planning Based on Multi-agent Joint Decision. Computer Science, 2021, 48(5): 301-307. https://doi.org/10.11896/jsjkx.200800174
[7] 曹康华, 董伟伟, 汪锦量, 周林, 王勇. Attack Detection Method for Electricity Information Collection System Based on Virtual Honeynet. Computer Science, 2019, 46(11A): 455-459.
[8] 高沙沙, 王中华. Dynamical Management Technology of Multi-Level Security Domain for Embedded Operating System Based on MILS. Computer Science, 2019, 46(11A): 460-463.
[9] 鲁显光, 杜学绘, 王文娟. Alert Correlation Algorithm Based on Improved FP Growth. Computer Science, 2019, 46(8): 64-70. https://doi.org/10.11896/j.issn.1002-137X.2019.08.010
[10] 曹卫东, 许志香, 王静. Intrusion Detection Based on Semi-supervised Learning with Deep Generative Models. Computer Science, 2019, 46(3): 197-201. https://doi.org/10.11896/j.issn.1002-137X.2019.03.029
[11] 陈维鹏, 敖志刚, 郭杰, 余勤, 童俊. Research on Cyberspace Situation Awareness Security Assessment Based on Improved BP Neural Network. Computer Science, 2018, 45(11A): 335-337.
[12] 尹中旭, 张连成. SQL Injection Intrusion Avoidance Scheme Based on Automatic Insertion of Dataflow-relevant Filters. Computer Science, 2019, 46(1): 201-205. https://doi.org/10.11896/j.issn.1002-137X.2019.01.031
[13] 卢强, 游荣义, 叶晓红. Network Nearest Neighbor Intrusion Detection Algorithm Based on Adaptive Convolution Filtering. Computer Science, 2018, 45(7): 154-157. https://doi.org/10.11896/j.issn.1002-137X.2018.07.026
[14] 李翼宏, 刘方正, 杜镇宇. Malware Detection Algorithm for Improving Active Learning. Computer Science, 2019, 46(5): 92-99. https://doi.org/10.11896/j.issn.1002-137X.2019.05.014
[15] 裴兰珍, 赵英俊, 王哲, 罗赟骞. Comparison of DGA Domain Detection Models Using Deep Learning. Computer Science, 2019, 46(5): 111-115. https://doi.org/10.11896/j.issn.1002-137X.2019.05.017