Computer Science, 2023, Vol. 50, Issue (6A): 220600176-7. doi: 10.11896/jsjkx.220600176

• Information Security •

Network Advanced Threat Detection System Based on Event Sequence Correlation Under the ATT&CK Framework

ZHANG Yuxiang1, HAN Jiujiang1, LIU Jian1, XIAN Ming1, ZHANG Hongjiang2, CHEN Yu1, LI Ziyuan3

    1 College of Electronic Science and Technology, National University of Defense Technology, Changsha 410000, China;
    2 College of Electronics and Information Engineering, Ankang University, Ankang, Shaanxi 725000, China;
    3 31438 Unit, Shenyang 110031, China
  • Online: 2023-06-10 Published: 2023-06-12
  • Corresponding author: HAN Jiujiang (1069930599@qq.com)
  • About author: (zyx998522@163.com)
  • Supported by:
    National Natural Science Foundation of China (61801489); Natural Science Foundation of Hunan Province (2020JJ5666)

Network Advanced Threat Detection System Based on Event Sequence Correlation Under ATT&CK Framework

ZHANG Yuxiang1, HAN Jiujiang1, LIU Jian1, XIAN Ming1, ZHANG Hongjiang2, CHEN Yu1, LI Ziyuan3

    1 College of Electronic Science and Technology, National University of Defense Technology, Changsha 410000, China;
    2 College of Electronics and Information Engineering, Ankang University, Ankang, Shaanxi 725000, China;
    3 31438 Unit, Shenyang 110031, China
  • Online: 2023-06-10 Published: 2023-06-12
  • About author: ZHANG Yuxiang, born in 1998, master. His main research interests include network and information security, cloud computing and big data security. HAN Jiujiang, born in 1998, master. His main research interests include network and information security, cloud computing and big data security.
  • Supported by:
    National Natural Science Foundation of China (61801489) and Natural Science Foundation of Hunan Province (2020JJ5666).

Abstract: With the rapid development of network technology, the attack-and-defense contest in cyberspace is growing fiercer and advanced network threats emerge one after another. In day-to-day operations, however, security analysts still describe the process of a multi-step attack in differing ways, which creates a large semantic communication cost. To address this pain point in advanced network threat detection, the ATT&CK adversary behaviour framework is adopted as a unified description language for multi-step attack behaviour, and an advanced network threat detection system based on event sequence correlation is designed and implemented. The event sequence correlation model detects multi-step attack behaviour effectively, and the result is visualized on the ATT&CK attack matrix, which helps analysts identify the means, strategy and goal of a malicious attack; using the techniques and tactics presented by the detection system, analysts can take corresponding defensive measures and reduce the effect of the attacker's actions. Experimental results show that the detection rate of the system reaches 96.43%, which is of great practical significance for analysts facing the "defense dilemma" in network attack incidents.

Keywords: Adversarial Tactics, Techniques and Common Knowledge (ATT&CK); Multi-step attack detection; Event sequence correlation; Advanced persistent threat

Abstract: With the rapid development of network technology, the attack-and-defense confrontation in the network world is becoming more and more fierce, and advanced network threat behaviors keep emerging. Yet in the actual operation and maintenance work of network security analysts, the process of a multi-step attack is still described in different ways, which causes huge semantic communication costs. To solve this pain point in network advanced threat detection, the ATT&CK network adversarial behavior framework is adopted as the unified description language for multi-step attack behavior, and a network advanced threat detection system based on event sequence correlation is designed and implemented. The event sequence correlation model achieves effective detection of multi-step attack behavior, and the result is presented visually through the ATT&CK attack matrix, which helps analysts clarify the means, strategies and purposes of malicious attacks; with the techniques and tactics presented by the detection system, analysts can take corresponding defense measures and reduce the attacker's attack effect. Experimental results show that the detection rate of the detection system reaches 96.43%, which is of great practical significance for analysts trying to solve the "defense dilemma" in network attacks.

Key words: Adversarial Tactics, Techniques and Common Knowledge (ATT&CK); Multi-step attack detection; Event sequence correlation; Advanced persistent threats
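The event sequence correlation step the abstract describes, shown as an added illustration that is not the paper's own code: single-event detections that already carry an ATT&CK technique id are grouped per host and kept in a chain only when they advance through the tactic order within a time window, so that a multi-step attack surfaces as one chain rather than as isolated alerts. The technique-to-tactic subset, the one-hour window, the three-step alert threshold and the sample events are all assumptions made for this example.

```python
from dataclasses import dataclass

# Tactic order the correlation model walks; an event extends a chain only when its
# tactic comes later in this list than the tactic of the chain's last event.
TACTIC_ORDER = ["execution", "persistence", "credential-access",
                "lateral-movement", "command-and-control"]
# Technique -> tactic map (assumption: a small ATT&CK Enterprise subset: T1059 scripting,
# T1547 autostart, T1003 credential dumping, T1021 remote services, T1071 app-layer C2).
TECHNIQUE_TACTIC = {"T1059": "execution", "T1547": "persistence",
                    "T1003": "credential-access", "T1021": "lateral-movement",
                    "T1071": "command-and-control"}

@dataclass
class Event:
    ts: int         # seconds (constructed), as an upstream rule engine would stamp it
    host: str
    technique: str  # ATT&CK technique id a single-event rule already attached

def correlate(events, window=3600):
    """Per host, build chains of events that progress through TACTIC_ORDER within `window` s."""
    chains = {}                                   # host -> list of chains (lists of Event)
    for ev in sorted(events, key=lambda e: e.ts):
        tactic = TECHNIQUE_TACTIC.get(ev.technique)
        if tactic is None:
            continue                              # technique not modelled: ignore
        host_chains = chains.setdefault(ev.host, [[]])
        chain = host_chains[-1]
        if chain:
            last_tactic = TECHNIQUE_TACTIC[chain[-1].technique]
            if ev.ts - chain[-1].ts > window:     # gap too long: open a fresh chain
                chain = []
                host_chains.append(chain)
            elif TACTIC_ORDER.index(tactic) <= TACTIC_ORDER.index(last_tactic):
                continue                          # same or earlier tactic: no progression
        chain.append(ev)
    return chains

def alerts(chains, min_steps=3):
    """Hosts whose longest chain spans at least `min_steps` tactics, as technique ids."""
    out = {}
    for host, host_chains in chains.items():
        best = max(host_chains, key=len)
        if len(best) >= min_steps:
            out[host] = [e.technique for e in best]
    return out

# Constructed sample: ws01 shows a four-step progression, ws02 only isolated events.
SAMPLE_EVENTS = [Event(0, "ws01", "T1059"), Event(600, "ws01", "T1547"),
                 Event(1200, "ws01", "T1003"), Event(1800, "ws01", "T1021"),
                 Event(0, "ws02", "T1059"), Event(100, "ws02", "T1059"),
                 Event(300, "ws02", "T1083"), Event(9000, "ws02", "T1071")]
```

The technique ids in each reported chain map directly onto cells of the ATT&CK matrix, which is the view the abstract says analysts use to read off the attacker's tactics and choose countermeasures.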

CLC number:

  • TP393.0