Computer Science ›› 2023, Vol. 50 ›› Issue (6A): 220600176-7. doi: 10.11896/jsjkx.220600176
张宇翔1, 韩久江1, 刘建1, 鲜明1, 张洪江2, 陈宇1, 李子源3
ZHANG Yuxiang1, HAN Jiujiang1, LIU Jian1, XIAN Ming1, ZHANG Hongjiang2, CHEN Yu1, LI Ziyuan3
Abstract: With the rapid development of network technology, the offensive and defensive confrontation in cyberspace is becoming increasingly intense and advanced cyber threat behaviours emerge one after another. However, network security analysts still describe the process of multi-step attack behaviour inconsistently in day-to-day operations, which incurs a large semantic communication cost. To address this pain point in advanced network threat detection, this paper adopts the ATT&CK adversary behaviour framework as a unified description language for multi-step attack behaviour, and designs and implements an advanced network threat detection system based on event sequence correlation. The event sequence correlation model can effectively detect multi-step attack behaviour, and the results are visualised on the ATT&CK attack matrix, which helps analysts understand the means, strategy and purpose of a malicious attack; guided by the techniques and tactics surfaced by the detection system, analysts can take corresponding defensive measures and reduce the attacker's effectiveness. Experimental results show that the detection rate of the system reaches 96.43%, which is of great practical significance for helping analysts resolve the "defender's dilemma" in network attack incidents.
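The abstract describes detecting multi-step attacks by correlating sequences of events and expressing each step in ATT&CK technique terms. The following Python is an added illustration of that general idea, not the paper's model or code: every event, host name, timestamp and tagging rule is constructed for the example, the three technique IDs are real ATT&CK identifiers but the predicates attached to them are deliberately simplified, and the chain definition and time window are assumptions chosen to make the walk-through concrete.

```python
"""Toy event-sequence correlation keyed to ATT&CK technique IDs.

Added illustration, not the paper's detection model. All events, rules,
the attack chain and the window are constructed for demonstration.
"""
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# Constructed endpoint telemetry (Sysmon-like fields, invented values).
SAMPLE_EVENTS: List[Dict] = [
    {"host": "ws01", "ts": 100, "kind": "process", "image": "winword.exe", "parent": "explorer.exe"},
    {"host": "ws01", "ts": 130, "kind": "process", "image": "powershell.exe", "parent": "winword.exe"},
    {"host": "ws01", "ts": 160, "kind": "process", "image": "regsvr32.exe", "parent": "powershell.exe"},
    {"host": "ws01", "ts": 200, "kind": "network", "image": "regsvr32.exe", "dport": 443},
    {"host": "ws02", "ts": 100, "kind": "process", "image": "powershell.exe", "parent": "cmd.exe"},
    {"host": "ws02", "ts": 5000, "kind": "network", "image": "regsvr32.exe", "dport": 443},
]

# Single-event tagging rules: ATT&CK technique ID -> predicate over one event.
# The IDs are real ATT&CK identifiers; the predicates are simplified assumptions.
TECHNIQUE_RULES: List[Tuple[str, Callable[[Dict], bool]]] = [
    # PowerShell spawned by an Office application
    ("T1059.001", lambda e: e["kind"] == "process" and e["image"] == "powershell.exe"
                            and e["parent"] in ("winword.exe", "excel.exe")),
    # regsvr32 used as a signed binary proxy
    ("T1218.010", lambda e: e["kind"] == "process" and e["image"] == "regsvr32.exe"),
    # web-protocol traffic originating from regsvr32
    ("T1071.001", lambda e: e["kind"] == "network" and e["image"] == "regsvr32.exe"
                            and e.get("dport") in (80, 443)),
]

# Assumed multi-step chain: execution -> defence evasion -> command and control.
ATTACK_CHAIN: List[str] = ["T1059.001", "T1218.010", "T1071.001"]


def tag_events(events: List[Dict]) -> List[Tuple[str, int, str]]:
    """Map each event to the technique IDs whose rule it matches.

    Returns (host, ts, technique_id) tuples sorted by host and time; an
    event that matches no rule contributes nothing.
    """
    tagged = []
    for e in events:
        for tid, pred in TECHNIQUE_RULES:
            if pred(e):
                tagged.append((e["host"], e["ts"], tid))
    return sorted(tagged)


def correlate(events: List[Dict], chain: List[str], window: int) -> Dict[str, List[Tuple[int, str]]]:
    """Find hosts on which `chain` occurs in order within `window` seconds.

    Returns {host: [(ts, technique_id), ...]} holding the first complete
    match per host. Steps must appear in chain order, but unrelated tagged
    events may sit between them; the window is measured from the first step.
    """
    by_host: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for host, ts, tid in tag_events(events):
        by_host[host].append((ts, tid))

    hits: Dict[str, List[Tuple[int, str]]] = {}
    for host, seq in by_host.items():
        # Try every occurrence of the first step as a potential chain start.
        for i, (start_ts, tid) in enumerate(seq):
            if tid != chain[0]:
                continue
            matched = [(start_ts, tid)]
            step = 1
            for ts, t in seq[i + 1:]:
                if ts - start_ts > window:
                    break  # chain did not complete inside the window
                if t == chain[step]:
                    matched.append((ts, t))
                    step += 1
                    if step == len(chain):
                        break
            if step == len(chain):
                hits[host] = matched
                break
    return hits


if __name__ == "__main__":
    for host, steps in correlate(SAMPLE_EVENTS, ATTACK_CHAIN, window=300).items():
        print(host, "->", " , ".join(f"{tid}@{ts}" for ts, tid in steps))
```

Running it reports only ws01, where the three tagged steps fall within 300 seconds of each other; ws02 has a PowerShell launch that matches no rule and a lone regsvr32 network event, so no chain completes there. The per-host list of matched technique IDs is the kind of output that can then be laid over an ATT&CK matrix view for the analyst.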
CLC number: