Computer Science ›› 2023, Vol. 50 ›› Issue (6A): 220600176-7. doi: 10.11896/jsjkx.220600176

• Information Security •

Network Advanced Threat Detection System Based on Event Sequence Correlation Under ATT&CK Framework

ZHANG Yuxiang1, HAN Jiujiang1, LIU Jian1, XIAN Ming1, ZHANG Hongjiang2, CHEN Yu1, LI Ziyuan3

  1. College of Electronic Science and Technology, National University of Defense Technology, Changsha 410000, China
  2. College of Electronics and Information Engineering, Ankang University, Ankang, Shaanxi 725000, China
  3. 31438 Unit, Shenyang 110031, China
  • Online: 2023-06-10  Published: 2023-06-12
  • About author: ZHANG Yuxiang, born in 1998, master. His main research interests include network and information security, cloud computing and big data security. HAN Jiujiang, born in 1998, master. His main research interests include network and information security, cloud computing and big data security.
  • Supported by: National Natural Science Foundation of China (61801489) and Natural Science Foundation of Hunan Province (2020JJ5666).

Abstract: As network technology develops rapidly, the attack-and-defense confrontation in the network world is becoming increasingly fierce and advanced network threat behaviors keep emerging. Yet in day-to-day operations and maintenance, network security analysts still describe the process of multi-step attack behavior in differing ways, which imposes a huge semantic communication cost. To address this pain point in advanced network threat detection, the ATT&CK adversarial behavior framework is adopted as a unified description language for multi-step attack behavior, and a network advanced threat detection system based on event sequence correlation is designed and implemented. The system detects multi-step attack behavior effectively through an event sequence correlation model and visualizes the result on the ATT&CK attack matrix, which helps analysts clarify the means, tactics and purpose of a malicious attack; by taking defensive measures that correspond to the techniques and tactics the system presents, analysts can reduce the attacker's effect. Experimental results show that the detection rate of the system reaches 96.43%, which is of great practical significance for analysts in resolving the "defense dilemma" of network attacks.
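The abstract describes an event sequence correlation model whose matches are presented on the ATT&CK matrix, but the page gives no detail of the model itself. The Python below is an added example written for this page, not the paper's system or code: it implements a simple in-order correlator over a constructed Sysmon-like event log. The four-step chain (real ATT&CK technique IDs with simplified predicates), the ten-minute window, the event schema and the sample events are all assumptions made for the illustration.

```python
"""Event-sequence correlation mapped onto ATT&CK tactics and techniques.

Added illustration only; the paper's own model is not published on this
page, so the event schema, the chain rules, the time window and the
sample log below are all constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable


@dataclass(frozen=True)
class Event:
    """One normalized endpoint event (Sysmon-like fields, constructed schema)."""
    ts: datetime
    host: str
    kind: str            # "process", "registry" or "network"
    image: str = ""      # image path of the acting process
    parent: str = ""     # parent image path (process events)
    cmdline: str = ""    # command line (process events)
    target: str = ""     # registry key or "ip:port" (registry/network events)


@dataclass(frozen=True)
class Step:
    """One step of a multi-step attack chain: an ATT&CK technique plus its tactic."""
    technique: str
    tactic: str
    match: Callable[[Event], bool]


def _image_is(e: Event, name: str) -> bool:
    return e.image.lower().endswith(name)


# Hypothetical four-step chain. Technique IDs are real ATT&CK identifiers;
# the detection predicates are deliberately simplified for the example.
CHAIN = [
    Step("T1204.002", "Execution",
         lambda e: e.kind == "process" and _image_is(e, "cmd.exe")
         and e.parent.lower().endswith("winword.exe")),
    Step("T1059.001", "Execution",
         lambda e: e.kind == "process" and _image_is(e, "powershell.exe")
         and "-enc" in e.cmdline.lower()),
    Step("T1547.001", "Persistence",
         lambda e: e.kind == "registry"
         and "\\currentversion\\run" in e.target.lower()),
    Step("T1071.001", "Command and Control",
         lambda e: e.kind == "network" and e.target.endswith(":443")),
]


def correlate(events, chain=CHAIN, window=timedelta(minutes=10)):
    """Greedy in-order matching of `chain` against each host's event stream.

    A step can only match after every earlier step has matched, and all
    matches must fall within `window` of the first one. Returns
    {host: [(step, event), ...]}; hosts whose first step never matched are
    omitted, so an isolated single event does not produce a sequence.
    """
    per_host = {}
    for e in sorted(events, key=lambda e: e.ts):
        per_host.setdefault(e.host, []).append(e)
    result = {}
    for host, stream in per_host.items():
        matched = []
        for e in stream:
            if len(matched) == len(chain):
                break
            if matched and e.ts - matched[0][1].ts > window:
                break
            if chain[len(matched)].match(e):
                matched.append((chain[len(matched)], e))
        if matched:
            result[host] = matched
    return result


def coverage(matched, chain=CHAIN) -> float:
    """Fraction of the chain observed on a host (1.0 = complete multi-step attack)."""
    return len(matched) / len(chain)


def attack_matrix(matched):
    """Group matched techniques by tactic: the cells an ATT&CK matrix view would highlight."""
    matrix = {}
    for step, _ in matched:
        matrix.setdefault(step.tactic, []).append(step.technique)
    return matrix


# Constructed sample log (not real telemetry).
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
T0 = datetime(2022, 4, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    # ws-01: a benign browser launch, then the full four-step chain
    Event(T0 - timedelta(minutes=5), "ws-01", "process", image=r"C:\Program Files\Google\Chrome\Application\chrome.exe", parent=EXPLORER),
    Event(T0, "ws-01", "process", image=CMD, parent=WINWORD, cmdline="cmd.exe /c powershell"),
    Event(T0 + timedelta(seconds=5), "ws-01", "process", image=PS, parent=CMD, cmdline="powershell.exe -NoP -enc AAAA"),
    Event(T0 + timedelta(seconds=20), "ws-01", "registry", image=PS, target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event(T0 + timedelta(seconds=30), "ws-01", "network", image=PS, target="203.0.113.7:443"),
    # ws-02: encoded PowerShell on its own, not preceded by an Office child process
    Event(T0 + timedelta(hours=1), "ws-02", "process", image=PS, parent=EXPLORER, cmdline="powershell.exe -enc BBBB"),
    # ws-03: only the first two steps of the chain
    Event(T0 + timedelta(hours=2), "ws-03", "process", image=CMD, parent=WINWORD, cmdline="cmd.exe /c powershell"),
    Event(T0 + timedelta(hours=2, seconds=3), "ws-03", "process", image=PS, parent=CMD, cmdline="powershell.exe -enc CCCC"),
]

if __name__ == "__main__":
    for host, matched in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: coverage {coverage(matched):.2f}, matrix {attack_matrix(matched)}")
```

Run stand-alone, the correlator reports ws-01 with full coverage and all three tactics populated, and ws-03 as a partial chain with coverage 0.5, while the lone encoded-PowerShell event on ws-02 produces no sequence at all. That is the point of correlating sequences rather than single events: an analyst sees the complete attack path and where a partial one stopped, and a one-off event that fits only a middle step does not raise a multi-step alert.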

Key words: Adversarial tactics, techniques and common knowledge (ATT&CK); Multi-step attack detection; Event sequence correlation; Advanced persistent threats

CLC Number: TP393.0