一种基于攻击图的高级持续威胁检测方法

doi:10.3969/j.issn.1671-1122.2023.12.007

摘要/Abstract

摘要：

针对传统入侵检测工具无法检测高级持续威胁（Advanced Persistent Threat，APT）攻击和威胁警报疲劳问题，文章提出一种基于攻击图的APT检测方法ADBAG（APT Detection Based on Attack Graph），该方法根据网络拓扑、漏洞报告等信息生成攻击图，并利用攻击图对攻击者行为进行预先分析，有效解决了威胁警报疲劳问题。文章结合ATT&CK（Adversarial Tactics，Techniques and Common Knowledge）模型和APT攻击三相检测模型，设计了一种缺失路径匹配评分算法，从攻击全局角度分析和检测APT攻击。同时，设计了基于灰名单的多攻击实体关联方法，以保证生成的APT攻击证据链的准确性。在公开数据集上进行实验，实验结果表明，ADBAG可以有效检测APT攻击，并能够检测基于零日漏洞的APT攻击，进一步定位攻击影响范围。

关键词: 入侵检测, 威胁检测, APT攻击, 攻击图

Abstract:

Aiming at the problem that traditional intrusion detection tools can’t detect advanced persistent threat (APT) attacks and threat alert fatigue, this paper proposed an advanced persistent threat detection method based on attack graph, which generated attack graph according to network topology, vulnerability report and other information to analyze the attacker’s behavior in advance, which effectively combated the threat alert fatigue problem. Combining adversarial tactics, techniques and common knowledge (ATT&CK) model and APT attack three-phase detection model, a scoring algorithm for missing path matching was designed to analyze and detect APT attacks from the global perspective. At the same time, a multi-attack entity association method based on grey list was designed to ensure the accuracy of the generated APT attack evidence chain. In this paper, experiments were carried out on public data sets, and the results show that ADBAG can effectively detect APT attacks and APT attacks that exploit zero-day vulnerabilities, and further locate the scope of attacks.

Key words: intrusion detection, threat detection, APT attack, attack graph

中图分类号:

TP309

高庆官, 张博, 付安民. 一种基于攻击图的高级持续威胁检测方法[J]. 信息网络安全, 2023, 23(12): 59-68.

GAO Qingguan, ZHANG Bo, FU Anmin. An Advanced Persistent Threat Detection Method Based on Attack Graph[J]. Netinfo Security, 2023, 23(12): 59-68.

图/表 12

图1

表1

表2

图2

图3

图4

表3

图5

表4

表5

图6

表6

参考文献 37

[1]	REN Yitong, XIAO Yanjun, ZHOU Yinghai, et al. CSKG4APT: A Cybersecurity Knowledge Graph for Advanced Persistent Threat Organization Attribution[J]. IEEE Transactions on Knowledge and Data Engineering, 2022, 35(6): 5695-5709.
[2]	LI Teng, JIANG Ya, LIN Chi, et al. DeepAG: Attack Graph Construction and Threats Prediction with Bi-Directional Deep Learning[J]. IEEE Transactions on Dependable and Secure Computing, 2022, 20(1): 740-757. doi: 10.1109/TDSC.2022.3143551 URL
[3]	ALSHAMRANI A, MYNENI S, CHOWDHARY A, et al. A Survey on Advanced Persistent Threats: Techniques, Solutions, Challenges, and Research Opportunities[J]. IEEE Communications Surveys & Tutorials, 2019, 21(2): 1851-1877.
[4]	ADEL A, SOWMYA M, ANKUR C, et al. A Survey on Advanced Persistent Threats: Techniques, Solutions, Challenges, and Research Opportunities[J]. IEEE Communications Surveys & Tutorials, 2019, 21(2): 1851-1877.
[5]	CVERC. Report on the Investigation of Northwestern Polytechnical University’s Network Attack by the US NSA(Part One)[EB/OL]. (2022-09-25) [2023-02-13]. https://www.cverc.org.cn/head/zhaiyao/news20220905-NPU.htm Sept. 2022.
	国家计算机病毒应急处理中心. 西北工业大学遭美国NSA网络攻击事件调查报告(之一)[EB/OL]. (2022-09-25)[2023-02-13]. https://www.cverc.org.cn/head/zhaiyao/news20220905-NPU.htm.
[6]	MICHAEL H. Stuxnet Worm Attack on Iranian Nuclear Facilities[EB/OL]. (2016-08-03)[2023-02-13]. http://large.stanford.edu/courses/2015/ph241/holloway1/.
[7]	ZHANG Yuxiang, HAN Jiujiang, LIU Jian, et al. Network Advanced Threat Detection System Based on Event Sequence Correlation Under ATT&CK Framework[J]. Computer Science, 2023, 50(z1): 700-706.
	张宇翔, 韩久江, 刘建, 等. ATT&CK框架下基于事件序列关联的网络高级威胁检测系统[J]. 计算机科学, 2023, 50(z1): 700-706.
[8]	XU Liping, HAO Wenjiang. Analysis and Enlightenment of US Government and Enterprise Cyber Threat Intelligence[J]. Netinfo Security, 2016, 16(9): 278-284.
	徐丽萍, 郝文江. 美国政企网络威胁情报现状及对我国的启示[J]. 信息网络安全, 2016, 16(9): 278-284.
[9]	HASSAN W U, BATES A, MARINO D. Tactical Provenance Analysis for Endpoint Detection and Response Systems[C]// IEEE. IEEE Symposium on Security and Privacy (SP). New York: IEEE, 2020: 1172-1189.
[10]	HODAYA B, RON B, MASAKI I, et al. A Framework for Modeling Cyber Attack Techniques from Security Vulnerability Descriptions[C]// ACM. 27th ACM SIGKDD Conference on Knowledge Discovery & Data Mining. New York: ACM, 2021: 2574-2583.
[11]	MARTIN B, EMIL C L. Naggen:A Network Attack Graph Generation Tool-IEEE CNS 17 Poster[C]// IEEE. IEEE Conference on Communications and Network Security (CNS). New York: IEEE, 2017: 378-379.
[12]	JIN Zhigang, WANG Xinjian, LI Gen, et al. The Generation Method of Network Defense Strategy Combining with Attack Graph and Game Model[J]. Netinfo Security, 2021, 21(1): 1-9.
	金志刚, 王新建, 李根, 等. 融合攻击图和博弈模型的网络防御策略生成方法[J]. 信息网络安全, 2021, 21(1): 1-9.
[13]	LUO Zhiyong, ZHANG Yu, WANG Qing, et al. Study of SDN Intrusion Intent Identification Algorithm Based on Bayesian Attack Graph[J]. Journal on Communications, 2023, 44(4): 216-225. doi: 10.11959/j.issn.1000-436x.2023073
	罗智勇, 张玉, 王青, 等. 基于贝叶斯攻击图的SDN入侵意图识别算法的研究[J]. 通信学报, 2023, 44(4): 216-225. doi: 10.11959/j.issn.1000-436x.2023073
[14]	SHEYNER O, HAINES J, JHA S, et al. Automated Generation and Analysis of Attack Graphs[C]// IEEE. IEEE Symposium on Security and Privacy. New York: IEEE, 2002: 254-265.
[15]	YANG Hongyu, YUAN Haihang, ZHANG Liang. Host Security Assessment Method Based on Attack Graph[J]. Journal on Communications, 2022, 43(2): 89-99. doi: 10.11959/j.issn.1000-436x.2022030
	杨宏宇, 袁海航, 张良. 基于攻击图的主机安全评估方法[J]. 通信学报, 2022, 43(2): 89-99. doi: 10.11959/j.issn.1000-436x.2022030
[16]	MARTIN B, RODRIGO V S, RABIH M, et al. Tracking the Bad Guys: An Efficient Forensic Methodology to Trace Multi-Step Attacks Using Core Attack Graphs[C]// IEEE. 13th International Conference on Network and Service Management (CNSM). New York: IEEE, 2017: 1-7.
[17]	NICHOLS W, HAWRYLAK P, HALE J, et al. Introducing Priority into Hybrid Attack Graphs[C]// ACM. 12th Annual Conference on Cyber and Information Security Research. New York: ACM, 2017: 1-4.
[18]	THANH H N, MASON W, MICHAEL P W, et al. Multi-Stage Attack Graph Security Games: Heuristic Strategies, with Empirical Game-Theoretic Analysis[C]// ACM. Proceedings of the 2017 Workshop on Moving Target Defense. New York: ACM, 2017: 87-97.
[19]	WANG Xiaofan, ZHOU Tianyang, ZHU Junhu. Network Security Assessment Based on Full Host-Based Attack Graph[C]// ACM. International Conference on Cyberspace Innovation of Advanced Technologies. New York: ACM, 2020: 230-235.
[20]	GHAZO A T A, IBRAHIM M, REN Hao, et al. A2G2V: Automatic Attack Graph Generation and Visualization and Its Applications to Computer and SCADA Networks[J]. IEEE Transactions on Systems, Man, and Cybernetics: Systems, 2020, 50(10): 3488-3498. doi: 10.1109/TSMC.6221021 URL
[21]	AMJAD I, STEVICA B, ALEXANDER P. Attack Graph Generation for Microservice Architecture[C]// ACM. 34th ACM/SIGAPP Symposium on Applied Computing. New York: ACM, 2019: 1235-1242.
[22]	LUO Zhiyong, YANG Xu, LIU Jiahui, et al. Network Intrusion Intention Analysis Model Based on Bayesian Attack Graph[J]. Journal on Communications, 2020, 41(9): 160-169. doi: 10.11959/j.issn.1000-436x.2020172
	罗智勇, 杨旭, 刘嘉辉, 等. 基于贝叶斯攻击图的网络入侵意图分析模型[J]. 通信学报, 2020, 41(9): 160-169. doi: 10.11959/j.issn.1000-436x.2020172
[23]	LI Heng, WANG Yongjun, CAO Yuan. Searching Forward Complete Attack Graph Generation Algorithm Based on Hypergraph Partitioning[C]// ACM. Procedia Computer Science. New York: ACM, 2017: 27-38.
[24]	LI Jiyong. Network Intrusion Detection Algorithm and Simulation of Complex System in Internet Environment[EB/OL]. (2022-12-29)[2023-02-13]. https://ieeexplore.ieee.org/document/9985720.
[25]	ZHANG Bo, CUI Jiawei, QU Su, et al. Research Progress and Challenge of Advanced Persistent Threat and Its Reconstruction[J]. Journal of Information Security Research, 2021, 7(6): 512-519.
[26]	KING I J, HUANG H H. Euler: Detecting Network Lateral Movement via Scalable Temporal Graph Link Prediction[J]. ACM Transactions on Privacy and Security, 2022, 26(3): 1-36.
[27]	XIONG Chunlin, ZHU Tiantian, DONG Weihao, et al. CONAN: A Practical Real-Time APT Detection System with High Accuracy and Efficiency[J]. IEEE Transactions on Dependable and Secure Computing, 2020, 19(1): 551-565. doi: 10.1109/TDSC.2020.2971484 URL
[28]	YU Le, MA Shiqing, ZHANG Zhuo, et al. ALchemist: Fusing Application and Audit Logs for Precise Attack Provenance without Instrumentation[EB/OL]. (2021-02-21)[2023-02-13]. https://www.ndss-symposium.org/wp-content/uploads/ndss2021_7A-2_24445_paper.pdf.
[29]	ALSAHEEL A, NAN Yuhong, MA Shiqing, et al. ATLAS: A Sequence-Based Learning Approach for Attack Investigation[C]// USENIX. 30th USENIX Security Symposium (USENIX Security 21). Berlin:USENIX, 2021: 3005-3022.
[30]	WU Yafeng, XIE Yulai, LIAO Xuelong, et al. Paradise: Real-Time, Generalized, and Distributed Provenance-Based Intrusion Detection[J]. IEEE Transactions on Dependable and Secure Computing, 2022, 20(2): 1624-1640. doi: 10.1109/TDSC.2022.3160879 URL
[31]	ZENG Jun, WANG Xiang, LIU Jiahao, et al. Shadewatcher: Recommendation-guided Cyber Threat Analysis Using System Audit Records[C]// IEEE. 2022 IEEE Symposium on Security and Privacy (SP). New York: IEEE, 2022: 489-506.
[32]	Aptnotes. Data[EB/OL]. (2022-03-11)[2023-02-13]. https://github.com/aptnotes/data/.
[33]	OU Xinming, GOVINDAVAJHALA S, APPEL A W. MulVAL: A Logic-Based Network Security Analyzer[C]// USENIX. USENIX Security Symposium. Berlin:USENIX, 2005(8): 113-128.
[34]	FANG Pengcheng, GAO Peng, LIU Changlin, et al. Back-Propagating: System Dependency Impact for Attack Investigation[C]// USENIX. 31st USENIX Security Symposium (USENIX Security 22). Berlin:USENIX, 2022: 2461-2478.
[35]	HU Erteng, FU Anmin, ZHANG Zhiyi, et al. ACTracker: A Fast and Efficient Attack Investigation Method Based on Event Causality[C]// IEEE. IEEE INFOCOM 2021-IEEE Conference on Computer Communications Work-Shops. New York: IEEE, 2021: 1-6.
[36]	GHAZO A T A, IBRAHIM M, REN Hao, et al. A2G2V: Automatic Attack Graph Generation and Visualization and Its Applications to Computer and SCADA Networks[J]. IEEE Transactions on Systems, Man, and Cybernetics: Systems, 2020, 50(10): 3488-3498. doi: 10.1109/TSMC.6221021 URL
[37]	LIANG Ruozhou, GAO Yue, ZHAO Xibin. APT Attack Detection Method on Traceability Map Based on Sequence Feature Extraction[J]. Scientia Sinica (Informationis), 2022, 52(8): 1463-1480.
	梁若舟, 高跃, 赵曦滨. 基于序列特征提取的溯源图上APT攻击检测方法[J]. 中国科学:信息科学, 2022, 52(8): 1463-1480.

特征字段	判定指标
源IP地址	警报源IP在同一网段中
目的端口	较长时间窗口内警报目的端口一致
线程ID	警报对应同一线程
进程ID	警报对应同一进程
警报时间	警报发生在较小的时间窗口内
代理服务器	使用同一个代理服务器
自定义字段	附加相同的字符串信息

APT阶段	常见度	严重性	必要性	行为分数
侦察	9	1	0	0.100
资源开发	5	0	0	0.175
初始访问	7	2	0	0.235
执行	4	5	0	0.535
坚持	6	4	0	0.400
权限提升	3	7	0	0.700
防御规避	3	4	0	0.505
凭据访问	5	6	0	0.565
发现	3	4	0	0.505
横向运动	2	4	0	0.540
收集	4	5	0	0.535
指挥与控制	1	7	1	1.770
外渗	2	8	0	0.800
冲击	0	10	1	2.000

警报类别	严重性	数量/个
Misc activity	3	672
Potentially Bad Traffic	2	5
Misc Attack	2	55
Not Suspicious Traffic	3	15
Attempted Information Leak	2	50
Access to potentially vulnerable app	2	18
Decode of an RPC Query	2	92
Attempted Administrator Privilege Gain	1	19

模拟场景	检出恶意行为	关联行为
定期日志窃取	主机扫描、端口扫描、SSH爆破、权限提升、数据泄露	远程登录、脚本隐藏
ARP欺骗	主机扫描、端口扫描、非法截图	Arpspoof断网、流量转发
远程木马	非法远程控制	elf文件下载、文件执行
FTP爆破	主机扫描、端口扫描、版本侦察、用户侦察、FTP爆破、非法传输	远程登录

进程名称	攻击类别	时间	路径信息	进程ID
shell	shell远程控制	Tue 07 Mar 10:34:57-10:35:01 AM	/usr/bin/sh	2783.2785.2789
I386	建立外部连接	Tue 07 Mar 10:35:01 AM	/usr/bin/i386	2783.2785.2790
quota	提升权限	Tue 07 Mar 10:35:01 AM	/usr/lib/fs/ufs/quota	2783.2785.2791
cat	文件改写	Tue 07 Mar 10:35:01 AM	/usr/bin/cat	2783.2785.2792
mail	文件传送	Tue 07 Mar 10:35:01 AM	/usr/bin/mail	2783.2785.2793
shell	shell远程控制	Tue 07 Mar 10:50:38 AM	/usr/bin/sh	2783.2785.2849
I386	建立外部连接	Tue 07 Mar 10:50:38 AM	/usr/bin/i386	2783.2785.2850
quota	提升权限	Tue 07 Mar 10:50:38 AM	/usr/lib/fs/ufs/quota	2783.2785.2851
cat	文件改写	Tue 07 Mar 10:50:38 AM	/usr/bin/cat	2783.2785.2852
mail	文件传送	Tue 07 Mar 10:50:38 AM	/usr/bin/mail	2783.2785.2853
mkdir	创建目录	Tue 07 Mar 10:50:38 AM	/usr/bin/mkdir	2783.2785.2854
rcp	远程文件复制	Tue 07 Mar 10:50:38 AM	/usr/bin/rcp	2783.2785.2855
chmod	权限修改	Tue 07 Mar 10:50:38 AM	/usr/bin/chmod	2783.2785.2856
shell	shell远程控制	Tue 07 Mar 10:50:53 AM	/usr/bin/sh	2783.2785.2858
Server-sol	连接木马组件	Tue 07 Mar 10:50:54 AM	/tmp/.mstream/server-sol	2783.2785.2859