Netinfo Security ›› 2023, Vol. 23 ›› Issue (12): 59-68.doi: 10.3969/j.issn.1671-1122.2023.12.007


An Advanced Persistent Threat Detection Method Based on Attack Graph

GAO Qingguan 1,2, ZHANG Bo 3, FU Anmin 3

1. School of Computer Science and Engineering, Southeast University, Nanjing 211189, China
2. Nanjing Saining Information Technology Co., Ltd., Nanjing 211100, China
3. School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094, China

Received: 2023-02-17; Online: 2023-12-10; Published: 2023-12-13

Abstract:

Traditional intrusion detection tools cannot detect advanced persistent threat (APT) attacks, and the volume of alerts they raise causes threat alert fatigue. To address both problems, this paper proposes an APT detection method based on attack graphs. The method generates an attack graph from the network topology, vulnerability reports and other information, so that the attacker's possible behaviour is analyzed in advance, which effectively counters threat alert fatigue. By combining the adversarial tactics, techniques and common knowledge (ATT&CK) model with a three-phase APT attack detection model, a scoring algorithm for missing-path matching is designed to analyze and detect APT attacks from a global perspective. In addition, a grey-list-based method for associating multiple attack entities is designed to ensure the accuracy of the generated APT attack evidence chain. Experiments on public data sets show that ADBAG can effectively detect APT attacks, including APT attacks that exploit zero-day vulnerabilities, and can further locate the scope of an attack.
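As an added illustration, not the paper's ADBAG implementation, the following Python sketch shows the core idea the abstract describes: enumerate attack paths from an attack graph, match alerts against each path, and score a path by the steps observed along it, penalising steps that are missing between the first and last observed one (a missing step is how an unalerted zero-day exploit shows up). The graph, the host/tactic node labels, the alert set, the penalty weight and the scoring rule are all constructed assumptions; the grey-list entity association is not modelled.

```python
# Constructed toy attack graph (assumption, not from the paper): each node is
# (host, ATT&CK tactic); edges are moves the attacker can make, derived from
# a hypothetical topology and vulnerability report.
GRAPH = {
    ("web01", "initial-access"): [("web01", "execution")],
    ("web01", "execution"): [("db01", "lateral-movement"), ("web01", "persistence")],
    ("web01", "persistence"): [("db01", "lateral-movement")],
    ("db01", "lateral-movement"): [("db01", "collection")],
    ("db01", "collection"): [("db01", "exfiltration")],
    ("db01", "exfiltration"): [],
}
ENTRY_NODES = [("web01", "initial-access")]

def enumerate_paths(graph, entries):
    """Depth-first enumeration of all simple attack paths from entry nodes to sinks."""
    paths = []
    def walk(node, path):
        nxt = [n for n in graph.get(node, []) if n not in path]
        if not nxt:
            paths.append(path)
        for n in nxt:
            walk(n, path + [n])
    for entry in entries:
        walk(entry, [entry])
    return paths

def missing_steps(path, alerts):
    """Steps between the first and last alerted step that produced no alert."""
    hits = [i for i, step in enumerate(path) if step in alerts]
    if not hits:
        return []
    return [s for s in path[hits[0]:hits[-1] + 1] if s not in alerts]

def score_path(path, alerts, miss_penalty=0.5):
    """Fraction of the path observed, minus a penalty per missing inner step.
    Steps before the first or after the last alert count as not yet reached."""
    matched = sum(1 for step in path if step in alerts)
    if matched == 0:
        return 0.0
    missing = len(missing_steps(path, alerts))
    return max(0.0, (matched - miss_penalty * missing) / len(path))

def rank_paths(graph, entries, alerts):
    """Candidate evidence chains, best-supported path first."""
    scored = [(score_path(p, alerts), p) for p in enumerate_paths(graph, entries)]
    return sorted(scored, key=lambda s: s[0], reverse=True)

# Constructed alerts: nothing fired for lateral movement to db01 (the zero-day gap).
ALERTS = {("web01", "initial-access"), ("web01", "execution"), ("db01", "collection")}
```

Running `rank_paths(GRAPH, ENTRY_NODES, ALERTS)` ranks the direct web01-to-db01 path first, and `missing_steps` on it names the unalerted lateral-movement step, which is the part of the chain an analyst would investigate.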

Key words: intrusion detection, threat detection, APT attack, attack graph
