基于指标依赖模型构建与监控的攻击检测方法

doi:10.13328/j.cnki.jos.006847

微信服务号

微信订阅号

2025年4月4日 23:08 星期五

首页 > 过刊浏览>2023年第34卷第6期 >2641-2668. DOI:10.13328/j.cnki.jos.006847

PDF HTML阅读 XML下载导出引用引用提醒

基于指标依赖模型构建与监控的攻击检测方法
DOI:
                        10.13328/j.cnki.jos.006847
                    
CSTR:
                        
                    
作者:
                        王立敏王立敏
计算机软件新技术国家重点实验室(南京大学), 江苏 南京 210023;南京大学 计算机科学与技术系, 江苏 南京 210023
在期刊界中查找
在百度中查找
在本站中查找
卜磊卜磊
计算机软件新技术国家重点实验室(南京大学), 江苏 南京 210023;南京大学 计算机科学与技术系, 江苏 南京 210023;南京大学 软件学院, 江苏 南京 210093
在期刊界中查找
在百度中查找
在本站中查找
马乐之马乐之
计算机软件新技术国家重点实验室(南京大学), 江苏 南京 210023;南京大学 计算机科学与技术系, 江苏 南京 210023
在期刊界中查找
在百度中查找
在本站中查找
于笑丰于笑丰
南京大学 商学院, 江苏 南京 210093
在期刊界中查找
在百度中查找
在本站中查找
沈宁国沈宁国
华为技术有限公司, 广东 深圳 518129
在期刊界中查找
在百度中查找
在本站中查找

                    
作者单位:
作者简介:王立敏(1994-),男,博士生,CCF学生会员,主要研究领域为软件分析,系统安全;卜磊(1983-),男,博士,教授,博士生导师,CCF高级会员,主要研究领域为形式化方法,复杂软件系统分析与验证;马乐之(2000-),男,博士生,CCF学生会员,主要研究领域为软件分析与测试
通讯作者:卜磊，bulei@nju.edu.cn
中图分类号:
基金项目:国家自然科学基金（62232008，62172200）；江苏省前沿引领技术基础研究专项（BK20202001）

Attack Detection Method Based on Indicator-dependent Model Construction and Monitoring

Author:

WANG Li-Min
WANG Li-Min
State Key Laboratory for Novel Software Technology (Nanjing University), Nanjing 210023, China;Department of Computer Science and Technology, Nanjing University, Nanjing 210023, China
在期刊界中查找
在百度中查找
在本站中查找
BU Lei
BU Lei
State Key Laboratory for Novel Software Technology (Nanjing University), Nanjing 210023, China;Department of Computer Science and Technology, Nanjing University, Nanjing 210023, China;Software Institute, Nanjing University, Nanjing 210093, China
在期刊界中查找
在百度中查找
在本站中查找
MA Le-Zhi
MA Le-Zhi
State Key Laboratory for Novel Software Technology (Nanjing University), Nanjing 210023, China;Department of Computer Science and Technology, Nanjing University, Nanjing 210023, China
在期刊界中查找
在百度中查找
在本站中查找
YU Xiao-Feng
YU Xiao-Feng
Bussiness School, Nanjing University, Nanjing 210093, China
在期刊界中查找
在百度中查找
在本站中查找
SHEN Ning-Guo
SHEN Ning-Guo
Huawei Technologies Co. Ltd., Shenzhen 518129, China
在期刊界中查找
在百度中查找
在本站中查找

Affiliation:

Fund Project:

摘要

图/表

访问统计

参考文献 [49]

相似文献 [20]

引证文献

资源附件

文章评论

摘要:

随着攻击技术的不断演进，防御的难度也与日俱增.为了及时、有效地识别和阻断攻击的实施，学术界与工业界已提出众多基于攻击检测的防御技术.现有的攻击检测方法主要着眼于攻击事件，通过识别攻击特征或者定位异常活动来发现攻击，分别具有泛化性和攻击导向性不足的局限性，容易被攻击者精心构造的攻击变种绕过，造成漏报和误报.然而，根据观察发现：尽管攻击及其变种可能采用众多不同的攻击机制来绕过一些防御措施，以实现同一攻击目的，但是由于攻击目的不变，这些攻击对系统的影响依然具有相似性，因此，所造成的系统影响并不会随攻击手段的大量增多而随之产生对应的增长.针对这一特点，提出了基于攻击指标依赖模型的攻击检测方法，以更有效地应对攻击变种.所提出的指标依赖模型着眼于漏洞利用后对系统的影响而非变化多样的攻击行为，因此具有更强的泛化能力.基于模型指导，进一步采用多层次监控技术，以迅速捕获定位攻击迹，最终实现对目标攻击与变种的精确检测，有效降低攻击检测的误报率.在DARPA透明计算项目以及典型APT攻击组成的测试集上，与现有的基于攻击事件分析的检测方法进行实验对比，结果表明：在预设场景下，所提出的方法可以根据可接受的性能损耗实现99.30%的检出率.

关键词:指标依赖模型;攻击检测;漏洞利用;系统状态

Abstract:

With the continuous evolution of attack techniques, the difficulty of defense is increasing rapidly. In order to identify and block the attacks in a timely and effective manner, numerous detection-based defenses have been proposed in academia and industry. The current attack detection methods mainly focus on attack behaviors, and find attacks by identifying attack signals or locating abnormal activities. These solutions have the limitation of insufficient generalization and attack-orientation respectively and are easily bypassed by attackers' well-crafted behaviors, resulting in false positives and false negatives. Nevertheless, it is observed that the attacks and their variants usually leverage different attack mechanisms to bypass some defenses and achieve the same attack purpose. Since the attack purpose remains the same, the impact of these attacks on the system is still similar, so the caused system impact will not increase correspondingly with the large increase in attack methods. Based on the observation, an indicator-dependent model-based attack detection method is proposed to detect the attack variants more effectively. The proposed model focuses on the impact of the exploits on the system rather than the various attack behaviors, which is more generalizable. Based on the model, the multi-level monitoring technology is further adopted to quickly capture and locate attack traces, and finally the accurate detection of target attacks and variants is achieved, which effectively reduces the false alarm rate. The effectiveness of the proposed method is verified by the experiment, compared with existing attack behavior-based detection methods on the attack set composed of the DARPA transparent computing project and typical APT attacks. The experimental results show that the proposed solution is able to achieve 99.30% detection accuracy with an acceptable performance cost.

Key words:indicator-dependent model;attack detection;exploition;system status

参考文献

[1] Fireeye M. 2021 Fireeye mandiant service special report. 2022. https://www.arrow.com/ecs-media/16352/fireeye-rpt-mtrends-2021.pdf

[2] Yagemann C, Pruett M, Chung SP, et al. ARCUS: Symbolic root cause analysis of exploits in production systems. In: Proc. of the 30th USENIX Security Symp. (USENIX Security 2021). USENIX Association, 2021. 1989-2006.

[3] Alsaheel A, Nan Y, Ma S, et al. ATLAS: A sequence-based learning approach for attack investigation. In: Proc. of the 30th USENIX Security Symp. (USENIX Security 2021). USENIX Association, 2021. 3005-3022.

[4] Yu L, Ma S, Zhang Z, et al. ALchemist: Fusing application and audit logs for precise attack provenance without instrumentation. In: Proc. of the Network and Distributed System Security Symp. (NDSS 2021). The Internet Society, 2021.

[5] Milajerdi SM, Gjomemo R, Eshete B, et al. Holmes: Real-time apt detection through correlation of suspicious information flows. In: Proc. of the IEEE Symp. on Security and Privacy (SP). IEEE, 2019. 1137-1152.

[6] Lee KH, Zhang X, Xu D. High accuracy attack provenance via binary-based execution partition. In: Proc. of the Network and Distributed System Security Symp. (NDSS 2013). The Internet Society, 2013.

[7] Kwon Y, Wang F, Wang W, et al. MCI: Modeling-based causality inference in audit logging for attack investigation. In: Proc. of the Network and Distributed System Security Symp. (NDSS 2018). The Internet Society, 2018.

[8] Ma S, Zhai J, Wang F, et al. MPI: Multiple perspective attack investigation with semantic aware execution partitioning. In: Proc. of the 26th USENIX Security Symp. (USENIX Security 2017). USENIX Association, 2017. 1111-1128.

[9] Hassan WU, Noureddine MA, Datta P, et al. OmegaLog: High-fidelity attack investigation via transparent multi-layer log analysis. In: Proc. of the Network and Distributed System Security Symp. (NDSS 2020). The Internet Society, 2020.

[10] Ma S, Zhang X, Xu D. Protracer: Towards practical provenance tracing by alternating between logging and tainting. In: Proc. of the Network and Distributed System Security Symp. (NDSS 2016). The Internet Society, 2016.

[11] Irshad H, Ciocarlie G, Gehani A, et al. Trace: Enterprise-wide provenance tracking for real-time apt detection. IEEE Trans. on Information Forensics and Security, 2021, 16: 4363-4376.

[12] Elastic. Open security platform unifying SIEM, endpoint & cloud. Elastic, 2022. https://www.elastic.co/security

[13] Hutchins EM, Cloppert MJ, Amin RM. Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. Leading Issues in Information Warfare & Security Research, 2011, 1: 80-106.

[14] DARPA. Transparent computing. 2022. https://www.darpa.mil/program/transparent-computing

[15] Canella C, Van Bulck J, Schwarz M, et al. A systematic evaluation of transient execution attacks and defenses. In: Proc. of the 28th USENIX Security Symp. (USENIX Security 2019). USENIX Association, 2019. 249-266.

[16] Wang T, Wei T, Gu G, et al. TaintScope: A checksum-aware directed fuzzing tool for automatic software vulnerability detection. In: Proc. of the IEEE Symp. on Security and Privacy. IEEE, 2010. 497-512.

[17] Lin G, Wen S, Han QL, et al. Software vulnerability detection using deep neural networks: A survey. Proc. of the IEEE, 2020, 108(10): 1825-1848.

[18] Farris KA, Shah A, Cybenko G, et al. Vulcon: A system for vulnerability prioritization, mitigation, and management. ACM Trans. on Privacy and Security (TOPS), 2018, 21(4): 1-28.

[19] Duan R, Alrawi O, Kasturi RP, et al. Towards measuring supply chain attacks on package managers for interpreted languages. In: Proc. of the Network and Distributed System Security Symp. (NDSS 2021). The Internet Society, 2021.

[20] Syed NF, Shah SW, Trujillo-Rasua R, et al. Traceability in supply chains: A cyber security analysis. Computers & Security, 2022, 112: 102536.

[21] MITRE. CWE—Detection methods. 2022. https://cwe.mitre.org/community/swa/detection_methods.html

[22] MITRE. MITRE ATT & CK^®. 2022. https://attack.mitre.org/

[23] Su T, Wang J, Su Z. Benchmarking automated GUI testing for Android against real-world bugs. In: Proc. of the 29th ACM Joint Meeting on European Software Engineering Conf. and Symp. on the Foundations of Software Engineering. ACM, 2021. 119-130.

[24] Muraus T. Detecting which process is creating a file using LD_PRELOAD trick. 2022. https://www.tomaz.me/2014/01/08/detecting-which-process-is-creating-a-file-using-ld-preload-trick.html

[25] Sysdig. Security tools for containers, kubernetes, & cloud. 2022. https://sysdig.com/

[26] Everson D, Cheng L, Zhang Z. Log4shell: Redefining the Web attack surface. In: Proc. of the Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb). The Internet Society, 2022.

[27] Darktrace. Detecting and responding to Log4Shell in the wild. 2022. https://www.darktrace.com/en/blog/detecting-and-responding-to-log-4-shell-in-the-wild

[28] Synopsys. Heartbleed bug. 2022. https://heartbleed.com/

[29] Elastic. Detecting exploitation of CVE-2021-44228 (log4j2) with Elastic security. 2022. https://www.elastic.co/cn/security-labs/detecting-log4j2-with-elastic-security

[30] Hossain MN, Milajerdi SM, Wang J, et al. SLEUTH: Real-time attack scenario reconstruction from COTS audit data. In: Proc. of the 26th USENIX Security Symp. (USENIX Security 2017). USENIX Association, 2017. 487-504.

[31] Milajerdi SM, Eshete B, Gjomemo R, et al. Poirot: Aligning attack behavior with kernel audit records for cyber threat hunting. In: Proc. of the 2019 ACM SIGSAC Conf. on Computer and Communications Security (CCS 2019). ACM, 2019. 1795-1812.

[32] Han X, Pasquier T, Bates A, et al. UNICORN: Runtime provenance-based detector for advanced persistent threats. In: Proc. of the Network and Distributed Systems Security (NDSS 2020) Symp. 2020. The Internet Society, 2020.

[33] Pei K, Gu Z, Saltaformaggio B, et al. Hercule: Attack story reconstruction via community discovery on correlated log graph. In: Proc. of the 32nd Annual Conf. on Computer Security Applications. ACM, 2016. 583-595.

[34] SPEC. SPEC CPU^® 2006. 2022. https://www.spec.org/cpu2006/

[35] Hassan WU, Guo S, Li D, et al. Nodoze: Combatting threat alert fatigue with automated provenance triage. In: Proc. of the Network and Distributed Systems Security (NDSS 2019). The Internet Society, 2019.

[36] Wang Q, Hassan WU, Li D, et al. You are what you do: Hunting stealthy malware via data provenance analysis. In: Proc. of the Network and Distributed Systems Security (NDSS 2020). The Internet Society, 2020.

[37] Liang RZ, Gao Y, Zhao XB. Sequence feature extraction-based APT attack detection method with provenance graphs. Scientia Sinica Informationis, 2022, 52: 1463-1480 (in Chinese with English abstract). 梁若舟, 高跃, 赵曦滨. 基于序列特征提取的溯源图上APT攻击检测方法. 中国科学: 信息科学, 2022, 52: 1463-1480.

[38] Liang H, Li X, Yin NN, et al. APT attack detection method combining dynamic behavior and static characteristics. Computer Engineering and Application, 2022 (in Chinese with English abstract). 梁鹤, 李鑫, 尹南南, 李超. 结合动态行为和静态特征的APT攻击检测方法. 计算机工程与应用, 2022.

[39] Kemerlis VP, Portokalidis G, Jee K, et al. libdft: Practical dynamic data flow tracking for commodity systems. In: Proc. of the 8th ACM SIGPLAN/SIGOPS Conf. on Virtual Execution Environments. ACM, 2012. 121-132.

[40] Kang MG, McCamant S, Poosankam P, et al. Dta++: Dynamic taint analysis with targeted control-flow propagation. In: Proc. of the Network and Distributed Systems Security (NDSS 2011). The Internet Society, 2011.

[41] Bosman E, Slowinska A, Bos H. Minemu: The world's fastest taint tracker. In: Proc. of the Int'l Workshop on Recent Advances in Intrusion Detection. Springer, 2011. 1-20.

[42] Schneier B. Attack trees. Dr. Dobb's Journal, 1999, 24(12): 21-29.

[43] Wing JM. Scenario graphs applied to network security. In: Information Assurance: Survivability and Security in Networked Systems. 2008. 247-277.

[44] Sheyner OM. Scenario graphs and attack graphs [Ph. D. Thesis]. Pittsburgh: Carnegie Mellon University, 2004.

[45] Sheyner O, Wing J. Tools for generating and analyzing attack graphs. In: Proc. of the Int'l Symp. on Formal Methods for Components and Objects. Springer, 2003. 344-371.

[46] Jha S, Sheyner O, Wing J. Two formal analyses of attack graphs. In: Proc. of the 15th IEEE Computer Security Foundations Workshop. IEEE, 2002. 49-63.

[47] Bhattacharya S, Ghosh SK. An artificial intelligence based approach for risk management using attack graph. In: Proc. of the 2007 Int'l Conf. on Computational Intelligence and Security (CIS 2007). IEEE, 2007. 794-798.

[48] Wang L, Yao C, Singhal A, et al. Interactive analysis of attack graphs using relational queries. In: Proc. of the IFIP Annual Conf. on Data and Applications Security and Privacy. Springer, 2006. 119-132.

[49] Wang L, Zhu Z, Wang Z, et al. Analyzing the security of the cache side channel defences with attack graphs. In: Proc. of the 25th Asia and South Pacific Design Automation Conf. (ASP-DAC). IEEE, 2020. 50-55.

引用本文

王立敏,卜磊,马乐之,于笑丰,沈宁国.基于指标依赖模型构建与监控的攻击检测方法.软件学报,2023,34(6):2641-2668

复制

文章指标

点击次数:
下载次数:
HTML阅读次数:
引用次数:

历史

收稿日期:2022-09-05
最后修改日期:2022-12-14
录用日期:
在线发布日期: 2023-01-13
出版日期: 2023-06-06

微信服务号

微信订阅号

引用本文

分享

文章指标

历史

文章二维码

微信服务号

微信订阅号

引用本文

分享

微信扫一扫：分享

文章指标

历史

文章二维码