Attack Detection Method Based on Indicator-dependent Model Construction and Monitoring
(Chinese title: 基于指标依赖模型构建与监控的攻击检测方法)

Authors: Wang Limin, Bu Lei, Ma Lezhi, Yu Xiaofeng, Shen Ningguo

Author biographies:

Wang Limin (born 1994), male, Ph.D. candidate, CCF student member; research interests: software analysis and system security. Bu Lei (born 1983), male, Ph.D., professor, doctoral supervisor, CCF senior member; research interests: formal methods, analysis and verification of complex software systems. Ma Lezhi (born 2000), male, Ph.D. candidate, CCF student member; research interests: software analysis and testing.

Corresponding author:

Bu Lei, bulei@nju.edu.cn

Funding:

National Natural Science Foundation of China (62232008, 62172200); Jiangsu Provincial Frontier Leading Technology Basic Research Project (BK20202001)


Abstract:

With the continuous evolution of attack techniques, defense is becoming increasingly difficult. To identify and block attacks in a timely and effective manner, academia and industry have proposed numerous detection-based defenses. Existing attack detection methods mainly focus on attack events: they discover attacks either by identifying attack signatures or by locating anomalous activity. These two approaches suffer from insufficient generalization and insufficient attack orientation respectively, so they are easily bypassed by attacker-crafted variants, producing false negatives and false positives. It is observed, however, that although an attack and its variants may use many different mechanisms to bypass particular defenses, they pursue the same attack goal, so their impact on the system remains similar; the resulting system impact therefore does not grow in step with the number of attack techniques. Based on this observation, an attack detection method built on an indicator-dependent model is proposed to handle attack variants more effectively. The model focuses on the impact of the exploit on the system rather than on the varied attack behaviors, and is therefore more generalizable. Guided by the model, multi-level monitoring is used to quickly capture and locate attack traces, achieving accurate detection of the target attack and its variants while effectively reducing the false alarm rate. The method is compared experimentally with existing attack-event-based detection methods on a test set composed of DARPA Transparent Computing project data and typical APT attacks. The results show that, in the preset scenarios, the proposed method achieves a 99.30% detection rate with acceptable performance overhead.
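The abstract describes detecting an attack by the dependencies among its post-exploit impact indicators rather than by the attacker's behavior, with traces gathered from several monitoring layers. The following added example (written for this page; it is not code from the paper or its authors, and it does not reproduce the paper's actual model) sketches one way such a detector can be structured: a small DAG of indicators, each tied to a monitoring layer and to the indicators it depends on, matched against process, file and network events, with indicators that already hold on a parent process inherited by its children. The indicator set (a web service spawning an interpreter, a write to a persistence path, an outbound connection to a host outside an allowlist), the goal node, the trusted-destination list and the event traces are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Event:
    """One record from a monitoring layer (constructed sample data, not real audit logs)."""
    layer: str             # "process", "file" or "network": the monitor that observed it
    pid: int               # process the event is attributed to
    ppid: int              # parent pid, so impact seen on a parent flows to its children
    attrs: Dict[str, str]  # layer-specific fields, e.g. comm, path, dst


@dataclass
class Indicator:
    """Node of the indicator-dependency DAG (hypothetical structure, not the paper's). Holds on a
    process once `predicate` matches one of its `layer` events while every `depends_on` name
    already holds on it or an ancestor; a node with no predicate is an AND over its deps."""
    name: str
    layer: Optional[str] = None
    predicate: Optional[Callable[[Event], bool]] = None
    depends_on: List[str] = field(default_factory=list)


class IndicatorModel:
    def __init__(self, indicators: List[Indicator], goal: str) -> None:
        self.nodes = {i.name: i for i in indicators}
        self.goal = goal
        missing = {d for i in indicators for d in i.depends_on} - set(self.nodes)
        if goal not in self.nodes or missing:
            raise ValueError(f"bad model: goal={goal!r}, unknown deps={sorted(missing)}")


class Detector:
    def __init__(self, model: IndicatorModel) -> None:
        self.model = model
        self.parent: Dict[int, int] = {}          # pid -> ppid, learned from any event
        self.satisfied: Dict[int, Set[str]] = {}  # pid -> indicators that hold on it

    def _inherited(self, pid: int) -> Set[str]:  # indicators holding on pid or any ancestor
        have, seen = set(), set()
        while pid in self.parent and pid not in seen:  # `seen` guards pid/ppid loops
            seen.add(pid)
            have |= self.satisfied.get(pid, set())
            pid = self.parent[pid]
        return have

    def feed(self, event: Event) -> Optional[str]:
        """Consume one event; return an alert string when the goal indicator is reached."""
        self.parent.setdefault(event.pid, event.ppid)
        have = self._inherited(event.pid)
        newly = {n for n, ind in self.model.nodes.items()
                 if ind.predicate is not None and n not in have and ind.layer == event.layer
                 and all(d in have for d in ind.depends_on) and ind.predicate(event)}
        have |= newly
        changed = True
        while changed:  # resolve AND-aggregators, which may chain upwards
            changed = False
            for n, ind in self.model.nodes.items():
                if ind.predicate is None and n not in have and all(d in have for d in ind.depends_on):
                    have.add(n)
                    newly.add(n)
                    changed = True
        self.satisfied.setdefault(event.pid, set()).update(newly)
        return f"{self.model.goal} reached on pid {event.pid}" if self.model.goal in newly else None


# Hypothetical model: web service compromised, persistence planted, outbound C2 opened.
INTERPRETERS = {"sh", "bash", "dash", "python3", "perl"}
PERSISTENCE_PATHS = ("/etc/cron.d/", "/root/.ssh/authorized_keys", "/etc/rc.local")
TRUSTED_DST = {"10.0.0.5", "10.0.0.6"}  # assumed backends the service legitimately talks to
WEBSHELL_MODEL = IndicatorModel([
    Indicator("service_spawns_interpreter", "process",
              lambda e: e.attrs.get("parent_comm") == "httpd" and e.attrs.get("comm") in INTERPRETERS),
    Indicator("persistence_write", "file", lambda e: e.attrs.get("op") == "write"
              and e.attrs.get("path", "").startswith(PERSISTENCE_PATHS), ["service_spawns_interpreter"]),
    Indicator("outbound_untrusted", "network", lambda e: e.attrs.get("direction") == "out"
              and e.attrs.get("dst") not in TRUSTED_DST, ["service_spawns_interpreter"]),
    Indicator("foothold_with_c2", depends_on=["persistence_write", "outbound_untrusted"]),
], goal="foothold_with_c2")

# Constructed traces: two variants with different techniques but the same impact chain, plus a
# benign admin session (via sshd) that performs the same file and network actions.
VARIANT_A = [
    Event("process", 201, 100, {"comm": "bash", "parent_comm": "httpd"}),
    Event("file", 201, 100, {"op": "write", "path": "/etc/cron.d/update"}),
    Event("network", 201, 100, {"direction": "out", "dst": "203.0.113.7"}),
]
VARIANT_B = [  # the interpreter plants the key; a child process (curl, pid 302) dials out
    Event("process", 301, 100, {"comm": "python3", "parent_comm": "httpd"}),
    Event("file", 301, 100, {"op": "write", "path": "/root/.ssh/authorized_keys"}),
    Event("network", 302, 301, {"direction": "out", "dst": "198.51.100.9"}),
]
BENIGN = [
    Event("process", 401, 50, {"comm": "bash", "parent_comm": "sshd"}),
    Event("file", 401, 50, {"op": "write", "path": "/etc/cron.d/backup"}),
    Event("network", 401, 50, {"direction": "out", "dst": "203.0.113.7"}),
    Event("network", 100, 1, {"direction": "out", "dst": "10.0.0.5"}),
]


def detect(events: List[Event], model: IndicatorModel = WEBSHELL_MODEL) -> List[str]:
    det = Detector(model)
    return [alert for alert in (det.feed(e) for e in events) if alert]
```

Both variants reach the goal node even though one uses bash plus a cron drop and the other uses python3, an authorized_keys write and a separate curl child for the connection; the benign session performs the same file write and outbound connection but never satisfies the root indicator, so the dependent indicators are not even evaluated for it. The point the model makes is that matching is keyed on the impact chain, not on which binary or technique produced each step.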

Cite this article:

Wang LM, Bu L, Ma LZ, Yu XF, Shen NG. Attack detection method based on indicator-dependent model construction and monitoring. Ruan Jian Xue Bao/Journal of Software (软件学报), 2023, 34(6): 2641-2668 (in Chinese).

History:
  • Received: 2022-09-05
  • Revised: 2022-12-14
  • Published online: 2023-01-13
  • Published: 2023-06-06