一种可扩展的实时多步攻击场景重构方法

信息安全研究 ›› 2023, Vol. 9 ›› Issue (12): 1173-.

一种可扩展的实时多步攻击场景重构方法

谢峥1,2路广平3付安民3

1(南京赛宁信息技术有限公司南京211100)
2(复旦大学计算机学院上海200433)
3(南京理工大学计算机科学与工程学院南京210094)

出版日期:2023-12-20 发布日期:2023-12-28
通讯作者: 付安民博士，教授，博士生导师.主要研究方向为工业互联网安全、智能系统与软件安全. fuam@njust.edu.cn
作者简介:谢峥博士研究生，工程师，南京赛宁信息技术有限公司总经理.主要研究方向为网络攻防平台、网络靶场. xiezh@cyberpeace.cn 路广平硕士研究生.主要研究方向为威胁检测、警报关联. lugp@njust.edu.cn 付安民博士，教授，博士生导师.主要研究方向为工业互联网安全、智能系统与软件安全. fuam@njust.edu.cn

A Scalable Realtime Multistep Attack Scene Reconstruction Method#br#
#br#

Xie Zheng1,2, Lu Guangping3, and Fu Anmin3#br#

#br#

1(Nanjing Saining Information Technology Co., Ltd., Nanjing 211100)
2(School of Computer Science, Fudan University, Shanghai 200433)
3(School of Computer Science and Engineering, Nanjing University of Science & Technology, Nanjing 210094)

Online:2023-12-20 Published:2023-12-28

摘要/Abstract

摘要： 入侵检测系统(intrusion detection system, IDS)作为一种积极主动的安全防护技术，能够发现异常情况和及时发出警报信息或采取主动防护措施，成为网络安全系统的重要组成部分.但是近年随着网络攻击规模的快速增长，IDS在对复杂的多步攻击行为进行实时分析方面变得力不从心.设计了基于专家知识的可扩展攻击匹配模板，用以实现对多步攻击场景的还原与重构，从攻击者视角还原攻击事件，帮助安全人员定位安全威胁.以实时警报信息为输入，通过挖掘出语义知识和预先构建的攻击匹配模板，利用匹配关联算法对警报进行聚合和关联，还原攻击场景，展示攻击脉络.实验结果显示，该方法可以实现对IDS的实时警报处理和关联，形成的攻击事件和攻击场景可为安全人员对漏洞的修复和下一步攻击的预防提供极大帮助，同时，设计构建的攻击匹配模板具有可扩展性及应对未来更多攻击的能力.

关键词: 攻击场景重构, 多步攻击, 攻击匹配模板, 警报关联, 入侵检测系统

Abstract: As an active security protection technology, Intrusion Detection System (IDS) can find abnormal situations and send out alarm information in time or take active protection measures, becoming an important part of the network security system. But in recent years, with the increasing scale of network attacks, IDS has become powerless in realtime analysis of complex multistep attacks. This paper designed an extensible attack matching template based on expert prior knowledge to restore and reconstruct multistep attack scene, which is used to restore attack events from the perspective of attackers and help security personnel locate security threats. The method takes realtime alarm information as input, and through mining semantic knowledge and prebuilt attack matching template, it uses matching association algorithm to aggregate and correlate alerts, restore attack scene, and display attack context. The experimental results show that, the method can achieve realtime alert processing and correlation for IDS, and the formed attack events and attack scene will also provide great help for security personnel to repair the system and prevent the next attack. At the same time, the attack matching template has scalability and the ability to deal with more future attacks.

Key words: reconstruction of attack scene, multistep attack, attack matching templates, alert correlation, intrusion detection system

中图分类号:

TP393.08

谢峥, 路广平, 付安民, . 一种可扩展的实时多步攻击场景重构方法[J]. 信息安全研究, 2023, 9(12): 1173-.

参考文献

［1］蹇诗婕, 卢志刚, 杜丹, 等. 网络入侵检测技术综述［J］. 信息安全学报, 2020, 5(4): 96122［2］Kim J, Shin N, Jo S Y, et al. Method of intrusion detection using deep neural network［C］ Proc of 2017 IEEE Int Conf on Big Data and Smart Computing (BigComp). Piscataway, NJ: IEEE, 2017: 313316［3］Tjhai G C, Papadaki M, Furnell S M, et al. Investigating the problem of IDS false alarms: An experimental study using Snort［C］ Proc of IFIP Int Information Security Conf. Berlin: Springer, 2008: 253267［4］Luo Zhicheng, Dimg Weijia, Fu Anmin, et al. Highspeed network attack detection framework based on optimized feature selection［C］ Proc of Int Conf on Security and Privacy in Digital Economy. Berlin: Springer, 2020: 6578［5］张博, 崔佳巍, 屈肃, 等. 高级持续性威胁及其重构研究进展与挑战［J］. 信息安全研究, 2021, 7(6): 512519［6］黄强, 鲁学仲, 运凯, 等. 基于多源告警信息关联的网路安全技防技术［J］. 信息安全研究, 2021, 7(11): 10411046［7］潘亚峰, 朱俊虎, 周天阳. APT攻击场景重构方法综述［J］. 信息工程大学学报, 2021, 22(1): 5560, 80［8］Hu Erteng, Fu Anmin, Zhang Zhiyi, et al. ACTracker: A fast and efficient attack investigation method based on event causality［C］ Proc of IEEE Conf on Computer Communications Workshops (INFOCOM 2021). Piscataway, NJ: IEEE, 2021: 16［9］伏晓, 石进, 谢立. 用于自动证据分析的层次化入侵场景重构方法［J］. 软件学报, 2011, 22(5): 9961008［10］Milajerdi S M, Gjomemo R, Eshete B, et al. Holmes: Realtime apt detection through correlation of suspicious information flows［C］ Proc of 2019 IEEE Symp on Security and Privacy (SP). Piscataway, NJ: IEEE, 2019: 11371152［11］Dain O, Cunningham R K. Fusing a heterogeneous alert stream into scenarios［G］ Applications of Data Mining in Computer Security. Berlin: Springer, 2002: 103122［12］王硕, 汤光明, 王建华, 等. 基于因果知识网络的攻击场景构建方法［J］. 计算机研究与发展, 2018, 55(12): 26202636［13］Ye Nong, Zhang Yebin, Borror C M. Robustness of the Markovchain model for cyberattack detection［J］. IEEE Trans on Reliability, 2004, 53(1): 116123［14］Hassan W U, Guo S, Li D, et al. Nodoze: Combatting threat alert fatigue with automated provenance triage［C］ Proc of Network and Distributed Systems Security Symp. San Diego, CA: ISOC, 2019［15］Zhu Z, Dumitras T. ChainSmith: Automatically learning the semantics of malicious campaigns by mining threat intelligence reports［C］ Proc of 2018 IEEE European Symp on Security and Privacy (Euro S&P). Piscataway, NJ: IEEE, 2018: 458472［16］Bellas C, Naskos A, Kougka G, et al. A methodology for runtime detection and extraction of threat patterns［J］. SN Computer Science, 2020, 1: 113［17］孔斌, 吕遒健, 吴峥嵘. 数据驱动的网络安全风险事件预测技术研究［J］. 信息安全研究, 2019, 5(6): 477487

[1]	张明明, 刘凯, 李贤慧, 许梦晗, 顾颖程, 张见豪, 程环宇, 王永利, . 基于广义神经网络的网络攻击检测与分类方法[J]. 信息安全研究, 2023, 9(6): 593-.
[2]	李思涌, 吴书汉, 孙伟, . 基于注意力机制的CNN-LSTM网络车内CAN总线入侵检测技术[J]. 信息安全研究, 2023, 9(10): 961-.
[3]	陈立军, 张屹, 陈孝如, . 可编程数据平面系统异常检测系统的设计与实现[J]. 信息安全研究, 2022, 8(2): 135-.
[4]	黄屿璁, 张潮, 吕鑫, 曾涛, 王鑫元, 丁辰龙, . 基于深度学习的网络入侵检测研究综述[J]. 信息安全研究, 2022, 8(12): 1163-.
[5]	莫坤王娜李恒吉李朝阳李剑. 基于LightGBM的网络入侵检测系统[J]. 信息安全研究, 2019, 5(2): 152-156.