Research Progress and Challenge of Advanced Persistent Threat and Its Reconstruction

Abstract

Abstract: Advanced persistent threat attacks refer to long-term customized attacks on high-value targets, which will leave scattered traces on different hosts. At the same time, attackers will use various technologies to hide their actions in normal system activities, so it is difficult for analysts to observe them. In order to analyze it and take countermeasures, it is necessary to develop a new generation of threat detection and attack reconstruction tools, so that analysts can quickly determine whether there is a major intrusion, understand the process of attackers undermining system security, and determine the impact of attacks. Causality analysis is one of the most concerned methods and has strong robustness. In this paper, the advanced persistent threat attack is briefly introduced first, then the basic attack reconstruction schemes relying on causality analysis are discussed, and the threat detection and attack reconstruction schemes based on anomaly analysis, heuristic and graphic analysis methods are emphatically analyzed. The existing schemes are evaluated, and the challenges faced by the current attack reconstruction system are analyzed. Finally, the potential research directions of attack reconstruction are discussed and prospected.

Key words: attack reconstruction, causality analysis, advanced persistent threat attack, intrusion detection, threat detection

摘要： 高级持续威胁攻击指针对高价值目标发起的长期的定制攻击，会在不同主机上留下零散的痕迹，同时攻击者会使用各种技术将自己的行动隐藏在正常系统活动之中，因此难以被分析人员观测到．为了对其进行分析并采取对策，需要开发新一代的威胁检测与攻击重构工具，使分析人员能够快速确定是否有重大入侵，了解攻击者破坏系统安全的过程，并确定攻击的影响．其中因果关系分析是很受关注的一种手段，拥有较强的鲁棒性．本文首先简要介绍了高级持续威胁攻击，然后讨论了依赖因果关系分析的攻击重构基本方案，重点分析了基于异常分析、启发式和图形分析方法的威胁检测与攻击重构方案，并对现有的方案进行了评估，分析了当前攻击重构系统面临的挑战，最后对攻击重构潜在的研究方向进行了讨论和展望．

关键词: 攻击重构, 因果关系分析, 高级持续威胁攻击, 入侵检测, 威胁检测

张博崔佳巍屈肃付安民. 高级持续性威胁及其重构研究进展与挑战[J]. 信息安全研究, 2021, 7(6): 512-519.

References

[1]Chen P,Desmet L,Huygens L.A study on advanced persistent threats[C]//Proc of IFIP Int Conf on Communications and Multimedia Security.Berlin:Springer,2014:63–72
[2]Alshamrani A, Myneni S, Chowdhary A, et al. A survey on advanced persistent threats: Techniques, solutions, challenges, and research opportunities[J].IEEE Communications Surveys&Tutorials,2019,21(2):1851–1877
[3]崔传桢,田霞. 卫达安全，构建网络安全智能动态防御系统[J].信息安全研究,2017,3(12):1058-1066
[4]Pietrzak P. Jak skutecznie obslugiwac zaawansowane ataki APT[EB/OL].[2020-12-19].https://magazyn.mediarecovery.pl/jak-skutecznie-obslugiwaczaawansowane-ataki-apt-tzw-advanced-persistent-threats
[5]奇安信威胁情报中心.全球高级持续性威胁（APT）2020年度报告[EB/OL].[2021-02-07].https://ti.qianxin.com/uploads/2021/02/08/dd941ecf98c7cb9bf0111a8416131aa1.pdf
[6]360政企安全.2020全球高级持续性威胁APT研究报告[EB/OL].[2021-02-25]. http://pub-shbt.s3.360.cn/cert-public-file/2020全球高级持续性威胁APT研究报告.pdf
[7]Thailand Computer Emergency Response Team. Threat group cards:A threat actor encyclopedia[EB/OL].[2020-12-03].https://www.thaicert.or.th/downloads/files/Threat_Group_Cards_v2.0.pdf
[8]The MITRE Corporation. ATT&CK matrix for enterprise[EB/OL].[2020-08-11].https://attack.mitre.org/
[9]McWhorter D. Mandiant exposes APT1-One of China’s cyber espionage units & releases 3,000 indicators[EB/OL]. Alexandria, Virginia:Mandiant,2013[2020-11-14].https://www.fireeye.com/blog/threat-research/2013/02/mandiant-exposes-apt1-chinas-cyber-espionage-units.html
[10]Bhatt P, Yano E T, Gustavsson P. Towards a framework to detect multi-stage advanced persistent threats attacks[C]//Proc of the 8th IEEE Int Symp on Service Oriented System Engineering. Piscataway,NJ:IEEE,2014:390–395.
[11]Caltagirone S. The diamond model of intrusion analysis[EB/OL].Hanover Md:Center For Cyber Intelligence Analysis and Threat Research,2013[2021-01-22]. https://www.threatintel.academy/wp-content/uploads/2020/07/diamond_summary.pdf
[12]Li Z, Chen Q A, Yang R, et al. Threat detection and investigation with system-level provenance graphs:A survey[J].Computers & Security,2021,106
[13]Hossain M, Milajerdi S, Wang Junao, et al.SLEUTH: Real-time attack scenario reconstruction from COTS audit data[C]//Proc of the 26th USENIX Security Symp. Berkeley, CA: USENIX Association,2017
[14]Defense Advanced Research Projects Agency. DRAPA transparent computing[EB/OL].2015[2020-08-14].https://www.darpa.mil/program/transparent-computing.
[15]王文娟,杜学绘,任志宇,等.基于因果知识和时空关联的云平台攻击场景重构[J].计算机科学,2021,48(2):317-323
[16]Ning Peng, Cui Yun, S. Reeves Douglas. Constructing attack scenarios through correlation of instrusion[C]//Proc of ACM Symp on Computer and Communications Security. New York:ACM,2002:245-254
[17]King S.T, Chen P M. Backtracking intrusions[C]//Proc of the 19th ACM Symp on Operating Systems Principles. New York:ACM,2003
[18]Liu Yushan, Zhang Mu, Li Ding, et al. Towards a timely causality analysis for enterprise security[C]//Proc of Network and Distributed System Security Symp (NDSS). Reston, Virginia: ISOC,2018
[19]Hu Erteng, Fu Anmin, Zhang Zhiyi, et al. ACTracker:A fast and efficient attack investigation method based on event causality[C]//IEEE INFOCOM-IEEE Conf on Computer Communications Workshops. Los Alamitos, CA: IEEE Computer Society,2021
[20]Symantec.Symantec internet security threat report[EB/OL].2020[2021-01-24]. https://docs.broadcom.com/doc/istr-24-2019-en
[21]Hassan W U, Guo Shengjian, Li Ding, et al.NODOZE:Combatting threat alert fatigue with automated provenance triage[C]//Proc of the 26th Annual Network and Distributed System Security Symp (NDSS).Reston,Virginia:ISOC,2019
[22]Milajerdi S M, Gjomemo R, Eshete B, et al. HOLMES: Real-time APT detection through correlation of suspicious information flows[C]//Proc of 2019 IEEE Symp on security and privacy (S&P). Los Alamitos, CA:IEEE Computer Society,2019:1137-1152
[23]Hassan W U, Bates A, Marino D. Tactical provenance analysis for endpoint detection and response systems[C]//Proc of 2020 IEEE Symp on Security and Privacy (S&P). Los Alamitos, CA: IEEE Computer Society,2020:1172-1189
[24]Pei Kexin, Gu Zhongshu, Saltaformaggio B, et al. HERCULE: Attack story reconstruction via community discovery on correlated log graph[C]//Proc of the 32nd Annual Conf on Computer Security Applications (ACSAC '16).New York: ACM, 2016:583–595
[25]Milajerdi S M, Eshete B, Gjomemo R, et al. Poirot:Aligning attack behavior with kernel audit records for cyber threat hunting[C]//Proc of 2019 ACM SIGSAC Conf on Computer and Communications Security. New York:ACM,2019:1795-1812
[26]Luo Zhicheng, Ding Weijia, Fu Anmin, et al. High-speed network attack detection framework based on optimized feature selection[C]//Proc of Int Conf on Security and Privacy in Digital Economy(SPDE). Berlin: Springer, 2020:65-78
[27]杨频,朱悦,张磊.基于属性数据流图的恶意代码家族分类[J].信息安全研究,2020,6(3):228-234