基于目标模型的APT攻击检测研究

Advanced Persistent Threats (APTs) are some of the most growing information security threats today. Their persistence and advancement make it difficult for traditional attack detecting methods based on signatures and specified point-in-time to detect them. Big data analysis is one of the widely acceptable methods used by current researchers to detect the APTs, while the quantity of the security events and the weakness of correlations among them become the roadblocks when applying said methods. Thus, the pivotal problems in detecting the APTs with big data analysis is to pick up key events from the mass of the security events and to discover the weak correlation among them.. In this project, it is found that APTs are launched against some targets with various means. However, the attacking target is changeless which means that the target is the only constant element of the dynamic attacking process, while theother elements changed dynamically according to the information about the target gathered. The attackers arranged an attack based on the analysis of the target. Thus with the analysis of the target, it is possible to organize numerous and complex attacking fragments during a long time to help for APT detection..The project plans to conduct research around ‘Targets’ and an APT detection method based on Target Model is proposed, wherein Target Model describes the target from the aspect of the defenders who are better informed about the target. With the target model, we can find the key events of an APT attack and also discover the weak correlations among the events to backtrack the whole attacking process.

APT 攻击的持续性和先进性使得传统基于时间点和特征匹配的攻击检测技术难以适用,大数据分析是APT攻击检测重要研究方向,但海量的安全事件和事件间关联的隐蔽性制约了该类方法的发展,发现APT攻击的核心事件及事件间的关联关系,是APT攻击检测亟待解决的关键问题。.本项目认为,“目标”是APT攻击中唯一的不变量,攻击者围绕目标制定攻击方案,只有对目标进行深入分析，才能以不变应万变, 将APT攻击过程中繁多的、长时间的、复杂的、片段化的攻击痕迹组织起来,检测APT攻击。本项目拟以“目标”为核心,目标由防御方自行定义，一般是机构内最有价值的对象，也即是最有可能成为APT攻击目标的对象。研究目标模型的建立，并基于目标模型,从海量数据中发现针对目标的APT攻击的核心事件集和事件间的隐蔽关联关系,进而检测出针对目标的APT攻击,并揭示APT攻击全过程。

APT攻击是攻击者以任务为导向对目标实施的长期、复杂的攻击。APT攻击过程中根据目标环境动态采用各种攻击手段，攻击效果显著且难于防范，已成为网络渗透和系统攻击的演进趋势，而其危害性远远大于传统的网络攻击，对经济、能源甚至国家的政治及军事造成严重危害。因此，研究APT攻击检测技术，发现正在进行中的APT攻击，并还原APT攻击的整个过程是安全领域的必然需求，具有重大的现实意义。.本项目认为，“目标”是 APT 攻击中唯一的不变量，只有明确目标，才能以不变应万变，将 APT 攻击过程中繁多的、长时间的、复杂的、片段化的攻击痕迹组织起来，实现 APT 攻击检测的目的。因此，本项目以防御方自定义的保护对象，即最有可能成为APT攻击目标的对象为核心，关联APT攻击过程中的海量安全事件，实现APT攻击检测，并还原APT攻击全过程。.本项目第一年度主要研究通用目标模型的建立及动态目标模型的生成，搭建大数据分析平台；第二季度研究基于模型的扩展图及目标安全影响图的自动生成，以及研究基于目标模型的种子安全事件生成方法与迭代启发式隐蔽关联发现方法；第三季度为搭建实验环境，模拟典型APT攻击，根据仿真实验结果对相关技术方案进行调整工作。本项目按期完成研究计划，将项目研究成果形成多篇高质量的论文，并在国内外的知名会议和期刊上投稿并录用，如IEEE Access、Security and Communication Network等。本项目共发表及录用论文19篇，其中SCI检索10篇，EI检索4篇，申请专利4项。.本项目结合已有的工作基础，在对APT攻击进行深入研究的基础之上，提出基于目标模型的APT攻击检测。目标可由防御方自行定义，往往是机构内最有价值的对象，也即是最有可能成为APT攻击目标的对象。基于目标模型对安全事件进行多尺度量化，从海量数据集中挖掘出最有可能构成针对目标的APT攻击的安全事件，形成种子安全事件集，并基于目标模型发现安全事件间的隐蔽关联关系。这项研究的科学意义还在于为APT攻击检测、网络攻击检测提供新的研究方法和研究思路。