CN115484062B - A threat detection method, device and equipment based on APT attack graph - Google Patents

Info

Publication number
CN115484062B
Authority
CN
China
Prior art keywords
attack
apt
node
score
alarm
Prior art date
Legal status
Active
Application number
CN202210960193.XA
Other languages
Chinese (zh)
Other versions
CN115484062A (en)
Inventor
高庆官
张博
付安民
王国伟
杨劲松
Current Assignee
Nanjing Cyber Peace Technology Co Ltd
Original Assignee
Nanjing Cyber Peace Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention discloses a threat detection method, device and equipment based on an APT attack graph. The method of the present invention includes the steps of APT attack graph generation, intrusion alarm collection, attack path identification, APT attack detection, and evidence chain reconstruction. The present invention reduces the real-time attack analysis overhead by designing an APT attack graph and pre-analyzing attack actions according to network and system information; evaluates attacks from multiple angles such as harmfulness and necessity to ensure the comprehensiveness of threat detection, and designs an attack path scoring method to achieve global attack analysis; associates attack behavior traces to form an evidence chain, and uses a gray list to associate multiple attack entities to achieve accurate positioning of the attack impact range. By combining the three capabilities of APT attack prediction, detection and monitoring, the problem of threat alarm fatigue is effectively combated, and the robustness of zero-day vulnerability exploit detection is improved, so that the present invention can efficiently and accurately detect APT attacks.

Description

Threat detection method, device and equipment based on APT attack graph
Technical Field
The invention relates to the technical field of network space security, in particular to a threat detection method, device and equipment based on an APT attack graph.
Background
Advanced Persistent Threat (APT) attacks are network attacks launched by sophisticated, well-resourced attackers against high-value targets such as enterprises or governments. Compared with general network attacks, APT attacks cause more serious damage, including theft of intellectual property, leakage of financial information and destruction of critical infrastructure, and are a major threat to current network security. Three characteristics of APT attacks make detection difficult: long latency, slow action and the use of zero-day vulnerabilities. Current detection faces two kinds of challenges: (1) intrusion detection tools generate a large number of false alarms, creating a backlog of investigation tasks for analysts, and because the low-level log system is too large, confirming the authenticity of threat alarms requires tedious manual work, which causes the threat alarm fatigue problem; and (2) zero-day exploitation behavior in the attack process is difficult to detect. Therefore, how to design a low-cost method that effectively counters threat alarm fatigue and finds zero-day exploit traces in time is the main problem to be solved at present.
An attack graph is a directed graph representing all attack paths an attacker may take; it is a powerful security technique that models the multiple ways an attacker may compromise different assets in a network. Threat information is used as an external information resource on direct or potential security threats, so that security personnel can rapidly screen malicious attacks and respond and defend in time. Attack graphs are therefore widely used to actively discover vulnerable points in a system and to understand the security state of the current network. The attack graph is the most commonly used and effective method among existing network vulnerability analysis methods: it displays the details of attack behavior intuitively and graphically through attack paths, supports prediction of an attacker's intention and subsequent behavior, and helps a defender understand the relationships among vulnerabilities in the target network and between vulnerabilities and network security configuration. However, in the field of APT attack detection, attack graphs have lost applicability because attacks cannot be detected and located with them, so feasible applications of attack graphs are lacking there.
Existing APT attack detection methods can generally be divided into two types: heuristic matching-based methods and anomaly analysis-based methods. Anomaly analysis-based methods first observe and collect benign system environment data, build a benign system behavior model, and discover attack behavior from deviations from that model; they suffer from demanding usage conditions, weak portability and a high miss rate. Methods that analyze the system with attribute attack graph technology are costly, and asymmetric information often causes missed reports. Whether based on heuristic matching or anomaly analysis, current APT detection methods mainly have two problems: missed detection caused by zero-day exploits, and threat alarm fatigue.
Disclosure of Invention
Aiming at the problems existing in the prior art, the invention provides a threat detection method, device and equipment based on an APT attack graph, so as to counter the threat alarm fatigue problem in APT attack detection, improve resistance to zero-day exploit attacks, identify serious intrusions occurring in a system and locate the attack impact range.
The technical scheme for realizing the aim of the invention is that the threat detection method based on the APT attack graph comprises the following steps:
Generating an APT attack graph based on the collected network and system information to be protected, and collecting malicious behavior intrusion alarms through a deployed intrusion detection system, wherein an attack behavior node in the APT attack graph comprises an attack technology and APT stage information;
matching the intrusion alarm with an attack technology in the APT attack graph to obtain an attack path associated with the intrusion alarm, wherein the attack path comprises at least one attack behavior node matched with the intrusion alarm;
quantitatively analyzing each attack behavior node on the attack path from the aspects of attack behavior commonness, severity and necessity to obtain a commonness score S_c, a severity score S_s and a necessity score S_n respectively, which are combined into the comprehensive score of the APT attack behavior, wherein A is the highest value of the commonness and severity scores, α and β are weights greater than 0 and less than 1 with α+β=1, and S_n is 0 or 1, being 1 if the attack behavior belongs to an essential stage of the APT attack;
and carrying out evidence chain reconstruction on the attack path of the APT attack, and displaying the actions of the attacker and the interaction between the risk entities in the system to be protected.
Preferably, when generating the APT attack graph, reasoning analysis is carried out on the collected information using the MulVAL framework: possible attack behaviors are inferred first, the APT stage corresponding to each attack behavior is analyzed, and, starting from an attack initial node whose attack stage is reconnaissance, resource development or initial access, reasoning proceeds along the direction of the edges. If the attack graph contains a directed edge from node A to node B, node A is defined as the front node of node B and node B as the rear node of node A. The reasoning rules are as follows:
(1) the stage of the rear node is a subsequent stage of the front node, where the subsequent stage is either the next stage after the front node's APT stage or the same as the front node's APT stage;
(2) if a node has several subsequent stages, backward analysis is carried out for each of them;
(3) if the rear node cannot satisfy the attack stage relation requirement, the path is not established;
(4) finally, all attack stage paths obtained by reasoning are included in the attack graph.
Preferably, in the quantitative analysis of attack behaviors, the commonness and severity of attack behaviors are graded based on the ATT&CK model: the more common an attack behavior is, the higher its commonness score, and the more serious it is, the higher its severity score.
Preferably, the collected intrusion alarms are aggregated according to the similarity between alarm features, and a plurality of alarms caused by the same attack behavior are combined into one alarm group, so that the alarm scale is reduced.
Preferably, when matching intrusion alarms with the attack graph, an alarm that matches no attack node in the attack graph is stored as an independent alarm; if a similar alarm exists for an independent alarm, the independent alarm is added to the attack node matched by that similar alarm.
Preferably, when the evidence chain is reconstructed, the alarm entities on the APT attack path are associated first and an initial evidence chain is generated from the associations between alarms; then an evidence chain reduction method based on event occurrence frequency and a multi-attack entity association mechanism based on a gray list are applied, and system entities are screened on the basis of the intrusion alarm information.
In the gray list-based multi-attack entity association mechanism, system entities excluded on the basis of event occurrence frequency are added to a monitoring gray list and their credibility is evaluated, with level 0 being the lowest. If the anomaly score of an event is lower than the set threshold, the entity associated with the event is not shown as attack evidence and is recorded in the gray list for the first time with credibility 1; if an entity with credibility 1 is associated with other attacks, its credibility is set to 0 and it is checked; if the check finds the entity safe, its credibility is set to 2, and entities with credibility 2 are deleted after a set time window. Here event anomaly score = 1 - event frequency score, and the event frequency score is normalized to the interval [0,1].
Based on the same inventive concept, the invention provides a threat detection apparatus based on an APT attack graph, comprising:
The APT attack graph generation module is used for generating an APT attack graph based on the collected network and the system information to be protected, and an attack behavior node in the APT attack graph comprises an attack technology and APT stage information;
The alarm collection module is used for collecting malicious behavior intrusion alarms through the deployed intrusion detection system;
The attack path identification module is used for matching the intrusion alarm with an attack technology in the APT attack graph to acquire an attack path associated with the intrusion alarm, wherein the attack path comprises at least one attack behavior node matched with the intrusion alarm;
The APT attack detection module is configured to quantitatively analyze each attack behavior node on the attack path from the viewpoint of attack behavior commonness, severity and necessity to obtain a commonness score S_c, a severity score S_s and a necessity score S_n respectively, which are combined into the comprehensive score of the APT attack behavior, wherein A is the highest value of the commonness and severity scores, α and β are weights greater than 0 and less than 1 with α+β=1, and S_n is 0 or 1; the comprehensive scores of all attack behavior nodes matched with intrusion alarms on the whole attack path are accumulated, the accumulated value is taken as the path score, and APT attacks are identified based on the path score;
and the evidence chain restoration module is used for carrying out evidence chain reconstruction on the attack path of the APT attack, and displaying the actions of an attacker and the interaction between dangerous entities in the system to be protected.
Based on the same inventive concept, the invention provides a computer device, comprising a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the computer program is characterized in that the steps of the threat detection method based on the APT attack graph are realized when the computer program is loaded to the processor.
Based on the same inventive concept, the present invention provides a computer readable storage medium storing a computer program, wherein the computer program when executed by a processor implements the steps of the threat detection method based on the APT attack graph.
Compared with the prior art, the invention has the following advantages:
(1) Robust zero-day exploit detection. The invention adds necessity-of-attack-stage information to the threat detection process, so that detection considers the three angles of commonness, severity and necessity together; at the same time the attack path evaluation mechanism strengthens the detection of zero-day exploit attacks, prevents an attacker from bypassing detection by using a zero-day vulnerability, achieves comprehensive APT attack detection, and makes zero-day exploit detection more robust.
(2) The alarm scale is reduced. The invention uses the designed APT attack graph to analyze the possibility of attack behavior in advance, and uses the attack behavior and path scoring method to detect APT attacks, thereby greatly reducing the scale of alarms raised by the underlying intrusion detection system for long-term attack analysis and countering the threat alarm fatigue problem in APT attack detection.
(3) Accurate restoration of the attack impact range. The invention further designs an evidence chain reduction method based on event frequency and a multi-attack entity association method based on a gray list. When an APT attack is detected, restoring the evidence chain by recovering every system entity involved in the attack alarms may produce an excessively large inspection range. By computing the occurrence frequency of system events, the evidence chain and the checking range can be reduced, and the gray list-based multi-attack entity association method ensures the security of this reduction.
(4) Low overhead. The method carries out attack prediction based on the APT attack graph, is not limited by real-time analysis of massive system events in the traditional detection method, and reduces storage overhead and calculation overhead required by threat detection by a rapid and efficient matching mechanism.
Drawings
FIG. 1 is a method general flow diagram of an embodiment of the present invention.
FIG. 2 is a schematic illustration of an APT attack in an embodiment of the present invention.
FIG. 3 is an exemplary diagram of evidence chain reduction results in an embodiment of the present invention.
FIG. 4 is a schematic view of the structure of the device according to an embodiment of the present invention.
Detailed Description
The invention is described in further detail below with reference to the accompanying drawings and specific examples. The following examples are given by way of illustration of the embodiments and procedures of the present invention, but the scope of the present invention is not limited to the following examples.
The embodiment of the invention discloses a threat detection method based on an APT attack graph. It first generates the APT attack graph based on the collected network and system information to be protected and collects malicious behavior intrusion alarms through a deployed intrusion detection system; then matches the intrusion alarms with attack techniques in the APT attack graph to obtain the attack paths related to the intrusion alarms; quantitatively analyzes each attack behavior node on the attack paths from the aspects of commonness, severity and necessity of the attack behaviors, scores the attack behaviors comprehensively from these three aspects, calculates the score of the whole attack path, and identifies APT attacks based on the path score; and finally carries out evidence chain reconstruction on the attack paths in which an APT attack was detected, displaying the actions of the attacker and their interaction with the risk entities in the system to be protected.
As shown in fig. 1, the specific implementation steps of this embodiment are as follows:
Step 1: generating an APT attack graph.
First, the network and system information to be protected is collected to obtain network topology, network services, vulnerability information, system accounts, data access policies, attack targets and the like, in support of APT attack graph generation.
Based on the collected initial information, the MulVAL framework is used for preliminary reasoning, analyzing the series of attack behaviors that may occur under the current network conditions; starting from the attack behavior sequence, the APT attack stages are analyzed, and reasoning proceeds backward from the nodes of the initial attack stage to finally produce the APT attack graph. As shown in FIG. 2, the APT attack graph mainly comprises three types of nodes: initial information nodes, attack behavior nodes and attack target nodes. In the figure, an initial information node is drawn as a rectangle and displays network topology, network services, vulnerability information, account information, data access policies and the like; an attack behavior node is drawn as an ellipse and displays two pieces of information, the attack technique and the corresponding APT stage, for example "token theft technique - privilege escalation"; and an attack target node is drawn as a diamond and displays the protected target device. The edges connect system states to attack actions and attack actions to one another.
Specifically, the embodiment infers possible attack behaviors from the initial information and analyzes the APT stage corresponding to each attack behavior according to the technique-stage relationship. A top-down reasoning method is adopted: starting from an attack initial node whose attack stage is reconnaissance, resource development or initial access, reasoning proceeds along the direction of the edges. If the attack graph contains a directed edge from node A to node B, node A is defined as the front node of node B and node B as the rear node of node A.
The attack stage reasoning rules are as follows:
(1) The corresponding phase of the post node is the subsequent phase of the pre node, which is the next phase of the APT phase of the pre node (the phase to which the attacker further acts) or is the same as the APT phase of the pre node.
(2) If a node has several subsequent stages satisfying rule (1), backward analysis is carried out separately for each of them.
(3) If the post node cannot meet the attack stage relation requirement, the path is not established.
(4) The final attack graph contains all attack stage paths obtained by reasoning.
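As an added illustration (not code from the patent), the following Python applies rules (1)-(4) to a small constructed attack graph; the full ordered stage list and the technique and node names are assumptions, since the text only names the three initial stages.

```python
"""APT-stage reasoning rules (1)-(4) on a small constructed attack graph.

Added example, not the patent's code. The stage ordering follows the ATT&CK
Enterprise tactic order as an assumption; the text itself only names
reconnaissance, resource development and initial access as initial stages.
"""
from typing import Dict, List, Tuple

STAGES = [
    "reconnaissance", "resource_development", "initial_access", "execution",
    "persistence", "privilege_escalation", "defense_evasion",
    "credential_access", "discovery", "lateral_movement", "collection",
    "command_and_control", "exfiltration", "impact",
]
STAGE_INDEX = {stage: i for i, stage in enumerate(STAGES)}
INITIAL_STAGES = {"reconnaissance", "resource_development", "initial_access"}
TARGET = "target"  # stage label for attack target nodes (the diamonds in FIG. 2)

Node = Tuple[str, str]           # (attack technique, APT stage)
Graph = Dict[Node, List[Node]]   # node -> rear nodes reached by directed edges


def stage_allowed(pre_stage: str, post_stage: str) -> bool:
    """Rule (1): the rear node's stage is the front node's stage or the next one."""
    if pre_stage not in STAGE_INDEX or post_stage not in STAGE_INDEX:
        return False
    return STAGE_INDEX[post_stage] - STAGE_INDEX[pre_stage] in (0, 1)


def initial_nodes(graph: Graph) -> List[Node]:
    """Attack initial nodes: initial-stage behaviours with no incoming edge."""
    has_pred = {succ for succs in graph.values() for succ in succs}
    return [n for n in graph if n[1] in INITIAL_STAGES and n not in has_pred]


def enumerate_paths(graph: Graph) -> List[List[Node]]:
    """Rules (2)-(4): depth-first reasoning along edges from every initial node.

    Each stage-consistent branch is followed separately (rule 2); an edge that
    violates the stage relation does not establish a path (rule 3); every path
    that reaches an attack target node is collected (rule 4).
    """
    paths: List[List[Node]] = []

    def walk(node: Node, path: List[Node]) -> None:
        for nxt in graph.get(node, []):
            if nxt in path:            # guard against cycles in the input graph
                continue
            if nxt[1] == TARGET:
                paths.append(path + [nxt])
            elif stage_allowed(node[1], nxt[1]):
                walk(nxt, path + [nxt])
            # otherwise rule (3) applies and the branch is dropped

    for start in initial_nodes(graph):
        walk(start, [start])
    return paths


def example_graph() -> Graph:
    """Constructed graph: one valid chain, one same-stage branch, one invalid jump."""
    scan = ("active_scanning", "reconnaissance")
    infra = ("acquire_infrastructure", "resource_development")
    exploit = ("exploit_public_application", "initial_access")
    shell = ("command_interpreter", "execution")
    script = ("scripting", "execution")
    webshell = ("web_shell", "persistence")
    token = ("token_theft", "privilege_escalation")
    exfil = ("exfiltration_over_c2", "exfiltration")
    host = ("protected_host", TARGET)
    return {
        scan: [infra],
        infra: [exploit],
        exploit: [shell, exfil],    # initial_access -> exfiltration breaks rule (1)
        shell: [script, webshell],  # same-stage rear node is allowed
        script: [webshell],
        webshell: [token],
        token: [host],
        exfil: [host],
    }


if __name__ == "__main__":
    for p in enumerate_paths(example_graph()):
        print(" -> ".join(f"{t}[{s}]" for t, s in p))
```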
Step 2: alarm collection and aggregation.
An underlying Snort intrusion detection system is deployed on the protected hosts or devices to collect malicious behavior intrusion alarms. Alarms can be further aggregated according to the similarity between alarm features, reducing the alarm scale. Alarm aggregation uses the similarity of feature fields between alarms such as source IP address, destination port, thread ID, process ID, alarm event and proxy server, for example alarms with the same source IP address: several alarms caused by the same attack action are combined into one alarm group, the attack alarm event information is extracted, and the alarm scale is reduced in a first pass.
Step 3: attack path identification
Intrusion alarms often contain malicious traces or attack tool information of finer granularity than attack techniques. To establish the association between intrusion alarms and attack techniques, on the one hand the common malicious behaviors of intrusion alarms are collected in advance and a correspondence is established, and on the other hand attack tools are queried and the high-level semantics of common intrusion alarm information are organized; the intrusion alarm information is then matched with the techniques in the attack graph to obtain the APT attack graph onto which the intrusion alarms are mapped, supporting analysis of APT attack stage progress. An alarm that matches no node of the attack graph is defined as an independent alarm and set aside.
Searching all attack paths in the attack graph, and acquiring a series of alarms and corresponding attack information on each attack path. For independent alarms, a broader similarity between alarms is determined based on the alarm characteristics field, such as alarms with source IP addresses in the same subnet. If the similar alarm exists in a certain independent alarm, the independent alarm is used as the auxiliary information of the path to which the similar alarm belongs to be detected together.
Step 4: APT attack detection
A missing path matching scoring algorithm is designed for APT attacks, and APT behavior is quantitatively analyzed from the aspects of attack behavior commonness, severity and necessity. The commonness score S_c, severity score S_s and necessity score S_n are calculated respectively and combined into the comprehensive score of the APT attack behavior, wherein A is the highest value of the commonness and severity scores, α and β are weights greater than 0 and less than 1 with α+β=1, and S_n is 0 or 1, being 1 if the attack behavior belongs to a necessary stage of the APT attack.
In this example, attack commonness and severity are quantified based on the technique analysis in the ATT&CK model; the corresponding behavior scores S_c and S_s both take values in [0,10], and a behavior with a lower commonness score S_c or a higher severity score S_s is more likely to be an APT attack behavior.
Recent research [Xiong C, Zhu T, Dong W, et al. CONAN: A practical real-time APT detection system with high accuracy and efficiency[J]. IEEE Transactions on Dependable and Secure Computing, 2020.] proposes a three-phase APT attack detection model and points out that three parts of an APT attack remain unchanged: (1) deploying and executing the attacker's code, i.e. the attacker must first deploy code on the victim to achieve the objective; (2) collecting sensitive information or causing damage, since the attacker will typically try to steal confidential data or damage the victim's data and machines; and (3) communicating with a C&C server or exfiltrating sensitive data, which is also a necessary operation to accomplish an APT attack. Based on this necessity conclusion from the three-phase detection model, the scheme evaluates the necessity of each attack behavior in the APT attack process with a score S_n of 0 or 1; a necessity score of 1 for a behavior means that if the attack behavior occurs, an APT attack is necessarily under way.
In this example the APT behavior score of each alarm node is calculated quantitatively with the comprehensive score formula. After accumulating the alarm node scores over the whole path, a normalization analysis is performed with the formula Pathsum' = (Pathsum - min(Pathsums)) / (max(Pathsums) - min(Pathsums)), where Pathsum and Pathsum' are the score values of an attack path before and after normalization respectively, and Pathsums is the set of scores of all attack paths.
Paths that score too high (exceeding a set threshold) are identified as APT attacks.
The attack path detected from the alarm nodes may lack some stage information of the APT attack because the attacker evades the intrusion detection system's inspection with attack behaviors launched through zero-day vulnerabilities; however, by comprehensively analyzing the risk degree of the whole attack path, and in particular by checking APT attack necessity, the system can still discover the APT attack. Thus, although incomplete matching of local attack paths is allowed in threat discrimination, strict attack detection is achieved at the global level; this gives the detection system robustness in zero-day exploit detection, and the attacker's course of action can be deduced in reverse through subsequent evidence restoration so as to capture evidence of the zero-day exploit.
According to the APT attack graph and the intrusion alert set, an algorithm for identifying an APT attack path is described as follows:
Algorithm 1. Missing path matching scoring algorithm MPS(AAG, Alerts)
Input: APT attack graph AAG, alert set Alerts
Output: attack path set APaths with anomaly scores
    SingleAlerts <- empty set
    FOR each Ae IN Alerts
        action <- attack action of the alarm Ae currently being processed
        APTAction <- APT behavior corresponding to action
        Score <- GetScore(APTAction)
        matched <- FALSE
        FOR each V IN AAG
            IF V.action = APTAction.action THEN
                V.score <- Score
                matched <- TRUE
            END IF
        END FOR
        IF NOT matched THEN
            ADD (Ae, APTAction, Score) TO SingleAlerts
        END IF
    END FOR
    FOR each SAlert IN SingleAlerts
        FIND an alarm similar to SAlert that matched a node of AAG
        IF such an alarm exists THEN
            ADD SAlert to the node of the similar alarm as auxiliary information
            DELETE SAlert FROM SingleAlerts
        END IF
    END FOR
    APaths <- empty list
    Pathsums <- empty list
    FOR each AttackPath IN AAG
        Pathsum <- 0
        FOR each V IN AttackPath
            Pathsum <- Pathsum + V.score
        END FOR
        APPEND AttackPath TO APaths
        APPEND Pathsum TO Pathsums
    END FOR
    FOR each AttackPath IN APaths with its Pathsum IN Pathsums
        AttackPath.score <- (Pathsum - min(Pathsums)) / (max(Pathsums) - min(Pathsums))
    END FOR
    RETURN APaths
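The following Python is an added implementation of Algorithm 1 on constructed paths and alarms, not the patent's own code; GetScore() is stood in for by a constructed per-technique score table (the comprehensive score formula is not reproduced here), and the signature-to-technique mapping and the "same /24 subnet" similarity rule are assumptions.

```python
"""Missing-path-matching scoring (Algorithm 1) on constructed paths and alarms.

Added example, not the patent's code. GetScore() is replaced by a constructed
per-technique score table; the signature-to-technique mapping and the
same-/24-subnet similarity rule for independent alarms are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Callable, Dict, List, Tuple


@dataclass
class Node:
    technique: str
    score: float = 0.0
    alarms: List[str] = field(default_factory=list)  # matched and auxiliary alarm ids


@dataclass
class Alarm:
    alarm_id: str
    signature: str
    src_ip: str


# Constructed correspondence between IDS signatures and attack techniques.
SIGNATURE_TO_TECHNIQUE: Dict[str, str] = {
    "SCAN nmap": "active_scanning",
    "WEB apache exploit": "exploit_public_application",
    "TROJAN mstream agent": "ddos_agent",
}
# Constructed stand-in for GetScore(APTAction): comprehensive score per technique.
TECHNIQUE_SCORE: Dict[str, float] = {
    "active_scanning": 2.0,
    "exploit_public_application": 6.0,
    "ddos_agent": 7.0,
    "token_theft": 5.0,
}


def same_subnet(ip_a: str, ip_b: str, prefix: int = 24) -> bool:
    """Broader similarity used for independent alarms: same /prefix IPv4 subnet."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return (int(ip_address(ip_a)) & mask) == (int(ip_address(ip_b)) & mask)


def mps(paths: List[List[Node]], alarms: List[Alarm],
        get_score: Callable[[str], float]) -> List[Tuple[List[Node], float]]:
    """Return every attack path with its min-max normalised path score."""
    nodes = list({id(v): v for p in paths for v in p}.values())  # shared nodes once
    matched: List[Tuple[Alarm, Node]] = []
    single: List[Alarm] = []
    for ae in alarms:
        technique = SIGNATURE_TO_TECHNIQUE.get(ae.signature)
        hits = [v for v in nodes if v.technique == technique] if technique else []
        for v in hits:
            v.score = get_score(technique)
            if ae.alarm_id not in v.alarms:
                v.alarms.append(ae.alarm_id)
            matched.append((ae, v))
        if not hits:
            single.append(ae)  # independent alarm: matches no node of the graph
    # An independent alarm becomes auxiliary information of a similar alarm's node.
    for sa in single:
        for ae, v in matched:
            if same_subnet(sa.src_ip, ae.src_ip):
                if sa.alarm_id not in v.alarms:
                    v.alarms.append(sa.alarm_id)
                break
    sums = [sum(v.score for v in p) for p in paths]
    lo, hi = min(sums), max(sums)
    span = hi - lo
    # Min-max normalisation; a single path or all-equal sums would divide by
    # zero, so those cases map to 0.0 instead of raising.
    return [(p, (s - lo) / span if span else 0.0) for p, s in zip(paths, sums)]


def detect_apt(scored: List[Tuple[List[Node], float]], threshold: float) -> List[int]:
    """Indices of paths whose normalised score exceeds the set threshold."""
    return [i for i, (_, score) in enumerate(scored) if score > threshold]


def example() -> Tuple[List[List[Node]], List[Alarm]]:
    """Constructed paths sharing nodes; attacker IP taken from the FIG. 3 text."""
    scan = Node("active_scanning")
    exploit = Node("exploit_public_application")
    token = Node("token_theft")
    phish = Node("phishing")
    agent = Node("ddos_agent")
    creds = Node("credential_dumping")
    paths = [[scan, exploit, token], [scan, phish, agent], [phish, creds]]
    alarms = [
        Alarm("a1", "SCAN nmap", "195.73.151.50"),
        Alarm("a2", "WEB apache exploit", "195.73.151.50"),
        Alarm("a3", "TROJAN mstream agent", "195.73.151.50"),
        Alarm("a4", "POLICY unknown signature", "195.73.151.77"),  # constructed, independent
    ]
    return paths, alarms


if __name__ == "__main__":
    paths, alarms = example()
    scored = mps(paths, alarms, TECHNIQUE_SCORE.get)
    for i, (p, s) in enumerate(scored):
        print(i, [v.technique for v in p], round(s, 3))
    print("APT paths:", detect_apt(scored, 0.8))
```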
Step 5: evidence chain reconstruction
Evidence chain reconstruction is carried out on an attack path whose threat judgment result is that an APT attack has been detected, displaying the interaction between the attacker's actions and the risk entities and giving security personnel a reference for isolating and analyzing system entities. System entities mainly comprise files, processes, sockets and the like. The method first associates the alarm entities on the APT behavior path and generates an initial evidence chain from the associations between alarms. To locate the attack impact range accurately, system entities are screened on the basis of the intrusion alarm information to eliminate normal system entities that are probably unaffected: the system events of the host within a time window are stored in a database in a pre-collection area, and the event frequency score is computed as (Freq(e) - Freq_min) / (Freq_max - Freq_min), where Freq(e) is the frequency score of event e and Freq_max and Freq_min are respectively the maximum and minimum frequency scores in the current event frequency database. This formula processes the event frequency score with a min-max normalization algorithm and maps the data to the interval [0,1], so that the number of hosts does not influence the event frequency and the event normality score. The event anomaly score is obtained by subtracting the event frequency score from 1, and system entities associated with events whose anomaly score is lower than the set threshold are screened out. To avoid wrongly screening out entities because of attacker deception, a multi-attack entity association mechanism based on a gray list is established: the excluded system entities are added to a monitoring gray list and their credibility is evaluated as 0, 1 or 2, with level 0 being the lowest.
If an entity with a low anomaly score appears in an attack for the first time, it is not displayed as attack evidence but is recorded in the gray list with credibility 1; if an entity with credibility 1 is associated with other attacks, i.e. the system entity appears in the alarm information of other attacks, its credibility is set to 0 and a manual inspection is carried out; if the inspection finds the entity safe, its credibility is set to 2, and entities with credibility 2 are deleted after a certain time window. The time of each credibility change is recorded, providing a reference for the credibility time window.
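As an added example, not code from the patent, the following Python performs the event-frequency screening and the gray list credibility transitions described in Step 5 on constructed host events; the threshold, time window and event records are assumptions, with the entity names quoa.bash and Mstream borrowed from the FIG. 3 description.

```python
"""Evidence chain reduction by event frequency plus the gray-list credibility mechanism.

Added example, not the patent's code. Event records, the anomaly threshold and
the time window are constructed; the credibility levels 0/1/2 and their
transitions follow the description in the text.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

Event = Tuple[str, str]   # (system entity, event type), e.g. ("sshd", "accept")


def frequency_scores(events: Iterable[Event]) -> Dict[Event, float]:
    """Min-max normalised frequency: (Freq(e) - Freq_min) / (Freq_max - Freq_min)."""
    counts = Counter(events)
    lo, hi = min(counts.values()), max(counts.values())
    span = hi - lo
    # All events equally frequent: nothing stands out, so every score is 0.0.
    return {e: ((c - lo) / span if span else 0.0) for e, c in counts.items()}


def screen_entities(events: List[Event], alarm_entities: Set[str],
                    threshold: float) -> Tuple[Set[str], Set[str]]:
    """Split alarm entities into evidence and excluded (normal-looking) entities.

    Event anomaly score = 1 - event frequency score; an entity stays in the
    evidence chain if any of its events reaches the anomaly threshold.
    """
    anomaly = {e: 1.0 - f for e, f in frequency_scores(events).items()}
    evidence: Set[str] = set()
    excluded: Set[str] = set()
    for entity in alarm_entities:
        scores = [a for (ent, _), a in anomaly.items() if ent == entity]
        (evidence if scores and max(scores) >= threshold else excluded).add(entity)
    return evidence, excluded


@dataclass
class GrayEntry:
    credibility: int    # 0 lowest (awaiting inspection), 1 first exclusion, 2 checked safe
    changed_at: float   # time of the last credibility change


class GrayList:
    """Monitoring gray list for entities excluded from an evidence chain."""

    def __init__(self, window: float) -> None:
        self.window = window
        self.entries: Dict[str, GrayEntry] = {}

    def record(self, entity: str, now: float) -> None:
        """First exclusion of an entity: record it with credibility 1."""
        self.entries.setdefault(entity, GrayEntry(1, now))

    def associate(self, entity: str, now: float) -> bool:
        """Entity seen in another attack's alarms: level 1 drops to 0 for manual inspection."""
        entry = self.entries.get(entity)
        if entry is None or entry.credibility != 1:
            return False
        entry.credibility, entry.changed_at = 0, now
        return True

    def mark_safe(self, entity: str, now: float) -> None:
        """Manual inspection found the entity safe: credibility 2."""
        entry = self.entries[entity]
        entry.credibility, entry.changed_at = 2, now

    def expire(self, now: float) -> List[str]:
        """Delete level-2 entities once the time window since their change has elapsed."""
        gone = [e for e, en in self.entries.items()
                if en.credibility == 2 and now - en.changed_at >= self.window]
        for e in gone:
            del self.entries[e]
        return gone


# Constructed host events within the time window: 50 sshd accepts, 40 cron runs,
# 30 Apache accepts, one execution of quoa.bash and one outbound connect by Mstream.
HOST_EVENTS: List[Event] = (
    [("sshd", "accept")] * 50 + [("cron", "exec")] * 40 + [("apache", "accept")] * 30
    + [("quoa.bash", "exec"), ("mstream", "connect")]
)
ALARM_ENTITIES: Set[str] = {"sshd", "cron", "apache", "quoa.bash", "mstream"}


def run_example(threshold: float = 0.5, window: float = 3600.0):
    """Screen the alarm entities, then walk apache through the gray list life cycle."""
    evidence, excluded = screen_entities(HOST_EVENTS, ALARM_ENTITIES, threshold)
    gl = GrayList(window)
    for entity in excluded:
        gl.record(entity, now=100.0)
    gl.associate("apache", now=150.0)   # apache also appears in a second attack's alarms
    gl.mark_safe("apache", now=160.0)   # inspection result: safe
    gl.expire(now=160.0 + window)       # window elapsed: apache leaves the list
    return evidence, excluded, gl


if __name__ == "__main__":
    ev, ex, gray = run_example()
    print("evidence:", sorted(ev), "excluded:", sorted(ex))
    print("gray list:", {e: en.credibility for e, en in gray.entries.items()})
```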
Taking fig. 3 as an example: an attacker using a host with IP address 195.73.151.50 starts from port 1028 and first launches an ICMP scan, which reaches the target host Loche at IP address 172.16.112.10. The attacker then uses the Cobalt Strike tool to perform a port scan, finds that the Apache service on port 25 of the target host has a vulnerability, and sends the exploit script file quoa.bash. After the script file is executed, the vulnerability in Apache is used to install the trojan program Mstream, and the trojan is then used to direct host 172.16.112.10 to launch a DDoS action against the mill server at IP address 172.16.115.20.
As shown in fig. 4, the threat detection apparatus based on an APT attack graph disclosed in this embodiment of the invention mainly comprises an APT attack graph generation module, an alarm collection module, an attack path identification module, an APT attack detection module and an evidence chain restoration module. The APT attack graph generation module generates the APT attack graph from the collected network and system-to-be-protected information; the alarm collection module collects malicious behaviour intrusion alarms through the deployed intrusion detection system; the attack path identification module matches intrusion alarms against the attack techniques in the APT attack graph to obtain the attack paths associated with the alarms; the APT attack detection module quantitatively analyses each attack behaviour node on a path in terms of attack behaviour commonness, severity and necessity to obtain a commonness score S_c, a severity score S_s and a necessity score S_n, combines them into a comprehensive score for the APT attack behaviour, sums the comprehensive scores of all nodes on the whole attack path that matched an intrusion alarm as the path score, and identifies an APT attack on the basis of the path score; and the evidence chain restoration module reconstructs the evidence chain of an attack path on which an APT attack was detected and displays the interaction between the attacker's actions and the risk entities in the system to be protected.
Further, the threat detection apparatus is also provided with a gray list database that implements the gray-list-based multi-attack entity association mechanism. The specific operation of each module above follows the corresponding process in the method embodiment described earlier and is not repeated here.
Based on the same inventive concept, the embodiment of the invention discloses a computer device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the computer program realizes the steps of the threat detection method based on the APT attack graph when being loaded to the processor.
Based on the same inventive concept, an embodiment of the present invention discloses a computer readable storage medium, where a computer program is stored, where the computer program, when executed by a processor, implements the steps of the threat detection method based on an APT attack graph.
Those skilled in the art will appreciate that the aspects of the present invention that are essential or that contribute to the prior art may be embodied as a software product stored in a storage medium and comprising instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method of the embodiments of the present invention. The storage medium includes any medium capable of storing a computer program, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.

Claims (9)

1. A threat detection method based on an APT attack graph, characterised by comprising the following steps:
generating an APT attack graph based on the collected network and system-to-be-protected information, and collecting malicious behaviour intrusion alarms through a deployed intrusion detection system, wherein the attack behaviour nodes in the APT attack graph include attack technique and APT stage information;
matching the intrusion alarms with the attack techniques in the APT attack graph to obtain the attack paths associated with the intrusion alarms, each attack path including at least one attack behaviour node that matched an intrusion alarm;
quantitatively analysing each attack behaviour node on the attack path in terms of attack behaviour commonness, severity and necessity to obtain a commonness score S_c, a severity score S_s and a necessity score S_n respectively, and forming from them a comprehensive score for the APT attack behaviour, in which A is the highest value of the commonness and severity scores, the weight is greater than 0 and less than 1, and S_n takes the value 0 or 1, the necessity being 1 if the attack behaviour belongs to a necessary stage of an APT attack; accumulating the comprehensive scores of all attack behaviour nodes on the whole attack path that matched an intrusion alarm as the path score, and identifying an APT attack based on the path score;
reconstructing the evidence chain of an attack path on which an APT attack is detected, to display the interaction between the attacker's actions and the risk entities in the system to be protected.

2. The threat detection method based on an APT attack graph according to claim 1, characterised in that, when generating the APT attack graph, the Mulval framework is used to reason over the collected information, first inferring the possible attack behaviours and then analysing the APT stage corresponding to each attack behaviour; reasoning starts from initial attack nodes whose attack stage is reconnaissance, resource development or initial access and proceeds along the direction of the edges; if the attack graph contains a directed edge from node A to node B, node A is defined as the predecessor node of node B and node B as the successor node of node A; the reasoning rules are: (1) the stage of the successor node is a subsequent stage of the predecessor node, where a subsequent stage is the stage following the predecessor node's APT stage or the same stage as the predecessor node's; (2) if a node has several subsequent stages, the analysis proceeds backwards separately on the basis of each stage; (3) if a successor node cannot satisfy the attack stage relationship, the path does not hold; (4) the final attack graph contains all attack stage paths obtained by reasoning.

3. The threat detection method based on an APT attack graph according to claim 1, characterised in that, in the quantitative analysis of attack behaviour, the commonness and severity of the attack behaviour are graded on the basis of the ATT&CK model: the more common the attack behaviour, the higher its commonness score, and the more severe the attack behaviour, the higher its severity score.

4. The threat detection method based on an APT attack graph according to claim 1, characterised in that the collected intrusion alarms are aggregated according to the similarity between alarm features, and multiple alarms caused by the same attack behaviour are merged into one alarm group to reduce the alarm volume.

5. The threat detection method based on an APT attack graph according to claim 1, characterised in that, when matching intrusion alarms against the attack graph, an alarm that is not matched to any attack behaviour node in the attack graph is saved as an independent alarm; if an independent alarm has a similar alarm, the independent alarm is added to the attack behaviour node that the similar alarm matched.

6. The threat detection method based on an APT attack graph according to claim 1, characterised in that, when reconstructing the evidence chain, the alarm entities on the APT attack path are first associated and an initial evidence chain is generated from the associations between alarms; then system entities are screened on the basis of the intrusion alarm information using an evidence chain reduction method based on event occurrence frequency together with a multi-attack entity association mechanism based on a gray list; the gray-list-based multi-attack entity association mechanism is: system entities excluded on the basis of event occurrence frequency are added to a monitoring gray list and the credibility of gray list entities is evaluated, level 0 being the lowest; if an entity associated with an event whose anomaly score is below the set threshold appears in an attack for the first time, it is not displayed as attack evidence, is recorded in the gray list, and its credibility is set to 1; if an entity with credibility 1 becomes associated with another attack, its credibility is set to 0 and it is inspected; if the inspection finds the entity safe, its credibility is set to 2; entities with credibility 2 are deleted after the set time window; where event anomaly score = 1 - event frequency score, and the event frequency score is normalised to the interval [0,1].

7. A threat detection apparatus based on an APT attack graph, characterised by comprising:
an APT attack graph generation module for generating an APT attack graph based on the collected network and system-to-be-protected information, the attack behaviour nodes in the APT attack graph including attack technique and APT stage information;
an alarm collection module for collecting malicious behaviour intrusion alarms through a deployed intrusion detection system;
an attack path identification module for matching the intrusion alarms with the attack techniques in the APT attack graph to obtain the attack paths associated with the intrusion alarms, each attack path including at least one attack behaviour node that matched an intrusion alarm;
an APT attack detection module for quantitatively analysing each attack behaviour node on the attack path in terms of attack behaviour commonness, severity and necessity to obtain a commonness score S_c, a severity score S_s and a necessity score S_n respectively, forming from them a comprehensive score for the APT attack behaviour, in which A is the highest value of the commonness and severity scores, the weight is greater than 0 and less than 1, and S_n takes the value 0 or 1, the necessity being 1 if the attack behaviour belongs to a necessary stage of an APT attack, accumulating the comprehensive scores of all attack behaviour nodes on the whole attack path that matched an intrusion alarm as the path score, and identifying an APT attack based on the path score;
and an evidence chain restoration module for reconstructing the evidence chain of an attack path on which an APT attack is detected, to display the interaction between the attacker's actions and the risk entities in the system to be protected.

8. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterised in that, when the computer program is loaded into the processor, it implements the steps of the threat detection method based on an APT attack graph according to any one of claims 1 to 6.

9. A computer-readable storage medium storing a computer program, characterised in that, when the computer program is executed by a processor, it implements the steps of the threat detection method based on an APT attack graph according to any one of claims 1 to 6.
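As an added example (not the patent's code), this Python walks the stage-ordering rules of claim 2 over a constructed attack graph and then applies the path score of claim 1. The ATT&CK tactic order is assumed as the APT stage order, the per-node comprehensive scores and the detection threshold are assumed inputs, and the graph itself is constructed.

```python
# Assumed APT stage order (the ATT&CK tactic order); a successor node may stay in
# the same stage or move to the next one.  The graph, scores and threshold below
# are constructed for illustration.
STAGES = ["reconnaissance", "resource_development", "initial_access", "execution",
          "persistence", "privilege_escalation", "defense_evasion",
          "credential_access", "discovery", "lateral_movement", "collection",
          "command_and_control", "exfiltration", "impact"]
RANK = {s: i for i, s in enumerate(STAGES)}
INITIAL_STAGES = {"reconnaissance", "resource_development", "initial_access"}

def stage_ok(pre, post):
    """Rule (1): the successor's stage equals the predecessor's or is the next one."""
    return RANK[post] - RANK[pre] in (0, 1)

def infer_paths(nodes, edges):
    """Enumerate stage-consistent paths from the initial-stage nodes (rules 1-4).
    nodes: {node_id: stage}; edges: {node_id: [successor node ids]}.
    An edge that breaks the stage relation is not followed (rule 3); every
    successor that satisfies it is explored separately (rule 2)."""
    paths = []

    def walk(path):
        extended = False
        for nxt in edges.get(path[-1], []):
            if nxt in path or not stage_ok(nodes[path[-1]], nodes[nxt]):
                continue
            extended = True
            walk(path + [nxt])
        if not extended:          # maximal path reached: record it (rule 4)
            paths.append(path)

    for node, stage in nodes.items():
        if stage in INITIAL_STAGES:
            walk([node])
    return paths

def path_score(path, node_scores, matched):
    """Claim 1: sum the comprehensive scores of the path's alarm-matched nodes.
    The per-node comprehensive score is taken as a given input here."""
    return sum(node_scores[n] for n in path if n in matched)

def detect_apt(paths, node_scores, matched, threshold):
    """Flag paths whose path score reaches the detection threshold (assumed rule)."""
    return [p for p in paths if path_score(p, node_scores, matched) >= threshold]

# Constructed graph loosely following the page's fig. 3 narrative.
NODES = {"icmp_scan": "reconnaissance", "port_scan": "reconnaissance",
         "stage_tool": "resource_development", "exploit": "initial_access",
         "run_script": "execution", "trojan": "persistence", "ddos": "impact"}
EDGES = {"icmp_scan": ["port_scan"], "port_scan": ["stage_tool", "ddos"],
         "stage_tool": ["exploit"], "exploit": ["run_script"], "run_script": ["trojan"]}
SCORES = {"icmp_scan": 3, "port_scan": 4, "stage_tool": 5, "exploit": 9,
          "run_script": 6, "trojan": 8, "ddos": 7}
MATCHED = {"port_scan", "exploit", "trojan"}   # nodes that matched an IDS alarm

if __name__ == "__main__":
    for p in detect_apt(infer_paths(NODES, EDGES), SCORES, MATCHED, threshold=20):
        print(path_score(p, SCORES, MATCHED), " -> ".join(p))
```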
CN202210960193.XA 2022-08-11 2022-08-11 A threat detection method, device and equipment based on APT attack graph Active CN115484062B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210960193.XA CN115484062B (en) 2022-08-11 2022-08-11 A threat detection method, device and equipment based on APT attack graph

Publications (2)

Publication Number Publication Date
CN115484062A CN115484062A (en) 2022-12-16
CN115484062B true CN115484062B (en) 2025-03-11

Family

ID=84423023

Country Status (1)

Country Link
CN (1) CN115484062B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117134999B (en) * 2023-10-26 2023-12-22 四川万物纵横科技股份有限公司 Safety protection method of edge computing gateway, storage medium and gateway
CN119066464B (en) * 2024-07-31 2025-09-05 电子科技大学 APT covert channel identification method and system for multimodal anomaly detection

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106790186A (en) * 2016-12-30 2017-05-31 中国人民解放军信息工程大学 Multi-step attack detection method based on multi-source anomalous event association analysis
CN108418843A (en) * 2018-06-11 2018-08-17 中国人民解放军战略支援部队信息工程大学 Network Attack Target Identification Method and System Based on Attack Graph

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109995793B (en) * 2019-04-12 2021-08-03 中国人民解放军战略支援部队信息工程大学 Network dynamic threat tracking quantification method and system
CN110602042B (en) * 2019-08-07 2022-04-29 中国人民解放军战略支援部队信息工程大学 APT attack behavior analysis and detection method and device based on cascade attack chain model
CN112819336B (en) * 2021-02-03 2023-12-15 国家电网有限公司 Quantification method and system based on network threat of power monitoring system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant