Journal on Communications ›› 2022, Vol. 43 ›› Issue (7): 172-188. doi: 10.11959/j.issn.1000-436x.2022105
Tao LENG 1,2, Lijun CAI 1, Aimin YU 1,2, Ziyuan ZHU 1,2, Jian’gang MA 1, Chaofei LI 1,2, Ruicheng NIU 1,2, Dan MENG 1,2
Revised: 2022-04-20
Online: 2022-07-25
Published: 2022-06-01
About the author: Tao LENG (1986- ), male, from Hejiang, Sichuan; Ph.D. candidate at the University of Chinese Academy of Sciences and associate professor at Sichuan Police College; his main research interests are APT attack detection and forensic analysis.
Supported by:
Abstract:
By surveying the literature on provenance graph research, this paper proposes a research framework for cyber threat discovery and forensic analysis based on system provenance graphs. It reviews in detail provenance-graph-based data collection, data management, data querying and visualization methods; proposes a taxonomy of threat detection into rule-based, anomaly-based and learning-based methods; summarizes threat hunting methods driven either by threat intelligence or by tactics, techniques and procedures; summarizes forensic analysis methods based on causality, sequence learning, domain-specific language queries and semantic reconstruction; and finally points out future research trends.
CLC number:
Cite as: Tao LENG, Lijun CAI, Aimin YU, Ziyuan ZHU, Jian’gang MA, Chaofei LI, Ruicheng NIU, Dan MENG. Review of threat discovery and forensic analysis based on system provenance graph[J]. Journal on Communications, 2022, 43(7): 172-188.
Table 1 Provenance graph reduction methods

| Type | Reference | Method | Ratio of size before to size after reduction |
| --- | --- | --- | --- |
| Edge reduction | Xu et al. [ ] | CPR | 1.27~3.56 |
| Edge reduction | Xu et al. [ ] | CPR+PCAR | 1.43~5.59 |
| Edge reduction | Xu et al. [ ] | CPR+PCAR+DOM | 1.46~10.2 |
| Edge reduction | FD-SD [ ] | Full dependence preservation | 4.46~91.5 |
| Edge reduction | FD-SD [ ] | Source dependence preservation | 4.54~122.5 |
| Vertex reduction | NodeMerge [ ] | Template-based | 4.2~33.7 |
| Vertex reduction | Log[ ] | Garbage-collection concept | 0~77 |
| Graph reduction | NoDoze [ ] | Prunes normal behaviour | 2 |
| Graph reduction | Rapsheet [ ] | 2 rules | 1.5 |
| Graph compression | SEAL [ ] | Query-friendly compression | 2.63~12.94 |
| Semantic preservation | GS-SS [ ] | Compression that preserves global semantics | 4.36~13.18 |
| Semantic preservation | GS-SS [ ] | Compression based on suspicious semantics | 7.86~26.99 |
Table 2 Research hotspots in threat detection

| Method | Paper | Detection target | Detection method/model | Dataset | Real-time/Offline |
| --- | --- | --- | --- | --- | --- |
| Rule-based | SLEUTH [ ] | APT detection | Provenance graph tags + custom policy rules | DARPA TC | Real-time |
| Rule-based | Morse [ ] | APT detection (alerts) | Tag propagation, custom policy rules | DARPA TC | Real-time |
| Rule-based | HOLMES [ ] | APT detection (multi-step) | Kill chain, TTPs | DARPA TC | Real-time |
| Rule-based | POIROT [ ] | APT detection (alerts) | Graph pattern matching | DARPA TC | Offline |
| Rule-based | SAQL [ ] | Enterprise system anomaly detection | Rule-based queries | Live collected data | Real-time |
| Rule-based | Patrol [ ] | Zero-day attack paths | Rule matching | Real enterprise network data | Real-time |
| Anomaly-based | StreamSpot [ ] | APT detection | Clustering: anomaly score | StreamSpot | Real-time |
| Anomaly-based | Pagoda [ ] | Process detection | Anomaly score (path anomaly + graph anomaly) | 17 benign and vulnerable applications | Real-time |
| Anomaly-based | SAQL [ ] | Enterprise system anomaly detection | Statistical anomaly: time-series, invariant and outlier anomaly queries | Live collected data | Real-time |
| Anomaly-based | FRAPpuccino [ ] | PaaS fault detection | Statistical anomaly: time window | PaaS instances collected with CamFlow | Real-time |
| Anomaly-based | P-Gaussian [ ] | Detection of intrusion behaviour variants | Statistical anomaly (evidence-based Gaussian distribution) | 17 benign and vulnerable applications + DARPA APT trace | Real-time |
| Anomaly-based | Unicorn [ ] | APT detection | Clustering: graph sketch clustering | DARPA TC, StreamSpot | Real-time |
| Anomaly-based | ZePro [ ] | Zero-day attack paths | Bayesian network inference over anomalous paths | CVE-2008-0166, CVE-2009-2692, CVE-2011-4089 | Real-time |
| Learning-based | Li et al. [ ] | APT detection | Attention-based graph neural network, deep autoencoder | LANL, StreamSpot | Offline |
| Learning-based | SIGL [ ] | Secure software installation | Graph LSTM deep autoencoder | NEC Labs data | Offline |
| Learning-based | Ayoade et al. [ ] | Zero-day attacks | Online metric learning, distance-based learning | Attack data collected with CamFlow | Real-time |
| Learning-based | ProvDetector [ ] | Stealthy malware | Graph embedding, local outlier factor | Malicious samples (about 15 000) | Real-time |
Table 3 Threat intelligence extraction models

| Reference | Entity types and relations | Extraction method | Query method | Dataset | Experimental evaluation |
| --- | --- | --- | --- | --- | --- |
| POIROT [ ] | Entity types: process, file, socket, pipe, etc.; relation type: system calls | Manually extracted query graph | Graph alignment | MISP, STIX | — |
| ThreatRaptor [ ] | Entity types: process, file, socket; relation type: descriptive relations | Uses spaCy to automatically extract IoCs and the relations between IoCs, building a threat behaviour graph | TBQL query | DARPA TC3, other CVE cases | Entity extraction: precision 96%, recall 97.3%, F1 96.64%; relation extraction: precision 96%, recall 89%, F1 92% |
| EXTRACTOR [ ] | Entity types: process, file, socket; relation type: system calls | Automatically extracts an attack behaviour graph; entity extraction: text summarization; relation extraction: dependency parsing combined with semantic role labelling, mapped onto system audit logs | Graph alignment | Unstructured real CTI reports; DARPA TC (public dataset); CTI reports from Microsoft and others | Entity extraction: precision 90%, recall 95.8%, F1 92.8%; relation extraction: precision 96%, recall 94%, F1 95% |
| HINTI [ ] | Entity types: attacker, vulnerability, device, platform, malicious file and attack type; relation type: descriptive relations | Heterogeneous information network; entity extraction: XPath extraction, attention-based multi-granularity recognition; relation extraction: defined relation templates | Graph convolutional network | Security blogs, hacker forums, CVE database, etc. | IoC entity recognition accuracy 98.59%, precision 98.72%, micro-F1 98.69% |
| SecurityKG [ ] | Entity types: threat actors, techniques, tools, software, multiple types of IoC; relation type: textual description | Automatically extracts a security knowledge graph; entity extraction: IoC protection, CRF model; relation extraction: dependency parsing | — | OSCTI reports | — |
Table 4 Research related to forensic analysis

| Category | Subcategory | Reference | Method | Case study | Evaluation scheme (results) |
| --- | --- | --- | --- | --- | --- |
| Causality-based | Execution unit partitioning | Ma et al. [ ] | Parses ETW logs into units, performs backward/forward tracking | Misconfiguration, phishing attack, information leakage, spyware | Effectiveness: correct matches |
| Causality-based | Execution unit partitioning | ProPatrol [ ] | Application execution unit partitioning (browser, e-mail and other clients) | Remote access trojan, drive-by download, CSRF and DNS redirection, instant messaging client | Finds the root cause and gives the reconstructed causal graph |
| Causality-based | Taint analysis | Morse [ ] | Tag propagation, scenario graph reconstruction: entry point identification (backward query), forward analysis | Firefox backdoor, browser extension, malicious HTTP request, CCleaner, ransomware, lateral movement, kernel malware | Gives the provenance scenario graph of each attack case (entry point and forward analysis) |
| Causality-based | Record and replay | RTAG [ ] | Cross-host investigation | 6 attack scenarios | Information flows match the ground truth (100%) |
| Causality-based | Model inference | LDX [ ] | Dual execution of code; MCI builds on LDX | Phishing e-mail and a disguised FTP server using InfoZip for information theft | Gives the causal graph generated with the MCI model |
| Causality-based | General provenance | PrioTracker [ ] | Forward tracking that prioritises anomalous dependency edges | 3 case attack graphs (data theft, phishing e-mail, Shellshock backdoor) | Gives the reduced forward provenance graph |
| Causality-based | General provenance | NoDoze [ ] | Backward/forward queries that consider the anomaly of the whole event chain | 10 attacks (data theft, Shellshock backdoor, etc.) | Completeness: ratio of attack dependency graphs recoverable through the provenance graph; generates precise alert dependency graphs (88% for 1 attack, 100% for 9) |
| Causality-based | General provenance | OmegaLog [ ] | Modifies the whole-system provenance graph by adding app-log vertices, forming a semantically rich, execution-partitioned general provenance graph | Information leakage attack, phishing e-mail | Compares the traditional provenance graph with the OmegaLog-based semantic provenance graph |
| Sequence learning | — | ATLAS [ ] | Sequence lexicalisation, sampling, sequence embedding, model learning; investigation: attack entity identification, correlation of attack events | 10 attack scenarios (single-host and cross-host), 1 case investigation (Pony campaign) | Precision, recall and F1 of entity and event identification; the case investigation gives the recovered attack sequence and provenance graph |
| Domain-specific language query | — | AIQL [ ] | AIQL query language | APT attack (5 steps) | Complete attack: number of queries, event matches, investigation time |
| Domain-specific language query | — | GrAALF [ ] | GrAALF query language | 3 attack investigation cases (DARPA TC 3) | Query result graphs |
| Domain-specific language query | — | APTrace [ ] | BDL query language | 5 attack instances, with a phishing e-mail and a malicious Excel macro virus as the attack cases | Attack analysis time, BDL query statements, generated dependency graphs |
| Semantic reconstruction | — | WATSON [ ] | Aggregates contextual semantics to abstract behaviours | 4 datasets, including the DARPA TC 3 trace and a malicious dataset (8 instances); investigation cases: configuration leakage, content destruction | Behaviour abstraction: F1 92.8%, precision 92.8%, recall 94.2%; visual summary of the information flows of behaviour instances |
| Semantic reconstruction | — | OmegaLog [ ] | Multi-layer logs, execution partitioning | Information leakage attack, phishing e-mail | Gives the OmegaLog semantic provenance graph |
| Semantic reconstruction | — | UIScope [ ] | Correlates system events with UI events | 6 real attacks (phishing e-mail, remote code execution, Office macro virus, credential-based attack, watering-hole attack, insider attack) | Whether the intrusion root cause is found (all correct); provenance graph for 1 case (remote code execution) |
| Semantic reconstruction | — | ALchemist [ ] | Application logs and system audit | 14 attack instances (including DARPA TC); attack case investigation: exfiltration attack, Azazel attack | 1) Attack forensics effectiveness: audit-level logs precision 92.8%, recall 99.6%; application-level logs precision 97.7%, recall 100%. 2) ALchemist causal graph of the attack case investigation |
[1] BINDE B E, MCCREE R, O’CONNOR T J. Assessing outbound traffic to uncover advanced persistent threat[R]. 2011.
[2] ESHETE B, GJOMEMO R, HOSSAIN M N, et al. Attack analysis results for adversarial engagement 1 of the DARPA transparent computing program[J]. arXiv Preprint, arXiv:1610.06936, 2016.
[3] HAN X Y, PASQUIER T, SELTZER M. Provenance-based intrusion detection: opportunities and challenges[C]// Proceedings of the 10th USENIX Conference on Theory and Practice of Provenance. Berkeley: USENIX Association, 2018: 1-3.
[4] ZAFAR F, KHAN A, SUHAIL S, et al. Trustworthy data: a survey, taxonomy and future trends of secure provenance schemes[J]. Journal of Network and Computer Applications, 2017, 94: 50-68.
[5] TAN C, WANG Q, WANG L N, et al. Attack provenance tracing in cyberspace: solutions, challenges and future directions[J]. IEEE Network, 2019, 33(2): 174-180.
[6] LI Z Y, CHEN Q A, YANG R Q, et al. Threat detection and investigation with system-level provenance graphs: a survey[J]. Computers & Security, 2021, 106: 102282.
[7] PAN Y F, ZHU J H, ZHOU T Y. Survey on APT attack scenario reconstruction methods[J]. Journal of Information Engineering University, 2021, 22(1): 55-60, 80.
[8] KING S T, CHEN P M. Backtracking intrusions[C]// Proceedings of the 19th ACM Symposium on Operating Systems Principles. New York: ACM Press, 2003: 223-236.
[9] JIAN S J, LU Z G, DU D, et al. Overview of network intrusion detection technology[J]. Journal of Cyber Security, 2020, 5(4): 96-122.
[10] XU J C, WANG Y J, XUE Z. Research on threat hunting in cyberspace[J]. Communications Technology, 2020, 53(1): 1-8.
[11] VALENTINA P. Practical threat intelligence and data-driven threat hunting[M]. Birmingham: Packt Publishing, 2021.
[12] Secjuice. 5 types of threat hunting[EB]. 2021.
[13] Secjuice. Breach detection - controlling dwell time is about much more than compliance[EB]. 2021.
[14] CAN S, CAO P. Lineage file system[EB]. 2021.
[15] MUNISWAMY-REDDY K K, HOLLAND D A, BRAUN U, et al. Provenance-aware storage systems[C]// Proceedings of the USENIX’06 Annual Technical Conference. Berkeley: USENIX Association, 2006: 43-56.
[16] MUNISWAMY-REDDY K K, BRAUN U, HOLLAND D A, et al. Layering in provenance systems[C]// Proceedings of the 2009 USENIX Annual Technical Conference. Berkeley: USENIX Association, 2009: 1-10.
[17] GEHANI A, TARIQ D. SPADE: support for provenance auditing in distributed environments[C]// Lecture Notes in Computer Science. Berlin: Springer, 2012: 101-120.
[18] POHLY D J, MCLAUGHLIN S, MCDANIEL P, et al. Hi-Fi: collecting high-fidelity whole-system provenance[C]// Proceedings of the 28th Annual Computer Security Applications Conference. New York: ACM Press, 2012: 259-268.
[19] BATES A, TIAN D J, BUTLER K R B, et al. Trustworthy whole-system provenance for the Linux kernel[C]// Proceedings of the 24th USENIX Security Symposium. Berkeley: USENIX Association, 2015: 319-334.
[20] BATES A, BUTLER K, DOBRA A, et al. Retrofitting applications with provenance-based security monitoring[J]. arXiv Preprint, arXiv:1609.00266, 2016.
[21] PASQUIER T, HAN X Y, GOLDSTEIN M, et al. Practical whole-system provenance capture[C]// Proceedings of the 2017 Symposium on Cloud Computing. New York: ACM Press, 2017: 405-418.
[22] HASSAN W U, NOUREDDINE M A, DATTA P, et al. OmegaLog: high-fidelity attack investigation via transparent multi-layer log analysis[C]// Proceedings of the 2020 Network and Distributed System Security Symposium. Reston: Internet Society, 2020: 1-16.
[23] YU L, MA S Q, ZHANG Z, et al. ALchemist: fusing application and audit logs for precise attack provenance without instrumentation[C]// Proceedings of the 2021 Network and Distributed System Security Symposium. Reston: Internet Society, 2021: 1-18.
[24] XIE Y L, FENG D, LIAO X L, et al. Efficient monitoring and forensic analysis via accurate network-attached provenance collection with minimal storage overhead[J]. Digital Investigation, 2018, 26: 19-28.
[25] HAAS S, SOMMER R, FISCHER M. Zeek-Osquery: host-network correlation for advanced monitoring and intrusion detection[C]// ICT Systems Security and Privacy Protection. Berlin: Springer, 2020: 248-262.
[26] JI Y, LEE S, FAZZINI M, et al. Enabling refinable cross-host attack investigation with efficient data flow tagging and tracking[C]// Proceedings of the 27th USENIX Security Symposium. Berkeley: USENIX Association, 2018: 1705-1722.
[27] JI Y. Efficient and refinable attack investigation[D]. Atlanta: Georgia Institute of Technology, 2019.
[28] LEE K H, ZHANG X, XU D Y. High accuracy attack provenance via binary-based execution partition[C]// Proceedings of the 20th Network and Distributed System Security Symposium (NDSS’13). Reston: Internet Society, 2013: 1-16.
[29] MA S Q, ZHANG X Y, XU D Y. ProTracer: towards practical provenance tracing by alternating between logging and tainting[C]// Proceedings of the 2016 Network and Distributed System Security Symposium. Reston: Internet Society, 2016: 1-15.
[30] MA S Q, ZHAI J, WANG F, et al. MPI: multiple perspective attack investigation with semantic aware execution partitioning[C]// Proceedings of the 26th USENIX Security Symposium. Berkeley: USENIX Association, 2017: 1111-1128.
[31] MA S Q, LEE K H, KIM C H, et al. Accurate, low cost and instrumentation-free security audit logging for Windows[C]// Proceedings of the 31st Annual Computer Security Applications Conference. New York: ACM Press, 2015: 401-410.
[32] LEE K H, ZHANG X Y, XU D Y. LogGC: garbage collecting audit log[C]// Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security. New York: ACM Press, 2013: 1005-1016.
[33] YANG R Q, MA S Q, XU H T, et al. UIScope: accurate, instrumentation-free, and visible attack investigation for GUI applications[C]// Proceedings of the 2020 Network and Distributed System Security Symposium. Reston: Internet Society, 2020: 1-18.
[34] MANZOOR E, MILAJERDI S M, AKOGLU L. Fast memory-efficient anomaly detection in streaming heterogeneous graphs[C]// Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. New York: ACM Press, 2016: 1035-1044.
[35] The CERT Division. Insider threat tools[EB]. 2018.
[36] KENT A D. Comprehensive, multi-source cyber-security events data set[R]. 2015.
[37] Transparent computing engagement 5 data release[EB]. 2019.
[38] ANGELOS K. Transparent computing engagement 3 data release[EB]. 2018.
[39] ANJUM M M, IQBAL S, HAMELIN B. Analyzing the usefulness of the DARPA OpTC dataset in cyber threat detection research[C]// Proceedings of the 26th ACM Symposium on Access Control Models and Technologies. New York: ACM Press, 2021: 27-32.
[40] LI Z T, CHENG X, SUN L X, et al. A hierarchical approach for advanced persistent threat detection with attention-based graph neural networks[J]. Security and Communication Networks, 2021, 2021: 9961342.
[41] LI M, LI Q, XUAN G Z, et al. Identifying compromised hosts under APT using DNS request sequences[J]. Journal of Parallel and Distributed Computing, 2021, 152: 67-78.
[42] LIU F C, WEN Y, ZHANG D X, et al. Log2vec: a heterogeneous graph embedding based approach for detecting cyber threats within enterprise[C]// Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM Press, 2019: 1777-1794.
[43] LIU F C, WEN Y, WU Y N, et al. MLTracer: malicious logins detection system via graph neural network[C]// Proceedings of the 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom). Piscataway: IEEE Press, 2021: 715-726.
[44] COCHRANE T, FOSTER P, CHHABRA V, et al. SK-Tree: a systematic malware detection algorithm on streaming trees via the signature kernel[C]// Proceedings of the 2021 IEEE International Conference on Cyber Security and Resilience. Piscataway: IEEE Press, 2021: 35-40.
[45] HOSSAIN M N, MILAJERDI S M, WANG J, et al. SLEUTH: real-time attack scenario reconstruction from COTS audit data[C]// Proceedings of the 26th USENIX Security Symposium. Berkeley: USENIX Association, 2017: 487-504.
[46] HOSSAIN M N, SHEIKHI S, SEKAR R. Combating dependence explosion in forensic analysis using alternative tag propagation semantics[C]// Proceedings of the 2020 IEEE Symposium on Security and Privacy. Piscataway: IEEE Press, 2020: 1139-1155.
[47] SETAYESHFAR O, ADKINS C, JONES M, et al. GrAALF: supporting graphical analysis of audit logs for forensics[J]. Software Impacts, 2021, 8: 100068.
[48] MILAJERDI S M, GJOMEMO R, ESHETE B, et al. HOLMES: real-time APT detection through correlation of suspicious information flows[C]// Proceedings of the 2019 IEEE Symposium on Security and Privacy. Piscataway: IEEE Press, 2019: 1137-1152.
[49] HOSSAIN M N, WANG J, WEISSE O, et al. Dependence-preserving data compaction for scalable forensic analysis[C]// Proceedings of the 27th USENIX Security Symposium. Berkeley: USENIX Association, 2018: 1723-1740.
[50] ZENG J, CHUA Z L, CHEN Y F, et al. WATSON: abstracting behaviors from audit logs via aggregation of contextual semantics[C]// Proceedings of the 2021 Network and Distributed System Security Symposium. Reston: Internet Society, 2021: 1-18.
[51] BERRADA G, CHENEY J, BENABDERRAHMANE S, et al. A baseline for unsupervised advanced persistent threat detection in system-level provenance[J]. Future Generation Computer Systems, 2020, 108: 401-413.
[52] BENABDERRAHMANE S, BERRADA G, CHENEY J, et al. A rule mining-based advanced persistent threats detection system[J]. arXiv Preprint, arXiv:2105.10053, 2021.
[53] HASSAN W U, GUO S J, LI D, et al. NoDoze: combatting threat alert fatigue with automated provenance triage[C]// Proceedings of the 2019 Network and Distributed System Security Symposium. Reston: Internet Society, 2019: 1-15.
[54] MYNENI S, CHOWDHARY A, SABUR A, et al. DAPT 2020 - constructing a benchmark dataset for advanced persistent threats[C]// Deployable Machine Learning for Security Defense. Berlin: Springer, 2020: 138-163.
[55] LIU Y S, ZHANG M, LI D, et al. Towards a timely causality analysis for enterprise security[C]// Proceedings of the 2018 Network and Distributed System Security Symposium. Reston: Internet Society, 2018: 1-15.
[56] GUI J P, LI D, CHEN Z Z, et al. APTrace: a responsive system for agile enterprise level causality analysis[C]// Proceedings of the 2020 IEEE 36th International Conference on Data Engineering. Piscataway: IEEE Press, 2020: 1701-1712.
[57] XU Z, WU Z Y, LI Z C, et al. High fidelity data reduction for big data security dependency analyses[C]// Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM Press, 2016: 504-516.
[58] MICHAEL N, MINK J, LIU J, et al. On the forensic validity of approximated audit logs[C]// Proceedings of the Annual Computer Security Applications Conference. New York: ACM Press, 2020: 189-202.
[59] TANG Y T, LI D, LI Z C, et al. NodeMerge: template based efficient data reduction for big-data causality analysis[C]// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM Press, 2018: 1324-1337.
[60] HASSAN W U, BATES A, MARINO D. Tactical provenance analysis for endpoint detection and response systems[C]// Proceedings of the 2020 IEEE Symposium on Security and Privacy. Piscataway: IEEE Press, 2020: 1172-1189.
[61] FEI P, LI Z, WANG Z, et al. SEAL: storage-efficient causality analysis on enterprise logs with query-friendly compression[C]// Proceedings of the 30th USENIX Security Symposium. Berkeley: USENIX Association, 2021: 2987-3004.
[62] ZHU T T, WANG J Y, RUAN L Q, et al. General, efficient, and real-time data compaction strategy for APT forensic analysis[J]. IEEE Transactions on Information Forensics and Security, 2021, 16: 3312-3325.
[63] GAO P, SHAO F, LIU X Y, et al. A system for efficiently hunting for cyber threats in computer systems using threat intelligence[C]// Proceedings of the 2021 IEEE 37th International Conference on Data Engineering. Piscataway: IEEE Press, 2021: 2705-2708.
[64] MILAJERDI S M, ESHETE B, GJOMEMO R, et al. POIROT: aligning attack behavior with kernel audit records for cyber threat hunting[C]// Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM Press, 2019: 1795-1812.
[65] HASSAN W U, LI D, JEE K, et al. This is why we can’t cache nice things: lightning-fast threat hunting using suspicion-based hierarchical storage[C]// Proceedings of the Annual Computer Security Applications Conference. New York: ACM Press, 2020: 165-178.
[66] MA S Q, ZHAI J, KWON Y, et al. Kernel-supported cost-effective audit logging for causality tracking[C]// Proceedings of the 2018 USENIX Annual Technical Conference. Berkeley: USENIX Association, 2018: 241-254.
[67] XIE Y L, FENG D, TAN Z P, et al. Unifying intrusion detection and forensic analysis via provenance awareness[J]. Future Generation Computer Systems, 2016, 61: 26-36.
[68] XIE Y L, FENG D, HU Y C, et al. Pagoda: a hybrid approach to enable efficient real-time provenance based intrusion detection in big data environments[J]. IEEE Transactions on Dependable and Secure Computing, 2020, 17(6): 1283-1296.
[69] GAO P, XIAO X S, LI Z C, et al. A query system for efficiently investigating complex attack behaviors for enterprise security[J]. arXiv Preprint, arXiv:1810.03464, 2018.
[70] PASQUIER T, HAN X Y, MOYER T, et al. Runtime analysis of whole-system provenance[C]// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM Press, 2018: 1601-1616.
[71] GAO P, XIAO X S, LI Z C, et al. AIQL: enabling efficient attack investigation from system monitoring data[C]// Proceedings of the 2018 USENIX Annual Technical Conference. Berkeley: USENIX Association, 2018: 113-126.
[72] GAO P, XIAO X S, LI D. SAQL: a stream-based query system for real-time abnormal system behavior detection[C]// Proceedings of the 27th USENIX Security Symposium. Berkeley: USENIX Association, 2018: 639-656.
[73] GAO P, SHAO F, LIU X Y, et al. Enabling efficient cyber threat hunting with cyber threat intelligence[C]// Proceedings of the 2021 IEEE 37th International Conference on Data Engineering. Piscataway: IEEE Press, 2021: 193-204.
[74] GAO P, XIAO X S, LI D, et al. Querying streaming system monitoring data for enterprise system anomaly detection[C]// Proceedings of the 2020 IEEE 36th International Conference on Data Engineering. Piscataway: IEEE Press, 2020: 1774-1777.
[75] XIONG C L, ZHU T T, DONG W H, et al. Conan: a practical real-time APT detection system with high accuracy and efficiency[J]. IEEE Transactions on Dependable and Secure Computing, 2022, 19(1): 551-565.
[76] DING X, LIU B X, JIANG Z W, et al. Spear phishing emails detection based on machine learning[C]// Proceedings of the 2021 IEEE 24th International Conference on Computer Supported Cooperative Work in Design. Piscataway: IEEE Press, 2021: 354-359.
[77] DAI J, SUN X Y, LIU P. Patrol: revealing zero-day attack paths through network-wide system object dependencies[C]// European Symposium on Research in Computer Security. Berlin: Springer, 2013: 536-555.
[78] HAN X Y, PASQUIER T, RANJAN T, et al. FRAPpuccino: fault-detection through runtime analysis of provenance[C]// Proceedings of the 9th USENIX Conference on Hot Topics in Cloud Computing. Berkeley: USENIX Association, 2017: 1-18.
[79] XIE Y L, WU Y F, FENG D, et al. P-Gaussian: provenance-based Gaussian distribution for detecting intrusion behavior variants using high efficient and real time memory databases[J]. IEEE Transactions on Dependable and Secure Computing, 2021, 18(6): 2658-2674.
[80] HAN X Y, PASQUIER T, BATES A, et al. Unicorn: runtime provenance-based detector for advanced persistent threats[C]// Proceedings of the 2020 Network and Distributed System Security Symposium. Reston: Internet Society, 2020: 1-18.
[81] SUN X Y, DAI J, LIU P, et al. Using Bayesian networks for probabilistic identification of zero-day attack paths[J]. IEEE Transactions on Information Forensics and Security, 2018, 13(10): 2506-2521.
[82] HAN X Y, YU X, PASQUIER T, et al. SIGL: securing software installations through deep graph learning[C]// Proceedings of the 30th USENIX Security Symposium. Berkeley: USENIX Association, 2021: 2345-2362.
[83] AYOADE G, AKBAR K A, SAHOO P, et al. Evolving advanced persistent threat detection using provenance graph and metric learning[C]// Proceedings of the 2020 IEEE Conference on Communications and Network Security. Piscataway: IEEE Press, 2020: 1-9.
[84] WANG Q, HASSAN W U, LI D, et al. You are what you do: hunting stealthy malware via data provenance analysis[C]// Proceedings of the 2020 Network and Distributed System Security Symposium. Reston: Internet Society, 2020: 1-17.
[85] SATVAT K, GJOMEMO R, VENKATAKRISHNAN V N. Extractor: extracting attack behavior from threat reports[C]// 2021 IEEE European Symposium on Security and Privacy (EuroS&P). Piscataway: IEEE Press, 2021: 598-615.
[86] ZHAO J, YAN Q B, LIU X D, et al. Cyber threat intelligence modeling based on heterogeneous graph convolutional network[C]// Proceedings of the 23rd International Symposium on Research in Attacks, Intrusions and Defenses. Berkeley: USENIX Association, 2020: 241-256.
[87] GAO P, LIU X Y, CHOI E, et al. A system for automated open-source threat intelligence gathering and management[C]// Proceedings of the 2021 International Conference on Management of Data. New York: ACM Press, 2021: 2716-2720.
[88] WEI R Z, CAI L J, ZHAO L X, et al. DeepHunter: a graph neural network based approach for robust cyber threat hunting[C]// Security and Privacy in Communication Networks. Berlin: Springer, 2021: 3-24.
[89] NOEL S, HARLEY E, TAM K H, et al. CyGraph: graph-based analytics and visualization for cybersecurity[J]. Handbook of Statistics, 2016, 35: 117-167.
[90] SHU X K, ARAUJO F, SCHALES D L, et al. Threat intelligence computing[C]// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM Press, 2018: 1883-1898.
[91] KARUNA P, HEMBERG E, O’REILLY U M, et al. Automating cyber threat hunting using NLP, automated query generation, and genetic perturbation[J]. arXiv Preprint, arXiv:2104.11576, 2021.
[92] MILAJERDI S M, ESHETE B, GJOMEMO R, et al. ProPatrol: attack investigation via extracted high-level tasks[C]// Information Systems Security. Berlin: Springer, 2018: 107-126.
[93] ALLEN J, YANG Z, LANDEN M, et al. Mnemosyne: an effective and efficient postmortem watering hole attack investigation system[C]// Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM Press, 2020: 787-802.
[94] NEWSOME J, SONG D. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software[C]// Proceedings of the Network and Distributed System Security Symposium. Reston: Internet Society, 2005: 1-17.
[95] YIN H, SONG D, EGELE M, et al. Panorama: capturing system-wide information flow for malware detection and analysis[C]// Proceedings of the 14th ACM Conference on Computer and Communications Security. New York: ACM Press, 2007: 116-127.
[96] JI Y, LEE S, DOWNING E, et al. RAIN: refinable attack investigation with on-demand inter-process information flow tracking[C]// Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM Press, 2017: 377-390.
[97] KWON Y, KIM D, SUMNER W N, et al. LDX: causality inference by lightweight dual execution[C]// Proceedings of the 21st International Conference on Architectural Support for Programming Languages and Operating Systems. New York: ACM Press, 2016: 503-515.
[98] KWON Y, WANG F, WANG W H, et al. MCI: modeling-based causality inference in audit logging for attack investigation[C]// Proceedings of the 2018 Network and Distributed System Security Symposium. Reston: Internet Society, 2018: 1-15.
[99] PEI K X, GU Z S, SALTAFORMAGGIO B, et al. HERCULE: attack story reconstruction via community discovery on correlated log graph[C]// Proceedings of the 32nd Annual Conference on Computer Security Applications. New York: ACM Press, 2016: 583-595.
[100] SHEN Y, MARICONTI E, VERVIER P A, et al. Tiresias: predicting security events through deep learning[C]// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM Press, 2018: 592-605.
[101] SHEN Y, STRINGHINI G. ATTACK2VEC: leveraging temporal word embeddings to understand the evolution of cyberattacks[C]// Proceedings of the 28th USENIX Security Symposium. Berkeley: USENIX Association, 2019: 905-921.
[102] ALSAHEEL A, NAN Y H, MA S Q, et al. ATLAS: a sequence-based learning approach for attack investigation[C]// Proceedings of the 30th USENIX Security Symposium. Berkeley: USENIX Association, 2021: 1-18.
[103] ZONG B, XIAO X S, LI Z C, et al. Behavior query discovery in system-generated temporal graphs[C]// Proceedings of the VLDB Endowment. [S.l.]: VLDB Endowment, 2015: 240-251.
[104] PAN Y F, ZHOU T Y, ZHU J H, et al. Construction of APT attack semantic rules based on ATT&CK[J]. Journal of Cyber Security, 2021, 6(3): 77-90.
[105] YANG R Q, CHEN X T, XU H T, et al. RATScope: recording and reconstructing missing RAT semantic behaviors for forensic analysis on Windows[J]. IEEE Transactions on Dependable and Secure Computing, 2022, 19(3): 1621-1638.