基于系统溯源图的威胁发现与取证分析综述

doi:10.11959/j.issn.1000-436x.2022105

通信学报 ›› 2022, Vol. 43 ›› Issue (7): 172-188.doi: 10.11959/j.issn.1000-436x.2022105

基于系统溯源图的威胁发现与取证分析综述

冷涛¹^,²^,², 蔡利君¹, 于爱民¹^,², 朱子元¹^,², 马建刚¹, 李超飞¹^,², 牛瑞丞¹^,², 孟丹¹^,²

¹ 中国科学院信息工程研究所，北京 100093
² 中国科学院大学网络空间安全学院，北京 100049
³ 四川警察学院智能警务四川省重点实验室，四川泸州 646000

修回日期:2022-04-20 出版日期:2022-07-25 发布日期:2022-06-01
作者简介:冷涛（1986- ），男，四川合江人，中国科学院大学博士生，四川警察学院副教授，主要研究方向为APT攻击检测、取证分析
蔡利君（1988- ），女，河南汝南人，博士，中国科学院信息工程研究所助理研究员，主要研究方向为攻击检测、内部威胁检测
于爱民（1980- ），男，山西临汾人，博士，中国科学院信息工程研究所正高级工程师、博士生导师，主要研究方向为可信软件测评、基于大数据的行为异常检测
朱子元（1980- ），男，河南汝州人，博士，中国科学院信息工程研究所研究员、博士生导师，主要研究方向为处理器安全技术、系统安全理论与技术等
马建刚（1990- ），男，河北衡水人，中国科学院信息工程研究所高级工程师，主要研究方向为对抗网络高仿真、数据安全
李超飞（1994- ），男，河南汝州人，中国科学院大学博士生，主要研究方向为加密流量、深度学习等
牛瑞丞（1994- ），男，云南昆明人，中国科学院大学博士生，主要研究方向为恶意代码检测、深度学习等
孟丹（1965- ），男，黑龙江哈尔滨人，博士，中国科学院信息工程研究所所长、研究员、博士生导师，主要研究方向为计算机系统安全、云计算安全等
基金资助:
中科院战略性先导科技专项基金资助项目(XDC02040200);智能警务四川省重点实验室资助项目(ZNJW2022ZZQN002)

Review of threat discovery and forensic analysis based on system provenance graph

Tao LENG¹^,²^,², Lijun CAI¹, Aimin YU¹^,², Ziyuan ZHU¹^,², Jian’gang MA¹, Chaofei LI¹^,², Ruicheng NIU¹^,², Dan MENG¹^,²

¹ Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
² School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
³ Intelligent Policing Key Laboratory of Sichuan Province, Sichuan Police College, Luzhou 646000, China

Revised:2022-04-20 Online:2022-07-25 Published:2022-06-01
Supported by:
The Strategic Priority Research Program of Chinese Academy of Sciences(XDC02040200);Intelligent Po-licing Key Laboratory of Sichuan Province(ZNJW2022ZZQN002)

摘要/Abstract

摘要：

通过调研溯源图研究相关的文献，提出了基于系统溯源图的网络威胁发现和取证分析研究框架。详细综述了基于溯源图的数据采集、数据管理、数据查询和可视化方法；提出了基于规则、基于异常和基于学习的威胁检测分类方法；概括了基于威胁情报或基于战略、技术、过程驱动的威胁狩猎方法；总结了基于因果关系、序列学习、特殊领域语言查询和语义重建的取证分析方法；最后指出了未来的研究趋势。

关键词: 溯源图, 高级持续性威胁, 威胁发现, 取证分析, 图神经网络

Abstract:

By investigating works of literature related to provenance graph research, a research framework for network threat discovery and forensic analysis based on system-level provenance graph was proposed.A detailed overview of data collection, data management, data query, and visualization methods based on provenance graphs was provided.The rule-based, anomaly-based, and learning-based threat detection classification methods were proposed.Threats based on threat intelligence or based on strategy, technology, and process-driven threats hunting methods were summarized.Forensic analysis methods based on causality, sequence learning, language query and semantic reconstruction in special fields were summarized.Finally, the future research trends were pointed out.

Key words: provenance graph, advanced persistent threat, threat discovery, forensic analysis, graph neural network

中图分类号:

TP391

冷涛, 蔡利君, 于爱民, 朱子元, 马建刚, 李超飞, 牛瑞丞, 孟丹. 基于系统溯源图的威胁发现与取证分析综述[J]. 通信学报, 2022, 43(7): 172-188.

Tao LENG, Lijun CAI, Aimin YU, Ziyuan ZHU, Jian’gang MA, Chaofei LI, Ruicheng NIU, Dan MENG. Review of threat discovery and forensic analysis based on system provenance graph[J]. Journal on Communications, 2022, 43(7): 172-188.

图/表 7

图1

图2

图3

表1

表2

表3

表4

取证分析相关研究"

分类方法		文献	方法	案例研究	评价方案（结果）
	执行单元分区	Ma等^[31]	解析ETW日志为单元，执行后向追踪/前向追踪	错误配置，钓鱼攻击，信息泄露，间谍软件	有效性：匹配正确
		ProPatrol^[92]	应用程序执行单元分区（浏览器、邮件等客户端）	远程访问木马，挂马，CSRF and DNS 重定向，即时消息客户端	找出根源，给出还原的因果关系图
	污点分析	Morse^[46] Newsome等^[94] Yin等^[95]	标签传播，重构场景图入口点识别（后向查询），前向分析	Firefox 后门，浏览器扩展，恶意http请求，CCleaner，勒索软件，横向移动，内核恶意软件	给出攻击案例的溯源场景图（入口点和前向分析）
基于因果关系	记录和重放	RTAG^[26]	跨主机调查	6个攻击场景	信息流匹配事实真相（100%）
	模型推断	LDX^[97],MCI^[98]	代码双执行，MCI利用LDX	钓鱼邮件和伪装的FTP服务器利用InfoZip进行信息窃取	给出利用MCI模型生成的因果图
		PrioTracker^[55]	优先考虑异常依赖边前向追踪	3 个案例攻击图（数据窃取、钓鱼邮件、Shellshock后门）	给出缩减版前向溯源图
	通用溯源	NoDoze^[53]	考虑整个事件链条异常后向查询/前向查询	10 个攻击（数据窃取、Shellshock后门等）	完整性：通过溯源图能找到攻击依赖图的比率。生成精确的警告依赖图（1个88%，9个100%）
		OmegaLog^[22]	修改整个系统溯源图，增加app 日志顶点，形成富含语义、执行分区的通用溯源图	信息泄露攻击，钓鱼邮件	给出传统溯源图和基于OmegaLog的语义溯源图对比
基于序列学习		ATLAS^[102]	序列词法化，采样，序列嵌入，模型学习调查：攻击实体识别，关联攻击事件	10个攻击场景（单主机和跨主机2种场景），1个案例调查（Pony campaign）	实体识别和事件识别的精确率、召回率和 F1 值，案例调查给出恢复攻击序列和溯源图
		AIQL^[71]	AIQL查询语言	APT攻击（5个步骤）	完整攻击：查询次数、事件匹配、调查时间
基于特定领域语言查询		GrAALF^[47]	GrAALF查询语言	3个攻击调查案例（DARPA TC 3）	查询结果图
		APTrace^[56]	BDL查询语言	5 个攻击实例，其中钓鱼邮件和恶意Excel宏病毒作为攻击案例	攻击的分析时间，BDL查询语句，生成依赖图
		WATSON^[50]	上下文语义聚合抽象行为	4个数据集，其中DARPA TC 3 trace，恶意数据集（8个实例）调查案例：配置泄露，内容销毁	行为抽象：F1值为92.8%，精确率为92.8%，召回率为94.2%可视化总结行为实例的信息流
		OmegaLog^[22]	多层日志，执行分区	信息泄露攻击，钓鱼邮件	给出OmegaLog的语义溯源图
基于语义重建		UIScope^[33]	关联系统事件和UI事件	6个真实攻击（钓鱼邮件、远程代码执行、Office 宏病毒、基于凭证的攻击、水坑攻击、内部攻击）	判断是否找到入侵的根源（均正确），提供1个案例（远程代码执行）的溯源图
					1) 攻击取证有效性
		ALchemist^[23]	应用程序日志和系统审计	14个攻击实例（含DARPA TC）	审计级日志：精度为 92.8%，召回率为99.6%
				攻击案例调查：渗出攻击、Azazel攻击	应用级日志：精度为 97.7%，召回率为100%
					2) 攻击案例调查的ALchemist因果图

表4

参考文献 105

[1]	BINDE B E , MCCREE R , O’CONNOR T J , . Assessing outbound traffic to uncover advanced persistent threat[R]. 2011.
[2]	ESHETE B , GJOMEMO R , HOSSAIN M N ,et al. Attack analysis results for adversarial engagement 1 of the DARPA transparent computing program[J]. arXiv Preprint,arXiv:1610.06936, 2016.
[3]	HAN X Y , PASQUIER T , SELTZER M . Provenance-based intrusion detection:opportunities and challenges[C]// Proceedings of the 10th USENIX Conference on Theory and Practice of Provenance. Berkeley:USENIX Association, 2018: 1-3.
[4]	ZAFAR F , KHAN A , SUHAIL S ,et al. Trustworthy data:a survey,taxonomy and future trends of secure provenance schemes[J]. Journal of Network and Computer Applications, 2017,94: 50-68.
[5]	TAN C , WANG Q , WANG L N ,et al. Attack provenance tracing in cyberspace:solutions,challenges and future directions[J]. IEEE Network, 2019,33(2): 174-180.
[6]	LI Z Y , CHEN Q A , YANG R Q ,et al. Threat detection and investigation with system-level provenance graphs:a survey[J]. Computers ＆Security, 2021,106:102282.
[7]	潘亚峰, 朱俊虎, 周天阳 . APT 攻击场景重构方法综述[J]. 信息工程大学学报, 2021,22(1): 55-60,80.
	PAN Y F , ZHU J H , ZHOU T Y . Survey on APT attack scenario reconstruction methods[J]. Journal of Information Engineering University, 2021,22(1): 55-60,80.
[8]	KING S T , CHEN P M . Backtracking intrusions[C]// Proceedings of the 19th ACM Symposium on Operating Systems Principles. New York:ACM Press, 2003: 223-236.
[9]	蹇诗婕, 卢志刚, 杜丹 ,等. 网络入侵检测技术综述[J]. 信息安全学报, 2020,5(4): 96-122.
	JIAN S J , LU Z G , DU D ,et al. Overview of network intrusion detection technology[J]. Journal of Cyber Security, 2020,5(4): 96-122.
[10]	徐嘉涔, 王轶骏, 薛质 . 网络空间威胁狩猎的研究综述[J]. 通信技术, 2020,53(1): 1-8.
	XU J C , WANG Y J , XUE Z . Research on threat hunting in cyberspace[J]. Communications Technology, 2020,53(1): 1-8.
[11]	VALENTINA P . Practical threat intelligence and data-driven threat hunting[M]. Birmingham: Packt Publishing, 2021.
[12]	Secjuice. 5 types of threat hunting[EB]. 2021.
[13]	Secjuice. Breach detection-controlling dwell time is about much more than compliance[EB]. 2021.
[14]	CAN S , CAO P . Lineage file system[EB]. 2021.
[15]	MUNISWAMY-REDDY K K , HOLLAND D A , BRAUN U ,et al. Provenance-aware storage systems[C]// Proceedings of the Annual Conference on USENIX’06 Annual Technical Conference. Berkeley:USENIX Association, 2006: 43-56.
[16]	MUNISWAMY-REDDY K K , BRAUN U , HOLLAND D A ,et al. Layering in provenance systems[C]// Proceedings of the 2009 Conference on USENIX Annual Technical Conference. Berkeley:USENIX Association, 2009: 1-10.
[17]	GEHANI A , TARIQ D . SPADE:support for provenance auditing in distributed environments[C]// Lecture Notes in Computer Science. Berlin:Springer, 2012: 101-120.
[18]	POHLY D J , MCLAUGHLIN S , MCDANIEL P ,et al. Hi-Fi:collecting high-fidelity whole-system provenance[C]// Proceedings of the 28th Annual Computer Security Applications Conference. New York:ACM Press, 2012: 259-268.
[19]	BATES A , TIAN D J , BUTLER K R B ,et al. Trustworthy whole-system provenance for the linux kernel[C]// Proceedings of the 24th USENIX Security Symposium. Berkeley:USENIX Association, 2015: 319-334.
[20]	BATES A , BUTLER K , DOBRA A ,et al. Retrofitting applications with provenance-based security monitoring[J]. arXiv Preprint,arXiv:1609.00266, 2016.
[21]	PASQUIER T , HAN X Y , GOLDSTEIN M ,et al. Practical whole-system provenance capture[C]// Proceedings of the 2017 Symposium on Cloud Computing. New York:ACM Press, 2017: 405-418.
[22]	HASSAN W U , NOUREDDINE M A , DATTA P ,et al. OmegaLog:high-fidelity attack investigation via transparent multi-layer log analysis[C]// Proceedings of 2020 Network and Distributed System Security Symposium. Reston:Internet Society, 2020: 1-16.
[23]	YU L , MA S Q , ZHANG Z ,et al. ALchemist:fusing application and audit logs for precise attack provenance without instrumentation[C]// Proceedings of 2021 Network and Distributed System Security Symposium. Reston:Internet Society, 2021: 1-18.
[24]	XIE Y L , FENG D , LIAO X L ,et al. Efficient monitoring and forensic analysis via accurate network-attached provenance collection with minimal storage overhead[J]. Digital Investigation, 2018,26: 19-28.
[25]	HAAS S , SOMMER R , FISCHER M . Zeek-Osquery:host-network correlation for advanced monitoring and intrusion detection[C]// ICT Systems Security and Privacy Protection. Berlin:Springer, 2020: 248-262.
[26]	JI Y , LEE S , FAZZINI M ,et al. Enabling refinable cross-host attack investigation with efficient data flow tagging and tracking[C]// Proceedings of the 27th USENIX Security Symposium. Berkeley:USENIX Association, 2018: 1705-1722.
[27]	JI Y . Efficient and refinable attack investigation[D]. Atlanta:Georgia Institute of Technology, 2019.
[28]	LEE K H , ZHANG X , XU D Y . High accuracy attack provenance via binary-based execution partition[C]// Proceedings of the 20th Network and Distributed System Security Symposium (NDSS’13). Reston:Internet Society, 2013: 1-16.
[29]	MA S Q , ZHANG X Y , XU D Y . ProTracer:towards practical provenance tracing by alternating between logging and tainting[C]// Proceedings of 2016 Network and Distributed System Security Symposium. Reston:Internet Society, 2016: 1-15.
[30]	MA S Q , ZHAI J , WANG F ,et al. MPI:multiple perspective attack investigation with semantic aware execution partitioning[C]// Proceedings of the 26th USENIX Security Symposium. Berkeley:USENIX Association, 2017: 1111-1128.
[31]	MA S Q , LEE K H , KIM C H ,et al. Accurate,low cost and instrumentation-free security audit logging for windows[C]// Proceedings of the 31st Annual Computer Security Applications Conference. New York:ACM Press, 2015: 401-410.
[32]	LEE K H , ZHANG X Y , XU D Y . LogGC:garbage collecting audit log[C]// Proceedings of the 2013 ACM SIGSAC Conference on Computer ＆ Communications Security. New York:ACM Press, 2013: 1005-1016.
[33]	YANG R Q , MA S Q , XU H T ,et al. UIScope:accurate,instrumentation-free,and visible attack investigation for GUI applications[C]// Proceedings of 2020 Network and Distributed System Security Symposium. Reston:Internet Society, 2020: 1-18.
[34]	MANZOOR E , MILAJERDI S M , AKOGLU L . Fast memory-efficient anomaly detection in streaming heterogeneous graphs[C]// Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. New York:ACM Press, 2016: 1035-1044.
[35]	The CERT Division. Insider threat tools[EB]. 2018.
[36]	KENT A D . Comprehensive,multi-source cyber-security events data set[R]. 2015.
[37]	Transparent computing engagement 5 data release[EB]. 2019.
[38]	ANGELOS K . Transparent computing engagement 3 data release[EB]. 2018.
[39]	ANJUM M M , IQBAL S , HAMELIN B . Analyzing the usefulness of the DARPA OpTC dataset in cyber threat detection research[C]// Proceedings of the 26th ACM Symposium on Access Control Models and Technologies. New York:ACM Press, 2021: 27-32.
[40]	LI Z T , CHENG X , SUN L X ,et al. A hierarchical approach for advanced persistent threat detection with attention-based graph neural networks[J]. Security and Communication Networks,2021, 2021:9961342.
[41]	LI M , LI Q , XUAN G Z ,et al. Identifying compromised hosts under APT using DNS request sequences[J]. Journal of Parallel and Distributed Computing, 2021,152: 67-78.
[42]	LIU F C , WEN Y , ZHANG D X ,et al. Log2vec:a heterogeneous graph embedding based approach for detecting cyber threats within enterprise[C]// Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2019: 1777-1794.
[43]	LIU F C , WEN Y , WU Y N ,et al. MLTracer:malicious logins detection system via graph neural network[C]// Proceedings of 2020 IEEE 19th International Conference on Trust,Security and Privacy in Computing and Communications (TrustCom). Piscataway:IEEE Press, 2021: 715-726.
[44]	COCHRANE T , FOSTER P , CHHABRA V ,et al. SK-Tree:a systematic malware detection algorithm on streaming trees via the signature kernel[C]// Proceedings of 2021 IEEE International Conference on Cyber Security and Resilience. Piscataway:IEEE Press, 2021: 35-40.
[45]	HOSSAIN M N , MILAJERDI S M , WANG J ,et al. SLEUTH:Real-time attack scenario reconstruction from COTS audit data[C]// Proceedings of the 26th USENIX Security Symposium. Berkeley:USENIX Association, 2017: 487-504.
[46]	HOSSAIN M N , SHEIKHI S , SEKAR R . Combating dependence explosion in forensic analysis using alternative tag propagation semantics[C]// Proceedings of 2020 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2020: 1139-1155.
[47]	SETAYESHFAR O , ADKINS C , JONES M ,et al. GrAALF:supporting graphical analysis of audit logs for forensics[J]. Software Impacts, 2021,8:100068.
[48]	MILAJERDI S M , GJOMEMO R , ESHETE B ,et al. HOLMES:real-time APT detection through correlation of suspicious information flows[C]// Proceedings of 2019 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2019: 1137-1152.
[49]	HOSSAIN M N , WANG J , WEISSE O ,et al. Dependence-preserving data compaction for scalable forensic analysis[C]// Proceedings of the 27th USENIX Security Symposium. Berkeley:USENIX Association, 2018: 1723-1740.
[50]	ZENG J , CHUA Z L , CHEN Y F ,et al. WATSON:abstracting behaviors from audit logs via aggregation of contextual semantics[C]// Proceedings of 2021 Network and Distributed System Security Symposium. Reston:Internet Society, 2021: 1-18.
[51]	BERRADA G , CHENEY J , BENABDERRAHMANE S ,et al. A baseline for unsupervised advanced persistent threat detection in system-level provenance[J]. Future Generation Computer Systems, 2020,108: 401-413.
[52]	BENABDERRAHMANE S , BERRADA G , CHENEY J ,et al. A rule mining-based advanced persistent threats detection system[J]. arXiv Preprint,arXiv:2105.10053, 2021.
[53]	HASSAN W U , GUO S J , LI D ,et al. NoDoze:combatting threat alert fatigue with automated provenance triage[C]// Proceedings of 2019 Network and Distributed System Security Symposium. Reston:Internet Society, 2019: 1-15.
[54]	MYNENI S , CHOWDHARY A , SABUR A ,et al. DAPT 2020 - constructing a benchmark dataset for advanced persistent threats[C]// Deployable Machine Learning for Security Defense. Berlin:Springer, 2020: 138-163.
[55]	LIU Y S , ZHANG M , LI D ,et al. Towards a timely causality analysis for enterprise security[C]// Proceedings of 2018 Network and Distributed System Security Symposium. Reston:Internet Society, 2018: 1-15.
[56]	GUI J P , LI D , CHEN Z Z ,et al. APTrace:a responsive system for agile enterprise level causality analysis[C]// Proceedings of 2020 IEEE 36th International Conference on Data Engineering. Piscataway:IEEE Press, 2020: 1701-1712.
[57]	XU Z , WU Z Y , LI Z C ,et al. High fidelity data reduction for big data security dependency analyses[C]// Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2016: 504-516.
[58]	MICHAEL N , MINK J , LIU J ,et al. On the forensic validity of approximated audit logs[C]// Proceedings of Annual Computer Security Applications Conference. New York:ACM Press, 2020: 189-202.
[59]	TANG Y T , LI D , LI Z C ,et al. NodeMerge:template based efficient data reduction for big-data causality analysis[C]// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2018: 1324-1337.
[60]	HASSAN W U , BATES A , MARINO D . Tactical provenance analysis for endpoint detection and response systems[C]// Proceedings of 2020 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2020: 1172-1189.
[61]	FEI P , LI Z , WANG Z ,et al. SEAL:storage-efficient causality analysis on enterprise logs with query-friendly compression[C]// Proceedings of the 30th USENIX Security Symposium. Berkeley:USENIX Association, 2021: 2987-3004.
[62]	ZHU T T , WANG J Y , RUAN L Q ,et al. General,efficient,and real-time data compaction strategy for APT forensic analysis[J]. IEEE Transactions on Information Forensics and Security, 2021,16: 3312-3325.
[63]	GAO P , SHAO F , LIU X Y ,et al. A system for efficiently hunting for cyber threats in computer systems using threat intelligence[C]// Proceedings of 2021 IEEE 37th International Conference on Data Engineering. Piscataway:IEEE Press, 2021: 2705-2708.
[64]	MILAJERDI S M , ESHETE B , GJOMEMO R ,et al. POIROT:aligning attack behavior with kernel audit records for cyber threat hunting[C]// Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2019: 1795-1812.
[65]	HASSAN W U , LI D , JEE K ,et al. This is why we can’t cache nice things:lightning-fast threat hunting using suspicion-based hierarchical storage[C]// Proceedings of Annual Computer Security Applications Conference. New York:ACM Press, 2020: 165-178.
[66]	MA S Q , ZHAI J , KWON Y ,et al. Kernel-supported cost-effective audit logging for causality tracking[C]// Proceedings of the 2018 USENIX Conference on Usenix Annual Technical Conference. Berkeley:USENIX Association, 2018: 241-254.
[67]	XIE Y L , FENG D , TAN Z P ,et al. Unifying intrusion detection and forensic analysis via provenance awareness[J]. Future Generation Computer Systems, 2016,61: 26-36.
[68]	XIE Y L , FENG D , HU Y C ,et al. Pagoda:a hybrid approach to enable efficient real-time provenance based intrusion detection in big data environments[J]. IEEE Transactions on Dependable and Secure Computing, 2020,17(6): 1283-1296.
[69]	GAO P , XIAO X S , LI Z C ,et al. A query system for efficiently investigating complex attack behaviors for enterprise security[J]. arXiv Preprint,arXiv:1810.03464, 2018.
[70]	PASQUIER T , HAN X Y , MOYER T ,et al. Runtime analysis of whole-system provenance[C]// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2018: 1601-1616.
[71]	GAO P , XIAO X S , LI Z C ,et al. AIQL:enabling efficient attack investigation from system monitoring data[C]// Proceedings of 2018 USENIX Annual Technical Conference. Berkeley:USENIX Association, 2018: 113-126.
[72]	GAO P , XIAO X S , LI D . SAQL:a stream-based query system for real-time abnormal system behavior detection[C]// Proceedings of the 27th USENIX Security Symposium. Berkeley:USENIX Association, 2018: 639-656.
[73]	GAO P , SHAO F , LIU X Y ,et al. Enabling efficient cyber threat hunting with cyber threat intelligence[C]// Proceedings of 2021 IEEE 37th International Conference on Data Engineering. Piscataway:IEEE Press, 2021: 193-204.
[74]	GAO P , XIAO X S , LI D ,et al. Querying streaming system monitoring data for enterprise system anomaly detection[C]// Proceedings of 2020 IEEE 36th International Conference on Data Engineering. Piscataway:IEEE Press, 2020: 1774-1777.
[75]	XIONG C L , ZHU T T , DONG W H ,et al. Conan:a practical real-time APT detection system with high accuracy and efficiency[J]. IEEE Transactions on Dependable and Secure Computing, 2022,19(1): 551-565.
[76]	DING X , LIU B X , JIANG Z W ,et al. Spear phishing emails detection based on machine learning[C]// Proceedings of 2021 IEEE 24th International Conference on Computer Supported Cooperative Work in Design. Piscataway:IEEE Press, 2021: 354-359.
[77]	DAI J , SUN X Y , LIU P . Patrol:revealing zero-day attack paths through network-wide system object dependencies[C]// European Symposium on Research in Computer Security. Berlin:Springer, 2013: 536-555.
[78]	HAN X Y , PASQUIER T , RANJAN T ,et al. FRAPpuccino:Fault-detection through runtime analysis of provenance[C]// Proceedings of the 9th USENIX Conference on Hot Topics in Cloud Computing. Berkeley:USENIX Association, 2017: 1-18.
[79]	XIE Y L , WU Y F , FENG D ,et al. P-Gaussian:provenance-based Gaussian distribution for detecting intrusion behavior variants using high efficient and real time memory databases[J]. IEEE Transactions on Dependable and Secure Computing, 2021,18(6): 2658-2674.
[80]	HAN X Y , PASQUIER T , BATES A ,et al. Unicorn:runtime provenance-based detector for advanced persistent threats[C]// Proceedings of 2020 Network and Distributed System Security Symposium. Reston:Internet Society, 2020: 1-18.
[81]	SUN X Y , DAI J , LIU P ,et al. Using Bayesian networks for probabilistic identification of zero-day attack paths[J]. IEEE Transactions on Information Forensics and Security, 2018,13(10): 2506-2521.
[82]	HAN X Y , YU X , PASQUIER T ,et al. SIGL:securing software installations through deep graph learning[C]// Proceedings of the 30th USENIX Security Symposium. Berkeley:USENIX Association, 2021: 2345-2362.
[83]	AYOADE G , AKBAR K A , SAHOO P ,et al. Evolving advanced persistent threat detection using provenance graph and metric learning[C]// Proceedings of 2020 IEEE Conference on Communications and Network Security. Piscataway:IEEE Press, 2020: 1-9.
[84]	WANG Q , HASSAN W U , LI D ,et al. You are what you do:hunting stealthy malware via data provenance analysis[C]// Proceedings of 2020 Network and Distributed System Security Symposium. Reston:Internet Society, 2020: 1-17.
[85]	SATVAT K , GJOMEMO R , VENKATAKRISHNAN V N . Extractor:extracting attack behavior from threat reports[C]// 2021 IEEE European Symposium on Security and Privacy (EuroS＆P). Piscataway:IEEE Press, 2021: 598-615.
[86]	ZHAO J , YAN Q B , LIU X D ,et al. Cyber threat intelligence modeling based on heterogeneous graph convolutional network[C]// Proceedings of the 23rd International Symposium on Research in Attacks,Intrusions and Defenses. Berkeley:USENIX Association, 2020: 241-256.
[87]	GAO P , LIU X Y , CHOI E ,et al. A system for automated open-source threat intelligence gathering and management[C]// Proceedings of the 2021 International Conference on Management of Data. New York:ACM Press, 2021: 2716-2720.
[88]	WEI R Z , CAI L J , ZHAO L X ,et al. DeepHunter:a graph neural network based approach for robust cyber threat hunting[C]// Security and Privacy in Communication Networks. Berlin:Springer, 2021: 3-24.
[89]	NOEL S , HARLEY E , TAM K H ,et al. CyGraph:graph-based analytics and visualization for cybersecurity[J]. Handbook of Statistics, 2016,35: 117-167.
[90]	SHU X K , ARAUJO F , SCHALES D L ,et al. Threat intelligence computing[C]// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2018: 1883-1898.
[91]	KARUNA P , HEMBERG E , O’REILLY U M , ,et al. Automating cyber threat hunting using NLP,automated query generation,and genetic perturbation[J]. arXiv Preprint,arXiv:2104.11576, 2021.
[92]	MILAJERDI S M , ESHETE B , GJOMEMO R ,et al. ProPatrol:attack investigation via extracted high-level tasks[C]// Information Systems Security. Berlin:Springer, 2018: 107-126.
[93]	ALLEN J , YANG Z , LANDEN M ,et al. Mnemosyne:an effective and efficient postmortem watering hole attack investigation system[C]// Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2020: 787-802.
[94]	NEWSOME J , SONG D . Dynamic taint analysis for automatic detection,analysis,and signature generation of exploits on commodity software[C]// Proceedings of the Network and Distributed System Security Symposium. Reston:Internet Society, 2005: 1-17.
[95]	YIN H , SONG D , EGELE M ,et al. Panorama:capturing system-wide information flow for malware detection and analysis[C]// Proceedings of the 14th ACM Conference on Computer and Communications Security. New York:ACM Press, 2007: 116-127.
[96]	JI Y , LEE S , DOWNING E ,et al. RAIN:refinable attack investigation with on-demand inter-process information flow tracking[C]// Pro ceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2017: 377-390.
[97]	KWON Y , KIM D , SUMNER W N ,et al. LDX:causality inference by lightweight dual execution[C]// Proceedings of the 21st International Conference on Architectural Support for Programming Languages and Operating Systems. New York:ACM Press, 2016: 503-515.
[98]	KWON Y , WANG F , WANG W H ,et al. MCI:modeling-based causality inference in audit logging for attack investigation[C]// Proceedings of 2018 Network and Distributed System Security Symposium. Reston:Internet Society, 2018: 1-15.
[99]	PEI K X , GU Z S , SALTAFORMAGGIO B ,et al. HERCULE:attack story reconstruction via community discovery on correlated log graph[C]// Proceedings of the 32nd Annual Conference on Computer Security Applications. New York:ACM Press, 2016: 583-595.
[100]	SHEN Y , MARICONTI E , VERVIER P A ,et al. Tiresias:predicting security events through deep learning[C]// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2018: 592-605.
[101]	SHEN Y , STRINGHINI G . ATTACK2VEC:leveraging temporal word embeddings to understand the evolution of cyberattacks[C]// Proceedings of the 28th USENIX Security Symposium. Berkeley:USENIX Association, 2019: 905-921.
[102]	ALSAHEEL A , NAN Y H , MA S Q ,et al. ATLAS:a sequence-based learning approach for attack investigation[C]// Proceedings of the 30th USENIX Security Symposium. Berkeley:USENIX Association, 2021: 1-18.
[103]	ZONG B , XIAO X S , LI Z C ,et al. Behavior query discovery in system-generated temporal graphs[C]// Proceedings of the VLDB Endowment.[S.l.]: VLDB Endowment, 2015: 240-251.
[104]	潘亚峰, 周天阳, 朱俊虎 ,等. 基于ATT＆CK的APT攻击语义规则构建[J]. 信息安全学报, 2021,6(3): 77-90.
	PAN Y F , ZHOU T Y , ZHU J H ,et al. Construction of APT attack se-mantic rules based on ATT ＆ CK[J]. Journal of Cyber Security, 2021,6(3): 77-90.
[105]	YANG R Q , CHEN X T , XU H T ,et al. RATScope:recording and reconstructing missing RAT semantic behaviors for forensic analysis on windows[J]. IEEE Transactions on Dependable and Secure Computing, 2022,19(3): 1621-1638.

类型	文献	方法	缩减前与缩减后的比值
		CPR	1.27～3.56
	Xu等^[57]	CPR+PCAR	1.43～5.59
边缩减		CPR+PCAR+DOM	1.46～10.2
	FD-SD^[49]	完全依赖保留	4.46～91.5
		源依赖保留	4.54～122.5
顶点缩减	NodeMerge^[59]	基于模板	4.2～33.7
	Log^[32]	垃圾收集理念	0～77
图缩减	NoDoze^[53]	减掉普通行为	2
	Rapsheet^[60]	2个规则	1.5
图形压缩	SEAL^[61]	友好查询压缩	2.63～12.94
语义保留	GS-SS^[62]	维护全局语义压缩	4.36～13.18
		基于可疑语义压缩	7.86～26.99

方法	论文	检测内容	检测方法/模型	数据集	实时/离线
	SLEUTH^[45]	APT检测	溯源图标签+自定义策略规则	DARPA TC	实时
	Morse^[46]	APT检测（告警）	标签传播，自定义策略规则	DARPA TC	实时
基于规则	HOLMES^[48]	APT检测（多步）	Kill-chain，TTP	DARPA TC	实时
	POIROT^[64]	APT检测（告警）	图模式匹配	DARPA TC	离线
	SAQL^[72]	企业系统异常检测	基于规则查询	采集实时数据	实时
	Patrol^[77]	零日攻击路径	规则匹配	真实企业网络数据	实时
	SteamSpot^[34]	APT检测	聚类：异常分数	SteamSpot	实时
	Pagoda^[68]	检测进程	异常分数（路径异常+图异常）	17个正常和漏洞应用	实时
基于异常	SAQL^[72]	企业系统异常检测	统计异常：基于时间序列、不变值、离群值异常查询	采集实时数据	实时
	FRAPpuccino^[78]	PaaS错误检测	统计异常：时间窗口	CamFlow采集PaaS实例	实时
	P-Gaussian^[79]	检测入侵行为变体	统计异常：（基于证据的高斯分布）	17个正常和漏洞应用+DARPA APT trace	实时
	Unicorn^[80]	APT检测	聚类：图形草图聚类	DARPA TC，StreamSpot	实时
	ZePro^[81]	零日攻击路径	异常路径贝叶斯网络推理	CVE-2008-0166，CVE-2009-2692，CVE-2011-4089	实时
	Li等^[40]	APT检测	注意力图神经网络，深度自编码	LANL，streamspot	离线
基于学习	SIGL^[82]	安全软件安装	Graph LSTM深度自编码	NEC实验室数据	离线
	Ayoade等^[83]	零日攻击	在线度量学习，基于距离的学习	CamFlow采集攻击数据	实时
	ProvDetector^[84]	隐秘的恶意软件	图嵌入，局部离群因子	恶意样本（约15 000个）	实时

文献	实体类型及关系	提取方法	查询方法	数据集	实验评价
POIROT ^[64]	实体类型：进程、文	手动提取查询图	图对齐	MISP、	—
	件、套接字、管道等			STIX
	关系类型：系统调用
ThreatRaptor^[73]	实体类型：进程、文	利用spaCy自动提取IoC和	TBQL查询	DARPA TC3，	实体提取：精确率为 96%，召回率为
	件、套接字	IoC之间的关系，构建威胁		其他CVE案例	97.3%，F1值为96.64%
	关系类型：描述关系	行为图			关系提取：精确率为 96%，召回率为
					89%，F1值为92%
EXTRACTOR^[85]	实体类型：进程、文	自动提取攻击行为图	图对齐	非结构化真实	实体提取：精确率为 90%，召回率为
	件、套接字	实体提取：文本摘要		CTI 报告；	95.8%，F1值为92.8%
	关系类型：系统调用	关系提取：在依赖解析基		DARPATC（公	关系提取：精度为96%，召回率为94%，
		础上，考虑语义角色标签，对应系统审计日志		开数据集）；微软等CTI报告	F1值为95%
HINTI^[86]	实体类型：攻击者、漏	异构信息网络	图卷积网络	安全博客、黑	IoC 实体识别准确率为 98.59%，精确率
	洞、设备、平台、恶意	实体提取：Xpath提取、基		客论坛、cve	为98.72%，微观F1值为98.69%
	文件和攻击类型	于注意力的多粒度识别		数据库等
	关系类型：描述关系	关系提取：定义关系模板
SecurityKG^[87]	实体类型：威胁者、技	自动提取安全知识图	—	OSCTI报告	—
	术、工具、软件、多种类	实体提取：IoC 保护、CRF
	型的IoC	模型关系提取：依赖解析
	关系类型：文本描述

基于系统溯源图的威胁发现与取证分析综述

Review of threat discovery and forensic analysis based on system provenance graph

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 7

参考文献 105

相关文章 7

Metrics

推荐阅读 0

[1]	陈晋音, 熊海洋, 马浩男, 郑雅羽. 基于对比学习的图神经网络后门攻击防御方法[J]. 通信学报, 2023, 44(4): 154-166.
[2]	何世文, 袁军, 安振宇, 张敏, 黄永明, 张尧学. 基于图神经网络的联合用户调度与波束成形优化算法[J]. 通信学报, 2022, 43(7): 73-84.
[3]	吴翼腾, 刘伟, 于洪涛. 图神经网络的标签翻转对抗攻击[J]. 通信学报, 2021, 42(9): 65-74.
[4]	刁嘉文, 方滨兴, 崔翔, 王忠儒, 甘蕊灵, 冯林, 姜海. DNS隐蔽信道综述[J]. 通信学报, 2021, 42(5): 164-178.
[5]	刘晨曦, 王东, 陈慧玲, 李仁发. 多源异构数据融合的城市私家车流量预测研究[J]. 通信学报, 2021, 42(3): 54-64.
[6]	丁绍虎,齐宁,郭义伟. 基于M-FlipIt博弈模型的拟态防御策略评估[J]. 通信学报, 2020, 41(7): 186-194.
[7]	付钰，李洪成，吴晓平，王甲生. 基于大数据分析的APT攻击检测研究综述[J]. 通信学报, 2015, 36(11): 1-14.