基于网络通信异常识别的多步攻击检测方法

doi:10.11959/j.issn.1000-436x.2019142

通信学报 ›› 2019, Vol. 40 ›› Issue (7): 57-66.doi: 10.11959/j.issn.1000-436x.2019142

基于网络通信异常识别的多步攻击检测方法

琚安康,郭渊博,李涛,叶子维

战略支援部队信息工程大学密码工程学院，河南郑州 450001

修回日期:2019-05-22 出版日期:2019-07-25 发布日期:2019-07-30
作者简介:琚安康（1995- ），男，河南辉县人，战略支援部队信息工程大学博士生，主要研究方向为多步攻击检测、异构安全数据融合。|郭渊博（1975- ），男，陕西周至人，博士，战略支援部队信息工程大学教授、博士生导师，主要研究方向为大数据安全、态势感知。|李涛（1992- ），男，甘肃甘谷人，战略支援部队信息工程大学博士生，主要研究方向为网络威胁语义建模。|叶子维（1990- ），男，吉林通化人，战略支援部队信息工程大学博士生，主要研究方向为网络安全、态势感知。
基金资助:
国家自然科学基金资助项目(61501515)

Multi-step attack detection method based on network communication anomaly recognition

Ankang JU,Yuanbo GUO,Tao LI,Ziwei YE

Department of Cryptogram Engineering,Strategic Support Force Information Engineering University,Zhengzhou 450001,China

Revised:2019-05-22 Online:2019-07-25 Published:2019-07-30
Supported by:
The National Natural Science Foundation of China(61501515)

摘要/Abstract

摘要：

针对企业内部业务逻辑固定、进出网络访问行为受控等特点，首先定义了2类共4种异常行为，然后提出了基于网络通信异常识别的多步攻击检测方法。针对异常子图和异常通信边2类异常，分别采用基于图的异常分析和小波分析方法识别网络通信过程中的异常行为，并通过异常关联分析检测多步攻击。分别在DARPA 2000数据集和LANL数据集上进行实验验证，实验结果表明，所提方法可以有效检测并重构出多步攻击场景。所提方法可有效监测包括未知特征攻击类型在内的多步攻击，为检测 APT 等复杂的多步攻击提供了一种可行思路，并且由于网络通信图大大减小了数据规模，因此适用于大规模企业网络环境。

关键词: 多步攻击, 网络异常, 通信子图, 小波变换

Abstract:

In view of the characteristics of internal fixed business logic,inbound and outbound network access behavior,two classes and four kinds of abnormal behaviors were defined firstly,and then a multi-step attack detection method was proposed based on network communication anomaly recognition.For abnormal sub-graphs and abnormal communication edges detection,graph-based anomaly analysis and wavelet analysis method were respectively proposed to identify abnormal behaviors in network communication,and detect multi-step attacks through anomaly correlation analysis.Experiments are carried out on the DARPA 2000 data set and LANL data set to verify the results.The experimental results show that the proposed method can effectively detect and reconstruct multi-step attack scenarios.The proposed method can effectively monitor multi-step attacks including unknown feature types.It provides a feasible idea for detecting complex multi-step attack patterns such as APT.And the network communication graph greatly reduces the data size,it is suitable for large-scale enterprise network environments.

Key words: multi-step attack, network anomaly, communication graph, wavelet analysis

中图分类号:

TP309

琚安康,郭渊博,李涛,叶子维. 基于网络通信异常识别的多步攻击检测方法[J]. 通信学报, 2019, 40(7): 57-66.

Ankang JU,Yuanbo GUO,Tao LI,Ziwei YE. Multi-step attack detection method based on network communication anomaly recognition[J]. Journal on Communications, 2019, 40(7): 57-66.

图/表 14

图1

图2

图3

表1

图4

表2

图5

图6

图7

图8

图9

图10

图11

图12

参考文献 15

[16]	MCHUGH J . Testing intrusion detection systems:a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by lincoln laboratory[J]. ACM Transactions on Information and System Security, 2000,3(4): 262-294.
[17]	KENT A D . Cyber security data sources for dynamic network research[M]. World Scientific Publishing. 2016: 37-65
[18]	CSUBáK D , SZüCS K , V?R?S P ,et al. big data testbed for network attack detection[J]. Acta Polytechnica Hungarica, 2016,13(2): 47-57
[1]	NAVARRO J , DERUYVER A , PARREND P . A systematic survey on multi-step attack detection[J]. Computers ＆ Security, 2018,76(6): 214-249.
[2]	王莉 . 网络多步攻击识别方法研究[D]. 武汉:华中科技大学, 2007.
	WANG L . Study on method of network multi-stage attack plan recognition[D]. Wuhan:Huazhong University of Science and Technology, 2007.
[3]	GREGORIO-DE S I , BERK V H , GIANI A ,et al. Detection of complex cyber attacks[C]// Sensors,and Command,Control,Communications,and Intelligence (C3I) Technologies for Homeland Security and Homeland Defense V. International Society for Optics and Photonics, 2006: 6201-6209.
[4]	CHEN P , DESMET L , HUYGENS C . Study on advanced persistent threats[M]. Berlin: SpringerPress, 2014: 63-72.
[5]	MA Z , SMITH P . Determining risks from advanced multi-step attacks to critical information infrastructures[C]// International Workshop on Critical Information Infrastructures Security. Springer, 2013: 142-154.
[6]	HOLGADO P , VILLAGRA V A , VAZQUEZ L . Real-time multistep attack prediction based on hidden Markov models[J]. IEEE Transactions on Dependable ＆ Secure Computing, 2017,PP(99):1.
[7]	刘威歆, 郑康锋, 武斌 ,等. 基于攻击图的多源告警关联分析方法[J]. 通信学报, 2015,36(9): 135-144.
	LIU W X , ZHENG K D , WU B ,et al. Alert processing based on attack graph and multi-source analyzing[J]. Journal on Communications, 2015,36(9): 135-144.
[8]	ELSHOUSH H T , OSMAN I M . Alert correlation in collaborative intelligent intrusion detection systems-a survey[J]. Applied Soft Computing, 2011,11(7): 4349-4365.
[9]	WANG L , ISLAM T , LONG T ,et al. Attack graph-based probabilistic security metric[C]// XXII,IFIP WG 11.3 Working Conference on Data and Applications Security. DBLP, 2008: 283-296.
[10]	AKOGLU L , TONG H , KOUTRA D . Graph based anomaly detection and description:a survey[J]. Data Mining and Knowledge Discovery, 2015,29(3): 626-688.
[11]	HUTCHINS E M , CLOPPERT M J , AMIN R M . Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains[J]. Leading Issues in Information Warfare ＆ Security Research, 2011,1(1):80.
[12]	KIM Y H , PARK W H . A study on cyber threat prediction based on intrusion detection event for APT attack detection[J]. Multimedia Tools and Applications, 2014,71(2): 685-698.
[13]	NEIL J , HASH C , BRUGH A ,et al. Scan statistics for the onlinedetection of locally anomalous subgraphs[J]. Technometrics, 2013,55(4): 403-414.
[14]	NEIL J , STORLIE C . Statistical detection of intruders within computer networks using scan statistics[M]. London: Imperial College PressPress, 2014: 71-104.
[15]	钱叶魁, 陈鸣, 叶立新 ,等. 基于多尺度主成分分析的全网络异常检测方法[J]. 软件学报, 2012(2): 361-377.
	QIAN Y Q , CHEN M , YE L X ,et al. Network-wide anomaly detection method based on multiscale principal component analysis[J]. Journal of Software, 2012(2): 361-377.

攻击阶段	阶段描述	异常通信特征
扫描探测	目标网络扫描探测，获取网络拓扑及漏洞信息	out-star
内网迁移	以Web服务器为立足点，逐步渗透侵入内部关键数据节点	k-path
建立通道	在内部数据节点与外部主机之间创建网络隧道	k-path
攻击达成	关键文件或数据通过各个跳板传输至外部站点	red-edge、in-star

数据来源	数据集名称简称
	DARPA1998 TCPDump数据集DARPA98 TCPDump
网络流量	DARPA 1999 TCPDump数据集DARPA99 TCPDump
	KDD99数据集KDD99
	10% KDD99数据集KDD99-10
	Internet Exploration Shootout Dataset IES
用户行为	Unix User DatasetUNIXDS
系统调用序列	DARPA 1998 BSM数据集DARPA98 BSM
	DARPA 1999 BSM数据集DARPA99 BSM
	University of New Mexico DatasetUNM

基于网络通信异常识别的多步攻击检测方法

Multi-step attack detection method based on network communication anomaly recognition

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 14

参考文献 15

相关文章 15

Metrics

推荐阅读 0

[1]	龙华, 黄张衡, 邵玉斌, 杜庆治, 苏树盟. 基于改进CFCC特征提取的语种识别算法研究[J]. 通信学报, 2022, 43(12): 211-221.
[2]	段雪源, 付钰, 王坤, 刘涛涛, 李彬. 基于多尺度特征的网络流量异常检测方法[J]. 通信学报, 2022, 43(10): 65-76.
[3]	任帅,王震,苏东旭,张弢,慕德俊. 基于三维模型贴图与结构数据的信息隐藏算法[J]. 通信学报, 2019, 40(5): 211-222.
[4]	朱祖勍,孔嘉伟,牛彬,唐绍飞,房红强,刘思祺. 基于深度学习的面向IP-over-EON的可编程跨层网络业务性能感知系统[J]. 通信学报, 2019, 40(11): 171-179.
[5]	牛盼盼,杨思宇,王丽,杨红颖,李丽,王向阳. 基于稳健特征点的平稳小波域数字水印算法[J]. 通信学报, 2019, 40(11): 187-198.
[6]	杨豪璞,邱辉,王坤. 面向多步攻击的网络安全态势评估方法[J]. 通信学报, 2017, 38(1): 187-198.
[7]	王尔馥,郑远硕,陈新武,刘晓珍. 语音信号的混沌遮掩及其正定盲提取算法[J]. 通信学报, 2016, 37(8): 191-198.
[8]	付明哲,王相海,宋传鸣. 基于3D混合树和视觉特性的视频可分级编码算法[J]. 通信学报, 2012, 33(11): 100-107.
[9]	夏楠,邱天爽,李景春. 基于锁相环和小波变换的PSK信号波特率估计[J]. 通信学报, 2012, 33(1): 96-101.
[10]	蔣铭,马兆丰,辛宇,钮心忻,杨义先. 基于DWT和视觉加权的图像质量评价方法研究[J]. 通信学报, 2011, 32(9): 129-136.
[11]	梅海彬,龚俭,张明华. 基于警报序列聚类的多步攻击模式发现研究[J]. 通信学报, 2011, 32(5): 63-69.
[12]	陈晓天,刘静娴. 改进的基于小波变换和FARIMA模型的网络流量预测算法[J]. 通信学报, 2011, 32(4): 153-157.
[13]	岑翼刚,陈晓方,岑丽辉,陈世明. 基于单层小波变换的压缩感知图像处理[J]. 通信学报, 2010, 31(8A): 52-55.
[14]	刘丽,彭代渊,李晓举. 适用于广播监视的安全视频水印方案[J]. 通信学报, 2009, 30(8): 51-55.
[15]	朱铁军,林亚平,周四望,徐小龙. 无线传感器网络中基于小波的自适应多模数据压缩算法[J]. 通信学报, 2009, 30(3): 48-53.