Chinese Journal of Network and Information Security ›› 2022, Vol. 8 ›› Issue (1): 15-29. doi: 10.11959/j.issn.2096-109x.2022003
Jianming FU1,2, Chang LIU1,2, Mengfei XIE1,2, Chenke LUO1,2
Revised:
2021-03-23
Online:
2022-02-15
Published:
2022-02-01
About the authors:
Jianming FU (born 1969), male, from Ningxiang, Hunan; Ph.D., professor and doctoral supervisor at Wuhan University; main research interests: system security and mobile security.
Supported by:
Abstract:
Advanced persistent threats (APT) use vulnerabilities to load attack code automatically and to hide attack behaviour, and they bypass the non-executable stack restriction through code-reuse attacks; this is a major threat to network security. Although traditional control-flow integrity and address randomization have effectively slowed the pace of APT, the complexity of software and the evolution of attacks mean that software still has a time window during which it can be attacked. Deception defense that uses resources as bait is therefore a necessary complement for ensuring network security. A deception mechanism consists of two parts, bait design and attack detection: by sensing interactions with the bait, it infers possible unauthorized access or malicious attacks. For the three bait types of file, data and code, schemes for automatic bait construction are designed and deployed, and the effectiveness of the bait is measured in terms of authenticity, detectability and attractiveness. Ransomware detection based on deception defense focuses on where bait files are deployed; in the field of vulnerability detection, bait code is injected to detect code-reuse attacks. This paper introduces related research on deploying deception defense at each stage of an APT attack, characterizes the mechanism of deception defense in terms of bait type, bait generation, bait deployment and bait measurement, and analyzes applications of deception defense in ransomware detection, vulnerability detection and Web security. Addressing the shortcomings of existing ransomware detection research in decoy file design and deployment, a dynamic decoy update method for detecting ransomware is proposed. Finally, the challenges facing deception defense are discussed, in the hope that deception defense can provide theoretical and technical support for discovering unknown attacks and tracing attack intent.
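The abstract describes deception-based ransomware detection as planting bait files and inferring an attack from any interaction with them. The following added example (not code from the paper or its authors) shows the minimal form of that mechanism: plausible low-entropy decoy files are deployed, a hash baseline is recorded, and a later check classifies each decoy as untouched, modified, encrypted (high-entropy rewrite) or deleted. Decoy names, content and the 7.0 bits/byte entropy threshold are assumptions of this example.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Decoy names that sort first and last in a directory listing, where a file-walking
# process tends to reach them early. Names and content are assumptions of this example.
DECOY_NAMES = ["00_passwords.docx", "zz_backup.xlsx"]
ENTROPY_ENCRYPTED = 7.0  # bits/byte; ciphertext is close to 8, plain text far below

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def deploy_decoys(root: Path) -> dict:
    """Plant plausible-looking, low-entropy decoys; return baseline {path: sha256}."""
    root.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name in DECOY_NAMES:
        # Constructed sample content; never real credentials or personal data.
        body = "\n".join(f"record {i}: contact{i}@example.com" for i in range(200)).encode()
        (root / name).write_bytes(body)
        baseline[str(root / name)] = hashlib.sha256(body).hexdigest()
    return baseline

def check_decoys(baseline: dict) -> list:
    """No legitimate process should touch a decoy, so any change is an alert."""
    alerts = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.exists():
            alerts.append((path, "deleted_or_renamed"))
            continue
        data = p.read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            # A rewrite that leaves near-random bytes behind is the signature of in-place encryption.
            kind = "encrypted" if shannon_entropy(data) > ENTROPY_ENCRYPTED else "modified"
            alerts.append((path, kind))
    return alerts

def run_scenario() -> dict:
    """Self-contained demo: clean baseline, then a simulated overwrite and a deletion."""
    root = Path(tempfile.mkdtemp())
    baseline = deploy_decoys(root)
    clean = check_decoys(baseline)
    (root / DECOY_NAMES[0]).write_bytes(os.urandom(4096))  # simulates an encrypted rewrite
    (root / DECOY_NAMES[1]).unlink()                        # simulates deletion
    return {"clean": clean, "after": check_decoys(baseline), "root": str(root)}
```

In a deployment the check would run from a file-system change notification rather than on demand, so that the alert fires on the first decoy touched instead of after the whole tree has been processed.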
CLC number:
Jianming FU, Chang LIU, Mengfei XIE, Chenke LUO. Survey of software anomaly detection based on deception[J]. Chinese Journal of Network and Information Security, 2022, 8(1): 15-29.
Table 1 Types, usages and uses of bait

| Bait | Bait type | Usage mode | Purpose | Note |
|---|---|---|---|---|
| E-mail address, login credential | Data | Remote | Anomaly alert | |
| HoneyFile | File+Data | Local+Remote | Unauthorized access to files and data | |
| Decoy-document | File+Data | Local+Remote | Unauthorized access to files and data | Beacon |
| honeytable | Data | Remote | Unauthorized DB access | |
| Bogus-program | File+Data | Local+Remote | Software piracy | Beacon |
| HoneyWord | Data | Remote | Password guessing | Password |
| Honey-patches | Data | Remote | Exploit redirection | |
| Honey-pot, Mobipot | Data | Remote | Phishing / telemarketing calls | Phone number |
| R-locker | File | Local | Ransomware | Pipe |
| Trap, Codearmor | Code | Local | Vulnerability detection | Fake ROP gadget pointers |