基于诱捕的软件异常检测综述

doi:10.11959/j.issn.2096-109x.2022003

摘要/Abstract

摘要：

高级持续威胁（APT，advanced persistent threats）会使用漏洞实现攻击代码的自动加载和攻击行为的隐藏，并通过复用代码攻击绕过堆栈的不可执行限制，这是网络安全的重要威胁。传统的控制流完整性和地址随机化技术虽然有效抑制了APT的步伐，但软件的复杂性和攻击演化使软件仍存在被攻击的时间窗口。为此，以资源为诱饵的诱捕防御是确保网络安全的必要补充。诱捕机制包含诱饵设计和攻击检测两部分，通过感知与诱饵的交互行为，推断可能的未授权访问或者恶意攻击。针对文件、数据、代码3种诱饵类型，设计诱饵的自动构造方案并进行部署，从真实性、可检测性、诱惑性等方面对诱饵的有效程度进行度量。基于诱捕防御的勒索软件检测注重诱饵文件的部署位置，在漏洞检测领域，通过注入诱饵代码来检测代码复用攻击。介绍了在 APT 攻击各个阶段实施诱捕防御的相关研究工作，从诱饵类型、诱饵生成、诱饵部署、诱饵度量方面刻画了诱捕防御的机理；同时，剖析了诱捕防御在勒索软件检测、漏洞检测、Web安全方面的应用。针对现有的勒索软件检测研究在诱饵文件设计与部署方面的不足，提出了用于检测勒索软件的诱饵动态更新方法。讨论了诱捕防御面临的挑战，希望诱捕防御可以为发现未知攻击、溯源攻击意图提供理论和技术支持。

关键词: 高级持续威胁, 代码复用攻击, 控制流完整性, 地址随机化, 诱捕防御

Abstract:

Advanced persistent threats (APT) will use vulnerabilities to automatically load attack code and hide attack behavior, and exploits code reuse to bypass the non-executable stack ＆amp; heap protection, which is an essential threat to network security.Traditional control flow integrity and address space randomization technologies have effectively prevented the pace of APT.However, the complexity of the software and the evolution of attacks make the software still being vulnerable.For this reason, deception defense with resources as bait is an indispensable supplement for network security.The trapping mechanism consists of bait design and attack detection, which infer possible unauthorized access or malicious attacks by sensing the interaction behavior with the bait.According to the three types of bait, which are file, data and code, the automatic construction scheme of bait is designed and deployed, and the effectiveness of bait is measured from the aspects of believability, detectability and enticement, etc.Ransom ware detection based on deception defense focuses on the deployment location of bait files, and in the area of vulnerability detection, code reuse attacks are detected by injecting bait code.Research work related to the implementation of deception defense in each phase of APT attacks was introduced, and the mechanism of deception defense from bait type, bait generation, bait deployment, and bait measurement was described.Simultaneously, deception defense applications in ransom ware detection, vulnerability detection, and Web security were analyzed.In response to the shortcomings of existing ransom ware detection research in terms of bait file design and deployment, a dynamic update method of bait for ransom ware detection was proposed.The deception defense challenges were discussed and hoped that deception defense can provide theoretical and technical support for discovering unknown attacks and attack attribution.

Key words: advanced persistent threat, code reuse attack, control flow integrity, address randomization, deception defense

中图分类号:

TP393

傅建明, 刘畅, 解梦飞, 罗陈可. 基于诱捕的软件异常检测综述[J]. 网络与信息安全学报, 2022, 8(1): 15-29.

Jianming FU, Chang LIU, Mengfei XIE, Chenke LUO. Survey of software anomaly detection based on deception[J]. Chinese Journal of Network and Information Security, 2022, 8(1): 15-29.

图/表 6

图1

表1

图2

表2

图3

表3

参考文献 73

[1]	FORCE J T , INITIATIVE T . Security and privacy controls for federal information systems and organizations[J]. NIST Special Publication, 2013,800(53): 8-13.
[2]	MONIKA , ZAVARSKY P , LINDSKOG D . Experimental analysis of ransomware on windows and android platforms:evolution and characterization[J]. Procedia Computer Science, 2016,94: 465-472.
[3]	YE Y F , LI T , ADJEROH D ,et al. A survey on malware detection using data mining techniques[J]. ACM Computing Surveys, 2017,50(3): 1-40.
[4]	诸葛建伟, 唐勇, 韩心慧 ,等. 蜜罐技术研究与应用进展[J]. 软件学报, 2013,24(4): 825-842.
	ZHUGE J W , TANG Y , HAN X H ,et al. Honeypot technology re-search and application[J]. Journal of Software, 2013,24(4): 825-842.
[5]	杨德全, 刘卫民, 俞宙 . 基于蜜罐的主动防御应用研究[J]. 网络与信息安全学报, 2018,4(1): 57-62,78.
	YANG D Q , LIU W M , YU Z . Research on active defense applica-tion based on honeypot[J]. Chinese Journal of Network and Infor-mation Security, 2018,4(1): 57-62,78.
[6]	JAJODIA S , SUBRAHMANIAN V S , SWARUP V ,et al. Cyber deception[M]. Cham: Springer, 2016.
[7]	贾召鹏, 方滨兴, 刘潮歌 ,等. 网络欺骗技术综述[J]. 通信学报, 2017,38(12): 128-143.
	JIA Z P , FANG B X , LIU C G ,et al. Survey on cyber deception[J]. Journal on Communications, 2017,38(12): 128-143.
[8]	MILAJERDI S M , GJOMEMO R , ESHETE B ,et al. HOLMES:real-time APT detection through correlation of suspicious information flows[C]// Proceedings of 2019 IEEE Symposium on Security and Privacy (SP). 2019: 1137-1152.
[9]	FU J M , LI L , WANG Y J ,et al. Web scanner detection based on behavioral differences[M]// Communications in Computer and Information Science, 2019: 1-16.
[10]	JUELS A , RIVEST R L . Honeywords:making password-cracking detectable[C]// Proceedings of the 2013 ACM SIGSAC conference on Computer ＆ communications security. 2013: 145-160.
[11]	ARAUJO F , HAMLEN K W , BIEDERMANN S ,et al. From patches to honey-patches:lightweight attacker misdirection,deception,and disinformation[C]// Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. 2014: 942-953.
[12]	乔向东, 郭戎潇, 赵勇 . 代码复用对抗技术研究进展[J]. 网络与信息安全学报, 2018,4(3): 1-12.
	QIAO X D , GUO R X , ZHAO Y . Research progress in code reuse attacking and defending[J]. Chinese Journal of Network and Infor-mation Security, 2018,4(3): 1-12.
[13]	彭国军, 梁玉, 张焕国 ,等. 软件二进制代码重用技术综述[J]. 软件学报, 2017,28(8): 2026-2045.
	PENG G J , LIANG Y , ZHANG H G ,et al. Survey on software bi-nary code reuse technologies[J]. Journal of Software, 2017,28(8): 2026-2045.
[14]	梁玉, 傅建明, 彭国军 ,等. S-Tracker:基于栈异常的 Shellcode检测方法[J]. 华中科技大学学报(自然科学版), 2014,42(11): 39-46.
	LIANG Y , FU J M , PENG G J ,et al. S-Tracker:attribution of Shellcode exploiting stack[J]. Journal of Huazhong University of Science and Technology (Natural Science Edition), 2014,42(11): 39-46.
[15]	ABADI M , BUDIU M H , ERLINGSSON ú ,, et al . Control-flow integrity[C]// Proceedings of the 12th ACM conference on Computer and Communications Security. 2005: 340-353.
[16]	王丰峰, 张涛, 徐伟光 ,等. 进程控制流劫持攻击与防御技术综述[J]. 网络与信息安全学报, 2019,5(6): 10-20.
	WANG F F , ZHANG T , XU W G ,et al. Overview of control-flow hijacking attack and defense techniques for process[J]. Chinese Journal of Network and Information Security, 2019,5(6): 10-20.
[17]	SNOW K Z , MONROSE F , DAVI L ,et al. Just-in-time code reuse:on the effectiveness of fine-grained address space layout randomization[C]// Proceedings of 2013 IEEE Symposium on Security and Privacy. 2013: 574-588.
[18]	CRANE S , LARSEN P , BRUNTHALER S ,et al. Booby trapping software[C]// Proceedings of the 2013 Workshop on New Security Paradigms Workshop -NSPW'13. 2013: 95-106.
[19]	DING S , FU J M , PENG B C . ModuleGuard:a gatekeeper for dynamic module loading against malware[J]. Wuhan University Journal of Natural Sciences, 2013,18(6): 489-498.
[20]	GEN?Z A , LENZINI G , SGANDURRA D . On deception-based protection against cryptographic ransomware[M]// Detection of Intrusions and Malware,and Vulnerability Assessment. Cham: Springer, 2019: 219-239.
[21]	姚兰, 王新梅 . 基于欺骗的网络主动防御技术研究[J]. 国防科技大学学报, 2008,30(3): 65-69.
	YAO L , WANG X M . A study on the network active defense tech-nology based on deception[J]. Journal of National University of Defense Technology, 2008,30(3): 65-69.
[22]	WANG W , BICKFORD J , MURYNETS I ,et al. Detecting targeted attacks by multilayer deception[J]. Journal of Cyber Security and Mobility, 2013,2(2): 175-199.
[23]	刘秀文, 傅建明, 黎琳 ,等. 面向用户交互场景的信息欺骗分类及其威胁抑制机制[J]. 武汉大学学报(理学版), 2019,65(2): 126-138.
	LIU X W , FU J M , LI L ,et al. Taxonomy and threat suppression mechanism of user interactive scenario oriented information decep-tion attacks[J]. Journal of Wuhan University (Natural Science Edi-tion), 2019,65(2): 126-138.
[24]	LIAO X J , YUAN K , WANG X F ,et al. Acing the IOC game:toward automatic discovery and analysis of open-source cyber threat intelligence[C]// Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. 2016: 755-766.
[25]	SPITZNER L , . Honeypots:catching the insider threat[C]// Proceedings of 19th Annual Computer Security Applications Conference,2003. 2003: 170-179.
[26]	YUILL J , ZAPPE M , DENNING D ,et al. Honeyfiles:deceptive files for intrusion detection[C]// Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop,2004. 2004: 116-122.
[27]	BOWEN B M , HERSHKOP S , KEROMYTIS A D ,et al. Baiting inside attackers using decoy documents[M]// /Lecture Notes of the Institute for Computer Sciences,Social Informatics and Telecommunications Engineering. Berlin,Heidelberg: Springer Berlin Heidelberg, 2009: 51-70.
[28]	PARK Y , STOLFO S . Software-based decoy system for insider threats[C]// ASIACCS’12. 2012.
[29]	GUPTA P , SRINIVASAN B , BALASUBRAMANIYAN V ,et al. Phoneypot:data-driven understanding of telephony threats[C]// Proceedings of 2015 Network and Distributed System Security Symposium. 2015.
[30]	BALDUZZI M , GUPTA P , GU L ,et al. Mobipot:understanding mobile telephony threats with honeycards[C]// Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security. 2016: 723-734.
[31]	MEHNAZ S , MUDGERIKAR A , BERTINO E . RWGuard:A real-time detection system against cryptographic ransomware[M]// Research in Attacks,Intrusions,and Defenses. Cham: Springer, 2018: 114-136.
[32]	TAYLOR T , ARAUJO F , KOHLBRENNER A ,et al. Hidden in plain sight:filesystem view separation for data integrity and deception[M]// Detection of Intrusions and Malware,and Vulnerability Assessment. Cham: Springer, 2018: 256-278.
[33]	CRANE S J , VOLCKAERT S , SCHUSTER F ,et al. It's a TRaP:table randomization and protection against function-reuse attacks[C]// Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. 2015: 243-255.
[34]	CHEN X , BOS H , GIUFFRIDA C . CodeArmor:virtualizing the code space to counter disclosure attacks[C]// Proceedings of 2017 IEEE European Symposium on Security and Privacy (EuroS＆P). 2017: 514-529.
[35]	?ENYS A , RAINYS D , RADVILAVI?IUS L , ,et al. Implementation of honeytoken module in DBMS oracle 9ir2 enterprise edition for internal malicious activity detection[J]. IEEE Computer Society’s TC on Security and Privacy, 2005: 1-13.
[36]	WHITE J . Creating personally identifiable honeytokens[M]// Innovations and Advances in Computer Sciences and Engineering. Dordrecht: Springer Netherlands, 2009: 227-232.
[37]	BERCOVITCH M , RENFORD M , HASSON L ,et al. HoneyGen:an automated honeytokens generator[C]// Proceedings of 2011 IEEE International Conference on Intelligence and Security Informatics. IEEE, 2011: 131-136.
[38]	BEN SALEM M , STOLFO S J . Decoy document deployment for effective masquerade attack detection[M]// Detection of Intrusions and Malware,and Vulnerability Assessment. Berlin,Heidelberg: Springer, 2011: 35-54.
[39]	KHARRAZ A , ROBERTSON W , BALZAROTTI D ,et al. Cutting the gordian knot:A look under the hood of ransomware attacks[M]// Detection of Intrusions and Malware,and Vulnerability Assessment. Cham: Springer, 2015: 3-24.
[40]	MIRAMIRKHANI N , APPINI M P , NIKIFORAKIS N ,et al. Spotless sandboxes:evading malware analysis systems using wear-and-tear artifacts[C]// Proceedings of 2017 IEEE Symposium on Security and Privacy (SP). 2017: 1009-1024.
[41]	SCAIFE N , CARTER H , TRAYNOR P ,et al. CryptoLock (and drop it):stopping ransomware attacks on user data[C]// Proceedings of 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS). 2016: 303-312.
[42]	CONTINELLA A , GUAGNELLI A , ZINGARO G ,et al. ShieldFS:a self-healing,ransomware-aware filesystem[C]// Proceedings of the 32nd Annual Conference on Computer Security Applications. 2016: 336-347.
[43]	KHARRAZ A , KIRDA E . Redemption:real-time protection against ransomware at end-hosts[M]// Research in Attacks,Intrusions,and Defenses. Cham: Springer, 2017: 98-119.
[44]	KHARAZ A , ARSHAD S , MULLINER C ,et al. {UNVEIL}:A large-scale,automated approach to detecting ransomware[C]// Proceedings of 25th USENIX Security Symposium. 2016: 757-772.
[45]	GóMEZ-HERNáNDEZ J AL , LVAREZ-GONZáLEZ áL , GARCíA-TEODORO P , . R-Locker:thwarting ransomware action through a honeyfile-based approach[J]. Computers ＆ Security, 2018,73: 389-398.
[46]	LEE J , LEE J , HONG J M . How to make efficient decoy files for ransomware detection[C]// Proceedings of the International Conference on Research in Adaptive and Convergent Systems. 2017: 208-212.
[47]	EL-KOSAIRY A , AZER M A . Intrusion and ransomware detection system[C]// Proceedings of 2018 1st International Conference on Computer Applications ＆ Information Security (ICCAIS). 2018: 1-7.
[48]	VORIS J , SONG Y B , SALEM M B ,et al. Active authentication using file system decoys and user behavior modeling:results of a large scale study[J]. Computers ＆ Security, 2019,87:101412.
[49]	杨铮, 傅建明, 罗陈可 ,等. 一种基于诱饵文件的勒索软件及时检测方法[J]. 武汉大学学报(理学版), 2020,66(5): 473-482.
	YANG Z , FU J M , LUO C K ,et al. A method of timely detection of ransomware based on decoy file[J]. Journal of Wuhan University (Natural Science Edition), 2020,66(5): 473-482.
[50]	SZEKERES L , PAYER M , WEI T ,et al. SoK:eternal war in memory[C]// Proceedings of 2013 IEEE Symposium on Security and Privacy. 2013: 48-62.
[51]	SHACHAM H , . The geometry of innocent flesh on the bone:return-into-libc without function calls (on the x86)[C]// Proceedings of the 14th ACM Conference on Computer and Communications Security. 2007: 552-561.
[52]	BUCHANAN E , ROEMER R , SAVAGE S ,et al. Return-oriented programming:Exploitation without code injection[J]. Black Hat, 2008,8.
[53]	ROEMER R , BUCHANAN E , SHACHAM H ,et al. Return-oriented programming:systems,languages,and applications[J]. ACM Transactions on Information and System Security, 2012,15(1): 2.
[54]	BLETSCH T , JIANG X X , FREEH V W ,et al. Jump-oriented programming:a new class of code-reuse attack[C]// Proceedings of the 6th ACM Symposium on Information,Computer and Communications Security. 2011: 30-40.
[55]	SCHUSTER F , TENDYCK T , LIEBCHEN C ,et al. Counterfeit object-oriented programming:on the difficulty of preventing code reuse attacks in C++ applications[C]// Proceedings of 2015 IEEE Symposium on Security and Privacy. 2015: 745-762.
[56]	HU H , QIAN C X , YAGEMANN C ,et al. Enforcing unique code target property for control-flow integrity[C]// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 2018: 1470-1486.
[57]	XU X , GHAFFARINIA M , WANG W ,et al. {CONFIRM}:evaluating compatibility and relevance of control-flow integrity protections for modern software[C]// 28th USENIX Security Symposium. 2019: 1805-1821.
[58]	傅建明, 林艳, 刘秀文 ,等. 云计算环境下基于随机化的安全防御研究[J]. 计算机学报, 2018,41(6): 987-1004.
	FU J M , LIN Y , LIU X W ,et al. Survey of randomization defenses on cloud computing[J]. Chinese Journal of Computers, 2018,41(6): 987-1004.
[59]	SEIBERT J , OKHRAVI H , S?DERSTR?M E , . Information leaks without memory disclosures:remote side channel attacks on diversified code[C]// Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. 2014: 54-65.
[60]	傅建明, 刘秀文, 汤毅 ,等. 内存地址泄漏分析与防御[J]. 计算机研究与发展, 2016,53(8): 1829-1849.
	FU J M , LIU X W , TANG Y ,et al. Survey of memory address lea-kage and its defense[J]. Journal of Computer Research and Devel-opment, 2016,53(8): 1829-1849.
[61]	BIGELOW D , HOBSON T , RUDD R ,et al. Timely rerandomization for mitigating memory disclosures[C]// Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. 2015: 268-279.
[62]	CHEN Y , WANG Z , WHALLEY D ,et al. Remix:on-demand live randomization[C]// Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy. 2016: 50-61.
[63]	LU K J , NüRNBERGER S , BACKES M ,et al. How to make ASLR win the clone wars:runtime Re-randomization[C]// Proceedings of 2016 Network and Distributed System Security Symposium. Reston,VA:Internet Society, 2016.
[64]	WILLIAMS-KING D , GOBIESKI G , WILLIAMS-KING K ,et al. Shuffler:fast and deployable continuous code re-randomization[C]// Proceedings of 12th USENIX Symposium on Operating Systems Design and Implementation {OSDI}. 2016: 367-382.
[65]	HUANG X , YAN F , ZHANG L Q ,et al. HoneyGadget:A deception based ROP detection scheme[M]// Science of Cyber Security. Cham: Springer, 2019: 121-135.
[66]	HAN X , KHEIR N , BALZAROTTI D . Phisheye:live monitoring of sandboxed phishing kits[C]// Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. 2016: 1402-1413.
[67]	DEBLASIO J , SAVAGE S , VOELKER G M ,et al. Tripwire:Inferring internet site compromise[C]// Proceedings of the 2017 Internet Measurement Conference. 2017: 341-354.
[68]	QUINKERT F , LEONHARDT E , HOLZ T . Dorkpot:a honeypotbased analysis of google dorks[C]// Proceedings of the Workshop on Measurements,Attacks,and Defenses for the Web (MADWeb ‘19). 2019.
[69]	PA Y M P , SUZUKI S , YOSHIOKA K ,et al. IoTPOT:analysing the rise of IoT compromises[C]// USENIX WOOT 2015. 2015.
[70]	DANG F , LI Z H , LIU Y H ,et al. Understanding fileless attacks on linux-based IoT devices with HoneyCloud[C]// Proceedings of the 17th Annual International Conference on Mobile Systems,Applications,and Services. 2019: 482-493.
[71]	TIAN D J , BATES A , BUTLER K . Defending against malicious USB firmware with GoodUSB[C]// Proceedings of the 31st Annual Computer Security Applications Conference. 2015: 261-270.
[72]	XIE M F , FU J M , HE J ,et al. JTaint:finding privacy-leakage in chrome extensions[M]// Information Security and Privacy. 2020: 563-583.
[73]	CHEN Q , KAPRAVELOS A . Mystique:uncovering information leakage from browser extensions[C]// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 2018: 1687-1700.

诱饵	诱饵类型	使用方式	用途	备注
E-mail地址、登录凭证	Data	Remote	异常告警
HoneyFile	File+Data	Local+Remote	文件和数据非授权访问
Decoy-document	File+Data	Local+Remote	文件和数据非授权访问	Beacon
honeytable	Data	Remote	DB的非授权访问
Bogus-program	File+Data	Local+Remote	软件盗版	Beacon
HoneyWord	Data	Remote	口令猜测	口令
Honey-patches	Data	Remote	漏洞攻击重定向
Honey-pot、Mobipot	Data	Remote	钓鱼/推销电话	电话号码
R-locker	File	Local	勒索软件	管道
Trap、Codearmor	Code	Local	漏洞检测	ROP gadget虚假指针

诱饵文件	真实性	动态性	诱惑性	醒目性	无干扰	可检测性
RWGuard^[31]	√	×	√	√	×	√
DcyFS^[32]	√	√	√	√	×	√
UNVEIL^[44]	√	×	√	√	×	√
R-Locker^[45]	×	√	×	√	×	√
Decoy Files^[46]	√	×	×	√	√	√
IRDS^[47]	√	×	×	√	×	√
DDT^[48]	√	×	√	√	×	√
注：“√”表示工具满足该项指标，“×”表示不满足该项指标。

勒索软件家族（样本量）	平均已加密文件数
Reveton(102)	4.8
CoinVault(87)	0.0
Onion(115)	5.2
WannaCry(204)	0.0
Ryuk(48)	11.3
Sodinokibi(90)	0.6