一种基于同源行为分析的APT异常发现策略

doi:10.11959/j.issn.1000-0801.2016012

电信科学 ›› 2016, Vol. 32 ›› Issue (1): 82-87.doi: 10.11959/j.issn.1000-0801.2016012

一种基于同源行为分析的APT异常发现策略

俞艺涵,付钰,吴晓平,李洪成

海军工程大学信息安全系，湖北武汉430033

出版日期:2016-01-20 发布日期:2017-06-23
基金资助:
国家自然科学基金资助项目;湖北省自然科学基金资助项目;信息保障技术国防重点实验室基金资助项目

A discovery strategy for APT anomaly based on homologous behavior analysis

Yihan YU,Yu FU,Xiaoping WU,Hongcheng LI

Department of Information Security,Naval University of Engineering,Wuhan 430033,China

Online:2016-01-20 Published:2017-06-23
Supported by:
The National Natural Science Foundation of China;The Natrual Science Foudation of Hubei;Project of National Defense Key Laboratory of Information Security Technology

摘要/Abstract

摘要：

APT（advanced persistent threat）攻击的日益频繁对APT攻击行为的检测提出了更高的要求，对同源行为进行分析是尽早发现APT攻击行为的一种有效方法。针对数据量过大造成数据对比认证效率低下的难题，提出了借助数据标签技术，建立历史同源行为数据库，并将数据库存储到云端；依托Hadoop平台和MapReduce聚合计算能力，基于伪随机置换技术完成网络全流量并行检测，通过与数据库中的数据标签进行对比验证，来判断是否有APT攻击行为。测试结果表明，该方法可尽早从网络中发现APT异常行为，提高全数据流检测的效率。

关键词: APT防御, 同源策略, 实时检测, 数据标签, 伪随机置换

Abstract:

As APT（advanced persistent threat）attacks are increasingly frequently,higher requirements for the detection of APT attacks were proposed.It was an effective method to early discover the attack behavior of APT based on homologous behavior analysis.Aiming at the problem of low efficiency of data authentication caused by excessive data,the historical behavior database with data label technology was established and the database was stored in the cloud.Relying on the Hadoop platform and the aggregate computing ability of MapReduce and the pseudorandom permutation technique,the whole traffic parallel detection of the network was realized.In order to determine whether there was a APT attack behavior,the detection of APT attacks was implemented by comparing the data labels in the database.Test results show that the proposed method can detect the abnormal behavior of APT from the network as soon as possibleand improve the efficiency of the whole data flow detection.

Key words: APT defense, homologous strategy, real-time detection, data label, pseudorandom permutation

俞艺涵,付钰,吴晓平,李洪成. 一种基于同源行为分析的APT异常发现策略[J]. 电信科学, 2016, 32(1): 82-87.

Yihan YU,Yu FU,Xiaoping WU,Hongcheng LI. A discovery strategy for APT anomaly based on homologous behavior analysis[J]. Telecommunications Science, 2016, 32(1): 82-87.

图/表 5

图1

图2

图3

表1

表2

参考文献 10

[1]	CHEN P , DESMET L , HUYGENS C . A study on advanced persistent threats[C]// Proceedings of the 15th International Conference Conference on Communications and Multimedia Security, September 25-26, 2014, Aveiro,Portugal. Berlin: Springer Press, 2014: 56-73.
[2]	NIKOS V , DIMITRI G . The big four-what we did wrong in advanced persistent threat detection [C]// Proceedings of International Conference on Availability,Reliability and Security, September 2-6, 2013, Washington DC,USA. New Jersey: IEEE Press, 2013: 248-254.
[3]	YANG G M Z , TIAN Z H , DUAN W L . The prevent of advanced persistent threat[J]. Journal of Chemical and Pharmaceutical Research, 2015,6（1）:572-576.
[4]	杜跃进，翟立东，李跃，等. 一种应对APT 攻击的安全架构：异常发现[J]. 计算机研究与发展， 2014,7（7）:1633-1645. DU Y J , ZHAI L D , LI Y , et al. Security architecture to deal with APT attacks:abnormal discovery[J]. Journal of Computer Research and Development, 2014,7（7）:1633-1645.
[5]	李凤海，李爽，张佰龙，等. 高等级安全网络抗APT攻击方案研究[J]. 信息网络安全， 2014（9）:109-114. LI F H , LI S , ZHANG B L , et al. An anti-APT scheme research for high-security network[J]. Netinfo Security, 2014（9）:109-114.
[6]	COLE E . Advanced Persistent Threat:Understanding the Danger and How to Protect Your Organization[M]. Boca Raton: CRC Press, 2012:1-280.
[7]	郑黎明，邹鹏，贾焰，等. 网络流量异常检测中分类器的提取与训练方法研究[J]. 计算机学报， 2012（4）:719-729. ZHENG L M , ZOU P , JIA Y , et al. How to extract and train the classifier in traffic anomaly detection system[J]. Chinese Journal of Computers, 2012（4）:719-729.
[8]	许婷 . 一种有效防范APT攻击的网络安全架构[J]. 信息安全与通信保密， 2013（6）:65-67. XU T . A hierarchical-centralized network security architecture effectively preventing APT attacks[J]. China Information Security, 2012（4）:65-67.
[9]	SEJONG O , SEOG P . Task-role-based access control model[J]. Information System, 2003（28）:533-562.
[10]	张鸽 . 基于网络行为分析的跨站攻防技术的研究[D]. 郑州：解放军信息工程大学， 2012:46. ZHANG G . Analysis of offensive and defensive techniques cross station based on network behavior[D]. Zhengzhou: PLA Information Engineering University, 2012:46.

历史同源行为文件大小/GB	实时同源行为文件大小/MB	基于本文策略对比验证耗时/ms	一般对比验证耗时/ms
1	0.1	122	4
	0.5	198	20
	1	278	45
	4	465	180
	16	745	645
4	0.1	319	17
	0.5	416	78
	1	678	204
	4	1 452	746
	16	1 671	2 559
16	0.1	1 467	72
	0.5	1 612	323
	1	2 788	852
	4	3 678	2 265
	16	4 121	9 743
64	0.1	2 678	345
	0.5	3 832	1 546
	1	5 897	3 567
	4	7 653	9 078
	16	13 234	45 342
512	0.1	3 456	3 423
	0.5	4 563	14 356
	1	6 784	26 789
	4	11 481	78 906
	16	18 145	401 456

实时同源行为文件大小/MB	误报率	漏报率
0.1	0	0
0.5	0	0
1	1%	0
4	1%	0
16	3%	0

一种基于同源行为分析的APT异常发现策略

A discovery strategy for APT anomaly based on homologous behavior analysis

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 5

参考文献 10

相关文章 0

Metrics

推荐阅读 0