一种基于同源行为分析的APT异常发现策略

doi:10.11959/j.issn.1000-0801.2016012

Abstract

Abstract:

As APT（advanced persistent threat）attacks are increasingly frequently,higher requirements for the detection of APT attacks were proposed.It was an effective method to early discover the attack behavior of APT based on homologous behavior analysis.Aiming at the problem of low efficiency of data authentication caused by excessive data,the historical behavior database with data label technology was established and the database was stored in the cloud.Relying on the Hadoop platform and the aggregate computing ability of MapReduce and the pseudorandom permutation technique,the whole traffic parallel detection of the network was realized.In order to determine whether there was a APT attack behavior,the detection of APT attacks was implemented by comparing the data labels in the database.Test results show that the proposed method can detect the abnormal behavior of APT from the network as soon as possibleand improve the efficiency of the whole data flow detection.

Key words: APT defense, homologous strategy, real-time detection, data label, pseudorandom permutation

Yihan YU,Yu FU,Xiaoping WU,Hongcheng LI. A discovery strategy for APT anomaly based on homologous behavior analysis[J]. Telecommunications Science, 2016, 32(1): 82-87.

Figures/Tables 5

References 10

[1]	CHEN P , DESMET L , HUYGENS C . A study on advanced persistent threats[C]// Proceedings of the 15th International Conference Conference on Communications and Multimedia Security, September 25-26, 2014, Aveiro,Portugal. Berlin: Springer Press, 2014: 56-73.
[2]	NIKOS V , DIMITRI G . The big four-what we did wrong in advanced persistent threat detection [C]// Proceedings of International Conference on Availability,Reliability and Security, September 2-6, 2013, Washington DC,USA. New Jersey: IEEE Press, 2013: 248-254.
[3]	YANG G M Z , TIAN Z H , DUAN W L . The prevent of advanced persistent threat[J]. Journal of Chemical and Pharmaceutical Research, 2015,6（1）:572-576.
[4]	杜跃进，翟立东，李跃，等. 一种应对APT 攻击的安全架构：异常发现[J]. 计算机研究与发展， 2014,7（7）:1633-1645. DU Y J , ZHAI L D , LI Y , et al. Security architecture to deal with APT attacks:abnormal discovery[J]. Journal of Computer Research and Development, 2014,7（7）:1633-1645.
[5]	李凤海，李爽，张佰龙，等. 高等级安全网络抗APT攻击方案研究[J]. 信息网络安全， 2014（9）:109-114. LI F H , LI S , ZHANG B L , et al. An anti-APT scheme research for high-security network[J]. Netinfo Security, 2014（9）:109-114.
[6]	COLE E . Advanced Persistent Threat:Understanding the Danger and How to Protect Your Organization[M]. Boca Raton: CRC Press, 2012:1-280.
[7]	郑黎明，邹鹏，贾焰，等. 网络流量异常检测中分类器的提取与训练方法研究[J]. 计算机学报， 2012（4）:719-729. ZHENG L M , ZOU P , JIA Y , et al. How to extract and train the classifier in traffic anomaly detection system[J]. Chinese Journal of Computers, 2012（4）:719-729.
[8]	许婷 . 一种有效防范APT攻击的网络安全架构[J]. 信息安全与通信保密， 2013（6）:65-67. XU T . A hierarchical-centralized network security architecture effectively preventing APT attacks[J]. China Information Security, 2012（4）:65-67.
[9]	SEJONG O , SEOG P . Task-role-based access control model[J]. Information System, 2003（28）:533-562.
[10]	张鸽 . 基于网络行为分析的跨站攻防技术的研究[D]. 郑州：解放军信息工程大学， 2012:46. ZHANG G . Analysis of offensive and defensive techniques cross station based on network behavior[D]. Zhengzhou: PLA Information Engineering University, 2012:46.

Metrics

Recommended 0

No Suggested Reading articles found!

历史同源行为文件大小/GB	实时同源行为文件大小/MB	基于本文策略对比验证耗时/ms	一般对比验证耗时/ms
1	0.1	122	4
	0.5	198	20
	1	278	45
	4	465	180
	16	745	645
4	0.1	319	17
	0.5	416	78
	1	678	204
	4	1 452	746
	16	1 671	2 559
16	0.1	1 467	72
	0.5	1 612	323
	1	2 788	852
	4	3 678	2 265
	16	4 121	9 743
64	0.1	2 678	345
	0.5	3 832	1 546
	1	5 897	3 567
	4	7 653	9 078
	16	13 234	45 342
512	0.1	3 456	3 423
	0.5	4 563	14 356
	1	6 784	26 789
	4	11 481	78 906
	16	18 145	401 456

实时同源行为文件大小/MB	误报率	漏报率
0.1	0	0
0.5	0	0
1	1%	0
4	1%	0
16	3%	0

A discovery strategy for APT anomaly based on homologous behavior analysis

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 5

References 10

Related Articles 0

Metrics

Recommended 0