Journal on Communications, 2022, Vol. 43, Issue 12: 66-76. DOI: 10.11959/j.issn.1000-436x.2022238
Lixia XIE1, Xueou LI1, Hongyu YANG1,2, Liang ZHANG1, Xiang CHENG4,5
Revised: 2022-11-01
Online: 2022-12-25
Published: 2022-12-01
About the author: Lixia XIE (born 1974), female, from Chongqing, PhD, professor at Civil Aviation University of China; her main research area is network and information security.
Abstract:
Existing advanced persistent threat (APT) attack detection methods generally lack awareness of the diversity of multi-stage traffic features in APT attacks, perform poorly on long-duration APT attack sequences, and have difficulty detecting multiple classes of potential APT attacks that are at different attack stages. To address these shortcomings, a multi-stage APT attack detection method based on sample feature reinforcement was proposed. First, according to the characteristics of APT attacks, malicious traffic was divided into different attack stages and APT attack identification sequences were constructed. Second, a sequence generative adversarial network was used to generate simulated identification sequences for the multiple stages of an APT attack, increasing the number of sequence samples for each stage so as to reinforce sample features and improve the diversity of multi-stage sample features. Finally, a multi-stage detection network model was proposed: using a multi-stage-aware attention mechanism, attention was computed between the extracted multi-stage traffic features and the identification sequence to obtain a stage feature vector, which was then concatenated with the identification sequence as auxiliary information, enhancing the detection model's awareness of different stages and improving detection accuracy. Experimental results show that the proposed method achieves good detection performance on two benchmark datasets and outperforms other models in detecting multiple classes of potential APT attacks.
Citation: Lixia XIE, Xueou LI, Hongyu YANG, Liang ZHANG, Xiang CHENG. Multi-stage detection method for APT attack based on sample feature reinforcement[J]. Journal on Communications, 2022, 43(12): 66-76.
Table 1 Some traffic features at different stages

| APT attack stage | Sent packets (count) | Received packets (count) | Destination port | Transfer time (s) | Sent data volume (count) |
|---|---|---|---|---|---|
| Reconnaissance | 306 | 509 | 9000 | 268 855 | 21 189 |
| | 106 | 104 | 80 | 450 907 | 10 327 |
| | 288 | 514 | 9000 | 357 079 | 17 044 |
| Establishing a foothold | 17 | 17 | 9003 | 44 446 | 1 536 |
| | 15 | 15 | 9003 | 44 103 | 1 310 |
| | 37 | 37 | 9003 | 110 140 | 3 706 |
| Lateral movement | 10 | 12 | 4444 | 78 313 266 | 429 |
| | 20 | 18 | 9002 | 10 524 518 | 2 222 |
| | 4 | 6 | 9000 | 8 148 840 | 441 |
| Information theft or system sabotage | 1 | 1 | 40310 | 3 494 | 0 |
| | 1 | 1 | 46400 | 3 692 | 0 |
| | 1 | 1 | 47274 | 3 546 | 0 |
| Continued attack or removal of attack traces | 1 | 1 | 59430 | 3 602 | 0 |
| | 1 | 1 | 59622 | 3 377 | 0 |
| | 1 | 1 | 40310 | 3 494 | 0 |
Table 3 Five classes of APT attack sequences

| APT attack sequence type | APT attack sequence |
|---|---|
| APT1 | [[49192, 443, 6, …, 0, 0], [46190, 9000, 268855, …, 269, 0], [68, 67, 17, 1…, -1, 0]] |
| APT2 | [[443, 50064, 6, …, 0, 0], [57296, 80, 450907, …, 57, 0], …, [58822, 53, 17, …, -1, 0]] |
| APT3 | [[45988, 9000, 357079, …, 269, 0], [443, 58188, 6, …, 0, 0], …, [48067, 53, 17, …, -1, 0]] |
| APT4 | [[46190, 9000, 268855, …, 269, 0], [54036, 9003, 44103, …, 0, 0], …, [60709, 53, 17, …, -1, 0]] |
| APT5 | [[57296, 80, 450907, …, 57, 0], [443, 39654, 6, …, 0, 0], …, [28643, 59622, 3377, …, 1, 1452]] |
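As an added worked example (not the paper's code), the following Python sketches the first and last steps described in the abstract: building a stage-labelled identification sequence from per-flow traffic features like those in Table 1, then computing a stage-aware attention of each sequence step over per-stage prototype features and concatenating the resulting stage vector with the step as auxiliary information. The stage-to-id mapping, the log1p feature scaling, the cosine-scored softmax attention with a temperature, and the constructed flow records (one row per stage copied from Table 1) are all assumptions made for illustration; the SeqGAN augmentation step and the trained detection network are not reproduced.

```python
import math
from typing import Dict, List, Tuple

# Attack stages in the order Table 1 lists them; the integer ids are an assumption.
STAGES = [
    "reconnaissance",
    "establish_foothold",
    "lateral_movement",
    "exfiltration_or_sabotage",
    "continue_or_cleanup",
]
# Per-flow features, matching the Table 1 columns.
FEATURES = ["sent_pkts", "recv_pkts", "dst_port", "duration_s", "sent_volume"]

# Constructed flow records: the first row of each Table 1 stage (illustration only).
FLOWS: List[Dict] = [
    {"stage": "reconnaissance", "sent_pkts": 306, "recv_pkts": 509,
     "dst_port": 9000, "duration_s": 268855, "sent_volume": 21189},
    {"stage": "establish_foothold", "sent_pkts": 17, "recv_pkts": 17,
     "dst_port": 9003, "duration_s": 44446, "sent_volume": 1536},
    {"stage": "lateral_movement", "sent_pkts": 10, "recv_pkts": 12,
     "dst_port": 4444, "duration_s": 78313266, "sent_volume": 429},
    {"stage": "exfiltration_or_sabotage", "sent_pkts": 1, "recv_pkts": 1,
     "dst_port": 40310, "duration_s": 3494, "sent_volume": 0},
    {"stage": "continue_or_cleanup", "sent_pkts": 1, "recv_pkts": 1,
     "dst_port": 59430, "duration_s": 3602, "sent_volume": 0},
]


def flow_vector(flow: Dict) -> List[float]:
    """Feature vector for one flow; log1p keeps day-long durations from
    swamping the packet counts (scaling choice is an assumption)."""
    return [math.log1p(float(flow[f])) for f in FEATURES]


def build_sequence(flows: List[Dict]) -> List[Tuple[int, List[float]]]:
    """Identification sequence: one (stage id, feature vector) step per flow,
    in the order the flows were observed."""
    return [(STAGES.index(f["stage"]), flow_vector(f)) for f in flows]


def stage_prototypes(flows: List[Dict]) -> Dict[str, List[float]]:
    """Per-stage mean feature vector; these stand in for the multi-stage
    traffic features that the attention step attends over."""
    sums: Dict[str, List[float]] = {}
    counts: Dict[str, int] = {}
    for f in flows:
        v = flow_vector(f)
        acc = sums.setdefault(f["stage"], [0.0] * len(v))
        for i, x in enumerate(v):
            acc[i] += x
        counts[f["stage"]] = counts.get(f["stage"], 0) + 1
    return {s: [x / counts[s] for x in acc] for s, acc in sums.items()}


def softmax(xs: List[float]) -> List[float]:
    m = max(xs)
    exps = [math.exp(x - m) for x in xs]
    total = sum(exps)
    return [e / total for e in exps]


def cosine(a: List[float], b: List[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def stage_attention(query: List[float], prototypes: Dict[str, List[float]],
                    temperature: float = 0.1) -> Tuple[Dict[str, float], List[float]]:
    """Attention of one sequence step over the stage prototypes: cosine scores
    divided by a temperature, softmax, then the weighted sum of prototypes is
    the stage feature vector."""
    names = [s for s in STAGES if s in prototypes]
    scores = [cosine(query, prototypes[s]) / temperature for s in names]
    weights = softmax(scores)
    dim = len(query)
    stage_vec = [sum(w * prototypes[s][j] for w, s in zip(weights, names))
                 for j in range(dim)]
    return dict(zip(names, weights)), stage_vec


def enrich_sequence(seq: List[Tuple[int, List[float]]],
                    prototypes: Dict[str, List[float]]) -> List[Dict]:
    """Concatenate each step's features with its attention-derived stage vector,
    i.e. the 'stage vector as auxiliary information' step of the abstract."""
    out = []
    for stage_id, vec in seq:
        weights, stage_vec = stage_attention(vec, prototypes)
        out.append({"stage_id": stage_id, "features": vec + stage_vec,
                    "attention": weights})
    return out


if __name__ == "__main__":
    enriched = enrich_sequence(build_sequence(FLOWS), stage_prototypes(FLOWS))
    for step in enriched:
        top = max(step["attention"], key=step["attention"].get)
        print(STAGES[step["stage_id"]], "->", top, round(step["attention"][top], 3))
```

Running it shows attention concentrating on the matching stage for reconnaissance, foothold and lateral movement, while the information-theft and trace-removal steps receive almost equal weight: their Table 1 flows are single-packet exchanges to high ports that the raw traffic features barely distinguish. That is exactly why the explicit stage identifier carried in the sequence adds information the flow features alone do not, and it is the kind of gap the paper's augmentation of per-stage samples is meant to address.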