冷涛 1,2,3, 蔡利君 1, 于爱民 1,2, 朱子元 1,2, 马建刚 1, 李超飞 1,2, 牛瑞丞 1,2, 孟丹 1,2
Author biographies:
冷涛 (Leng Tao, born 1986), male, from Hejiang, Sichuan; PhD candidate at the University of Chinese Academy of Sciences and associate professor at Sichuan Police College; main research interests: APT attack detection and forensic analysis.
蔡利君 (Cai Lijun, born 1988), male, from Runan, Henan; PhD, assistant researcher at the Institute of Information Engineering, Chinese Academy of Sciences; main research interests: attack detection and insider threat detection.
于爱民 (Yu Aimin, born 1980), male, from Linfen, Shanxi; PhD, professor-level senior engineer and doctoral supervisor at the Institute of Information Engineering, Chinese Academy of Sciences; main research interests: trusted software evaluation and big-data-based behavioural anomaly detection.
朱子元 (Zhu Ziyuan, born 1980), male, from Ruzhou, Henan; PhD, research professor and doctoral supervisor at the Institute of Information Engineering, Chinese Academy of Sciences; main research interests: processor security and system security theory and techniques.
[88] Wei R, Cai L, Yu A, et al. DeepHunter: A Graph Neural Network Based Approach for Robust Cyber Threat Hunting[EB/OL]. arXiv preprint arXiv:2104.09806, 2021.
[89] Noel S, Harley E, Tam K H, et al. CyGraph: graph-based analytics and visualization for cybersecurity[M]//Handbook of Statistics. Elsevier, 2016, 35: 117-167.
[90] Shu X, Araujo F, Schales D L, et al. Threat intelligence computing[C]//Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 2018: 1883-1898.
[91] Karuna P, Hemberg E, O'Reilly U M, et al. Automating Cyber Threat Hunting Using NLP, Automated Query Generation, and Genetic Perturbation[J]. arXiv preprint arXiv:2104.11576, 2021.
[92] Milajerdi S M, Eshete B, Gjomemo R, et al. ProPatrol: Attack investigation via extracted high-level tasks[C]//International Conference on Information Systems Security. Springer, Cham, 2018: 107-126.
[93] Allen J, Yang Z, Landen M, et al. Mnemosyne: An Effective and Efficient Postmortem Watering Hole Attack Investigation System[C]//Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. 2020: 787-802.
[94] Newsome J, Song D X. Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software[C]//NDSS. 2005, 5: 3-4.
[95] Yin H, Song D, Egele M, et al. Panorama: capturing system-wide information flow for malware detection and analysis[C]//Proceedings of the 14th ACM Conference on Computer and Communications Security. 2007: 116-127.
[96] Ji Y, Lee S, Downing E, et al. RAIN: Refinable attack investigation with on-demand inter-process information flow tracking[C]//Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 2017: 377-390.
[97] Kwon Y, Kim D, Sumner W N, et al. LDX: Causality inference by lightweight dual execution[C]//Proceedings of the Twenty-First International Conference on Architectural Support for Programming Languages and Operating Systems. 2016: 503-515.
[98] Kwon Y, Wang F, Wang W, et al. MCI: Modeling-based Causality Inference in Audit Logging for Attack Investigation[C]//NDSS. 2018.
[99] Pei K, Gu Z, Saltaformaggio B, et al. HERCULE: Attack story reconstruction via community discovery on correlated log graph[C]//Proceedings of the 32nd Annual Conference on Computer Security Applications. 2016: 583-595.
[100] Shen Y, Mariconti E, Vervier P A, et al. Tiresias: Predicting security events through deep learning[C]//Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 2018: 592-605.
[101] Shen Y, Stringhini G. Attack2vec: Leveraging temporal word embeddings to understand the evolution of cyberattacks[C]//28th USENIX Security Symposium (USENIX Security 19). 2019: 905-921.
[102] Alsaheel A, Nan Y, Ma S, et al. ATLAS: A Sequence-based Learning Approach for Attack Investigation[C]//30th USENIX Security Symposium (USENIX Security 21). 2021.
[103] Zong B, Xiao X, Li Z, et al. Behavior query discovery in system-generated temporal graphs[J]. arXiv preprint arXiv:1511.05911, 2015.
[104] 潘亚峰, 周天阳, 朱俊虎, 曾子懿. 基于 ATT&CK 的 APT 攻击语义规则构建[J]. 信息安全学报, 2021, 6(03): 77-90.
Pan Yafeng, Zhou Tianyang, Zhu Junhu, Zeng Ziyi. Semantic rule construction for APT attacks based on ATT&CK[J]. Journal of Information Security, 2021, 6(03): 77-90.
[105] Yang R, et al. RATScope: Recording and Reconstructing Missing RAT Semantic Behaviors for Forensic Analysis on Windows[J]. IEEE Transactions on Dependable and Secure Computing, 2020: 1-1.
[Author biographies]
《通信学报》
李超飞 (Li Caofei, born 1994), male, from Ruzhou, Henan; PhD candidate at the University of Chinese Academy of Sciences; main research interests: encrypted traffic and deep learning.
牛瑞丞 (Niu Ruicheng, born 1994), male, from Kunming, Yunnan; PhD candidate at the University of Chinese Academy of Sciences; main research interests: malware detection and deep learning.
孟丹 (Meng Dan, born 1965), male, from Heilongjiang; PhD, director, research professor and doctoral supervisor at the Institute of Information Engineering, Chinese Academy of Sciences; main research interests: computer system security and cloud computing security.
LENG Tao 1,2,3, CAI Lijun 1, YU Aimin 1,2, ZHU Ziyuan 1,2, MA Jiangang 1, LI Caofei 1,2, NIU Ruicheng 1,2, MENG Dan 1,2
Abstract: Based on a survey of the literature on provenance graphs, this paper proposes a research framework for cyber threat discovery and forensic analysis built on system-level provenance graphs. It reviews in detail provenance-graph-based methods for data collection, data management, data querying and visualization; proposes a classification of threat detection methods into rule-based, anomaly-based and learning-based approaches; summarizes threat hunting methods driven by threat intelligence or by tactics, techniques and procedures; sums up forensic analysis methods based on causality, sequence learning, domain-specific language queries and semantic reconstruction; and finally points out future research trends.
冷涛, 蔡利君, 于爱民, 朱子元, 马建刚, 李超飞, 牛瑞丞, 孟丹. 基于系统溯源图的威胁发现与取证分析综述[J]. 通信学报.
LENG Tao, CAI Lijun, YU Aimin, ZHU Ziyuan, MA Jiangang, LI Caofei, NIU Ruicheng, MENG Dan. A Review of Threat Discovery and Forensic Analysis Based on System-level Provenance Graphs[J]. Journal on Communications.
[1] Binde B E, McRee R, O'Connor T J. Assessing Outbound Traffic to Uncover Advanced Persistent Threat[R]. Maryland: SANS Technology Institute, 2011.
[2] Eshete B, Gjomemo R, Hossain M N, et al. Attack analysis results for adversarial engagement 1 of the DARPA transparent computing program[J]. arXiv preprint arXiv:1610.06936, 2016.
[3] Han X, Pasquier T, Seltzer M. Provenance-based intrusion detection: opportunities and challenges[C]//10th USENIX Workshop on the Theory and Practice of Provenance (TaPP 2018). 2018.
[4] Zafar F, Khan A, Suhail S, et al. Trustworthy data: A survey, taxonomy and future trends of secure provenance schemes[J]. Journal of Network and Computer Applications, 2017, 94: 50-68.
[5] Tan C, Wang Q, Wang L, et al. Attack Provenance Tracing in Cyberspace: Solutions, Challenges and Future Directions[J]. IEEE Network, 2018, 33(2): 174-180.
[6] Li Z, Chen Q A, Yang R, et al. Threat detection and investigation with system-level provenance graphs: a survey[J]. Computers & Security, 2021: 102282.
[7] 潘亚峰, 朱俊虎, 周天阳. APT 攻击场景重构方法综述[J]. 信息工程大学学报, 2021, 22(01): 55-60+80.
Pan Yafeng, Zhu Junhu, Zhou Tianyang. Overview of APT attack scenario reconstruction methods[J]. Journal of Information Engineering University, 2021, 22(01): 55-60+80.
[8] King S T, Chen P M. Backtracking intrusions[C]//Proceedings of the Nineteenth ACM Symposium on Operating Systems Principles. 2003: 223-236.
[9] 蹇诗婕, 卢志刚, 杜丹, 姜波, 刘宝旭. 网络入侵检测技术综述[J]. 信息安全学报, 2020, 5(04): 96-122.
Jian Shijie, Lu Zhigang, Du Dan, Jiang Bo, Liu Baoxu. A review of network intrusion detection techniques[J]. Journal of Information Security, 2020, 5(04): 96-122.
[10] 徐嘉涔, 王轶骏, 薛质. 网络空间威胁狩猎的研究综述[J]. 通信技术, 2020, 53(01): 1-8.
Xu Jiacen, Wang Yijun, Xue Zhi. A review of cyberspace threat hunting[J]. Communication Technology, 2020, 53(01): 1-8.
[11] Palacín V. Practical Threat Intelligence and Data-Driven Threat Hunting[M]. Packt Publishing, 2021: 398.
[12] secjuice. Breach Detection | Controlling Dwell Time Is About Much More Than Compliance[EB/OL]. http://medium.com/secjuice/controlling-dwell-time-its-about-much-more-than-compliance-23a2149e590e, 2021-07-10.
[13] secjuice. 5 TYPES OF THREAT HUNTING[EB/OL]. http://www.cybersecurity-insiders.com/5-types-of-threat-hunting/, 2021-07-10.
[14] Can Sar, Cao Pei. Lineage File System[EB/OL]. http://crypto.stanford.edu/~cao/lineage, 2021-07-10.
[15] Muniswamy-Reddy K K, Holland D A, Braun U, et al. Provenance-aware storage systems[C]//USENIX Annual Technical Conference, General Track. 2006: 43-56.
[16] Muniswamy-Reddy K K, Braun U J, Holland D A, et al. Layering in provenance systems[C]//Proceedings of the 2009 USENIX Annual Technical Conference (USENIX'09). USENIX Association, 2009.
[17] Gehani A, Tariq D. SPADE: Support for provenance auditing in distributed environments[C]//ACM/IFIP/USENIX International Conference on Distributed Systems Platforms and Open Distributed Processing. Springer, Berlin, Heidelberg, 2012: 101-120.
[18] Pohly D J, McLaughlin S, McDaniel P, et al. Hi-Fi: collecting high-fidelity whole-system provenance[C]//Proceedings of the 28th Annual Computer Security Applications Conference. 2012: 259-268.
[19] Bates A, Tian D J, Butler K R B, et al. Trustworthy whole-system provenance for the Linux kernel[C]//24th USENIX Security Symposium (USENIX Security 15). 2015: 319-334.
[20] Bates A, Butler K, Dobra A, et al. Retrofitting Applications with Provenance-Based Security Monitoring[J]. arXiv preprint arXiv:1609.00266, 2016.
[21] Pasquier T, Han X, Goldstein M, et al. Practical whole-system provenance capture[C]//Proceedings of the 2017 Symposium on Cloud Computing. 2017: 405-418.
[22] Hassan W U, Noureddine M A, Datta P, et al. OmegaLog: High-fidelity attack investigation via transparent multi-layer log analysis[C]//Network and Distributed System Security Symposium. 2020.
[23] Yu L, Ma S, Zhang Z, et al. ALchemist: Fusing Application and Audit Logs for Precise Attack Provenance without Instrumentation[J]. 2021.
[24] Xie Y, Feng D, Liao X, et al. Efficient monitoring and forensic analysis via accurate network-attached provenance collection with minimal storage overhead[J]. Digital Investigation, 2018, 26: 19-28.
[25] Haas S, Sommer R, Fischer M. Zeek-Osquery: Host-Network Correlation for Advanced Monitoring and Intrusion Detection[C]//IFIP International Conference on ICT Systems Security and Privacy Protection. Springer, Cham, 2020: 248-262.
[26] Ji Y, Lee S, Fazzini M, et al. Enabling refinable cross-host attack investigation with efficient data flow tagging and tracking[C]//27th USENIX Security Symposium (USENIX Security 18). 2018: 1705-1722.
[27] Ji Y. Efficient and refinable attack investigation[D]. Georgia Institute of Technology, 2019.
[28] Lee K H, Zhang X, Xu D. High Accuracy Attack Provenance via Binary-based Execution Partition[C]//NDSS. 2013.
[29] Ma S, Zhang X, Xu D. ProTracer: Towards Practical Provenance Tracing by Alternating Between Logging and Tainting[C]//NDSS. 2016.
[30] Ma S, Zhai J, Wang F, et al. MPI: Multiple perspective attack investigation with semantic aware execution partitioning[C]//26th USENIX Security Symposium (USENIX Security 17). 2017: 1111-1128.
[31] Ma S, Lee K H, Kim C H, et al. Accurate, low cost and instrumentation-free security audit logging for Windows[C]//Proceedings of the 31st Annual Computer Security Applications Conference. 2015: 401-410.
[32] Lee K H, Zhang X, Xu D. LogGC: garbage collecting audit log[C]//Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security. 2013: 1005-1016.
[33] Yang R, Ma S, Xu H, et al. UIScope: Accurate, instrumentation-free, and visible attack investigation for GUI applications[C]//Network and Distributed Systems Security Symposium. 2020.
[34] Manzoor E, Milajerdi S M, Akoglu L. Fast memory-efficient anomaly detection in streaming heterogeneous graphs[C]//Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. 2016: 1035-1044.
[35] The CERT Division. Insider Threat Tools[EB/OL]. http://www.cert.org/insider-threat/tools/, 2018.
[36] Kent A D. Comprehensive, multi-source cyber-security events data set[R]. Los Alamos National Lab. (LANL), Los Alamos, NM (United States), 2015.
[37] Transparent computing engagement 5 data release[EB/OL]. http://drive.google.com/drive/folders/1okt4AYElyBohW4XiOBqmsvjwXsnUjLVf, 2019.
[38] Keromytis A. Transparent computing engagement 3 data release[EB/OL]. http://github.com/darpa-i2o/Transparent-Computing, 2018.
[39] Anjum M M, Iqbal S, Hamelin B. Analyzing the Usefulness of the DARPA OpTC Dataset in Cyber Threat Detection Research[C]//Proceedings of the 26th ACM Symposium on Access Control Models and Technologies. 2021: 27-32.
[40] Li Z, Cheng X, Sun L, et al. A Hierarchical Approach for Advanced Persistent Threat Detection with Attention-Based Graph Neural Networks[J]. Security and Communication Networks, 2021, 2021.
[41] Li M, Li Q, Xuan G, et al. Identifying compromised hosts under APT using DNS request sequences[J]. Journal of Parallel and Distributed Computing, 2021, 152: 67-78.
[42] Liu F, Wen Y, Zhang D, et al. Log2vec: a heterogeneous graph embedding based approach for detecting cyber threats within enterprise[C]//Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. 2019: 1777-1794.
[43] Liu F, Wen Y, Wu Y, et al. MLTracer: Malicious Logins Detection System via Graph Neural Network[C]//2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom). IEEE, 2020: 715-726.
[44] Cochrane T, Foster P, Chhabra V, et al. SK-Tree: a systematic malware detection algorithm on streaming trees via the signature kernel[C]//2021 IEEE International Conference on Cyber Security and Resilience (CSR). IEEE, 2021: 35-40.
[45] Hossain M N, Milajerdi S M, Wang J, et al. SLEUTH: Real-time attack scenario reconstruction from COTS audit data[C]//26th USENIX Security Symposium (USENIX Security 17). 2017: 487-504.
[46] Hossain M N, Sheikhi S, Sekar R. Combating dependence explosion in forensic analysis using alternative tag propagation semantics[C]//2020 IEEE Symposium on Security and Privacy (SP). IEEE, 2020: 1139-1155.
[47] Setayeshfar O, Adkins C, Jones M, et al. GrAALF: Supporting graphical analysis of audit logs for forensics[J]. Software Impacts, 2021, 8: 100068.
[48] Milajerdi S M, Gjomemo R, Eshete B, et al. HOLMES: real-time APT detection through correlation of suspicious information flows[C]//2019 IEEE Symposium on Security and Privacy (SP). IEEE, 2019: 1137-1152.
[49] Hossain M N, Wang J, Weisse O, et al. Dependence-preserving data compaction for scalable forensic analysis[C]//27th USENIX Security Symposium (USENIX Security 18). 2018: 1723-1740.
[50] Zeng J, Chua Z L, Chen Y, et al. WATSON: Abstracting behaviors from audit logs via aggregation of contextual semantics[C]//Proceedings of the 28th Annual Network and Distributed System Security Symposium, NDSS. 2021.
[51] Berrada G, Cheney J, Benabderrahmane S, et al. A baseline for unsupervised advanced persistent threat detection in system-level provenance[J]. Future Generation Computer Systems, 2020, 108: 401-413.
[52] Benabderrahmane S, Berrada G, Cheney J, et al. A Rule Mining-Based Advanced Persistent Threats Detection System[J]. arXiv preprint arXiv:2105.10053, 2021.
[53] Hassan W U, Guo S, Li D, et al. NoDoze: Combatting threat alert fatigue with automated provenance triage[C]//Network and Distributed Systems Security Symposium. 2019.
[54] Myneni S, Chowdhary A, Sabur A, et al. DAPT 2020: constructing a benchmark dataset for advanced persistent threats[C]//International Workshop on Deployable Machine Learning for Security Defense. Springer, Cham, 2020: 138-163.
[55] Liu Y, Zhang M, Li D, et al. Towards a Timely Causality Analysis for Enterprise Security[C]//NDSS. 2018.
[56] Gui J, Li D, Chen Z, et al. APTrace: A Responsive System for Agile Enterprise Level Causality Analysis[C]//2020 IEEE 36th International Conference on Data Engineering (ICDE). IEEE, 2020: 1701-1712.
[57] Xu Z, Wu Z, Li Z, et al. High fidelity data reduction for big data security dependency analyses[C]//Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. 2016: 504-516.
[58] Michael N, Mink J, Liu J, et al. On the Forensic Validity of Approximated Audit Logs[C]//Annual Computer Security Applications Conference. 2020: 189-202.
[59] Tang Y, Li D, Li Z, et al. NodeMerge: Template based efficient data reduction for big-data causality analysis[C]//Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 2018: 1324-1337.
[60] Hassan W U, Bates A, Marino D. Tactical provenance analysis for endpoint detection and response systems[C]//2020 IEEE Symposium on Security and Privacy (SP). IEEE, 2020: 1172-1189.
[61] Fei P, Li Z, Wang Z, et al. SEAL: Storage-efficient Causality Analysis on Enterprise Logs with Query-friendly Compression[C]//30th USENIX Security Symposium (USENIX Security 21). 2021.
[62] Zhu T, Wang J, Ruan L, et al. General, Efficient, and Real-time Data Compaction Strategy for APT Forensic Analysis[J]. IEEE Transactions on Information Forensics and Security, 2021.
[63] Gao P, Shao F, Liu X, et al. A system for efficiently hunting for cyber threats in computer systems using threat intelligence[C]//2021 IEEE 37th International Conference on Data Engineering (ICDE). IEEE, 2021: 2705-2708.
[64] Milajerdi S M, Eshete B, Gjomemo R, et al. POIROT: Aligning attack behavior with kernel audit records for cyber threat hunting[C]//Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. 2019: 1795-1812.
[65] Hassan W U, Li D, Jee K, et al. This is Why We Can't Cache Nice Things: Lightning-Fast Threat Hunting using Suspicion-Based Hierarchical Storage[C]//Annual Computer Security Applications Conference. 2020: 165-178.
[66] Ma S, Zhai J, Kwon Y, et al. Kernel-supported cost-effective audit logging for causality tracking[C]//2018 USENIX Annual Technical Conference (USENIX ATC 18). 2018: 241-254.
[67] Xie Y, Feng D, Tan Z, et al. Unifying intrusion detection and forensic analysis via provenance awareness[J]. Future Generation Computer Systems, 2016, 61: 26-36.
[68] Xie Y, Feng D, Hu Y, et al. Pagoda: A hybrid approach to enable efficient real-time provenance based intrusion detection in big data environments[J]. IEEE Transactions on Dependable and Secure Computing, 2018, 17(6): 1283-1296.
[69] Gao P, Xiao X, Li Z, et al. A query system for efficiently investigating complex attack behaviors for enterprise security[J]. arXiv preprint arXiv:1810.03464, 2018.
[70] Pasquier T, Han X, Moyer T, et al. Runtime analysis of whole-system provenance[C]//Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 2018: 1601-1616.
[71] Gao P, Xiao X, Li Z, et al. AIQL: Enabling efficient attack investigation from system monitoring data[C]//2018 USENIX Annual Technical Conference (USENIX ATC 18). 2018: 113-126.
[72] Gao P, Xiao X, Li D, et al. SAQL: A stream-based query system for real-time abnormal system behavior detection[C]//27th USENIX Security Symposium (USENIX Security 18). 2018: 639-656.
[73] Gao P, Shao F, Liu X, et al. Enabling efficient cyber threat hunting with cyber threat intelligence[C]//2021 IEEE 37th International Conference on Data Engineering (ICDE). IEEE, 2021: 193-204.
[74] Gao P, Xiao X, Li D, et al. Querying Streaming System Monitoring Data for Enterprise System Anomaly Detection[C]//2020 IEEE 36th International Conference on Data Engineering (ICDE). IEEE, 2020: 1774-1777.
[75] Xiong C, Zhu T, Dong W, et al. CONAN: A practical real-time APT detection system with high accuracy and efficiency[J]. IEEE Transactions on Dependable and Secure Computing, 2020.
[76] Ding X, Liu B, Jiang Z, et al. Spear Phishing Emails Detection Based on Machine Learning[C]//2021 IEEE 24th International Conference on Computer Supported Cooperative Work in Design (CSCWD). IEEE, 2021: 354-359.
[77] Dai J, Sun X, Liu P. Patrol: Revealing zero-day attack paths through network-wide system object dependencies[C]//European Symposium on Research in Computer Security. Springer, Berlin, Heidelberg, 2013: 536-555.
[78] Han X, Pasquier T, Ranjan T, et al. FRAPpuccino: Fault-detection through runtime analysis of provenance[C]//9th USENIX Workshop on Hot Topics in Cloud Computing (HotCloud 17). 2017.
[79] Xie Y, Wu Y, Feng D, et al. P-Gaussian: Provenance-Based Gaussian Distribution for Detecting Intrusion Behavior Variants Using High Efficient and Real Time Memory Databases[J]. IEEE Transactions on Dependable and Secure Computing, 2019.
[80] Han X, Pasquier T, Bates A, et al. Unicorn: Runtime provenance-based detector for advanced persistent threats[EB/OL]. arXiv preprint arXiv:2001.01525, 2020.
[81] Sun X, Dai J, Liu P, et al. Using Bayesian networks for probabilistic identification of zero-day attack paths[J]. IEEE Transactions on Information Forensics and Security, 2018, 13(10): 2506-2521.
[82] Han X, Yu X, Pasquier T, et al. SIGL: Securing Software Installations Through Deep Graph Learning[C]//30th USENIX Security Symposium (USENIX Security 21). 2021.
[83] Ayoade G, Akbar K A, Sahoo P, et al. Evolving Advanced Persistent Threat Detection using Provenance Graph and Metric Learning[C]//2020 IEEE Conference on Communications and Network Security (CNS). IEEE, 2020: 1-9.
[84] Wang Q, Hassan W U, Li D, et al. You Are What You Do: Hunting Stealthy Malware via Data Provenance Analysis[C]//NDSS. 2020.
[85] Satvat K, Gjomemo R, Venkatakrishnan V N. EXTRACTOR: Extracting Attack Behavior from Threat Reports[J]. arXiv preprint arXiv:2104.08618, 2021.
[86] Zhao J, Yan Q, Liu X, et al. Cyber Threat Intelligence Modeling Based on Heterogeneous Graph Convolutional Network[C]//23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020). 2020: 241-256.
[87] Gao P, Liu X, Choi E, et al. A System for Automated Open-Source Threat Intelligence Gathering and Management[EB/OL]. arXiv preprint arXiv:2101.07769, 2021.
[93] Allen J, Yang Z, Landen M, et alAllen J, Yang Z, Landen M, et al. Mnemosyne: An Effective and . Mnemosyne: An Effective and Efficient Postmortem Watering Hole Attack Investigation Efficient Postmortem Watering Hole Attack Investigation SystemSystem[C]//[C]//Proceedings of the 2020 ACM SIGSAC Conference Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. 2020: 787on Computer and Communications Security. 2020: 787-802.802. [94] Newsome J, Song D X. Dynamic Taint Analysis for AutomaticNewsome J, Song D X. Dynamic Taint Analysis for Automatic Detection, Analysis, and SignatureGeneration of Exploits on Detection, Analysis, and SignatureGeneration of Exploits on Commodity SoftwareCommodity Software[C]//[C]//NDSS. 2005, 5: 3NDSS. 2005, 5: 3-4. [95] Yin H, Song D, Egele M, et al. Panorama: capturing systemYin H, Song D, Egele M, et al. Panorama: capturing system-wide wide information flow for malware detection and information flow for malware detection and analysisanalysis[C]//[C]//Proceedings of the 14th ACM confeProceedings of the 14th ACM conference on rence on Computer and communications security. 2007: 116Computer and communications security. 2007: 116-127.127. [96] Ji Y, Lee S, Downing E, et al. Rain: Refinable attack Ji Y, Lee S, Downing E, et al. Rain: Refinable attack investigation with oninvestigation with on-demand interdemand inter-process information flow process information flow tracking[C]//Proceedings of the 2017 ACM SIGSAC Conference tracking[C]//Proceedings of the 2017 ACM SIGSAC Conference on Computer and Commuon Computer and Communications Security. 2017: 377nications Security. 2017: 377-390.390. [97] Kwon Y, Kim D, Sumner W N, et al. Ldx: Causality inference by Kwon Y, Kim D, Sumner W N, et al. 
Ldx: Causality inference by lightweight dual executionlightweight dual execution[C]//[C]//Proceedings of the TwentyProceedings of the Twenty-First First International Conference on Architectural Support for International Conference on Architectural Support for Programming Languages and Operating SystemProgramming Languages and Operating Systems. 2016: 503s. 2016: 503-515.515. [98] Kwon Y, Wang F, Wang W, et al. MCI: ModelingKwon Y, Wang F, Wang W, et al. MCI: Modeling-based Causality based Causality Inference in Audit Logging for Attack InvestigationInference in Audit Logging for Attack Investigation[C]//[C]//NDSS. NDSS. 2018.2018. [99] Pei K, Gu Z, Saltaformaggio B, et al. Hercule: Attack story Pei K, Gu Z, Saltaformaggio B, et al. Hercule: Attack story reconstruction via community discovery on correlareconstruction via community discovery on correlated log ted log graphgraph[C]//[C]//Proceedings of the 32Nd Annual Conference on Proceedings of the 32Nd Annual Conference on Computer Security Applications. 2016: 583Computer Security Applications. 2016: 583-595.595. [100] Shen Y, Mariconti E, Vervier P A, et al. Tiresias: Predicting Shen Y, Mariconti E, Vervier P A, et al. Tiresias: Predicting security events through deep learningsecurity events through deep learning[C]//[C]//Proceedings of the Proceedings of the 2018 ACM SIGSAC Confere2018 ACM SIGSAC Conference on Computer and nce on Computer and Communications Security. 2018: 592Communications Security. 2018: 592-605.605. [101] Shen Y, Stringhini G. Attack2vec: Leveraging temporal word Shen Y, Stringhini G. Attack2vec: Leveraging temporal word embeddings to understand the evolution of cyberattacks embeddings to understand the evolution of cyberattacks[C]//[C]//28th 28th {USENIX} Security Symposium ({USENIX} Security 19). 2019: {USENIX} Security Symposium ({USENIX} Security 19). 2019: 905905-921.921. [102] AlsaheAlsaheel A, Nan Y, Ma S, et al. {ATLAS}: A Sequenceel A, Nan Y, Ma S, et al. 
{ATLAS}: A Sequence-based based Learning Approach for Attack Investigation[C]//30th {USENIX} Learning Approach for Attack Investigation[C]//30th {USENIX} Security Symposium ({USENIX} Security 21). 2021.Security Symposium ({USENIX} Security 21). 2021. [103] Zong B, Xiao X, Li Z, et al. Behavior query discovery in Zong B, Xiao X, Li Z, et al. Behavior query discovery in systemsystem-generated temporal graphs[generated temporal graphs[J].a].arXiv preprint rXiv preprint arXiv:1511.05911, 2015.arXiv:1511.05911, 2015. [104] 潘亚峰 ,周天阳 ,朱俊虎朱俊虎,曾子懿曾子懿.基于 ATT&CKATT&CK的 APTAPT攻击语 义规则构建义规则构建[J].[J].信息安全学报信息安全学报,2021,6(03):77,2021,6(03):77-90.90. Pan Yafeng,Zhou Tianyang,Zhu Junhu,Zeng Ziyi. Semantic rule Pan Yafeng,Zhou Tianyang,Zhu Junhu,Zeng Ziyi. Semantic rule construction for APT attacks based on ATT&CK[J]. Journal of construction for APT attacks based on ATT&CK[J]. Journal of Information Security,2021,6(03):7Information Security,2021,6(03):77-90.90. [105] R. Yang et al.RATScope: Recording and Reconstructing Missing R. Yang et al.RATScope: Recording and Reconstructing Missing RATRAT Semantic Behaviors for Forensic Analysis on Semantic Behaviors for Forensic Analysis on Windows[J]Windows[J].IEEE Trans. Dependable and Secure Comput..2020: IEEE Trans. Dependable and Secure Comput..2020: 1–1 [作者简介作者简介] 《通信学 |