基于网络通信异常识别的多步攻击检测方法

doi:10.11959/j.issn.1000-436x.2019142

Abstract

Abstract:

In view of the characteristics of internal fixed business logic,inbound and outbound network access behavior,two classes and four kinds of abnormal behaviors were defined firstly,and then a multi-step attack detection method was proposed based on network communication anomaly recognition.For abnormal sub-graphs and abnormal communication edges detection,graph-based anomaly analysis and wavelet analysis method were respectively proposed to identify abnormal behaviors in network communication,and detect multi-step attacks through anomaly correlation analysis.Experiments are carried out on the DARPA 2000 data set and LANL data set to verify the results.The experimental results show that the proposed method can effectively detect and reconstruct multi-step attack scenarios.The proposed method can effectively monitor multi-step attacks including unknown feature types.It provides a feasible idea for detecting complex multi-step attack patterns such as APT.And the network communication graph greatly reduces the data size,it is suitable for large-scale enterprise network environments.

Key words: multi-step attack, network anomaly, communication graph, wavelet analysis

CLC Number:

TP309

Ankang JU,Yuanbo GUO,Tao LI,Ziwei YE. Multi-step attack detection method based on network communication anomaly recognition[J]. Journal on Communications, 2019, 40(7): 57-66.

Figures/Tables 14

References 15

[16]	MCHUGH J . Testing intrusion detection systems:a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by lincoln laboratory[J]. ACM Transactions on Information and System Security, 2000,3(4): 262-294.
[17]	KENT A D . Cyber security data sources for dynamic network research[M]. World Scientific Publishing. 2016: 37-65
[18]	CSUBáK D , SZüCS K , V?R?S P ,et al. big data testbed for network attack detection[J]. Acta Polytechnica Hungarica, 2016,13(2): 47-57
[1]	NAVARRO J , DERUYVER A , PARREND P . A systematic survey on multi-step attack detection[J]. Computers ＆ Security, 2018,76(6): 214-249.
[2]	王莉 . 网络多步攻击识别方法研究[D]. 武汉:华中科技大学, 2007.
	WANG L . Study on method of network multi-stage attack plan recognition[D]. Wuhan:Huazhong University of Science and Technology, 2007.
[3]	GREGORIO-DE S I , BERK V H , GIANI A ,et al. Detection of complex cyber attacks[C]// Sensors,and Command,Control,Communications,and Intelligence (C3I) Technologies for Homeland Security and Homeland Defense V. International Society for Optics and Photonics, 2006: 6201-6209.
[4]	CHEN P , DESMET L , HUYGENS C . Study on advanced persistent threats[M]. Berlin: SpringerPress, 2014: 63-72.
[5]	MA Z , SMITH P . Determining risks from advanced multi-step attacks to critical information infrastructures[C]// International Workshop on Critical Information Infrastructures Security. Springer, 2013: 142-154.
[6]	HOLGADO P , VILLAGRA V A , VAZQUEZ L . Real-time multistep attack prediction based on hidden Markov models[J]. IEEE Transactions on Dependable ＆ Secure Computing, 2017,PP(99):1.
[7]	刘威歆, 郑康锋, 武斌 ,等. 基于攻击图的多源告警关联分析方法[J]. 通信学报, 2015,36(9): 135-144.
	LIU W X , ZHENG K D , WU B ,et al. Alert processing based on attack graph and multi-source analyzing[J]. Journal on Communications, 2015,36(9): 135-144.
[8]	ELSHOUSH H T , OSMAN I M . Alert correlation in collaborative intelligent intrusion detection systems-a survey[J]. Applied Soft Computing, 2011,11(7): 4349-4365.
[9]	WANG L , ISLAM T , LONG T ,et al. Attack graph-based probabilistic security metric[C]// XXII,IFIP WG 11.3 Working Conference on Data and Applications Security. DBLP, 2008: 283-296.
[10]	AKOGLU L , TONG H , KOUTRA D . Graph based anomaly detection and description:a survey[J]. Data Mining and Knowledge Discovery, 2015,29(3): 626-688.
[11]	HUTCHINS E M , CLOPPERT M J , AMIN R M . Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains[J]. Leading Issues in Information Warfare ＆ Security Research, 2011,1(1):80.
[12]	KIM Y H , PARK W H . A study on cyber threat prediction based on intrusion detection event for APT attack detection[J]. Multimedia Tools and Applications, 2014,71(2): 685-698.
[13]	NEIL J , HASH C , BRUGH A ,et al. Scan statistics for the onlinedetection of locally anomalous subgraphs[J]. Technometrics, 2013,55(4): 403-414.
[14]	NEIL J , STORLIE C . Statistical detection of intruders within computer networks using scan statistics[M]. London: Imperial College PressPress, 2014: 71-104.
[15]	钱叶魁, 陈鸣, 叶立新 ,等. 基于多尺度主成分分析的全网络异常检测方法[J]. 软件学报, 2012(2): 361-377.
	QIAN Y Q , CHEN M , YE L X ,et al. Network-wide anomaly detection method based on multiscale principal component analysis[J]. Journal of Software, 2012(2): 361-377.

Metrics

Recommended 0

No Suggested Reading articles found!

攻击阶段	阶段描述	异常通信特征
扫描探测	目标网络扫描探测，获取网络拓扑及漏洞信息	out-star
内网迁移	以Web服务器为立足点，逐步渗透侵入内部关键数据节点	k-path
建立通道	在内部数据节点与外部主机之间创建网络隧道	k-path
攻击达成	关键文件或数据通过各个跳板传输至外部站点	red-edge、in-star

数据来源	数据集名称简称
	DARPA1998 TCPDump数据集DARPA98 TCPDump
网络流量	DARPA 1999 TCPDump数据集DARPA99 TCPDump
	KDD99数据集KDD99
	10% KDD99数据集KDD99-10
	Internet Exploration Shootout Dataset IES
用户行为	Unix User DatasetUNIXDS
系统调用序列	DARPA 1998 BSM数据集DARPA98 BSM
	DARPA 1999 BSM数据集DARPA99 BSM
	University of New Mexico DatasetUNM

Multi-step attack detection method based on network communication anomaly recognition

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 14

References 15

Related Articles 4

Metrics

Recommended 0

[1]	Hao-pu YANG,Hui QIU,Kun WANG. Network security situation evaluation method for multi-step attack [J]. Journal on Communications, 2017, 38(1): 187-198.
[2]	. Neural network recognition algorithm of breath sounds based on SVM [J]. Journal on Communications, 2014, 35(10): 25-222.
[3]	Gou-dong LIU,Jing XU. Neural network recognition algorithm of breath sounds based on SVM [J]. Journal on Communications, 2014, 35(10): 218-222.
[4]	Hai-bin MEI,Jian GONG,Ming-hua ZHANG. Research on discovering multi-step attack patterns based on clustering IDS alert sequences [J]. Journal on Communications, 2011, 32(5): 63-69.