APT Attack Detection and Scenario Construction Based on a Classification Model
First published: 2019-12-27
Abstract: APT stands for Advanced Persistent Threat. Such attacks begin with social engineering and use sophisticated, targeted techniques to carry out long-term, focused intrusions against nations or influential organizations, with the goal of stealing information or destroying infrastructure. Because APT attacks by different groups have different characteristics, while attacks by the same group share certain similarities, detection needs to target the attack behaviour of a specific APT group. Starting from samples obtained from one APT group, this paper first selects the DNS, TCP and HTTP/HTTPS traffic produced during the attack and extracts traffic feature sequences from it, then uses the AdaBoostRF algorithm to classify normal and malicious traffic, yielding a classification state for each of the three traffic types. Finally, a causal knowledge kill chain model is used to build attack scenarios from the traffic nodes and state nodes, giving a finer-grained division of the C&C phase so that early malicious activity can be blocked at the DNS-connection or TCP-connection stage and data leakage prevented. In experiments, classifying the three traffic types with AdaBoostRF achieved F1 scores of 0.901, 0.893 and 0.947 respectively, and correlation produced 41 chains covering the successful C&C connection stage and beyond, showing that the method effectively detects this group's APT attacks.
Keywords: information security technology; traffic detection; AdaBoostRF; causal knowledge kill chain model
APT Attack Detection and Scenario Construction Based on a Classification Model
Abstract: APT stands for Advanced Persistent Threat. This kind of attack starts from social engineering and uses high-end, targeted means to penetrate states and influential organizations over a long period for the purpose of stealing information or destroying infrastructure. Because APT attacks of different organizations have different characteristics, and APT attacks of the same organization have certain similarities, it is necessary to detect the APT attack behaviour of a specific organization. This paper starts from APT samples obtained from one organization, first selects the DNS, TCP and HTTP/HTTPS traffic generated by the attack process to extract traffic feature sequences, and then uses the AdaBoostRF algorithm to classify normal and malicious traffic, obtaining a classification state for each of the three types of traffic. Finally, the causal knowledge kill chain model is used to construct attack scenarios from the traffic nodes and state nodes, obtaining a more detailed division of the C&C stage, so that early malicious activity can be blocked at the DNS connection or TCP connection stage and data leakage prevented. According to the experiments, the F1-scores of the AdaBoostRF algorithm on the above three types of traffic are 0.901, 0.893 and 0.947 respectively, and the scenario generation algorithm produced 41 chains belonging to the successful C&C connection stage and beyond. The method can therefore effectively detect the APT attacks of this organization.
Keywords: Information Security Technology; Flow Detection; AdaBoostRF; Causal Knowledge Kill Chain Model
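As an added illustration (not code from the paper), the scenario-construction step described in the abstract, reduced to its core: per-host flows labelled malicious by a classifier are linked along the assumed stage order DNS -> TCP -> HTTP/HTTPS within a time window, each chain is mapped to a C&C sub-stage, and the chains that reach the successful-connection stage are counted. The stage names, the 60-second window and the flow records are constructed assumptions, not values from the paper.

```python
"""Kill-chain scenario construction over classifier-labelled flows (constructed example)."""
from collections import defaultdict

# Assumed causal order of the C&C phase: resolve the C&C domain, connect, then beacon.
STAGES = ("DNS", "TCP", "HTTP")
WINDOW = 60  # seconds; assumed maximum gap between consecutive linked stages

# Constructed records: (timestamp, host, protocol, classifier label).
FLOWS = [
    (0, "h1", "DNS", "malicious"),
    (5, "h1", "TCP", "malicious"),
    (9, "h1", "HTTP", "malicious"),
    (0, "h2", "DNS", "malicious"),
    (300, "h2", "TCP", "malicious"),  # too far from the DNS event to be linked
    (1, "h3", "DNS", "normal"),       # classifier missed the resolution step
    (3, "h3", "TCP", "malicious"),
    (4, "h3", "HTTP", "malicious"),
]

def build_chains(flows, window=WINDOW):
    """Return (host, stages) chains: malicious flows of one host linked in STAGES order."""
    by_host = defaultdict(list)
    for ts, host, proto, label in sorted(flows):
        if label == "malicious" and proto in STAGES:
            by_host[host].append((ts, proto))
    chains = []
    for host, events in by_host.items():
        chain, last_ts = [], None
        for ts, proto in events:
            # Link only if this event is the next stage and falls inside the window.
            linked = bool(chain) and (STAGES.index(proto) == STAGES.index(chain[-1]) + 1
                                      and ts - last_ts <= window)
            if not linked:
                if chain:
                    chains.append((host, tuple(chain)))
                chain = []  # start a new chain from this event
            chain.append(proto)
            last_ts = ts
        if chain:
            chains.append((host, tuple(chain)))
    return chains

def cc_stage(chain):
    """Map a chain to an assumed C&C sub-stage; the last stage reached decides."""
    if "HTTP" in chain:
        return "C&C connection successful"
    return "C&C connection attempted" if "TCP" in chain else "C&C domain resolution"

def count_reaching(chains, stage):
    """Number of chains that reached the given stage (e.g. how many got to C&C beaconing)."""
    return sum(1 for _, stages in chains if stage in stages)
```

Chains whose last stage is DNS or TCP are the ones the abstract proposes to block before any beaconing; `earliest stage = chain[0]` tells a defender where in the sequence the first malicious signal appeared.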