Attack Detection Method Based on Indicator-dependent Model Construction and Monitoring
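Author biographies:

Wang Limin (born 1994), male, PhD candidate, CCF student member; main research interests: software analysis and system security. Bu Lei (born 1983), male, PhD, professor, doctoral supervisor, CCF senior member; main research interests: formal methods, and analysis and verification of complex software systems. Ma Lezhi (born 2000), male, PhD candidate, CCF student member; main research interests: software analysis and testing.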

Corresponding author:

Bu Lei, bulei@nju.edu.cn

Funding:

National Natural Science Foundation of China (62232008, 62172200); Jiangsu Province Frontier Leading Technology Basic Research Project (BK20202001)


Abstract:

As attack techniques continue to evolve, defense becomes increasingly difficult. To identify and block attacks in a timely and effective manner, academia and industry have proposed numerous detection-based defenses. Existing attack detection methods focus mainly on attack events and find attacks either by identifying attack signatures or by locating abnormal activities. These two approaches suffer from insufficient generalization and insufficient attack orientation, respectively, and are easily bypassed by carefully crafted attack variants, resulting in false negatives and false positives. However, it is observed that although an attack and its variants may use many different attack mechanisms to bypass some defenses and achieve the same attack purpose, the purpose itself does not change, so the impact of these attacks on the system remains similar. The system impact therefore does not grow in step with the large increase in attack methods. Based on this observation, an attack detection method based on an attack indicator-dependent model is proposed to handle attack variants more effectively. The proposed indicator-dependent model focuses on the impact on the system after a vulnerability is exploited rather than on the widely varying attack behaviors, and therefore generalizes better. Guided by the model, multi-level monitoring is further adopted to quickly capture and locate attack traces, ultimately achieving accurate detection of target attacks and their variants and effectively reducing the false alarm rate. The method is compared experimentally with existing detection methods based on attack event analysis, on a test set composed of the DARPA Transparent Computing program and typical APT attacks. The results show that, in the preset scenarios, the proposed method achieves a detection rate of 99.30% with an acceptable performance cost.

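Cite this article

Wang Limin, Bu Lei, Ma Lezhi, Yu Xiaofeng, Shen Ningguo. Attack Detection Method Based on Indicator-dependent Model Construction and Monitoring. Journal of Software, 2023, 34(6): 2641-2668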

History
  • Received: 2022-09-05
  • Last revised: 2022-12-14
  • Published online: 2023-01-13