• Journal of the China Computer Federation
  • Chinese Science and Technology Core Journal
  • Chinese Core Journal

J4 ›› 2015, Vol. 37 ›› Issue (08): 1458-1464.

• Paper

Research on an APT attack-oriented detection model with association analysis

LI Jie, LOU Fang, JIN Yuquan, DONG Zhixin

  1. (Institute of Computer Application, China Academy of Engineering Physics, Mianyang 621900, Sichuan, China)
  • Received: 2014-08-15 Revised: 2014-10-11 Online: 2015-08-25 Published: 2015-08-25

Research on an APT attack-oriented detection model with association analysis

LI Jie,LOU Fang,JIN Yuquan,DONG Zhixin   

  1. (Institute of Computer Application,China Academy of Engineering Physics,Mianyang 621900,China)
  • Received:2014-08-15 Revised:2014-10-11 Online:2015-08-25 Published:2015-08-25

Abstract (translated from the Chinese):

In recent years, with the exposure of attacks by malware such as Flame, Duqu and Stuxnet, advanced persistent threat (APT) attacks have drawn broad attention. Compared with traditional attacks, APT attacks are targeted, persistent, stealthy and complex; they are highly destructive and their consequences are severe. However, because APT attack methods are diverse and highly stealthy, traditional protection mechanisms, including firewalls, antivirus software and intrusion detection, have difficulty discovering APT attacks, or discover them only after the attacker's goal has already been achieved. Based on a study of APT attack characteristics, an APT attack detection model is built. A time window is then set, the attack events produced by several attack detection methods are correlated by association analysis and path-matched against the APT attack detection model, and the matching degree of the attack path is used to judge whether an APT attack exists among the attacks on the system. Experiments show that, when the attack detection model is relatively complete, APT attacks can be detected with high accuracy.

Keywords: APT attack detection; association analysis; path matching; time window

Abstract:

As attacks by Flame, Duqu, Stuxnet and other malware have been reported in recent years, society as a whole has paid more attention to APT attacks. Compared with traditional attacks, APT attacks are more targeted, persistent, stealthy and complex; they are also destructive and can cause serious consequences. However, because APT attacks can be carried out in many ways and are deeply hidden, traditional defences, including firewalls, antivirus and IDS, can hardly discover them, or the attack goals have been reached long before detection. To address these problems, we design an APT attack detection model based on a study of the features of APT attacks. In addition, with a suitable time threshold, we conduct association analysis of the attacks detected by various detection methods, and the resulting attack paths are matched against the attack detection model. Based on the matching degree of the intrusion paths, we judge whether an APT attack is present. Experimental results show that with a relatively complete APT attack detection model, the detection precision for APT attacks is high.

Key words: APT attack detection; association analysis; path matching; time threshold
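To make the pipeline described in the abstract concrete, the following is an added example, not code from the paper (which publishes neither its model nor its data): a toy linear APT stage model, a hypothetical mapping from detector signatures to model stages, constructed alerts from a firewall, IDS, antivirus and DLP sensor, per-host correlation under a time window, and a matching degree computed as the longest model-ordered subsequence of the observed stages divided by the model length. The stage names, signature names, window and threshold are all assumptions made for illustration.

```python
"""Toy APT detection by time-windowed correlation and path matching.

Constructed example, not the paper's model. Everything below (stages,
signature-to-stage mapping, alerts, window, threshold) is assumed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical linear APT stage model (an ordered attack path).
APT_MODEL = ["recon", "exploit", "c2", "lateral", "exfil"]

# Hypothetical mapping from (detector, signature) to a model stage.
STAGE_MAP = {
    ("firewall", "portscan"): "recon",
    ("ids", "exploit_attempt"): "exploit",
    ("av", "dropper_detected"): "exploit",
    ("ids", "beacon"): "c2",
    ("ids", "smb_lateral"): "lateral",
    ("dlp", "large_upload"): "exfil",
}


@dataclass(frozen=True)
class Alert:
    ts: int          # seconds since an arbitrary epoch
    host: str
    detector: str
    signature: str


# Constructed sample alerts from several detectors (not real data).
SAMPLE_ALERTS = [
    Alert(0, "ws-17", "firewall", "portscan"),
    Alert(100, "ws-02", "firewall", "portscan"),
    Alert(200, "ws-02", "ids", "exploit_attempt"),
    Alert(300, "ws-09", "av", "pua"),              # unmapped signature
    Alert(600, "ws-17", "ids", "exploit_attempt"),
    Alert(700, "ws-17", "av", "dropper_detected"),  # same stage as previous
    Alert(3000, "ws-17", "ids", "beacon"),
    Alert(5000, "ws-17", "ids", "smb_lateral"),
    Alert(7000, "ws-17", "dlp", "large_upload"),
    Alert(50000, "ws-02", "ids", "beacon"),         # far outside any window
]


def correlate(alerts, window):
    """Association step: per host, chain alerts whose successive gaps are <= window."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        by_host[a.host].append(a)
    chains = []
    for seq in by_host.values():
        chain = [seq[0]]
        for a in seq[1:]:
            if a.ts - chain[-1].ts <= window:
                chain.append(a)
            else:
                chains.append(chain)
                chain = [a]
        chains.append(chain)
    return chains


def to_path(chain):
    """Map a chain to the ordered model stages it touches, collapsing repeats."""
    path = []
    for a in chain:
        stage = STAGE_MAP.get((a.detector, a.signature))
        if stage is not None and (not path or path[-1] != stage):
            path.append(stage)
    return path


def match_degree(path, model=APT_MODEL):
    """Path matching: longest subsequence of path in model order / model length."""
    idx = [model.index(s) for s in path if s in model]
    if not idx:
        return 0.0
    best = [1] * len(idx)                 # O(n^2) longest increasing subsequence
    for k in range(len(idx)):
        for m in range(k):
            if idx[m] < idx[k]:
                best[k] = max(best[k], best[m] + 1)
    return max(best) / len(model)


def detect(alerts, window, threshold=0.6):
    """Run correlation, path mapping and matching; flag chains above threshold."""
    results = []
    for chain in correlate(alerts, window):
        path = to_path(chain)
        degree = match_degree(path)
        results.append({"host": chain[0].host, "start": chain[0].ts,
                        "path": path, "degree": degree,
                        "apt": degree >= threshold})
    return results


if __name__ == "__main__":
    for r in detect(SAMPLE_ALERTS, window=3600):
        print(r)
```

Two properties of the abstract's method show up directly in this toy: the window is the knob that decides whether a slow campaign is seen as one path or as unrelated fragments (shrinking it to 1000 s below splits the ws-17 chain and nothing is flagged), and the matching degree depends on how complete the stage model is, since any alert whose signature has no stage mapping contributes nothing to the path.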