面向APT攻击的关联分析检测模型研究

J4 ›› 2015, Vol. 37 ›› Issue (08): 1458-1464.

面向APT攻击的关联分析检测模型研究

李杰，楼芳，金渝筌，董智馨

（中国工程物理研究院计算机应用研究所，四川绵阳 621900）

收稿日期:2014-08-15 修回日期:2014-10-11 出版日期:2015-08-25 发布日期:2015-08-25

Research on an APT attack-oriented detection
model with association analysis

LI Jie,LOU Fang,JIN Yuquan,DONG Zhixin

(Institute of Computer Application,China Academy of Engineering Physics,Mianyang 621900,China)

Received:2014-08-15 Revised:2014-10-11 Online:2015-08-25 Published:2015-08-25

摘要/Abstract

摘要：

近年来随着Flame、Duqu以及Stuxnet等病毒攻击的曝光，高级持续性威胁（APT）攻击已引起社会各界的广泛重视。APT攻击相比传统攻击具有目标性、持续性、隐蔽性以及复杂性，具有很强的破坏性，造成的攻击后果十分严重。然而，由于APT攻击方式多样化，具有很强的隐蔽性，传统的防护机制，包括防火墙、杀毒软件、入侵检测等很难发现APT攻击，或者发现时可能已经完成了攻击目的。在研究APT攻击特性的基础上建立APT攻击检测模型；同时设定时间窗，对多种攻击检测方法得到的攻击事件进行关联分析，并与APT攻击检测模型进行路径匹配，通过攻击路径的匹配度来判断系统受到的攻击中是否存在APT攻击。实验表明，在攻击检测模型相对完整的情况下，对APT攻击的检测能够达到较高的准确率。

关键词: APT攻击检测, 关联分析, 路径匹配, 时间窗

Abstract:

As Flame, Duqu, Stuxnet and other virus attacks have been reported in these years, the whole society has laid more emphasis on APT attacks. Compared with traditional attacks, APT attacks are more targeted, persistent, hidden and complex; they are also destructive and can cause serious consequences. However, because APT attacks can happen in lots of ways and are deeply hidden, and traditional detections, including firewall, antivirus, IDS and so on, can hardly discover APT attacks, or the attack goals have been reached long before the detection. To solve theses problems, we design an APT attack detection model based on the research of the features of APT attacks. Besides, with proper time threshold, we conduct association analysis of the attacks detected by various detection methods, and the attack paths can be matched with the attack detection model. Based on the matching degree of the intrusion paths, we can make a judgment about the existence of APT attacks. And experimental results show that with a relatively complete ATP attack detection model, the detection precision of APT attacks is higher.

Key words: APT attack detection;association analysis;path matching;time threshold

李杰，楼芳，金渝筌，董智馨. 面向APT攻击的关联分析检测模型研究[J]. J4, 2015, 37(08): 1458-1464.

LI Jie,LOU Fang,JIN Yuquan,DONG Zhixin. Research on an APT attack-oriented detection
model with association analysis [J]. J4, 2015, 37(08): 1458-1464.

[1]	雷轩, 程光, 张玉健, 郭靓, 张付存. 基于电力网络态势感知平台的告警信息关联分析[J]. 计算机工程与科学, 2023, 45(07): 1197-1208.
[2]	赵国生, 王甜甜, 王健. 一种边缘设备动态信任度的评估模型[J]. 计算机工程与科学, 2021, 43(09): 1574-1583.
[3]	张瑾, 洪莉, 戴二壮. 求解带容量和时间窗约束车辆路径问题的改进蝙蝠算法[J]. 计算机工程与科学, 2021, 43(08): 1479-1487.
[4]	李丹莲, 曹倩, 徐菲. 基于改进遗传算法的连锁便利店配送路径优化[J]. 计算机工程与科学, 2020, 42(11): 2096-2102.
[5]	衡红军, 戚馨桐. 考虑任务均衡的加油车动态调度问题[J]. 计算机工程与科学, 2020, 42(05): 923-930.
[6]	金涛1,2，牛亚峰2. 一种复杂产品界面可用性定量评估方法的研究和应用[J]. J4, 2015, 37(04): 819-823.
[7]	郭勤1，贾振红1，覃锡忠1，盛磊2，陈丽2. 支持向量机补偿的多因素灰色模型话务量预测[J]. J4, 2014, 36(07): 1330-1335.
[8]	曹卫东,刘红霞. 基于多层次灰色关联分析的复杂网络节点排序模型[J]. J4, 2014, 36(06): 1165-1171.
[9]	王君. 带时间窗车辆路径问题的多目标文化基因算法[J]. J4, 2013, 35(1): 124-129.
[10]	王海艳，胡玲，王汝传. 基于信任向量的P2P信任机制[J]. J4, 2010, 32(5): 6-9.
[11]	郭军, 赵和鹏, 朱长仁. 一种基于自适应权值灰关联分析的毫米波/红外融合识别方法[J]. J4, 2010, 32(2): 146-149.
[12]	刘芳华,赵建民,徐慧英，朱信忠. 有时间窗物流配送路径优化问题的并购算法[J]. J4, 2010, 32(12): 80-84.
[13]	张潇，王江晴. 蚂蚁算法在带时间窗车辆路径问题中的应用及参数分析[J]. J4, 2010, 32(12): 134-136.
[14]	朱树人李文彬匡芳君. 一种带软时间窗的物流配送路径优化遗传算法[J]. J4, 2005, 27(12): 108-110.
[15]	韩宗芬杨志玲储杰涂旭平. 一种用于网络安全系统的报警聚类与关联模型[J]. J4, 2005, 27(10): 8-9.