高时空复杂度的APT攻击关联和检测技术研究

Advanced Persistent Threat(APT) attacks user’s information privacy, even national security. It has complex features, such as multi-step attack, long time lurk, lateral movement, persistent monitoring, covert steal and so on. Existing methods to detect APT are mainly analyzing the logs and footprints of DNS, network flows, and C&C records. However, they are all limited by the following important aspects on scientific researches. Firstly, on the point of space, much more extensive data and massive logs are needed to be inspected. Secondly, on the point of time, the whole period of APT is much longer than usual attacks. Finally, on the point of attack reconstruction. It is harder for researchers to completely analyze the whole process of APT attack, and even re-built the attack chains. In this project, we propose a study on the correlation and detection of the APT attacking with high space-time complexity. We utilize improved strategies based on machine learning methods to discovery the abnormal behaviors among the whole attack process. Besides, we detect the hidden attacking behaviors with the graph-based algorithms. Thus, we can effectively reduce the complexity of computing. Through our pre-treatment process on source date, the data size can be significantly reduced. By introducing the time-based features and sliding windows, analyzing the hidden features transferring through multi-step attack, and designing the correlation methods, we will clearly reconstruct the panorama view of APT attack. We can quickly compute the graphs on APT attack chains with the graph processing techniques to reduce the time complexity. If APT attacks could be discovered and detected as soon as possible, we can stop the attack in time and effectively protect the cyberspace.

高级持续性威胁(APT)具有复合攻击、长期潜伏、不断扩散、持续监控、隐蔽窃密等特点,严重危害国家安全和用户安全。现有APT检测主要采用对DNS、网络流、C&C记录进行分析的方法,但面临重要的科学研究问题,首先是空间问题,需要检测的数据范围广、日志多;其次是时间问题,需要考察的时间跨度大、数据量大;最后是攻击过程重现问题,需要复原攻击环节组成的完整的攻击过程。本项目提出高时空复杂度的APT攻击关联和检测技术研究课题。使用改进的机器学习技术发现各攻击阶段的异常行为,使用图处理方法检测攻击隐蔽行为,降低检测的空间复杂度。通过数据预处理技术,降低需分析的数据规模。加入时间特征和滑动窗口,分析多个攻击阶段的隐蔽特征,设计多阶段攻击关联方法,给出攻击的过程全景图。利用图计算技术快速处理大量包含APT攻击链条的关系图,降低检测的时间复杂度。尽早尽快的发现APT,可及时发现网络入侵,提升网络空间防护能力。

高级持续性威胁(APT)具有复合攻击、长期潜伏、不断扩散、持续监控、隐蔽窃密等特点， 严重危害国家安全和用户安全。现有APT检测主要采用对DNS、网络流、C&C记录进行分析的方法，但面临重要的科学研究问题，首先是空间问题，需要检测的数据范围广、日志多;其次是时间问题，需要考察的时间跨度大、数据量大;最后是攻击过程重现问题，需要复原攻击环节组成的完整的攻击过程。本项目主要针对 APT 攻击检测的空间问题、时间问题和过程还原3个部分进行研究。使用改进的机器学习技术发现各攻击阶段的异常行为，使用图处理方法检测攻击隐蔽行为，降低检测的空间复杂度。通过数据预处理技术，降低需分析的数据规模。加入时间特征和滑动窗口，分析多个攻击阶段的隐蔽特征，设计多阶段攻击关联方法，给出攻击的过程全景图。利用图计算技术快速处理大量包含APT攻击链条的关系图，降低检测的时间复杂度。本项目期间，我们共发表SCI论文15篇，其中CCF-A类会议论文1篇，CCF-B类期刊论文4篇，CCF-C类期刊论文3篇，中科院期刊分区1区论文1篇，计算机研究与发展期刊论文1篇。这些研究成果有助于尽早尽快的发现APT，可及时发现网络入侵，提升网络空间防护能力。

内容获取失败，请点击重试