Traditional attack detection methods struggle to identify advanced persistent threat (APT) attack activities launched using zero-day vulnerabilities. To address this, an APT attack activity identification method for zero-day attack detection (APTIZDM) is proposed, consisting of three main parts. The first part, the cyber situation perception ontology construction (CSPOC) method, gives a formal description of the attributes and features of key activities in Internet of Things (IoT) systems. The second part, the malicious C&C (command and control) DNS response activity mining (MCCDRM) method, identifies malicious C&C communication activities in APT attack scenarios and can effectively bound the scope and starting time of the activity identification process, thereby reducing computational overhead. The third part, the zero-day attack activity recognition in APT attack scenarios (ZDAARA) method, is based on Bayesian networks and security risk propagation theory; it performs correlation analysis on system call information and computes the malicious probability of each system call instance, effectively identifying zero-day attack activities that the intrusion detection system failed to report. Simulation results show that, as the core of APTIZDM, both the MCCDRM and ZDAARA methods achieve high accuracy and low false positive rates, and together they effectively identify APT attack activities.
An APT Attack Activity Identification Research for Zero Day Attack Detection
Traditional attack detection methods struggle to identify advanced persistent threat (APT) attacks launched using zero-day vulnerabilities. To address this issue, this paper proposes an APT attack activity identification method for zero-day attack detection (APTIZDM), which consists of three key components. The first component is the cyber situation perception ontology construction (CSPOC) method, which provides a formal description of critical activity attributes and features in IoT systems. The second component is the malicious command and control (C&C) DNS response activity mining (MCCDRM) method, which identifies malicious C&C communication activities in APT attack scenarios while effectively controlling the scope and starting time of the identification process, thereby reducing computational overhead. The third component is the zero-day attack activity recognition in APT attack scenarios (ZDAARA) method, which uses Bayesian networks and security risk propagation theory to perform correlation analysis on system call information. It calculates the malicious probability of each system call instance and effectively identifies zero-day attack activities missed by intrusion detection systems. Simulation results demonstrate that MCCDRM and ZDAARA, as the core components of APTIZDM, achieve high accuracy and low false positive rates, and together effectively identify APT attack activities.
zero-day attack; edge computing; Bayesian networks; command and control
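The abstract describes ZDAARA only at a high level: a Bayesian network over related system call instances, with security risk propagating from instances the IDS already flagged to those it did not. The block below is an added illustration written for this page, not code from the paper; it assumes a noisy-OR Bayesian parameterization (each parent independently raises a child's malicious probability by an edge weight), assumed prior values (0.9 for IDS-flagged instances, 0.02 for silent ones), and a small constructed trace in which one `connect()` to a C&C-associated domain is flagged and the follow-on calls are not. The names `SyscallInstance`, `propagate` and `missed_by_ids` are this example's own.

```python
from dataclasses import dataclass, field
from graphlib import TopologicalSorter

# Assumed priors (not from the paper): an instance the signature IDS
# alerted on starts near-certainly malicious; a silent one at a base rate.
PRIOR_ALERT = 0.9
PRIOR_SILENT = 0.02


@dataclass
class SyscallInstance:
    sid: str
    name: str
    ids_alert: bool                      # did the IDS flag this instance?
    # (parent_sid, weight): a correlation edge, e.g. data read from a socket
    # later used by this call; the weight is how strongly risk carries over.
    parents: list = field(default_factory=list)


def noisy_or(prior: float, parent_probs_weights) -> float:
    """Noisy-OR node: P(mal) = 1 - (1 - prior) * prod(1 - w_i * P(parent_i mal))."""
    not_mal = 1.0 - prior
    for p, w in parent_probs_weights:
        not_mal *= 1.0 - w * p
    return 1.0 - not_mal


def propagate(instances) -> dict:
    """Evaluate the network in topological order so parents are scored first."""
    by_id = {i.sid: i for i in instances}
    graph = {i.sid: [pid for pid, _ in i.parents] for i in instances}
    probs = {}
    for sid in TopologicalSorter(graph).static_order():
        inst = by_id[sid]
        prior = PRIOR_ALERT if inst.ids_alert else PRIOR_SILENT
        probs[sid] = noisy_or(prior, [(probs[pid], w) for pid, w in inst.parents])
    return probs


def missed_by_ids(instances, probs, threshold: float = 0.5) -> list:
    """Instances the IDS stayed silent on but the network now rates as malicious."""
    return sorted(i.sid for i in instances
                  if not i.ids_alert and probs[i.sid] >= threshold)


# Constructed sample trace (not real telemetry). Only s1 carries an IDS alert.
SAMPLE = [
    SyscallInstance("s1", "connect", ids_alert=True),                       # to C&C domain
    SyscallInstance("s2", "read", False, parents=[("s1", 0.8)]),            # bytes from that socket
    SyscallInstance("s3", "mmap_exec", False, parents=[("s2", 0.9)]),       # payload mapped executable
    SyscallInstance("s4", "execve", False, parents=[("s3", 0.7), ("s2", 0.5)]),
    SyscallInstance("s5", "write", False),                                  # unrelated process, no edges
]

if __name__ == "__main__":
    scores = propagate(SAMPLE)
    for sid, p in scores.items():
        print(f"{sid}: {p:.4f}")
    print("missed by IDS:", missed_by_ids(SAMPLE, scores))
```

With these assumed weights the silent `read`, `mmap_exec` and `execve` instances all cross the 0.5 threshold, while the unrelated `write` stays at its base rate. In practice the threshold, priors and edge weights are the parameters a detection engineer tunes against labelled traces to trade false positives against missed activity.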