進階持續性威脅之偵測方法改進

Abstract

高級持續性威脅 (APT) 需要分析大量日誌以確定其攻擊步驟，這些步驟是在很長一段時間內執行的一組活動。然而，常見的入侵檢測系統（IDS）從可疑網絡流量產生大量可疑事件的威脅警報，以及異常檢測器缺乏足夠的APT負面數據進行訓練，導致大量誤報，同時他們無法提供關於APT攻擊的具體訊息。安全分析師必須花費大量時間調查這些大量警報以確定該事件是否是攻擊的一部分。在本文中，我們提出了一種基於序列學習的機器學習方法來檢測 APT 並從現有審計日誌構建攻擊故事。 我們的觀察是 APT 攻擊可能共享相似的攻擊策略。 我們提出了一種基於學習的模型，結合使用圖形分析、詞形還原和機器學習技術，從起源圖中提取攻擊和非攻擊行為的模式。 我們使用採樣策略生成相等數量的攻擊和非攻擊序列來解決 APT 攻擊數據不平衡的問題，然後使用訓練有素的模型檢測促成攻擊的節點。基於這些惡意節點，我們重構場景圖來重現攻擊者的行為。從實驗結果來看，所提出的方法可以達到 0.91 的AUC分數。重構的場景圖捕獲了76%的惡意實體，可以捕獲所有入口點和惡意網絡連接，高於異常檢測器的結果。與相關文獻異常檢測器相比，我們的圖形大小可以小十倍，以允許安全分析師進一步調查攻擊。

Advanced persistent threats (APT) require the analysis of numerous logs to determine their attack steps, which are a set of activities carried out over a long period of time. However, common intrusion detection systems (IDS) generate a large number of threat alerts of suspicious events on suspicious network traffic, and anomaly detectors lack sufficient APT negative data for training, resulting in a large number of false alarms, while they cannot provide specific information about APT attacks. Security analysts have to spend a lot of time investigating these high volumes of alerts to determine if the incident is part of an attack. In this thesis, we propose a sequence learning-based machine learning method to detect APT and construct an attack story from existing audit logs. Our observation is that APT attacks may share similar attack strategies. We proposed a learning-based model to extract patterns of attack and non-attack behaviors from a provenance graph using a combination of graph analysis, lemmatization, and machine learning techniques. We use a sampling strategy to generate equal numbers of attack and non-attack sequences to solve the problem of APT attack data imbalance and then detect nodes contributing to the attack with a well-trained model. Based on these malicious nodes, we reconstructed the scenario graph to reproduce the behavior of the attacker. From the experiment results, the proposed method can achieve an AUC score of 0.91. The reconstructed scenario graph captures 76\% of malicious entities, which can capture all entry points and malicious network connections and is higher than the results of anomaly detectors. Compared to related work anomaly detectors, our graph size can be ten times smaller to allow security analysts to further investigate attacks.