高级持续威胁网络行为建模与检测方法研究

Traditional detection systems are facing with the challenges from the advanced persistent threats(APT).Most of them lack the flexibility in detecting framework, unification in threat modeling, scalability in detection means and degree of automation in detection pattern generation. Based on the multi-stage cooperative characteristic of the APT network behavior in the Internet environment,this project proposes to summarize the common correlating features exhibited by the network events from the perspective of the detector, and establish a new APT network behavior modeling and detection framework which would be able to load various monitoring strategies and identification methods according to the model of multi-level network events aggregation. This project will study three key techniques on the sophisticated network threat, including the detection model with semantic mapping, mining method of the pattern and identification mechanism of the threats based on the multi-stage aggregation of network events, reduction of group features and the aggregation model, respectively. The development of the project will provide the theoretical basis and effective techniques for improving the convenience of the analysis, pattern generation and detection of sophisticated network threats.It will enhance the automation of the transformation from indentification algorithms to APT detection ability.

面对高级持续威胁（APT）带来的挑战，传统的检测系统缺乏灵活的检测框架和统一的威胁模型，检测手段的可扩展性和检测模式生成的自动化程度不足。项目针对互联网环境中APT网络行为的多阶段协作特点，从检测的角度抽象其表现出的网络事件关联等共性特征，拟建立一种可加载多样化监测手段和威胁判别方法的基于多层次网络事件聚合的新型APT网络行为模型与检测框架。项目将突破基于多层次网络事件聚合的APT网络行为建模与检测语义映射、基于个体事件聚合与群体属性约简的网络威胁模式挖掘，以及基于事件多层次聚合模型的APT网络行为判别等关键技术，为提高多样化的APT网络行为分析、模式获取和检测的便捷性，增强威胁检测算法向APT检测能力转变的自动化水平提供基本的理论依据和有效的技术手段。

本项目针对互联网环境中APT的多阶段协作特点，抽象其在检测方所表现出的网络事件关联等共性特征这些特征表现在网络事件的时空关联上。项目提出了量化和度量网络时空关联性的方法以及网络连接和威胁判别的概率图建模方法NLDA，并能够针对当前典型的网管和安全监测数据进行实例化，具有较强的描述能力和适应性。提出了基于个体事件聚集与群体属性约简的高级持续威胁模式挖掘方法AM2，同时基于挖掘的模式和NLDA训练的模型进行多步骤高级网络攻击的检测，实现了吞吐率较高的在线版网络攻击检测原型系统。设计了基于云端的反恶意软件系统CloudEyes，基于逆向哈希结构的特征匹配检测机制，能大量的降低扫描范围，提供可回溯的精确的恶意数据片段定位信息。提出并实现了基于地址端口跳变的网络威胁防范机制RPAH，能有效抵御扫描，可以明显地降低APT第一阶段感染速率和最坏情况下的损失。