APT-oriented Dynamic Assessment of Attack Behaviors

doi:10.16182/j.issn1004731x.joss.201810025

Abstract

Abstract: The existing attack assessment methods cannot effectively deal with the long-term concealment in APT attack. Aiming at the accurate assessment of attack behaviors in APT attack, the APT-oriented dynamic assessment of attack behaviors which focuses on both the space dimension and the time dimension is proposed. The attack behaviors are correlated in the causality-diversion among the whole network system to discover the attack paths. The attack paths are modified in the time-diversion to get the dynamic causal attack traces. The attack traces are quantified based on CVSS standard. The experimental result shows that the proposed method can correctly reflect the attack status and effectively assess the attack behavior.

Key words: APT attack, attack quantification, dynamic assessment, causal correlation

CLC Number:

TP393.08

Wang Jindong, Yang Haopu, Zhang Hengwei, Li Tao. APT-oriented Dynamic Assessment of Attack Behaviors[J]. Journal of System Simulation, 2018, 30(10): 3796-3806.

References

[1] Defense USA Department of Trusted Computer System Evaluation Criteria[S]. DoD-5200, 28-STD, DoD, 1985.
[2] Board Common Criteria Editing. Common Criteria of Information Technology Security Evaluation[S]. 1998.
[3] M Schiffman. Common Vulnerability Scoring System Version 2.0 [EB/OL]. [2013-7-8]. http://www.first.org/ cvss/cvss-guide.html.
[4] Mell P, Scarfone K, Romanosky S. The common vulnerability scoring system (CVSS) andits applicability to federal agency systems, NIST Interagency Report7435 [R/OL]. (2007) [2014-01-17]. http:csrc.nist.gov/ publications/nistir/ir7435/NISTIR-7435.pdf.
[5] GB 17859-1999B 17859-1999. 计算机信息系统安全保护等级划分准则 [S]. 中国标准出版社, 1999.
GB 17859-1999B 17859-1999. Classification criteria for computer information system security protection [S]. Standards Press of China, 1999.
[6] GB/T18336-2001. 信息技术安全技术信息技术信息安全评估准则[S]. 中华人民共和国国家标准, 2001.
GB/T18336-2001. Information technology safety technology information technology information security evaluation criteria[S]. National Standard of the People’s Republic of China, 2001
[7] GB/T 20984-2007. 信息安全技术信息系统的风险评估规范 20984-2007. 信息安全技术信息系统的风险评估规范[S]. 中华人民共和国国家标准, 2005.
GB/T 20984-2007. Risk assessment specification for information security technology information system 20984-2007. Risk assessment specification for information security technology information system[S]. National Standard of the People’s Republic of China, 2005
[8] Poolsappasit N, Dewri R, Ray I.Dynamic security risk management using Bayesian attack graph[J]. IEEE Trans on Dependable and Secure Computing, 2012, 9(1): 61-74.
[9] 方研, 殷肖川, 李景志. 基于贝叶斯攻击图的网络安全量化评估研究[J]. 计算机研究应用, 2013, 30(9): 2763-2766.
FANG Yan, YIN Xiao-chuan, LI Jing-zhi.Research of quantitative network security assessment based on Bayesian-attack graphs[J]. Application Research of Computers, 2013, 30(9): 2763-2766.
[10] Helmer C, Wong J, Slagell M, et al.Software Fault Tree and Colored Petri net based Specification, Design and Implementation of Agent-based Intrusion Detection System[J]. Requirements Engineering, 2000, 7(4): 207-220.
[11] 张勇, 谭笑彬, 崔孝林, 等. 基于Markov博弈模型的网络安全态势感知方法[J]. 软件学报, 2011, 22(3): 495-508.
Zhang Yong, Tan Xiao-bin, Cui Xiao-lin.Network Security Situation Awareness Approach Based on Markov Game Model[J]. Journal of Software, 2011, 22(3): 495-508.
[12] Yee Weilaw, Tansu Alpcan, Marimuthu Palaniswami.Security Games for Risk Minization in Automatic Generation Control[J]. IEEE Transactions on Power Systems, 2015, 30(1): 223-232.
[13] 张少俊, 李建华, 宋珊珊. 贝叶斯推理在攻击图节点置信度计算中的应用[J]. 软件学报, 2010, 21(9): 2376-2386.
Zhang Shao-jun, Li Jian-hua, Song Shan-shan.Using Bayesian Inference for Computing Attack Graph Node Beliefs[J]. Journal of Software, 2010, 21(9): 2376-2386.
[14] Joint Task Force Transformation Initiative. Managing Information Security Risk: Organization, Mission, and Information System View [EB/OL]. [2011-03-01] http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf.
[15] Fatemeh Kavousi, Behzad Akbari.Automatic learning of attack behavior patterns using Bayesian networks[C]// 6’th International Symposium on Telecommunications (IST’2012). USA: IEEE, 2012: 999-1004.
[16] 陈剑锋, 王强, 伍淼. 网络APT攻击及防范策略[J]. 信息安全与通信保密, 2012(7): 24-27.
Chen Jian-feng, Wang Qiang, Wu Miao.Network-based APT attack and defense strategies[J]. Information Security and Communications Privacy, 2012(7): 24-27.
[17] 林龙成, 陈波, 郭向民. 传统网络安全防御面临的新威胁:APT攻击[J]. 信息安全, 2013, 4(3): 20-25.
Lin Long-cheng, Chen Bo, Guo Xiang-min.The new threat to traditional network security defense: APT attack[J]. Information Security, 2013, 4(3): 20-25.
[18] 杜跃进, 翟立东, 李跃, 等. 一种应对APT攻击的安全架构: 异常发现[J]. 计算机研究与发展, 2014, 51(7): 1633-1645.
Du Yue-jin, Zhai Li-dong, Li Yue.Security architecture to deal with APT attacks: abnormal discovery[J]. Journal of Computer Research and Development, 2014, 51(7): 1633-1645.
[19] J Moss. Capture the flag traffic dump [EB/OL]. [2017-09-04] http://www.defcon.org/html/links/dc-cft. html.