首页 | 本学科首页   官方微博 | 高级检索  
     

一种无监督的窃密攻击及时发现方法
引用本文:冯云, 刘宝旭, 张金莉, 汪旭童, 刘潮歌, 申明喆, 刘奇旭. 一种无监督的窃密攻击及时发现方法[J]. 计算机研究与发展, 2021, 58(5): 995-1005. DOI: 10.7544/issn1000-1239.2021.20200902
作者姓名:冯云  刘宝旭  张金莉  汪旭童  刘潮歌  申明喆  刘奇旭
作者单位:1.(中国科学院信息工程研究所 北京 100093) (中国科学院大学网络空间安全学院 北京 100049) (fengyun@iie.ac.cn)
基金项目:国家自然科学基金项目(61902396);中国科学院青年创新促进会(2019163);中国科学院战略性先导科技专项项目(XDC02040100);中国科学院网络测评技术重点实验室资助;网络安全防护技术北京市重点实验室资助。
摘    要:近年来,窃密攻击成为了最严重的网络安全威胁之一.除了恶意软件,人也可以成为窃密攻击的实施主体,尤其是组织或企业的内部人员.由人实施的窃密很少留下明显的异常痕迹,给真实场景中攻击的及时发现和窃密操作的分析还原带来了挑战.提出了一个方法,将每个用户视为独立的主体,通过对比用户当前行为事件与其历史正常行为的偏差检测异常,以会话为单元的检测实现了攻击发现的及时性,采用无监督算法避免了对大量带标签数据的依赖,更能适用于真实场景.对算法检测为异常的会话,进一步提出事件链构建方法,一方面还原具体窃密操作,另一方面通过与窃密攻击模式对比,更精确地判断攻击.在卡内基梅隆大学的CERT内部威胁数据集上进行了实验,结果达到99%以上的准确率,且可以做到无漏报、低误报,证明了方法的有效性和优越性.

关 键 词:窃密攻击发现  用户事件  内部威胁检测  无监督算法  聚类  事件链

An Unsupervised Method for Timely Exfiltration Attack Discovery
Feng Yun, Liu Baoxu, Zhang Jinli, Wang Xutong, Liu Chaoge, Shen Mingzhe, Liu Qixu. An Unsupervised Method for Timely Exfiltration Attack Discovery[J]. Journal of Computer Research and Development, 2021, 58(5): 995-1005. DOI: 10.7544/issn1000-1239.2021.20200902
Authors:Feng Yun  Liu Baoxu  Zhang Jinli  Wang Xutong  Liu Chaoge  Shen Mingzhe  Liu Qixu
Affiliation:1.(Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093) (School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049)
Abstract:In recent years,exfiltration attacks have become one of the severest threats to cyber security.In addition to malware,human beings,especially insiders,can also become the executor of the attack.The obvious anomalous digital footprint left by an insider can be minuscule,which brings challenges to timely attack discovery and malicious operation analysis and reconstruction in real-world scenarios.To address the challenge,a method is proposed,which treats each user as an independent subject and detects the anomaly by comparing the deviation between current behavior and the normal historical behavior.We take one session as a unit to achieve timely attack discovery.We use unsupervised algorithms to avoid the need for a large number of labeled data,which is more practical to real-world scenarios.For the anomalous session detected by the algorithm,we further propose to construct event chains.On the one hand,it can restore the specific exfiltration operation;on the other hand,it can determine the attack more accurately by matching it with the exfiltration attack mode.Then,the experiments are undertaken using the public CMU CERT insider threat dataset,and the results show that the accuracy rates were more than 99%,and there were no false-negative and low false-positive,demonstrate that our method is effective and superior.
Keywords:exfiltration attack discovery  user events  insider threat detection  unsupervised algorithm  clustering  event chain
本文献已被 维普 万方数据 等数据库收录!
点击此处可从《计算机研究与发展》浏览原始摘要信息
点击此处可从《计算机研究与发展》下载全文
设为首页 | 免责声明 | 关于勤云 | 加入收藏

Copyright©北京勤云科技发展有限公司  京ICP备09084417号