基于诱捕的软件异常检测综述

高级持续威胁（APT,advanced persistent threats）会使用漏洞实现攻击代码的自动加载和攻击行为的隐藏，并通过复用代码攻击绕过堆栈的不可执行限制，这是网络安全的重要威胁。传统的控制流完整性和地址随机化技术虽然有效抑制了APT的步伐，但软件的复杂性和攻击演化使软件仍存在被攻击的时间窗口。为此，以资源为诱饵的诱捕防御是确保网络安全的必要补充。诱捕机制包含诱饵设计和攻击检测两部分，通过感知与诱饵的交互行为，推断可能的未授权访问或者恶意攻击。针对文件、数据、代码3种诱饵类型，设计诱饵的自动构造方案并进行部署，从真实性、可检测性、诱惑性等方面对诱饵的有效程度进行度量。基于诱捕防御的勒索软件检测注重诱饵文件的部署位置，在漏洞检测领域，通过注入诱饵代码来检测代码复用攻击。介绍了在APT攻击各个阶段实施诱捕防御的相关研究工作，从诱饵类型、诱饵生成、诱饵部署、诱饵度量方面刻画了诱捕防御的机理；同时，剖析了诱捕防御在勒索软件检测、漏洞检测、Web安全方面的应用。针对现有的勒索软件检测研究在诱饵文件设计与部署方面的不足，提出了用于检测勒索软件的诱饵动态更新方法。讨论了诱捕防御面临的挑...

Survey of software anomaly detection based on deception

Advanced persistent threats (APT) will use vulnerabilities to automatically load attack code and hide attack behavior, and exploits code reuse to bypass the non-executable stack ＆amp; heap protection, which is an essential threat to network security.Traditional control flow integrity and address space randomization technologies have effectively prevented the pace of APT.However, the complexity of the software and the evolution of attacks make the software still being vulnerable.For this reason, deception defense with resources as bait is an indispensable supplement for network security.The trapping mechanism consists of bait design and attack detection, which infer possible unauthorized access or malicious attacks by sensing the interaction behavior with the bait.According to the three types of bait, which are file, data and code, the automatic construction scheme of bait is designed and deployed, and the effectiveness of bait is measured from the aspects of believability, detectability and enticement, etc.Ransom ware detection based on deception defense focuses on the deployment location of bait files, and in the area of vulnerability detection, code reuse attacks are detected by injecting bait code.Research work related to the implementation of deception defense in each phase of APT attacks was introduced, and the mechanism of deception defense from bait type, bait generation, bait deployment, and bait measurement was described.Simultaneously, deception defense applications in ransom ware detection, vulnerability detection, and Web security were analyzed.In response to the shortcomings of existing ransom ware detection research in terms of bait file design and deployment, a dynamic update method of bait for ransom ware detection was proposed.The deception defense challenges were discussed and hoped that deception defense can provide theoretical and technical support for discovering unknown attacks and attack attribution.