引用本文: |
-
杜翔宇,姜政伟,杨沛安,张开,董放明,范子静,江钧,李宁,刘宝旭.网络攻击场景重构技术综述[J].信息安全学报,已采用 [点击复制]
- DU Xiangyu,JIANG Zhengwei,YANG Peian,ZHANG Kai,DONG Fangming,FAN Zijing,JIANG Jun,LI Ning,LIU Baoxu.Survey on Cyber Attack Scenario Reconstruction Techniques[J].Journal of Cyber Security,Accept [点击复制]
|
|
|
|
本文已被:浏览 7080次 下载 4877次 |
|
网络攻击场景重构技术综述 |
杜翔宇1, 姜政伟1, 杨沛安1, 张开1, 董放明2, 范子静1, 江钧1, 李宁1, 刘宝旭1
|
|
(1.中国科学院信息工程研究所;2.中国科学院大学网络空间安全学院) |
|
摘要: |
随着网络空间攻防对抗日益加剧,新型漏洞、新兴技术手法、新攻击面不断涌现,给网络威胁感知发现和溯源取证工作带来了巨大挑战。由于网络空间的威胁主体对目标的信息侦察、缺陷利用、控制通信等行为,不可避免地在各环节的监测系统中留下痕迹,这些痕迹从多个角度反映出其攻击手法和攻击意图。攻击场景重构是一种从流量、告警、日志等痕迹信息中抽取攻击信息并还原为攻击过程的技术,可帮助分析人员或检测系统对攻击活动进行准确识别、深入分析与有效归因,提升威胁处置效率。近年来,针对网络攻击重构技术已有较多的探索,本文按照攻击场景重构的全过程对现有工作进行梳理和归纳,为安全研究人员提供借鉴和参考。首先,本文介绍了攻击场景重构的概念内涵,指出了与其他威胁分析过程的异同点,并阐述了攻击场景重构的主要流程。然后,本文按照主要流程先后阐述了使用到的威胁模型、数据模型和关联方法,并对代表性工作进行总结与优劣分析。最后,本文提出攻击场景重构的常用评价指标和应用场景,讨论现有方法存在的问题,并展望该领域未来的几个重要研究方向。 |
关键词: 攻击场景重构 攻击链 攻击调查 威胁模型 攻击归因 威胁情报 |
DOI:10.19363/J.cnki.cn10-1380/tn.2024.08.20 |
投稿时间:2022-04-29修订日期:2023-02-21 |
基金项目:中国科学院青年创新促进会(No.2020166),国家重点研发计划(No.2018YFB0805005、No.2019QY1301),中科院战略先导项目课题(No.XDC02030200) |
|
Survey on Cyber Attack Scenario Reconstruction Techniques |
DU Xiangyu1, JIANG Zhengwei1, YANG Peian1, ZHANG Kai1, DONG Fangming2, FAN Zijing1, JIANG Jun1, LI Ning1, LIU Baoxu1
|
(1.Institute of Information Engineering,Chinese Academy of Sciences;2.School of Cyber Security, University of Chinese Academy of Sciences) |
Abstract: |
As the confrontation between attackers and defenders in cyberspace escalates, traditional analysis methods such as cyber threat awareness, detection, and forensics are being challenged by the emergence of new vulnerabilities, advancing technologies, and expanded attack surfaces. While threat actors in cyberspace carry out threat behaviors such as reconnaissance, delivery, or exploitation, their actions are inevitably captured and recorded by the victims’ defense system as a variety of traces that reflect the attackers’ methods, intentions, or next attack plan from multiple angles. Attack scene reconstruction is a technology that extracts attack information from traffic, alarms, logs, or other trace information and reconstructs them to the attack process, which can help analysts or defense systems to provide accurate identification, in-depth analysis, and accurate attribution of attack activities, and improve the efficiency of threat investigation and resolution. A large number of researchers have provided deep insights into the field of cyber attack reconstruction and published many papers in recent years. This paper summarizes these works from the perspective of the attack scenario reconstruction process to provide a reference for security researchers. First, this paper introduces the critical concept of attack scenario reconstruction techniques, points out the similarities and differences with other threat analysis methods that are easily confused, and explains the main processes and core steps of attack scenario reconstruction. Second, this paper expounds on the threat model, data model, and reconstruction method in detail according to the order of the reconstruction process, introduces representative works, summarizes innovations, and compares their advantages, disadvantages, differences, and application areas. Finally, this paper summarizes the common evaluation indicators and dominant application domains of attack scenario reconstruction techniques, discusses the problems existing in the existing methods in the reconstruction process, and looks forward to several significant research directions based on mentioned problems in this field in the future. |
Key words: Attack Scenario Reconstruction Kill Chain Attack Investigation Threat Model Attack Attribution Threat Intelligence |
|
|
|
|
|