BAI Bo, FENG Yun, LIU Baoxu, WANG Xutong, HE Songlin, YAO Dunyu, LIU Qixu. Research on Network Behavior-based Cyberattack Grouping Method [J]. Journal of Cyber Security (信息安全学报), 2023, 8(2): 66-80
Research on Network Behavior-based Cyberattack Grouping Method
BAI Bo1,2,3, FENG Yun1, LIU Baoxu1,3, WANG Xutong1,3, HE Songlin1,3, YAO Dunyu1,3, LIU Qixu1,3
(1.Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;2.Beijing Institute of Network Data, Beijing 100084, China;3.School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China)
The threat posed by cyberattacks keeps growing. Attack attribution is significant work for strengthening defensive capability and reversing the defender's disadvantage, and attack grouping analysis (determining which attacks share a common origin) is an important part of attribution that has become a research hotspot. Depending on the type of clue used, grouping analysis can be divided into malware-based grouping and network-behavior-based grouping. Malware-based grouping has produced notable research results, but it has limitations: it cannot cover every requirement of attack attribution, and because malicious code is widely reused, its conclusions are not necessarily reliable. Network-behavior-based grouping, by contrast, has few mature results and has become the weak point of attack attribution. To address these problems, this paper proposes a network-behavior-based attack grouping method that aims at more accurate grouping by extracting and analyzing the behavior patterns unique to an attacker or attack organization. To preserve the distinct behavioral characteristics an attack shows at different stages, each attack activity is divided into five attack stages, and 14 features in four categories are extracted from the attack behavior of each IP at each stage to form a per-IP behavior feature matrix. The similarity between every pair of IP feature matrices is then computed and used as the edge weight of an IP behavior graph, which is partitioned into attack communities by a community detection algorithm, thereby realizing grouping analysis of attack organizations. Experiments were conducted on a real dataset of 114,845 alerts; evaluated against the actual attack-organization labels, the method reached an accuracy of 96%, demonstrating its effectiveness for attack grouping (homology) analysis. Finally, possible directions for future research are proposed.
Key words: attack grouping; network behavior; community discovery; APT
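The pipeline the abstract sketches (per-IP, per-stage behavior features, pairwise similarity as edge weights, community detection over the resulting IP graph) is compact enough to illustrate end to end. The block below is an added example written for this page, not the authors' implementation. Everything not stated in the abstract is an assumption made for the illustration: the five stage names, the three features per stage (the paper uses 14 features in four categories), cosine similarity with column-wise max normalization as the similarity measure, a 0.5 edge threshold, and asynchronous weighted label propagation as the community detection algorithm. The alert stream is constructed for the example, with two synthetic attack groups whose hosts have different volumes but the same stage profile.

```python
"""Toy network-behavior attack grouping: alerts -> per-IP stage feature matrix
-> similarity graph -> communities.  Example code, not the paper's implementation."""
from collections import defaultdict
import math

# Assumed names for the five attack stages (the abstract does not list them).
STAGES = ["recon", "initial_access", "persistence", "lateral_movement", "exfiltration"]
FEATURES_PER_STAGE = 3  # assumed: alert count, distinct destinations, distinct ports


def _burst(src, stage, dsts, ports, repeat=1):
    """Build constructed alerts (src_ip, stage, dst_ip, dst_port) for one host and stage."""
    return [(src, stage, d, p) for _ in range(repeat) for d in dsts for p in ports]


# Constructed alert stream.  Group A: three hosts that scan widely, then exfiltrate.
# Group B: two hosts that gain access on 445, persist, then move laterally.
ALERTS = (
    _burst("10.0.0.1", "recon", ["10.1.0.1", "10.1.0.2", "10.1.0.3"], [21, 22, 80, 443, 3389])
    + _burst("10.0.0.1", "exfiltration", ["203.0.113.9"], [443], repeat=2)
    + _burst("10.0.0.2", "recon", ["10.1.0.1", "10.1.0.2", "10.1.0.3", "10.1.0.4"], [22, 80, 443, 8080])
    + _burst("10.0.0.2", "exfiltration", ["203.0.113.9"], [443])
    + _burst("10.0.0.3", "recon", ["10.1.0.5", "10.1.0.6"], [21, 22, 80, 443, 3389])
    + _burst("10.0.0.3", "exfiltration", ["203.0.113.10"], [443], repeat=3)
    + _burst("192.168.1.10", "initial_access", ["10.2.0.7"], [445], repeat=3)
    + _burst("192.168.1.10", "persistence", ["10.2.0.7"], [445], repeat=2)
    + _burst("192.168.1.10", "lateral_movement", ["10.2.0.8", "10.2.0.9"], [445], repeat=2)
    + _burst("192.168.1.11", "initial_access", ["10.2.0.12"], [445], repeat=2)
    + _burst("192.168.1.11", "persistence", ["10.2.0.12"], [445], repeat=3)
    + _burst("192.168.1.11", "lateral_movement", ["10.2.0.13", "10.2.0.14", "10.2.0.15"], [445], repeat=2)
)


def feature_matrix(alerts):
    """Per-IP 5x3 behavior matrix flattened to a 15-vector, each column scaled by its max over IPs.
    Keeping features per stage is what lets two hosts with equal totals but different
    stage profiles end up far apart."""
    counts, dsts, ports = defaultdict(int), defaultdict(set), defaultdict(set)
    for src, stage, dst, port in alerts:
        counts[(src, stage)] += 1
        dsts[(src, stage)].add(dst)
        ports[(src, stage)].add(port)
    ips = sorted({src for src, *_ in alerts})
    raw = {
        ip: [f for st in STAGES
             for f in (counts[(ip, st)], len(dsts[(ip, st)]), len(ports[(ip, st)]))]
        for ip in ips
    }
    n_cols = len(STAGES) * FEATURES_PER_STAGE
    col_max = [max(raw[ip][j] for ip in ips) or 1 for j in range(n_cols)]
    return {ip: [raw[ip][j] / col_max[j] for j in range(n_cols)] for ip in ips}


def cosine(u, v):
    """Cosine similarity; 0.0 when either vector is all zeros."""
    dot = sum(a * b for a, b in zip(u, v))
    nu, nv = math.sqrt(sum(a * a for a in u)), math.sqrt(sum(b * b for b in v))
    return dot / (nu * nv) if nu and nv else 0.0


def similarity_graph(features, threshold=0.5):
    """Weighted undirected graph {ip: {neighbor: weight}}; edges below threshold are dropped."""
    graph = {ip: {} for ip in features}
    ips = sorted(features)
    for i, a in enumerate(ips):
        for b in ips[i + 1:]:
            w = cosine(features[a], features[b])
            if w >= threshold:
                graph[a][b] = graph[b][a] = w
    return graph


def label_propagation(graph, max_iter=100):
    """Asynchronous weighted label propagation with deterministic node order and
    smallest-label tie-breaking.  Returns communities as sorted lists of IPs."""
    labels = {node: node for node in graph}
    for _ in range(max_iter):
        changed = False
        for node in sorted(graph):
            if not graph[node]:
                continue  # isolated IP keeps its own label (a singleton community)
            support = defaultdict(float)
            for nbr, w in graph[node].items():
                support[labels[nbr]] += w
            best = max(sorted(support), key=lambda lab: support[lab])
            if best != labels[node]:
                labels[node], changed = best, True
        if not changed:
            break
    communities = defaultdict(list)
    for node, lab in labels.items():
        communities[lab].append(node)
    return sorted(sorted(members) for members in communities.values())


def group_attackers(alerts, threshold=0.5):
    """Full pipeline: alerts -> feature matrices -> similarity graph -> communities."""
    return label_propagation(similarity_graph(feature_matrix(alerts), threshold))


if __name__ == "__main__":
    for i, community in enumerate(group_attackers(ALERTS), 1):
        print(f"community {i}: {community}")
```

On the constructed stream the three scanning hosts and the two SMB-oriented hosts fall into two communities with zero cross-group similarity, because they are active in disjoint stages. The threshold is the knob a practitioner would tune: too low and shared infrastructure (the same destination) pulls unrelated actors into one community; too high and a group whose members vary in volume fragments into singletons.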