
Research On Behavioral Correlation Analysis For Complex Network Attacks

Posted on: 2020-02-19
Degree: Doctor
Type: Dissertation
Country: China
Candidate: R D Chen
Full Text: PDF
GTID: 1360330596475721
Subject: Information security

Abstract/Summary:
Defenses against traditional attacks, such as virus propagation and vulnerability exploitation, now cover most of the attack surface, and the corresponding detection technology has matured. Complex network attacks (CNAs) have therefore become the dominant attack risk in information security across the Internet, critical information infrastructure and defense-industry networks. Against this background, the thesis studies complex network attacks from the perspective of attack subject and object, attack behavior and behavioral characteristics. Starting from a survey of current mainstream CNAs, it builds a basic model and a deployment model of such attacks and proposes qualitative and quantitative analysis methods for them. Combining the attack tree, attack graph and Petri net models, it proposes a research route that describes the behavioral process of an attack on an attack graph, analyzes the task decomposition of attack behavior and the execution process of the associated resource dependencies, and finally forms a behavior association model and a sequence association model of complex network attacks. Besides frequent-itemset mining, transaction correlation analysis is a second important application of this work to complex network attacks. The main research contributions of the thesis fall into four parts.

The first part describes the qualitative and quantitative analysis methods of complex network attacks in detail. Through knowledge definition, a network attack is decomposed into four basic stages (information collection, key-path attack, execution of the attack function, and escape) and further quantified into seven refined processes. Drawing on C4ISR, quantitative criteria such as survivability, concealment, persistence, destructiveness and breakthrough capability are proposed; these are used to transform a complex network attack into a complex task execution pattern, correlate it with atomic tasks, and thereby propose a more complete behavior model and rule set for complex network attacks. The thesis also summarizes the environmental information of a network attack, abstracting 13 environmental dimensions that describe how global factors govern attack behavior, and proposes a basic method of attack behavior association. The method covers traditional frequent-itemset mining over network detection and alarm events, for which the computation of support, confidence and lift is described, and extends the association analysis of complex network attacks with dependency, parallelism and selection relations between attack tasks.

The second part models complex network attacks in order to analyze their inherent behavioral laws. The attack tree model is analyzed first: combined with the task planning of the first part, it yields an attack task model on the attack tree, in which each attack path is annotated with network environment factors and security assessment status, and a critical path analysis method based on the attack tree is proposed. Because an attack tree cannot express the cyclic reuse of attack channels or closed loops among multiple attack states, the thesis then proposes a graph representation suited to complex network attacks, incorporating the resource dependencies and multiple dependencies of attack tasks from the preceding chapters. The traditional attack graph method, based on the theory of state-transition finite automata, is extended to cover abnormal factors and other realistic conditions. A pyramid-based expansion model is also proposed, and a behavior association analysis method built on it is studied; the method adapts effectively to heterogeneous network security facilities. The results of this part can be used for data collection, alarm aggregation, attack stage discovery and scenario reconstruction of complex network attacks.

The third part addresses the detection and association analysis of series of complex attacks that use botnet resources. The premise is that in recent years more and more incidents, including data theft, extortion and the construction of underground industry chains, are launched from botnets, and a botnet attack is itself a typical complex network attack pattern. The thesis abstractly models the conversation process of a botnet, extracts conversation features from it, and tests the approach on traffic from 10 mainstream botnets. The analysis of these samples and other attacks shows that the detection rate of BotHunter and IRC attacks increases by 49%, which reflects the importance of the association rule base. The thesis further proposes aggregating the related behavior samples of BotHunter attacks and adopts a more comprehensive method: experiments show a recognition rate of about 0.75 for hybrid botnet attacks with a false alarm rate below 10%, and a recognition rate of about 0.83 for PS botnets, a large improvement over traditional detection based on isolated, uncorrelated behavioral features.

The fourth part puts the association prediction and traceback capability for complex network attacks into practice and proposes an association prediction model for them. Its core idea is that a complex attack conforms to the behavior sequence and to the qualitative and quantitative analysis model of the preceding chapters, so the model computes the corresponding attack sequence and the sets of subsequent sequences. Using scenarios such as data pollution attacks on social networks, it extracts the characteristics of complex public-opinion attacks in their early, middle and late stages, verifies them by grouping and clustering, and uncovers the malicious accounts and SNS-style botnet attacks behind them. Through analysis of APT samples' attack behavior, communication feature association, component correlation and tool-set relationships, lineage results based on association analysis are produced.

In summary, the core contributions of the thesis are to construct the basic model and deployment model of complex network attacks; to propose qualitative and quantitative analysis methods for them together with the related environmental factors; to combine the attack tree and attack graph models into a research route that describes the behavioral process on an attack graph, covering the task decomposition of attack behavior and the execution process of the related resource dependencies; and finally to form effective behavior association and sequence association methods for complex network attacks.
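The support, confidence and lift computation over detection and alarm events that the first part describes, shown here as an added example that is not from the dissertation: a small Apriori pass over constructed IDS alert transactions (one transaction per source host per correlation window; the alert class names are assumed) that then derives rules X -> Y with their support, confidence and lift, so that a rule such as "privilege escalation implies earlier brute force" can be read off with its strength.

```python
"""Association-rule mining over alarm-event transactions (support, confidence, lift)."""
from collections import defaultdict
from itertools import combinations

# Constructed sample: each transaction is the set of alert classes raised for one
# source host inside one correlation window. Not real sensor data.
TRANSACTIONS = [
    {"port_scan", "brute_force", "priv_esc"},
    {"port_scan", "brute_force", "priv_esc", "c2_beacon"},
    {"port_scan", "brute_force"},
    {"port_scan", "c2_beacon"},
    {"brute_force", "priv_esc"},
    {"port_scan", "brute_force", "priv_esc", "c2_beacon"},
    {"web_probe", "c2_beacon"},
    {"port_scan", "web_probe"},
]


def frequent_itemsets(transactions, min_support, max_len=3):
    """Return {frozenset(items): support} for itemsets whose support >= min_support.

    Apriori: candidates of size k+1 are joined from frequent k-sets and pruned if any
    k-subset is infrequent, so every subset of a returned itemset is also returned.
    """
    n = len(transactions)
    freq = {}
    current = [frozenset([i]) for i in sorted({i for t in transactions for i in t})]
    k = 1
    while current and k <= max_len:
        counts = defaultdict(int)
        for t in transactions:
            for cand in current:
                if cand <= t:
                    counts[cand] += 1
        level = {c: cnt / n for c, cnt in counts.items() if cnt / n >= min_support}
        freq.update(level)
        keys = list(level)
        joined = sorted({a | b for a in keys for b in keys if len(a | b) == k + 1}, key=sorted)
        current = [c for c in joined
                   if all(frozenset(s) in level for s in combinations(c, k))]
        k += 1
    return freq


def rules(freq, min_confidence):
    """Derive rules X -> Y from frequent itemsets.

    support(X->Y) = supp(X u Y); confidence = supp(X u Y) / supp(X);
    lift = confidence / supp(Y)  (lift > 1 means X and Y co-occur more than chance).
    Returns [(X, Y, support, confidence, lift)] sorted by lift, then confidence.
    """
    out = []
    for itemset, sup in freq.items():
        if len(itemset) < 2:
            continue
        for r in range(1, len(itemset)):
            for ante in combinations(sorted(itemset), r):
                x = frozenset(ante)
                y = itemset - x
                conf = sup / freq[x]
                if conf >= min_confidence:
                    out.append((x, y, sup, conf, conf / freq[y]))
    out.sort(key=lambda rule: (-rule[4], -rule[3]))
    return out


def find_rule(rule_list, antecedent, consequent):
    """Look up one rule by its two sides; returns (support, confidence, lift) or None."""
    for x, y, sup, conf, lift in rule_list:
        if x == frozenset(antecedent) and y == frozenset(consequent):
            return sup, conf, lift
    return None


if __name__ == "__main__":
    mined = rules(frequent_itemsets(TRANSACTIONS, min_support=0.25), min_confidence=0.6)
    for x, y, sup, conf, lift in mined:
        print(f"{sorted(x)} -> {sorted(y)}  supp={sup:.3f} conf={conf:.2f} lift={lift:.2f}")
```

The thresholds are the usual knobs: raising min_support drops rare multi-stage chains, while lift is what separates a genuinely correlated stage pair from two alert classes that are merely both common on the network.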
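For the attack-tree critical path analysis of the second part, an added example rather than the thesis's own method (whose environment-factor and security-assessment weighting is not given on this page): a generic AND/OR attack tree is evaluated for its cheapest leaf set, with an assumed per-leaf multiplier standing in for the assessed state of each attack channel, so that the critical path shifts when one channel is hardened. The tree, the costs and the multipliers are constructed.

```python
"""Cheapest (critical) path through an AND/OR attack tree, weighted by environment state."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Node:
    name: str
    op: Optional[str] = None              # "AND" / "OR" for inner nodes, None for a leaf
    cost: float = 0.0                     # attacker effort for a leaf (assumed units)
    children: List["Node"] = field(default_factory=list)


def critical_path(node: Node, env: Dict[str, float]) -> Tuple[float, List[str]]:
    """Return (total_cost, leaf_names) of the cheapest way to achieve `node`.

    env maps a leaf name to a multiplier modelling the assessed state of that
    attack channel: >1 for a hardened control, <1 for a known weakness. This
    encoding is an assumption of the example, not the thesis's environment dimensions.
    AND nodes require every child, so costs add; OR nodes take the cheapest child.
    """
    if not node.children:
        return node.cost * env.get(node.name, 1.0), [node.name]
    results = [critical_path(child, env) for child in node.children]
    if node.op == "AND":
        return sum(c for c, _ in results), [leaf for _, leaves in results for leaf in leaves]
    if node.op == "OR":
        return min(results, key=lambda r: r[0])
    raise ValueError(f"inner node {node.name!r} needs op AND or OR")


def leaf(name: str, cost: float) -> Node:
    return Node(name, cost=cost)


# Constructed tree: goal "exfiltrate the customer database" via three channels.
TREE = Node("exfiltrate_db", "OR", children=[
    Node("via_web_app", "AND", children=[leaf("sqli", 3), leaf("dump_via_app", 2)]),
    Node("via_stolen_creds", "AND", children=[
        leaf("phish_creds", 4), leaf("vpn_login", 1), leaf("db_query", 1)]),
    Node("via_exposed_backup", "AND", children=[leaf("find_exposed_backup", 8)]),
])


def compare(env_before: Dict[str, float], env_after: Dict[str, float]):
    """Critical path before and after a change in the assessed environment."""
    return critical_path(TREE, env_before), critical_path(TREE, env_after)


if __name__ == "__main__":
    # Assumed: parameterised queries plus a WAF triple the effort of the sqli leaf.
    base, hardened = compare({}, {"sqli": 3.0})
    print("baseline critical path:", base)
    print("after hardening sqli:  ", hardened)
```

Re-running the evaluation after each control change is the practical use: the defender hardens the current critical path and checks which channel becomes the new cheapest one, rather than assuming the fix closed the goal.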
Keywords/Search Tags:complex network attacks, pyramid expansion model, behavior association analysis, association prediction, sequential association model