Research On Key Technologies Of Targeted Cyber Attacks Detection Based On Multi-Source Heterogeneous Data

Posted on: 2021-04-17
Degree: Doctor
Type: Dissertation
Country: China
Candidate: A K Ju
GTID: 1368330647957277
Subject: Software engineering
Abstract/Summary:

The Targeted Cyber Attack, represented by APT, is characterized by complex attack means, long latency and high harmfulness, and it has become the biggest threat to network security. Identifying the behavior, intention and trend of Targeted Cyber Attacks from multi-source heterogeneous cyberspace data is an important research topic in Cyber Security Situation Awareness. In view of the characteristics of multi-source heterogeneous cyber security data, such as huge volume, heterogeneous formats and diverse semantics, this dissertation studies Targeted Cyber Attack detection methods based on correlation analysis. After analyzing the existing problems, a framework for Targeted Cyber Attack detection based on multi-source heterogeneous data is proposed, together with a set of data correlation methods that can effectively support cyber security situation awareness and decision-making. Specifically, the main contributions are as follows:

1. In view of the lack of a standard framework for Targeted Cyber Attack detection based on correlation analysis, a framework for Targeted Cyber Attack detection based on multi-source heterogeneous data is designed. By analyzing the Targeted Cyber Attack and its detection process, a formal definition of the Targeted Cyber Attack is given. On this basis, a layered Targeted Cyber Attack detection framework based on multi-source heterogeneous data is constructed. In addition, the corresponding data classification model and correlation method are proposed to address the lack of a unified and standardized description framework.

2. Aiming at the problem that anomaly detection models lack high-quality labeled data sets, anomaly detection for stream data in an environment with few labeled samples is studied. An adaptive anomaly detection algorithm based on isolation forest and PAL is proposed. Building on the ensemble-learning isolation forest algorithm and integrating an active learning strategy, a human-in-the-loop hybrid enhancement mechanism is used to compensate for the shortcomings of the machine learning algorithm. The detection model is updated iteratively according to the feedback results, which effectively avoids the inaccurate decisions caused by the limitations of the machine learning algorithm. The algorithm reduces the false alert rate and improves detection efficiency, so as to achieve fast and efficient outlier discovery.

3. Aiming at the problems of redundant alert data and the lack of correlation between the alerts caused by attack activities, and in order to simplify the alert information and better grasp the attacker's motivation, a Targeted Cyber Attack scenario correlation method based on a Dynamic Bayesian alert correlation graph is proposed. By analyzing the uncertainty of probability transfer between security alert events, an alert correlation graph model based on Dynamic Bayesian is constructed. Correlation constraints are established between alert events, and the relationships between different alerts are analyzed. The uncertainty and relevance of the transfer between alerts are measured by a conditional probability matrix. A probabilistic reasoning method is used to supplement hidden edges and alert nodes. An ant-colony optimization algorithm updates the model weights and corrects model errors in time, so as to describe the attack path accurately.

4. Aiming at the low efficiency of attack analysis and the insufficient accuracy caused by cognitive errors in manual analysis, an attack knowledge correlation method based on knowledge graph representation learning is proposed. This dissertation proposes a method that transforms the knowledge representation into automatic attack patterns based on the knowledge structure of the attack; for security alert data, the corresponding knowledge recommendation results are given, providing knowledge recommendations for analysts.

5. In view of the lack of a dynamic description of the relationship between alert events and attack context in existing research, a Targeted Cyber Attack scenario reconstruction method based on a cascaded Cyber Kill Chain model is proposed. By extending the modeling method of the network threat process, a recursive cascaded Cyber Kill Chain model is proposed. Based on this model, a bidirectional analysis method is proposed, which explicitly maps attack events to the different stages of the Cyber Kill Chain and supplements missing attack events through reverse reasoning, thereby solving the problem of correlating and reconstructing Targeted Cyber Attack scenarios.

The research in this dissertation can help security analysts grasp the network security situation in time, prepare protection against possible future Targeted Cyber Attacks, and provide theoretical support and methodological guarantees for shortening attack detection time and implementing active defense.
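The following is an added illustration of the alert correlation graph idea in contribution 3 (conditional probability matrix between alert types, plus probabilistic reasoning that supplements a hidden alert node); it is not the dissertation's code. It assumes maximum-likelihood transition estimates from constructed alert sequences, an assumed direct-edge threshold of 0.1, and a single hidden node per gap; the ant-colony weight update and the dynamic re-estimation over time are not modeled.

```python
from collections import defaultdict

# Constructed alert-type sequences, one per compromised host, ordered by time.
# Synthetic training data for this example, not data from the dissertation.
SEQUENCES = [
    ["port_scan", "brute_force", "malware_download", "c2_beacon"],
    ["port_scan", "brute_force", "c2_beacon"],
    ["port_scan", "exploit", "malware_download", "c2_beacon"],
    ["phishing", "malware_download", "c2_beacon", "exfiltration"],
    ["phishing", "malware_download", "exfiltration"],
]

def build_transition_matrix(sequences):
    """Conditional probability matrix P(next alert type | current alert type),
    estimated as relative frequencies of observed consecutive alert pairs."""
    counts = defaultdict(lambda: defaultdict(int))
    for seq in sequences:
        for cur, nxt in zip(seq, seq[1:]):
            counts[cur][nxt] += 1
    return {cur: {nxt: n / sum(nexts.values()) for nxt, n in nexts.items()}
            for cur, nexts in counts.items()}

def prob(matrix, cur, nxt):
    """Transfer probability of one edge; 0.0 if the edge was never observed."""
    return matrix.get(cur, {}).get(nxt, 0.0)

def infer_hidden(matrix, cur, nxt):
    """Probabilistic reasoning over one missing node: the alert type most likely
    to sit between cur and nxt, returned with its two-step probability."""
    best, best_p = None, 0.0
    for mid, p_mid in matrix.get(cur, {}).items():
        two_step = p_mid * prob(matrix, mid, nxt)
        if two_step > best_p:
            best, best_p = mid, two_step
    return best, best_p

def supplement_path(matrix, path, min_direct=0.1):
    """Walk an observed alert path; where the direct edge is weak or missing and
    a hidden node explains the transfer better, insert that hidden alert.
    The 0.1 threshold is an assumption chosen for this example."""
    out = [path[0]]
    for cur, nxt in zip(path, path[1:]):
        direct = prob(matrix, cur, nxt)
        if direct < min_direct:
            mid, two_step = infer_hidden(matrix, cur, nxt)
            if mid is not None and two_step > direct:
                out.append(mid)  # hidden alert node supplemented by reasoning
        out.append(nxt)
    return out
```

On the constructed data, a host that showed only port_scan followed by c2_beacon gets a brute_force alert supplemented between them, because no direct port_scan to c2_beacon transfer was ever observed while the two-step route has probability 1/3.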
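An added example for the bidirectional analysis in contribution 5 (forward mapping of alerts onto Cyber Kill Chain stages, reverse reasoning that fills missing earlier stages, and a cascaded child chain started by a pivot); it is not the dissertation's code. The alert-to-stage mapping, the alert records and the rule that a lateral-movement alert explains the child chain's delivery stage are assumptions made for this example.

```python
from collections import defaultdict

KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]

# Assumed mapping of alert types to kill-chain stages (constructed for this example).
STAGE_OF = {
    "port_scan": "reconnaissance",
    "phishing_email": "delivery",
    "exploit_attempt": "exploitation",
    "c2_beacon": "command_and_control",
    "lateral_movement": "actions_on_objectives",
    "data_exfiltration": "actions_on_objectives",
}

# Constructed alerts: a workstation is phished and beacons out, then pivots to a
# database server on which only the exfiltration itself was detected.
ALERTS = [
    {"id": "a1", "host": "ws-01", "type": "phishing_email"},
    {"id": "a2", "host": "ws-01", "type": "c2_beacon"},
    {"id": "a3", "host": "ws-01", "type": "lateral_movement", "target": "srv-db"},
    {"id": "a4", "host": "srv-db", "type": "data_exfiltration"},
]

def forward_map(alerts):
    """Explicitly map each alert to a kill-chain stage, grouped per host."""
    by_host = defaultdict(lambda: {stage: [] for stage in KILL_CHAIN})
    for a in alerts:
        stage = STAGE_OF.get(a["type"])
        if stage:
            by_host[a["host"]][stage].append(a["id"])
    return by_host

def reverse_fill(stages):
    """Reverse reasoning: every stage before the latest observed one must have
    occurred, so stages with no alert are marked as inferred missing events."""
    observed = [i for i, s in enumerate(KILL_CHAIN) if stages[s]]
    if not observed:
        return {}
    return {s: stages[s] or "inferred" for s in KILL_CHAIN[:max(observed) + 1]}

def reconstruct(alerts):
    """Cascaded reconstruction: a lateral_movement alert from host A to host B
    starts a child chain on B whose delivery stage is explained by the pivot."""
    chains = {host: reverse_fill(stages) for host, stages in forward_map(alerts).items()}
    for a in alerts:
        if a["type"] == "lateral_movement" and a["target"] in chains:
            child = chains[a["target"]]
            if child.get("delivery") == "inferred":
                child["delivery"] = "pivot_from:" + a["host"]
    return chains
```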
Keywords/Search Tags: Network security situation awareness, APT, Targeted cyber attack, Multi-source heterogeneous data, Correlation analysis