
Research On Key Techniques For Behavior Detection Towards Advanced Evasive Network Attack

Posted on: 2024-09-30 | Degree: Doctor | Type: Dissertation
Country: China | Candidate: X Z Yang | Full Text: PDF
GTID: 1528307292959879 | Subject: Cyberspace security
Abstract/Summary:
Advanced Evasive Network Attack (AENA) is a novel cyber attack that uses adversarial, stealth, and escape techniques to build advanced intrusion tactics and implement sustainable control over specific targets. The goals of AENA are twofold: 1) to spy on, collect, and steal classified intelligence; 2) to monitor, penetrate, and destroy critical infrastructure or information systems. As the global cyber landscape becomes increasingly complex, AENA has caused catastrophic consequences for cybersecurity. As a result, detection, tracing, reasoning, and countermeasures aimed at AENA have become critical cybersecurity technologies for many countries. Typical AENAs include APT attacks, PowerShell attacks, and obfuscated malicious request attacks. However, existing AENA detection and tracing methods have poor accuracy and robustness, rely too much on expert knowledge, and cannot effectively counter obfuscated code. Meanwhile, it is hard for these methods to quickly and accurately identify malicious attacks, analyze malicious behaviors, and trace the sources of attacks. Also, current research is conducted only from a single perspective, ignoring the role of the attack lifecycle in security defense. AENA defense lacks a study that correlates the four efforts of malicious detection, behavior identification, attack organization traceability and reasoning, and security knowledge graph and behavior description, which results in poor protection by AENA detection systems.

To solve these problems, this thesis, based on the AENA life cycle, focuses on AENA and studies its malicious behavior detection from multiple dimensions and at different stages. We design effective methods covering four aspects of research: obfuscated malicious request detection, PowerShell attack behavior recognition, APT attack tracing and reasoning, and APT knowledge graph construction and behavior portrait generation. The aim is to improve the anti-obfuscation ability, robustness, intelligence, and interpretability of AENA behavior detection. Finally, this thesis constructs an overall AENA defense framework that links "detection-attribution-reasoning-interpretation" to realize system security protection. The main works are as follows:

(1) A deep-learning-based method for detecting obfuscated malicious requests is proposed. Attackers usually obfuscate, encrypt, and modify web requests, which makes AENA stealthy and evasive. Conventional detection methods suffer from multiple weaknesses: they are easily bypassed, depend on experience and rules, and ignore the semantic relationships within malicious web requests. To this end, we propose a malicious request detection method based on an anti-obfuscation preprocessing strategy and deep learning. Firstly, according to the obfuscation characteristics of malicious web requests, 12 standard obfuscation methods are summarized, and an anti-obfuscation preprocessing strategy is designed. Secondly, a three-layer CNN-BiLSTM model with an Attention mechanism is built to detect obfuscated malicious requests. Then, we design a system, OMRDetector, that improves on this model based on the characteristics of obfuscated malicious requests: it extracts local features of web requests and captures long-distance dependencies and semantic information. Finally, systematic experiments show that OMRDetector is feasible and effective. OMRDetector can identify common obfuscated and encrypted types of malicious web requests and detect unknown types of malicious web attacks, which supports the malicious detection of AENA.

(2) A novel method based on multimodal semantic fusion and deep learning for behavior recognition of advanced evasive PowerShell attacks is proposed. PowerShell, as a typical AENA payload, has been widely used in fileless and APT attacks. However, existing research on PowerShell attacks focuses on de-obfuscation and malicious detection and lacks fine-grained identification of malicious behavior. In addition, there is currently a lack of work on multimodal feature fusion and deep semantic analysis, and existing approaches have low robustness and accuracy. To this end, this thesis proposes an advanced PowerShell malicious behavior recognition method (PowerDetector) based on multimodal semantic fusion and deep learning. Firstly, four feature extraction methods are designed to extract features of different dimensions and modalities from malicious PowerShell scripts: characters, tokens, abstract syntax trees, and semantic relationship graphs. Secondly, four embedding representation methods (Char2Vec, Token2Vec, Rela2Vec, and AST2Vec) are constructed, and the vectors of the different views are stitched together through a multimodal semantic fusion algorithm. Finally, we build a PowerShell attack behavior detection model based on multi-head self-attention, a transformer, and CNN-BiLSTM. The experimental results show that PowerDetector has better accuracy and robustness and can effectively identify the behavior of high-stealth PowerShell attacks.

(3) An APT attack tracing and reasoning method based on dynamic and static semantic behavior enhancement and a graph attention network is proposed. Existing APT attack tracing methods rely excessively on expert knowledge and lack a correlation between the ATT&CK framework and the time series of attack behaviors. Besides, these methods ignore the advantage of combining dynamic and static behaviors to improve the traceability of malware. To solve these problems, this thesis designs and implements an APT attack tracing and reasoning model (APTEye). Firstly, static and dynamic behavioral features of malware are extracted. Secondly, an algorithm for semantic enhancement and representation of behavioral features is designed: static API features and attack chains are mapped by Attack2Vec, and the temporal semantic relationship of dynamic API sequences is enhanced by APISeq2Vec. In this way, our method realizes the mapping from low-level behavior features to high-level attack behavior patterns. Then, a dynamic and static feature alignment and behavioral semantics aggregation algorithm is constructed to fuse all features of APT malware and generate the corresponding embeddings. Finally, an attribution model based on the graph attention network is built to trace the APT organization, and the attack behaviors are then reasoned about according to their temporal relationships and the ATT&CK framework.

(4) An automatic extraction method for APT attack knowledge combining entity recognition and entity alignment is proposed, which can generate behavior portraits of APT organizations, and an APT knowledge graph is constructed. In view of the weak interpretability of APT attack defense research and the lack of methods that automatically generate structured attack behavior portraits, this thesis carries out research on APT knowledge graph construction and attack behavior portrait generation. Firstly, entity and relationship categories are designed around APT attack characteristics, and a BERT-BiLSTM+CRF model is constructed to identify APT attack entities. Secondly, a clustering entity alignment algorithm is used to improve the quality of the extracted APT attack entities. In addition, combined with the dynamic and static key features of the APT attack samples extracted in Chapter 5, the attack behavior portrait of the APT organization is generated. Finally, a deep learning model is designed to extract APT attack triplet relationships. Besides, this thesis constructs an APT organizational knowledge graph and uses visualization techniques to display entity infoboxes and association relationships. The experimental results show that this research improves the interpretability and knowledge display of AENA and APT attack analysis, providing decision support for attack event analysis and behavior detection.

To sum up, the behavior detection research on advanced evasive network attacks can promote and inspire researchers to carry out in-depth analysis, enrich the overall defense work, and support detection and traceability in network security protection.
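The anti-obfuscation preprocessing strategy in work (1) is the part of the abstract most easily shown in code. The following is an added example, not code from the thesis or from OMRDetector. The abstract does not list the 12 obfuscation methods it summarizes, so the layers handled here (nested URL encoding, HTML entities, `\u`/`\x` escapes, inline-comment separators, whitespace padding, and case variation) are this example's own assumptions, and every sample request value is constructed. The point it demonstrates is why canonicalization helps a downstream model: request values that differ only in their obfuscation collapse to one string before they reach the tokenizer.

```python
"""Canonicalization pass that strips common request-obfuscation layers.

Added illustration, not the thesis's or OMRDetector's code. The obfuscation
layers covered are assumptions about which kinds of obfuscation such a
preprocessing stage would need to undo; the sample inputs are constructed.
"""
import html
import re
from urllib.parse import unquote_plus

# Bounded so that deliberately deep nesting (%2525...) cannot stall the pass.
MAX_DECODE_ROUNDS = 3

_UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")   # literal \u0027 in the request
_HEX_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")       # literal \x27 in the request
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)     # /**/ used as a token separator
_LINE_COMMENT = re.compile(r"--[^\n]*")             # -- comment to end of line
_WHITESPACE = re.compile(r"\s+")


def decode_layers(value: str) -> str:
    """Peel nested URL / HTML-entity / escape encodings until the text is stable.

    Single-pass decoders miss double encoding (%2527 -> %27 -> '), so we loop,
    but only MAX_DECODE_ROUNDS times.
    """
    for _ in range(MAX_DECODE_ROUNDS):
        prev = value
        value = unquote_plus(value)                  # %27 -> ' and + -> space
        value = html.unescape(value)                 # &#39; -> ' and &lt; -> <
        value = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), value)
        value = _HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), value)
        if value == prev:                            # nothing left to decode
            break
    return value


def strip_comments(value: str) -> str:
    """Replace comment sequences with a single space so split tokens rejoin."""
    value = _BLOCK_COMMENT.sub(" ", value)
    value = _LINE_COMMENT.sub(" ", value)
    return value


def normalize(value: str) -> str:
    """Full canonical form of one request parameter value."""
    value = decode_layers(value)
    value = strip_comments(value)
    value = _WHITESPACE.sub(" ", value).strip()      # tabs, newlines, padding -> one space
    return value.lower()                             # SeLeCt / select / SELECT -> select


def canonical_params(query: str) -> dict:
    """Normalize every key and value of a raw query string (constructed input)."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, raw = pair.partition("=")
        params[normalize(key)] = normalize(raw)
    return params


def canonical_forms(variants) -> set:
    """Set of canonical strings produced by a list of variants.

    If the anti-obfuscation pass is doing its job, variants that differ only
    in obfuscation yield a set of size one.
    """
    return {normalize(v) for v in variants}


# Constructed variants of one and the same parameter value, each obfuscated
# differently: plain URL encoding with mixed case, double encoding with /**/
# separators, an HTML entity with tab padding, and a literal \u escape with
# '+' as space.
SAMPLE_VARIANTS = [
    "1%27%20oR%20%31%3D1",
    "1%2527/**/Or/**/1%253D1",
    "1&#39;%09OR%09%31%3D1",
    r"1\u0027+or+1%3D1",
]

if __name__ == "__main__":
    for v in SAMPLE_VARIANTS:
        print(f"{v!r:40} -> {normalize(v)!r}")
    print("distinct canonical forms:", canonical_forms(SAMPLE_VARIANTS))
    print(canonical_params("id=1%2527/**/Or/**/1%253D1&Page=2"))
```

In a detection pipeline such as the one the abstract describes, the output of `normalize` (or `canonical_params`) is what gets tokenized and fed to the model, so the model sees one representation per attack pattern instead of one per encoding trick. The bounded decode loop is the practical caveat: unbounded decoding is a denial-of-service vector against the preprocessor itself, while a single pass lets double-encoded input through unchanged.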
Keywords/Search Tags:Advanced Evasive Network Attack, Attack Behavior Detection, Attack Behavior Tracing, Attack Behavior Reasoning, Deep Learning