
Research On Host-oriented Attack Behavior Analysis

Posted on: 2020-08-15
Degree: Master
Type: Thesis
Country: China
Candidate: W H Sun
Full Text: PDF
GTID: 2428330578955003
Subject: Computer technology

Abstract/Summary:
At present, cyber-attacks take many forms, and both the duration and the number of attacks are increasing, so devices and applications face serious security threats. Existing security technologies such as firewalls and intrusion detection can filter network data, enforce network access policies and detect attacks, but they do not solve the security problems faced by host devices well: whether a host has been implanted with a Trojan, what information has been stolen from the host, how host information has been leaked, and so on. The ultimate target of most forms of cyber-attack today is the end entity (the host) in the network, so attack analysis on the host can reflect network attacks. The research in this paper uses the host's system log to characterize attack behavior against the host and to identify the attack intention, in order to improve awareness of host security. Host-oriented attacks come in many forms; this thesis takes malicious programs as its example and studies their impact on terminal entities (hosts).

The main work of this paper consists of three parts:

(1) A method for attack analysis based on Windows event data is proposed. This method uses the host log collected by Event Tracing for Windows as behavioral operation data and divides host behavior into four aspects: file, registry, process and network. Combined with custom high-risk action features and virus analysis methods, it generates an attack behavior call graph and statistical operational behavior features. Using these data, a series of harmful behaviors produced by an attack on a Windows host can be described, and the operational behavior characteristics can be analyzed to identify the specific type of attack behavior.

(2) An attack behavior analysis method based on graph clustering is proposed. This method improves on the attack analysis method based on Windows event data. It applies the idea of causal relationships to analyze object invocation relationships within the host system, representing the calling relationships of processes as a graph. A community discovery algorithm is then used to cluster the process call graph so that malicious processes and their related malicious communities are discovered automatically. In addition, because the host log contains many redundant entries that do not indicate any event relationship in the system, the log data must be preprocessed; this paper proposes a rule for removing redundant logs and implements the data cleaning.

(3) Finally, a method for identifying the impact and intention of an attack is proposed. The method comprehensively analyzes the attack path of the malicious program and the resources it calls (network resources, file resources, etc.), and combines the behavioral operations with the calling relationships to identify the impact and intention of the attack.

The research in this paper focuses on the specific malicious behaviors that malicious programs produce on the host. Experimental verification shows that the attack path of a malicious program can be identified, and the impact and intent of the attack can be identified on that basis. This work not only improves awareness of host-oriented attacks but also has implications for the study of attack behavior in general.
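The pipeline sketched in parts (1) to (3) above, as an added illustration that is not code from the thesis: a few constructed ETW-style host events (the field names and the high-risk action features are assumptions of this example, not the thesis's definitions) are de-duplicated with a simple cleaning rule, turned into a process call graph whose nodes are processes and the file, registry and network resources they touch, grouped into communities (connected components stand in for the thesis's community discovery algorithm), scored against the high-risk features, and traced back along the parent chain to show the attack path.

```python
"""Added example (not from the thesis): host-event cleaning, process call graph,
community grouping and attack-path tracing over constructed ETW-style events."""
from collections import defaultdict

# Constructed sample events in a simplified ETW-like shape (assumed field layout).
# Each event: (pid, ppid, image, category, operation, target)
EVENTS = [
    (100, 1,   "explorer.exe",   "process",  "start",   "explorer.exe"),
    (200, 100, "winword.exe",    "process",  "start",   "winword.exe"),
    (200, 100, "winword.exe",    "file",     "read",    r"C:\Users\u\report.docx"),
    (300, 200, "cmd.exe",        "process",  "start",   "cmd.exe"),
    (400, 300, "powershell.exe", "process",  "start",   "powershell.exe"),
    (400, 300, "powershell.exe", "network",  "connect", "203.0.113.7:443"),
    (400, 300, "powershell.exe", "file",     "write",   r"C:\Users\u\AppData\Local\Temp\a.exe"),
    (400, 300, "powershell.exe", "file",     "write",   r"C:\Users\u\AppData\Local\Temp\a.exe"),  # redundant duplicate
    (400, 300, "powershell.exe", "registry", "write",   r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\a"),
    (500, 1,   "svchost.exe",    "process",  "start",   "svchost.exe"),
    (500, 1,   "svchost.exe",    "registry", "read",    r"HKLM\SYSTEM\CurrentControlSet\Services"),
]

# Assumed high-risk action features (this example's choice, not the thesis's list):
# (category, operation, predicate over the target)
HIGH_RISK = [
    ("registry", "write",   lambda t: "\\currentversion\\run\\" in t.lower()),
    ("file",     "write",   lambda t: "\\temp\\" in t.lower()),
    ("network",  "connect", lambda t: True),
]


def dedupe(events):
    """Assumed cleaning rule: drop repeated (pid, category, op, target) entries."""
    seen, kept = set(), []
    for e in events:
        key = (e[0], e[3], e[4], e[5])
        if key not in seen:
            seen.add(key)
            kept.append(e)
    return kept


def build_graph(events):
    """Undirected adjacency: parent process <-> child process, process <-> resource."""
    adj = defaultdict(set)
    procs = {e[0] for e in events}
    for pid, ppid, _image, cat, _op, target in events:
        if cat == "process":
            adj[pid]  # make sure the process node exists even without a known parent
            if ppid in procs:  # only link to parents that appear in the log
                adj[ppid].add(pid)
                adj[pid].add(ppid)
        else:
            node = (cat, target)
            adj[pid].add(node)
            adj[node].add(pid)
    return adj


def communities(adj):
    """Connected components via DFS; stands in for the community discovery step."""
    seen, comps = set(), []
    for start in adj:
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            comp.add(n)
            stack.extend(adj[n] - seen)
        comps.append(comp)
    return comps


def process_chain(events, pid):
    """Parent chain (root first) for a pid, built from process-start events."""
    parent = {e[0]: e[1] for e in events if e[3] == "process"}
    image = {e[0]: e[2] for e in events}
    chain = []
    while pid in image:
        chain.append(image[pid])
        pid = parent.get(pid)
    return chain[::-1]


def analyze(events):
    """Clean, graph, cluster and score; returns communities, highest score first."""
    events = dedupe(events)
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e[0]].append(e)
    result = []
    for comp in communities(build_graph(events)):
        pids = sorted(n for n in comp if isinstance(n, int))
        hits = [(img, cat, op, tgt)
                for pid in pids
                for _, _, img, cat, op, tgt in by_pid[pid]
                for hc, ho, pred in HIGH_RISK
                if cat == hc and op == ho and pred(tgt)]
        result.append({"processes": pids, "risk_hits": hits,
                       "score": len(hits), "flagged": len(hits) >= 2})
    return sorted(result, key=lambda c: -c["score"])


if __name__ == "__main__":
    for c in analyze(EVENTS):
        print(c["processes"], "score", c["score"], "flagged" if c["flagged"] else "")
        for pid in c["processes"]:
            print("   path:", " -> ".join(process_chain(EVENTS, pid)))
```

With the constructed events, the Office-spawned chain ends up in one community with three high-risk hits (Run-key write, executable dropped under Temp, outbound connection) and is flagged, while the unrelated service process forms a second, unflagged community; the `process_chain` output gives the attack-path view the thesis describes in part (3).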
Keywords/Search Tags:Host security, Attack Detection, Attack Behavior, Community Detection, Attack Intention