
Research On Modeling And Path Prediction Technology Of APT Attack

Posted on: 2019-11-05
Degree: Master
Type: Thesis
Country: China
Candidate: Z Y Du
Full Text: PDF
GTID: 2428330611993132
Subject: Computer Science and Technology

Abstract/Summary:
Under the background of information globalization, cyberspace has become a new territory of national sovereignty, and the contest around it keeps escalating. The country's political, economic, cultural, social and national-defense security, as well as citizens' legitimate rights and interests in cyberspace, face serious risks and challenges. Among the many forms of attack there is one that is advanced, targeted, persistent and phased: the APT (Advanced Persistent Threat). Analysis of the APT attacks reported in recent years shows that their number increases year by year, their means keep changing and the fields involved grow ever wider. The defensive technology matched to them, however, has not been upgraded and even remains at the level of passive defense. Studying a set of technologies that can actively defend against APT attacks is therefore of practical significance for maintaining cyberspace sovereignty, security and development interests.

The first chapter studies the current state of cyberspace security, summarizes the traditional APT defense process and methods, analyzes current network-attack modeling and prediction technology and examines the advantages and disadvantages of each approach. Finally, it presents the research direction, basic ideas, organizational structure and main work of this thesis.

The second chapter analyzes and summarizes the three related technical foundations: their basic principles, basic methods and basic structure, and their advantages and disadvantages with respect to APT attacks. Finally, it presents the idea and direction of improvement.

The third chapter studies the first sub-problem, path modeling. It first examines the phase characteristics of APT attacks in depth and enriches and improves the original kill chain model. On that basis it constructs a general Petri net model of APT attack (APTPN). Then, based on the model, an algorithm is proposed that generates the Petri net model automatically from the relevant information of a specific APT attack. By preprocessing the input information the algorithm obtains three basic element sets, derives the attack path meta set through seven preset logical inferences, and finally obtains all possible APT attack paths by depth-first traversal. The complexity of the algorithm is bounded by O(N^2). The experiment simulates the Google Aurora operation by building a virtual hardware, software and network environment and constructs the Petri net model (APTPN-Aurora) using the algorithm.

The fourth chapter studies the second sub-problem, initial path generation. It proposes an initial path generation algorithm for APT attacks based on OpenIOC. The core of the algorithm is to generate a logical expression for an APT attack sample that is simple, small in scale and detects well. Following the principle of information entropy, the algorithm divides features into two categories, strong and weak, by judging the change in total entropy caused by a given feature. A strong feature is one whose ability to identify the sample exceeds the set threshold; a weak feature combination is a combined feature formed by AND-combining features whose distinguishing ability is below the threshold. Strong features and weak feature combinations are then connected into the logical expression of the APT sample according to the connection principle.

The fifth chapter studies the third sub-problem, path prediction. First, by the isomorphism principle, it proves that an attack path in the APTPN model established in Chapter 3 is isomorphic to a hidden Markov chain. It then proposes an APT attack path prediction algorithm based on the hidden Markov model. The algorithm introduces integrated alarm information and proposes a method for determining the starting point library when alarm information is insufficient. To address the small number of APT attack samples, the calculation of the original hidden Markov model parameters is improved: the state transition matrix is calculated by AHP-fuzzy comprehensive evaluation and the confusion matrix by association rule mining. Finally, the occurrence probability of each APT attack path is obtained by calculating the probability of each transition after the starting point library, which achieves the prediction purpose. The path occurrence probabilities of APTPN-Aurora are calculated and compared with the attack path of the real Aurora attack, verifying the effectiveness of the algorithm.
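As an added example, not code from the thesis, the following Python sketch shows the strong/weak feature split that the fourth chapter describes: the information gain of each indicator over a labelled sample set, a threshold separating strong features from weak ones, AND-combination of the weak features into one combined feature, and the logical expression built from them. The sample set, the indicator names, the threshold of 0.3 bits, the rule that zero-gain features are dropped, and the connection rule (strong features and the weak combination joined by OR, i.e. a disjunctive normal form) are all assumptions; the abstract does not state the thesis's own connection principle.

```python
import math
from typing import Callable, Dict, List, Tuple

Sample = Tuple[Dict[str, int], bool]
Clause = Tuple[str, ...]      # feature names AND-ed together
Expression = List[Clause]     # clauses OR-ed together (DNF; an assumption)

# Constructed sample set (not from the thesis). Each record is one host
# observation with binary OpenIOC-style indicators and a label
# (True = belongs to the APT sample, False = benign baseline).
SAMPLES: List[Sample] = [
    ({"beacon_dns": 1, "off_hours": 1, "new_service": 1, "uses_http": 1}, True),
    ({"beacon_dns": 1, "off_hours": 1, "new_service": 0, "uses_http": 1}, True),
    ({"beacon_dns": 1, "off_hours": 0, "new_service": 1, "uses_http": 0}, True),
    ({"beacon_dns": 0, "off_hours": 1, "new_service": 1, "uses_http": 1}, True),
    ({"beacon_dns": 0, "off_hours": 0, "new_service": 0, "uses_http": 1}, False),
    ({"beacon_dns": 0, "off_hours": 1, "new_service": 0, "uses_http": 1}, False),
    ({"beacon_dns": 0, "off_hours": 0, "new_service": 1, "uses_http": 0}, False),
    ({"beacon_dns": 0, "off_hours": 0, "new_service": 0, "uses_http": 1}, False),
]


def entropy(labels: List[bool]) -> float:
    """Shannon entropy in bits of a binary label list; 0 for an empty list."""
    n = len(labels)
    if n == 0:
        return 0.0
    p = sum(labels) / n
    return -sum(q * math.log2(q) for q in (p, 1 - p) if q > 0)


def information_gain(samples: List[Sample],
                     predicate: Callable[[Dict[str, int]], bool]) -> float:
    """Drop in label entropy when the samples are split by `predicate`
    (the abstract's 'change of total entropy' caused by a feature)."""
    n = len(samples)
    pos = [y for x, y in samples if predicate(x)]
    neg = [y for x, y in samples if not predicate(x)]
    conditional = len(pos) / n * entropy(pos) + len(neg) / n * entropy(neg)
    return entropy([y for _, y in samples]) - conditional


def feature_gain(samples: List[Sample], name: str) -> float:
    return information_gain(samples, lambda x: bool(x[name]))


def split_features(samples: List[Sample], threshold: float):
    """Strong: gain >= threshold. Weak: 0 < gain < threshold.
    Zero-gain features say nothing about the sample and are dropped (assumption)."""
    strong, weak = [], []
    for name in samples[0][0]:
        g = feature_gain(samples, name)
        if g >= threshold:
            strong.append(name)
        elif g > 0:
            weak.append(name)
    return strong, weak


def build_expression(samples: List[Sample], threshold: float = 0.3) -> Expression:
    """Each strong feature is a one-literal clause; all weak features are AND-ed
    into one combined clause; clauses are OR-ed (assumed connection rule)."""
    strong, weak = split_features(samples, threshold)
    expr: Expression = [(s,) for s in strong]
    if weak:
        expr.append(tuple(weak))
    return expr


def evaluate(expr: Expression, x: Dict[str, int]) -> bool:
    return any(all(x[f] for f in clause) for clause in expr)


def render(expr: Expression) -> str:
    return " OR ".join("(" + " AND ".join(c) + ")" for c in expr)


def detection_accuracy(expr: Expression, samples: List[Sample]) -> float:
    hits = sum(evaluate(expr, x) == y for x, y in samples)
    return hits / len(samples)


if __name__ == "__main__":
    for name in SAMPLES[0][0]:
        print(f"{name:12s} gain={feature_gain(SAMPLES, name):.3f}")
    expr = build_expression(SAMPLES)
    print("expression:", render(expr))
    print("combined weak-feature gain:",
          round(information_gain(SAMPLES, lambda x: evaluate([expr[-1]], x)), 3))
    print("accuracy on the sample set:", detection_accuracy(SAMPLES and expr, SAMPLES))
```

On this constructed set neither `off_hours` nor `new_service` reaches the threshold on its own, but their AND-combination does, which is the point of keeping weak features as a combined feature rather than discarding them.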
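Also an added example rather than the thesis's own code: the path-probability computation the fifth chapter describes, run over a few candidate attack paths of a small constructed phase model. Each candidate path is treated as a hidden Markov chain whose states are attack phases and whose observations are alarms. The transition matrix `A` stands in for the AHP-fuzzy comprehensive evaluation result, the confusion (emission) matrix `B` for the association-rule mining result, and the starting point library with evenly shared prior mass is an assumed stand-in for the thesis's method of choosing it when alarm information is insufficient. All state names, alarm names, candidate paths and probabilities are constructed.

```python
from typing import Dict, List, Sequence, Tuple

# Constructed phase model (not from the thesis): APTPN-style attack phases
# as hidden states, alarm types as observations.
STATES = ["recon", "delivery", "exploit", "c2", "exfil"]
ALARMS = ["port_scan", "phish_mail", "exploit_sig", "beacon", "large_upload"]

# State transition matrix A: P(next phase | phase). Constructed values in
# place of the AHP-fuzzy comprehensive evaluation result; absent entries are 0.
A: Dict[str, Dict[str, float]] = {
    "recon":    {"delivery": 0.7, "exploit": 0.3},
    "delivery": {"exploit": 0.9, "recon": 0.1},
    "exploit":  {"c2": 0.8, "delivery": 0.2},
    "c2":       {"exfil": 0.6, "c2": 0.4},
    "exfil":    {"exfil": 1.0},
}

# Confusion (emission) matrix B: P(alarm | phase). Constructed values in
# place of the association-rule mining result; absent entries are 0.
B: Dict[str, Dict[str, float]] = {
    "recon":    {"port_scan": 0.8, "phish_mail": 0.1, "exploit_sig": 0.05, "beacon": 0.05},
    "delivery": {"port_scan": 0.1, "phish_mail": 0.8, "exploit_sig": 0.1},
    "exploit":  {"port_scan": 0.05, "phish_mail": 0.1, "exploit_sig": 0.8, "beacon": 0.05},
    "c2":       {"port_scan": 0.05, "exploit_sig": 0.1, "beacon": 0.8, "large_upload": 0.05},
    "exfil":    {"beacon": 0.2, "large_upload": 0.8},
}

# Starting point library with prior weights. Assumption: when the integrated
# alarms cannot single out the entry phase, the library entries share the mass evenly.
START_LIBRARY: Dict[str, float] = {"recon": 0.5, "delivery": 0.5}

# Candidate attack paths, as a depth-first traversal of the APTPN would list
# them (constructed).
CANDIDATE_PATHS: Dict[str, List[str]] = {
    "P1": ["recon", "delivery", "exploit", "c2", "exfil"],
    "P2": ["delivery", "exploit", "c2", "exfil"],
    "P3": ["recon", "exploit", "c2", "exfil"],
}


def path_probability(path: Sequence[str], alarms: Sequence[str],
                     start: Dict[str, float] = START_LIBRARY,
                     trans: Dict[str, Dict[str, float]] = A,
                     emit: Dict[str, Dict[str, float]] = B) -> float:
    """Joint probability of the path and the observed alarm prefix.

    The first len(alarms) phases are scored with their emissions; the later
    phases (the part being predicted) contribute transition probabilities only.
    A path whose first phase is not in the starting point library, or that is
    shorter than the alarm sequence, cannot explain the observations: score 0."""
    if not path or path[0] not in start or len(alarms) > len(path):
        return 0.0
    p = start[path[0]]
    if alarms:
        p *= emit[path[0]].get(alarms[0], 0.0)
    for t in range(1, len(path)):
        p *= trans[path[t - 1]].get(path[t], 0.0)
        if t < len(alarms):
            p *= emit[path[t]].get(alarms[t], 0.0)
    return p


def rank_paths(paths: Dict[str, List[str]], alarms: Sequence[str]) -> List[Tuple[str, float]]:
    """Normalise the joint probabilities over the candidate set and sort, most likely first."""
    scores = {name: path_probability(path, alarms) for name, path in paths.items()}
    total = sum(scores.values())
    posterior = {n: (s / total if total else 0.0) for n, s in scores.items()}
    return sorted(posterior.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    observed = ["phish_mail", "exploit_sig"]  # constructed integrated alarm sequence
    for name, prob in rank_paths(CANDIDATE_PATHS, observed):
        print(f"{name}: {' -> '.join(CANDIDATE_PATHS[name]):48s} P={prob:.4f}")
```

With the constructed alarms `phish_mail, exploit_sig`, the path that enters at the delivery phase dominates the normalised ranking; a path starting at a phase outside the library scores zero, which is where the starting point library decides what can be predicted at all.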
Keywords/Search Tags: Advanced Persistent Threat, Petri Net, Hidden Markov Model, Initial Path, Path Prediction