
Research On Attack Path Prediction Method For APT Family Analysis

Posted on: 2022-04-07
Degree: Master
Type: Thesis
Country: China
Candidate: W X Chen
GTID: 2518306491966169
Subject: Computer technology

Abstract/Summary:
In today's world there are many attacks on government agencies, industrial facilities and large corporate networks, and cyber security has become a focus of researchers worldwide. Advanced Persistent Threats (APTs) use social engineering, 0-day vulnerabilities, covert communication and other techniques to carry out long-period, multi-stage attacks on their targets. Because of its high concealment and threat level, APT has become one of the main threats to cyberspace security. Researchers focus on identifying and tracing the source of APTs, hoping to detect and alert on them at an early stage. Using APT stages to reconstruct and predict the attack path of an APT not only allows APT attacks to be detected and defended against early, but also helps defenders understand the attacker's goals and strategic intentions. Furthermore, it helps optimize the defender's own defense system and trace APTs at the tactical level. Currently, research on APT focuses on finding reliable attack characteristics and improving detection accuracy rather than on reconstructing and predicting the APT attack path. At the same time, complex and huge volumes of data can easily hide APT characteristics, which increases the difficulty of obtaining reliable data.

This paper presents a method for APT attack path restoration and prediction. First, we study the idea of software genes and use an APT malicious behavior gene pool to solve the problem of obtaining reliable data. APT attacks are long-period and multi-stage, which means that the attacker will deliberately reduce the attack frequency or divide the malware into multiple modules. This paper proposes a gene model to extract key gene sequences from malware, and designs gene optimization and gene similarity algorithms to construct an APT family gene pool and a malicious behavior gene pool. The malicious behavior gene pool is then used to perform genetic testing on samples and extract reliable malicious features from them.

Secondly, to solve the problem of APT attack path restoration and prediction, we use a hidden Markov model (HMM) to reconstruct and predict the attack path (composed of APT stages) on the APT malicious behavior chain (obtained through genetic testing). The features generated by the malicious behavior gene pool are used to construct the malicious behavior chain and to estimate the parameters of the HMM. We then reconstruct the APT attack path through the HMM and predict its next state, and verify the scientific validity and effectiveness of the method through multiple sets of comparative experiments.

Finally, we use the HMM and genetic testing to identify malware families. This phase of the experiments improves the completeness of the system. In addition, the first two phases of experiments revealed that the attack path of an APT family may contain certain family characteristics (captured in the HMM parameters). We use family identification to verify whether the features of the attack path can guide an intrusion detection system to identify and classify malicious software. At the same time, we analyze the advantages and disadvantages of the two methods based on the experimental results.
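The HMM step described above, as an added example that is not part of the thesis: hidden states are APT stages and observations are the behaviour features a gene-pool test would emit, with the stage names, feature names and all probabilities constructed for illustration (the thesis estimates its parameters from gene-pool results). reconstruct_path runs Viterbi to recover the stage path from a behaviour chain, and predict_next_stage uses the forward pass to predict the next stage.

```python
import math

STAGES = ["recon", "delivery", "exploit", "c2", "exfil"]                          # assumed APT stage set
BEHAVIOURS = ["port_scan", "phish_doc", "dll_inject", "beacon", "archive_upload"]  # constructed features
START = [0.7, 0.2, 0.1, 0.0, 0.0]  # constructed HMM parameters (the thesis estimates them from gene-pool hits)
TRANS = [[0.3, 0.6, 0.1, 0.0, 0.0],   # recon    -> mostly delivery
         [0.0, 0.3, 0.6, 0.1, 0.0],   # delivery -> mostly exploit
         [0.0, 0.0, 0.3, 0.6, 0.1],   # exploit  -> mostly c2
         [0.0, 0.0, 0.1, 0.6, 0.3],   # c2       -> stays or moves to exfil
         [0.0, 0.0, 0.0, 0.2, 0.8]]   # exfil    -> mostly stays
EMIT = [[0.80, 0.10, 0.05, 0.03, 0.02],   # P(behaviour | stage), rows follow STAGES
        [0.10, 0.70, 0.10, 0.05, 0.05],
        [0.05, 0.10, 0.70, 0.10, 0.05],
        [0.02, 0.03, 0.15, 0.70, 0.10],
        [0.02, 0.02, 0.06, 0.20, 0.70]]

_log = lambda p: math.log(p) if p > 0 else -math.inf   # log-domain scores, zero-probability safe

def reconstruct_path(chain):
    """Viterbi: most probable APT stage sequence for an observed behaviour chain."""
    obs = [BEHAVIOURS.index(b) for b in chain]
    n = len(STAGES)
    score = [[_log(START[s]) + _log(EMIT[s][obs[0]]) for s in range(n)]]
    back = [[0] * n]                          # back[t][s] = best predecessor of s at step t
    for o in obs[1:]:
        prev = score[-1]
        col, bp = [], []
        for s in range(n):
            best = max(range(n), key=lambda i: prev[i] + _log(TRANS[i][s]))
            col.append(prev[best] + _log(TRANS[best][s]) + _log(EMIT[s][o]))
            bp.append(best)
        score.append(col); back.append(bp)
    state = max(range(n), key=lambda s: score[-1][s])
    path = [state]
    for bp in reversed(back[1:]):             # follow back-pointers from the last step
        state = bp[state]; path.append(state)
    return [STAGES[s] for s in reversed(path)]

def predict_next_stage(chain):
    """Forward pass: posterior over the current stage, then one transition step ahead."""
    obs = [BEHAVIOURS.index(b) for b in chain]
    n = len(STAGES)
    alpha = [START[s] * EMIT[s][obs[0]] for s in range(n)]
    for o in obs[1:]:
        alpha = [sum(alpha[i] * TRANS[i][s] for i in range(n)) * EMIT[s][o] for s in range(n)]
    total = sum(alpha); alpha = [a / total for a in alpha]      # normalise to a posterior
    nxt = [sum(alpha[i] * TRANS[i][s] for i in range(n)) for s in range(n)]
    best = max(range(n), key=nxt.__getitem__)
    return STAGES[best], nxt[best]
```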
Keywords/Search Tags:APT attack, Software Gene, HMM, Attack Path Reconstruction And Prediction, Malware Family Classification