With the development of computer science and technology, all kinds of scientific and technological products have penetrated every aspect of our daily life and work. At the same time, many individuals and organizations have emerged that profit from cyber attacks, and the problem of information security has become more and more acute. In recent years, with the increasing frequency of APT (Advanced Persistent Threat) attacks, in-depth research on APT and on APT defense has become more urgent. To conceal their attack behaviors, APT attacks usually mix themselves with many benign behaviors during the attack process so as not to be detected. Judged one behavior at a time, the vast majority of the behaviors in an APT attack are benign, so host-level APT detection produces too many false alarms, especially methods based on policies and rules. At the same time, path-based detection methods usually require customized rules, while detection based on machine learning and deep learning relies on trained models, and detection performance degrades greatly when faced with complex attack scenarios and new types of attacks. Therefore, a method and strategy are needed that can detect APT attacks mixed with benign behaviors and obtain richer attack information while reducing false positives, so that researchers can reduce the work of traceability analysis.

The main work of this thesis is as follows:

(1) Construct a causal graph from audit logs, and use a graph optimization algorithm to reduce the size of the causal graph.

(2) Aiming at the problem that APT attack behaviors and benign behaviors are mixed together to evade detection, and that traditional detection schemes require rule formulation and model training, this thesis proposes an APT detection method based on causal graphs. The APT subgraph and the many benign subgraphs are separated from the original causal graph, which solves the problem of APT attack behaviors being mixed with benign behaviors. At the same time, the subgraph information is used as node information in the causal graph to embed the nodes of the causal graph, so that the differences between subgraphs can be used to classify the nodes in the causal graph. Finally, this thesis uses a clustering algorithm to extract suspicious nodes, and extracts the subgraph of the suspicious nodes from the causal graph as the APT detection result.

(3) Aiming at the problem that a threat alert cannot be judged, this thesis uses ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) technique rules to prune suspicious attack graphs, and constructs APT tactical source graphs to enrich the information of suspicious APT scene graphs. First, ATT&CK technique rule matching is used to trim the edges that do not trigger alerts, so as to obtain a more accurate APT attack scene graph. The attack scene graph is then threat-scored using the alerts it contains. Finally, the ATT&CK framework is used to map the APT attack scene graph to obtain the APT tactical source graph.
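As an added illustration of the pipeline in (1) to (3), the following Python example (written for this page, not code from the thesis) builds a causal graph from constructed audit records, collapses repeated events as a simple reduction step, separates the graph into connected subgraphs, prunes the edges that trigger no alert rule, and threat-scores each subgraph. The audit records, the alert rules, their weights and the ATT&CK technique and tactic labels attached to them are constructed assumptions; the node embedding and clustering of step (2) are not included.

```python
from collections import defaultdict

# Constructed audit records (subject, action, object); not taken from the thesis.
AUDIT_LOG = [
    ("sshd", "exec", "bash"), ("bash", "exec", "curl"), ("curl", "connect", "203.0.113.7:443"),
    ("curl", "write", "/tmp/stage.sh"), ("curl", "write", "/tmp/stage.sh"),  # repeated event
    ("bash", "exec", "/tmp/stage.sh"), ("/tmp/stage.sh", "read", "/etc/shadow"),
    ("cron", "exec", "logrotate"), ("logrotate", "write", "/var/log/syslog.1"),
]
# Simplified alert rules (constructed): action, object test, ATT&CK technique, tactic, weight.
RULES = [
    ("read", lambda o: o == "/etc/shadow", "T1003", "Credential Access", 5),
    ("exec", lambda o: o.startswith("/tmp/"), "T1059", "Execution", 3),
    ("write", lambda o: o.startswith("/tmp/"), "T1105", "Command and Control", 2),
    ("connect", lambda o: ":" in o, "T1071", "Command and Control", 1),
]

def build_causal_graph(records):
    # {src: {dst: set(actions)}}; repeated identical events collapse into one edge (reduction).
    graph = defaultdict(lambda: defaultdict(set))
    for subj, action, obj in records:
        graph[subj][obj].add(action)
    return graph

def split_subgraphs(graph):
    # Weakly connected components, so each activity chain is examined apart from unrelated ones.
    adj = defaultdict(set)
    for src, dsts in graph.items():
        for dst in dsts:
            adj[src].add(dst); adj[dst].add(src)
    comps, seen = [], set()
    for start in adj:
        if start in seen: continue
        comp, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n not in comp:
                comp.add(n); stack.extend(adj[n])
        seen |= comp; comps.append(comp)
    return comps

def prune_and_score(graph, comp):
    # Keep only edges of comp that trigger a rule (pruning); summed weights give the threat score.
    kept = [(src, act, dst, tid, tactic, w)
            for src in comp for dst, acts in graph.get(src, {}).items() for act in acts
            for rule_act, match, tid, tactic, w in RULES if act == rule_act and match(dst)]
    return kept, sum(e[5] for e in kept)

def detect(records):
    # Rank subgraphs by threat score; the tactic list is a much simplified tactical source view.
    graph = build_causal_graph(records)
    scored = [(prune_and_score(graph, c), sorted(c)) for c in split_subgraphs(graph)]
    return sorted([(s, nodes, e, sorted({x[4] for x in e})) for (e, s), nodes in scored],
                  key=lambda r: r[0], reverse=True)
```

On the constructed log, the sshd/bash/curl chain is returned first with score 11 and four tagged edges, while the cron/logrotate chain is returned with score 0 and no surviving edges.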