Attack Tactics, Techniques and Procedures (TTPs) constitute the main connotation of network attack behavior. Network attack traceability aims to actively determine the source of attacks and reduce their impact. Current network attack traceability methods have several shortcomings: they cannot effectively deal with advanced persistent threats, they struggle with network attacks involving multi-source data, and they lack effective methods for tracing attack groups. In view of these shortcomings, this paper studies the technology and methods of network attack traceability from the perspective of network attack behavior, based on network security threat intelligence. The main research work of this paper is summarized as follows:

(1) This paper proposes ATT&CK-OAHPBNS, an Internet of Things (IoT) attack traceability method based on attack chain construction. The method constructs the attack chain according to the probability of different kinds of attack behavior in IoT attack groups. Firstly, the ATT&CK IoT attack group knowledge graph is constructed to analyze the relationships between attack behaviors. Secondly, for IoT Industrial Control Systems (ICS), a hierarchical quantitative model based on attack behavior is established, and the Optimized Analytic Hierarchy Process (OAHP) algorithm is used to calculate the weight of each attack behavior. Then, using Bayesian Networks (BNS), the conditional probability that each attack technique leads to a security threat is calculated, and the attack tactics and techniques that should be focused on when an ICS suffers a security threat are inferred. Finally, the attack chain based on attack behavior is constructed, including the complete attack behavior and its probability. The experimental results show that this method can calculate the probability corresponding to each attack tactic and technique, which helps security practitioners construct attack chains.

(2) This paper proposes ATT&CK-HMM-VA, an attack traceability method based on attack chain construction. The method constructs a complete attack chain from attack behavior whose attack tactics are missing. Firstly, according to the constructed ATT&CK network attack group knowledge graph, the parameters between attack behaviors are calculated, and an improved Hidden Markov Model (HMM) for ATT&CK is constructed. Then, the Viterbi Algorithm (VA) is used to calculate the occurrence probability of all attack behavior sequences, and the maximum probability value determines which attack tactic each attack technique belongs to. Finally, the attack chain of the optimal complete attack behavior sequence is constructed. The experimental results show that this method can reverse-infer attack tactics from a sequence of attack behavior that contains only attack techniques, so that security practitioners can build a complete attack chain.

(3) This paper proposes an Attack Groups Traceability Method based on Attack Behavior (AGTM-AB). The method quickly traces the attack group behind a highly concealed attack event. Firstly, according to the public data of known attack groups, attack behavior based on attack tactics, techniques and procedures is analyzed, and according to the data types, different feature engineering methods are used to build an attack behavior library of known attack groups. Secondly, the Multi Classification Combination (MCC) algorithm is used to establish the model, and Bayesian optimization and grid search are used jointly to tune its parameters to predict attack groups. Then, for a specific target attack event, the similarity between the unknown attack event and each known attack group is calculated. Finally, the attack group with the maximum similarity value is the one most likely to have launched the target attack event. The experimental results show that the method can trace attack events.
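As an added worked example (not code from the thesis), the core of method (2): a toy HMM whose hidden states are ATT&CK tactics and whose observations are techniques, decoded with the Viterbi algorithm to recover the tactic of each technique. The tactic and technique labels and every probability below are constructed for illustration and are not the thesis's knowledge-graph parameters.

```python
import math

# Constructed toy HMM. Hidden states are tactics, observations are techniques.
# Every probability is made up for illustration; all emissions are kept > 0
# so that log() never sees zero.
TACTICS = ["initial-access", "execution", "persistence"]
START = {"initial-access": 0.8, "execution": 0.15, "persistence": 0.05}
TRANS = {  # P(next tactic | current tactic)
    "initial-access": {"initial-access": 0.1, "execution": 0.8, "persistence": 0.1},
    "execution": {"initial-access": 0.05, "execution": 0.45, "persistence": 0.5},
    "persistence": {"initial-access": 0.05, "execution": 0.35, "persistence": 0.6},
}
# P(technique | tactic). "scheduled-task" is deliberately ambiguous: it is
# plausible under both execution and persistence, so only sequence context
# can decide which tactic it belongs to.
EMIT = {
    "initial-access": {"phishing": 0.9, "scripting-interpreter": 0.05, "scheduled-task": 0.05},
    "execution": {"phishing": 0.05, "scripting-interpreter": 0.65, "scheduled-task": 0.3},
    "persistence": {"phishing": 0.05, "scripting-interpreter": 0.1, "scheduled-task": 0.85},
}

def viterbi(observations, states=TACTICS, start=START, trans=TRANS, emit=EMIT):
    """Return (most probable tactic sequence, its log-probability).
    Works in log space so long attack chains do not underflow."""
    if not observations:
        return [], 0.0
    # delta[t][s]: best log-prob of any tactic path ending in s at step t
    delta = [{s: math.log(start[s]) + math.log(emit[s][observations[0]]) for s in states}]
    back = [{}]  # back[t][s]: predecessor of s on that best path
    for t in range(1, len(observations)):
        delta.append({})
        back.append({})
        for s in states:
            prev, score = max(
                ((p, delta[t - 1][p] + math.log(trans[p][s])) for p in states),
                key=lambda ps: ps[1],
            )
            delta[t][s] = score + math.log(emit[s][observations[t]])
            back[t][s] = prev
    last = max(states, key=lambda s: delta[-1][s])
    path = [last]
    for t in range(len(observations) - 1, 0, -1):
        path.append(back[t][path[-1]])
    path.reverse()
    return path, delta[-1][last]

def build_attack_chain(observations):
    """Pair each observed technique with its inferred tactic; also return P(chain)."""
    tactics, logp = viterbi(observations)
    return list(zip(tactics, observations)), math.exp(logp)
```

Calling `build_attack_chain(["phishing", "scripting-interpreter", "scheduled-task"])` labels the final scheduled task as persistence, while the same technique observed alone is decoded as execution, which is the context effect the thesis relies on to fill in missing tactics.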