Heuristic multistep attack scenarios construction based on kill chain

doi:10. 19682/ j. cnki. 1005-8885. 2023. 0003

中国邮电高校学报(英文) ›› 2023, Vol. 30 ›› Issue (5): 61-71.doi: 10. 19682/ j. cnki. 1005-8885. 2023. 0003

Heuristic multistep attack scenarios construction based on kill chain

Jie Cheng¹,张茹²,Jiahui Wei³,Chen Lu³,Zhishuai Lv³,Bingjie Lin³,Ang Xia³

1. 国家电网有限公司信息通信分公司
2. 北京邮电大学计算机学院

收稿日期:2022-03-28 修回日期:2022-11-21 出版日期:2023-10-31 发布日期:2023-10-30
通讯作者: 张茹 E-mail:zhangru@bupt.edu.cn
基金资助:
The work was supported by the Science and Technology Project of the Headquarters of State Grid Corporation of China (5700-202152186A-0-0-00).

Heuristic multistep attack scenarios construction based on kill chain

1. State Grid Information and Telecommunication Branch, Beijing 100761, China
2. School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China

Received:2022-03-28 Revised:2022-11-21 Online:2023-10-31 Published:2023-10-30
Supported by:
The work was supported by the Science and Technology Project of the Headquarters of State Grid Corporation of China (5700-202152186A-0-0-00).

摘要/Abstract

摘要：

Network attacks evolved from single-step and simple attacks to complex multistep attacks. Current methods of multistep attack detection usually match multistep attacks from intrusion detection systems (IDS) alarms based on the correlation between attack steps. However, IDS has false negatives and false positives, which leads to incomplete or incorrect multistep attacks. Association based on simple similarity is difficult to obtain an accurate attack cluster, while association based on prior knowledge such as attack graphs is difficult to guarantee a complete attack knowledge base. To solve the above problems, a heuristic multistep attack scenarios construction method based on the kill chain (HMASCKC) model was proposed. The attack model graph can be obtained from dual data sources and heuristic multistep attack scenarios can be obtained through graph matching. The model graph of the attack and the predicted value of the next attack are obtained by calculating the matching value. And according to the purpose of the multistep attack, the kill chain model is used to define the initial multistep attack model, which is used as the initial graph for graph matching. Experimental results show that HMASCKC model can better fit the multistep attack behavior, the effect has some advantages over the longest common subsequence (LCS) algorithm, which can close to or match the prediction error of judge evaluation of attack intension ( JEAN) system. The method can make multistep attack model matching for unknown attacks, so it has some advantages in practical application.

关键词: 多步攻击场景| 杀伤链| 图匹配| 攻击预测

Abstract:

Key words: multistep attack scenario, kill chain, graph matching, attack prediction

Cheng Jie, Zhang Ru, Wei Jiahui, Lu Chen, LvZhishuai, Lin Bingjie, Xia Ang. Heuristic multistep attack scenarios construction based on kill chain[J]. The Journal of China Universities of Posts and Telecommunications, 2023, 30(5): 61-71.

参考文献

[1] JULISCH K. Mining alarm clusters to improve alarm handling efficiency. Proceedings of the 17th Annual Computer Security Applications Conference, 2001, Dec 10 -14, New Orleans, LA, USA. Piscataway, NJ, USA: IEEE, 2001: 12 -21.

[2] SHANECK M, CHANDOLA V, LIU H Y, et al. A multi-step framework for detecting attack scenarios. TR 06-004. Minneapolis, MN, USA: University of Minnesota, 2006.

[3] CHEN B, LEE J, WU A S. Active event correlation in Bro IDS to detect multi-stage attacks. Proceedings of the 4th IEEE International Workshop on Information Assurance ( IWIA'06 ), 2006, Apr 13 -14, London, UK. Piscataway, NJ, USA: IEEE, 2006: 50 -64.

[4] ZHU B, GHORBANI A A. Alert correlation for extracting attack strategies. International Journal of Network Security, 2006, 3(3): 244 -258.

[5] WANG J X, WANG H Z, ZHAO G. A GA-based solution to an NP-hard problem of clustering security events. Proceedings of the 2006 International Conference on Communications, Circuits and Systems Proceedings: Vol 3, 2006, Jun 25 -28, Guilin, China.

Piscataway, NJ, USA: IEEE, 2006: 2093 -2097.

[6] CHENG B C, LIAO G T, HUANG C C, et al. A novel probabilistic matching algorithm for multi-stage attack forecasts. IEEE Journal on Selected Areas in Communications, 2011, 29(7): 1438 -1448.

[7] MANGANIELLO F, MARCHETTI M, COLAJANNI M. Multistep attack detection and alert correlation in intrusion detection systems. Proceedings of the 2011 International Conference on Information Security and Assurance (ISA'11), 2011, Aug 15 -17, Brno, Czech. CCIS200. Berlin, Germany: Springer, 2011: 101 -110.

[8] XU D B, NING P. Alert correlation through triggering events and common resources. Proceedings of the 20th Annual Computer Security Applications Conference, 2004, Dec 6 - 10, Tucson, AZ, USA. Piscataway, NJ, USA: IEEE, 2004: 360 -369. [9] CHEUNG S, LINDQVIST U, FONG M W. Modeling multistep cyber attacks for scenario recognition. Proceedings of the 2003 DARPA Information Survivability Conference and Exposition: Vol 1, 2003, Apr 22 -24, Washington, DC, USA. Piscataway, NJ, USA: IEEE, 2003: 284 -292.

[10] ALSERHANI F, AKHLAQ M, AWAN I U, et al. MARS: multi-stage attack recognition system. Proceedings of the 24th IEEE

International Conference on Advanced Information Networking and Applications, 2010, Apr 20 - 23, Perth, Australia. Piscataway,

NJ, USA: IEEE, 2010: 753 -759.

[11] GEIB CW, GOLDMAN R P. Plan recognition in intrusion detection systems. Proceedings of the 2001 DARPA Information

Survivability Conference and Exposition II(DISCEX'01): Vol 1, 2001, Jun 12 -14, Anaheim, CA, USA. Piscataway, NJ,USA:

IEEE, 2001: 46 -55.

[12] QIN X Z, LEE W. Attack plan recognition and prediction using causal networks. Proceedings of the 20th Annual Computer

Security Applications Conference, 2004, Dec 6 - 10, Tucson, AZ, USA. Piscataway, NJ, USA: IEEE, 2004: 370 -379.

[13] OURSTON D, MATZNER S, STUMP W, et al. Applications of hidden Markov models to detecting multi-stage network attacks.

Proceedings of the 36th Annual Hawaii International Conference on System Sciences, 2003, Jan 6 - 9, Big Island, HI, USA. Piscataway, NJ, USA: IEEE, 2003: 1 -10.

[14] FENG X W, WANG D X, HUANG M H, et al. An approach of discovering causal knowledge for alert correlating based on data mining. Proceedings of the IEEE 12th International Conference on Dependable, Autonomic and Secure Computing ( DASC'12 ),

2014, Aug 24 - 27, Dalian, China. Piscataway, NJ, USA: IEEE, 2014: 57 -62.

[15] BYERS S R, YANG S J. Real-time fusion and projection of network intrusion activity. Proceedings of the 11th International Conference on Information Fusion, 2008, Jun 30 - Jul 3, Cologne, Germany. Piscataway, NJ, USA: IEEE, 2008: 1 -8.

[16] FAVA D S, BYERS S R, YANG S J. Projecting cyberattacks through variable'length Markov models. IEEE Transactions on

Information Forensics and Security, 2008, 3(3): 359 -369.

[17] YANG S J, BYERS S, HOLSOPPLE J, et al. Intrusion activity projection for cyber situational awareness. Proceedings of the 2008

IEEE International Conference on Intelligence and Security Informatics, 2008, Jun 17 -20, Taipei, China. Piscataway, NJ, USA: IEEE, 2008: 167 -172.

[18] NOEL S, ROBERTSON E, JAJODIA S. Correlating intrusion events and building attack scenarios through attack graph distances. Proceedings of the 20th Annual Computer Security Applications Conference, 2004, Dec 6 -10, Tucson, AZ, USA. Piscataway, NJ, USA: IEEE, 2004: 350 -359.

[19] CHIEN S H, HO C S. A novel threat prediction framework for network security. ZENG D H ( ed). Advances in Information Technology and Industry Applications. LNEE136. Berlin, Germany: Springer, 2012: 1 -9.

[20] ZHANG R, HUO Y Y, LIU J Y, et al. Constructing APT attack scenarios based on intrusion kill chain and fuzzy clustering. Security and Communication Networks, 2017: Article 7536381.

[21] VASILOMANOLAKIS E, SRINIVASA S, CORDERO C G, et al. Multi-stage attack detection and signature generation with ICS honeypots. Proceedings of the 2016 IEEE/ IFIP Network Operations and Management Symposium (NOMS'16), 2016, Apr 25 -29, Istanbul, Turkey. Piscataway, NJ, USA: IEEE, 2016: 1227 -1232.

[22] SALAH S, MACIÁ-FERNÁNDEZ G, DÍAZ-VERDEJO J E. A model-based survey of alert correlation techniques. Computer Networks, 2013, 57(5): 1289 -1317.

[23] FARHADI H, AMIRHAERI M, KHANSARI M. Alert correlation and prediction using data mining and HMM. The ISC International

Journal of Information Security, 2011, 3(2): 77 -101.

[24] SHITTU R O. Mining intrusion detection alert logs to minimise false positives & gain attack insight. Ph D Thesis. London, UK:

City University London, 2016.

Heuristic multistep attack scenarios construction based on kill chain

Heuristic multistep attack scenarios construction based on kill chain

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 0

编辑推荐

Metrics

本文评价