The Journal of China Universities of Posts and Telecommunications ›› 2023, Vol. 30 ›› Issue (5): 61-71. doi: 10.19682/j.cnki.1005-8885.2023.0003


Heuristic multistep attack scenarios construction based on kill chain

Jie Cheng1, Ru Zhang (张茹)2, Jiahui Wei3, Chen Lu3, Zhishuai Lv3, Bingjie Lin3, Ang Xia3

  • Corresponding author: Ru Zhang (张茹) E-mail: zhangru@bupt.edu.cn


  1. State Grid Information and Telecommunication Branch, Beijing 100761, China
  2. School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China
  • Received: 2022-03-28 Revised: 2022-11-21 Online: 2023-10-31 Published: 2023-10-30
  • Supported by:
    The work was supported by the Science and Technology Project of the Headquarters of State Grid Corporation of China (5700-202152186A-0-0-00).


Abstract:

Network attacks have evolved from single-step, simple attacks to complex multistep attacks. Current methods of multistep attack detection usually match multistep attacks from intrusion detection system (IDS) alarms based on the correlation between attack steps. However, IDS has false negatives and false positives, which leads to incomplete or incorrect multistep attacks. Association based on simple similarity makes it difficult to obtain an accurate attack cluster, while association based on prior knowledge such as attack graphs makes it difficult to guarantee a complete attack knowledge base. To solve the above problems, a heuristic multistep attack scenarios construction method based on the kill chain (HMASCKC) model was proposed. The attack model graph is obtained from dual data sources, and heuristic multistep attack scenarios are obtained through graph matching. The model graph of the attack and the predicted value of the next attack are obtained by calculating the matching value. According to the purpose of the multistep attack, the kill chain model is used to define the initial multistep attack model, which serves as the initial graph for graph matching. Experimental results show that the HMASCKC model fits multistep attack behavior better, that its results have some advantages over the longest common subsequence (LCS) algorithm, and that its prediction error is close to or matches that of the judge evaluation of attack intension (JEAN) system. The method can perform multistep attack model matching for unknown attacks, so it has some advantages in practical application.
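The abstract describes three ingredients: an initial attack model whose steps follow the kill chain, a matching value between an observed IDS alarm sequence and a model, and a prediction of the next attack step from the best match. The following Python block is an added illustration of that pipeline and is not the paper's code. Its simplifications are assumptions: each attack model is a single ordered path through the model graph rather than a general graph, the matching value is a length-normalized longest common subsequence (the LCS baseline the abstract compares against, not HMASCKC's own matching value, which this page does not describe), the "dual data sources" are not modelled, and the models and the alarm sequence are constructed sample data. LCS is used deliberately because it tolerates the two IDS defects the abstract names: a missing alarm (false negative) and a spurious alarm (false positive) both leave the in-order matches intact.

```python
"""Kill-chain-ordered attack models, LCS-based matching of IDS alarm sequences,
and next-step prediction. Added example, not the paper's code; the matching
value is an assumption (normalized LCS), not the HMASCKC matching value."""
from __future__ import annotations
from dataclasses import dataclass

# Cyber kill chain phases in order. An initial attack model is only accepted
# if its steps never move backwards along this list.
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]
PHASE_INDEX = {phase: i for i, phase in enumerate(KILL_CHAIN)}


@dataclass(frozen=True)
class AttackModel:
    """One path through a multistep attack model graph (simplification):
    ordered attack-step labels, each tagged with its kill-chain phase."""
    name: str
    steps: tuple
    phases: tuple

    def respects_kill_chain(self) -> bool:
        """True if the phase sequence is non-decreasing along the kill chain."""
        idx = [PHASE_INDEX[p] for p in self.phases]
        return len(idx) == len(self.steps) and all(a <= b for a, b in zip(idx, idx[1:]))


def lcs_alignment(observed, model_steps) -> list:
    """Indices into model_steps that an LCS of observed and model_steps covers.
    Extra alarms in observed (false positives) and missing steps (false
    negatives) both simply fail to align instead of breaking the match."""
    n, m = len(observed), len(model_steps)
    table = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            if observed[i] == model_steps[j]:
                table[i][j] = table[i + 1][j + 1] + 1
            else:
                table[i][j] = max(table[i + 1][j], table[i][j + 1])
    matched, i, j = [], 0, 0
    while i < n and j < m:
        if observed[i] == model_steps[j]:
            matched.append(j)
            i, j = i + 1, j + 1
        elif table[i + 1][j] >= table[i][j + 1]:
            i += 1
        else:
            j += 1
    return matched


def matching_value(observed, model: AttackModel) -> float:
    """Fraction of the model's steps seen, in order, in the observed alarms."""
    return len(lcs_alignment(observed, model.steps)) / len(model.steps)


def predict_next_step(observed, models) -> tuple:
    """Choose the best-matching kill-chain-consistent model and predict the step
    that follows its last matched step. Returns (model name, value, step|None)."""
    candidates = [mdl for mdl in models if mdl.respects_kill_chain()]
    best = max(candidates, key=lambda mdl: matching_value(observed, mdl))
    matched = lcs_alignment(observed, best.steps)
    value = len(matched) / len(best.steps)
    if not matched:
        return best.name, value, None
    nxt = matched[-1] + 1
    return best.name, value, best.steps[nxt] if nxt < len(best.steps) else None


# Constructed sample models (hypothetical step labels, not from the paper).
WEB_SHELL_MODEL = AttackModel(
    "web_shell_chain",
    ("port_scan", "web_vuln_scan", "sqli_exploit", "webshell_upload", "c2_beacon", "db_dump"),
    ("reconnaissance", "reconnaissance", "exploitation", "installation",
     "command_and_control", "actions_on_objectives"))
PHISHING_MODEL = AttackModel(
    "phishing_chain",
    ("phish_email", "macro_exec", "dropper_install", "c2_beacon", "lateral_movement", "data_exfil"),
    ("delivery", "exploitation", "installation", "command_and_control",
     "actions_on_objectives", "actions_on_objectives"))
# Deliberately out of kill-chain order; it must be rejected as an initial model.
OUT_OF_ORDER_MODEL = AttackModel(
    "bad_chain", ("data_exfil", "port_scan"), ("actions_on_objectives", "reconnaissance"))
MODELS = [WEB_SHELL_MODEL, PHISHING_MODEL, OUT_OF_ORDER_MODEL]

# Constructed IDS alarm sequence: the sqli_exploit alarm is missing (false
# negative) and ssh_bruteforce is a spurious alarm (false positive).
OBSERVED_ALERTS = ["port_scan", "web_vuln_scan", "ssh_bruteforce", "webshell_upload"]

if __name__ == "__main__":
    for mdl in MODELS:
        print(mdl.name, "kill-chain ok:", mdl.respects_kill_chain())
    print(predict_next_step(OBSERVED_ALERTS, MODELS))
```

With the sample data the web-shell model scores 3/6 despite one missing and one spurious alarm, the phishing model scores 0, the out-of-order model is discarded before matching, and the predicted next step is the model step after the last aligned one (`c2_beacon`). Replacing `matching_value` is the natural place to plug in a graph-based score over a real model graph instead of a single path.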

Key words: multistep attack scenario, kill chain, graph matching, attack prediction