
Attack Graph Based Research Of Threat Detection And Assessment In Advanced Persistent Threat Scenario

Posted on: 2018-02-10
Degree: Doctor
Type: Dissertation
Country: China
Candidate: W X Liu
Full Text: PDF
GTID: 1318330518494732
Subject: Computer Science and Technology
Abstract/Summary:
Company networks and their complexity have evolved rapidly over the past decade, and emerging attack techniques raise global concern about security issues, including advanced persistent threats (APT), social engineering attacks, ICT attacks and IoT attacks. Among these threats, APT is one of the most severe. We conduct our research on threat detection and threat evaluation in APT attack scenarios, which has practical significance.

Advanced persistent threats pose three major challenges to current defense systems. Firstly, how to make effective use of massive attack knowledge: correlation within attack knowledge turns it into a massive correlation graph, and current detection systems lack a parallel solution for applying graph-based knowledge in real-time or near-real-time scenarios. Secondly, how to detect unknown attacks effectively: among the work conducted by the academic and industrial communities, one of the most promising directions is anomaly detection based on modeling the behavior of service systems, since traditional signature-based detection is incapable of detecting unknown attacks, and more and more defense systems therefore build behavior models of their own network and the services they provide. Lastly, how to evaluate threats in multi-stage attacks in APT scenarios: current threat evaluation techniques are mostly based on threat metrics, but correlation among network assets and vulnerabilities has not been thoroughly taken into consideration.

We try to tackle these three challenges. This paper proposes a highly parallel attack-graph-based threat detection framework, an anomaly detection system based on behavior profiling, and a threat evaluation method combining asset correlation and vulnerability correlation. Specifically, the main contributions of this paper are as follows:

(1) We propose a methodology for attack-graph-based parallel massive alert correlation. Current attack-graph-based alert correlation cannot handle the graph relations among alerts properly, and a huge number of redundant attack paths may arise when trying to find missing alerts and predict future attacks. In this article, a multi-source alert analysis method is proposed that fully utilizes graph relations and a threshold to correlate mapped alerts, eventually reducing the false positive rate as well as the true negative rate. To improve the speed of the algorithm, a parallel alert processing system (AG-PAP) is proposed. AG-PAP is able to parallelize the process of alert mapping and correlation, avoids redundant replication of graph data, and is able to update graph knowledge. AG-PAP is tested in a distributed environment, with satisfactory effectiveness and performance.

(2) We propose a flow-based anomaly detection model using access behavior profiling and time-sequenced relation mining. The key contributions of this part of the article are as follows. Firstly, we propose an applicable method to discover active server applications without pre-defined knowledge, which can be applied to autonomous network surveillance in enterprises; using this method, raw flows can be merged into access flows towards server applications. Secondly, we create a behavior profile for each server application by applying a novel linear grouping algorithm, PSOLGA. PSOLGA is a PSO-based clustering algorithm with better grouping stability and time complexity than LGA; using PSOLGA, linear structures in access flows can be transformed into the behavior profile of a specific server application. In addition, we use an in-memory graph model to establish anomaly detection rules from time-dependent access flows, such as clients → web server → database. To evaluate the proposed system, a variety of tests are performed using simulation data and real-world data from an enterprise network.

(3) We propose an attack-graph-based approach to threat evaluation in multi-stage attack scenarios. Aiming at threat evaluation in computer networks, we propose bi-directional threat evaluation, integrating an attack graph, host metrics and the Common Vulnerability Scoring System (CVSS). Combining the severity of vulnerabilities, attack dependencies and host status, we are able to assess penetration progress. In addition, we apply bi-directional threat evaluation to real-time threat scenarios, evaluating the progress attackers have already made as well as the threat to goal resources in the attack graph. The proposed method is finally verified in real experiments and simulation, with reasonable and effective results.
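A toy illustration of the two attack-graph ideas in contributions (1) and (3), attack-graph alert correlation with a threshold for inferring missing alerts and bi-directional threat evaluation (progress made versus threat to the goal resource), added here as an example; it is not the dissertation's AG-PAP code or evaluation method. The graph, the CVSS scores, the `max_gap` threshold and the CVSS/10 per-step weighting are constructed assumptions.

```python
# Constructed toy attack graph: nodes are attack steps, edges are attack
# dependencies, and each step carries a sample CVSS base score (not thesis data).
GOAL = "exfil"
GRAPH = {"recon": ["exploit_web", "phish_user"], "exploit_web": ["priv_esc_web"],
         "phish_user": ["lateral_db"], "priv_esc_web": ["lateral_db"],
         "lateral_db": ["exfil"], "exfil": []}
CVSS = {"recon": 2.0, "exploit_web": 7.5, "phish_user": 6.5,
        "priv_esc_web": 7.8, "lateral_db": 8.8, "exfil": 9.1}

def correlate(observed, max_gap=1):
    """Deepest path from entry node 'recon' consistent with the mapped alerts; up
    to max_gap consecutive unobserved steps (an assumed threshold) are inferred."""
    best = ([], [])  # (attack path, inferred missing alerts)
    def walk(node, path, missing, gap):
        nonlocal best
        seen = node in observed
        gap = 0 if seen else gap + 1
        if gap > max_gap:
            return
        path, missing = path + [node], missing + ([] if seen else [node])
        if seen and len(path) > len(best[0]):  # path must end on an observed step
            best = (path, missing)
        for nxt in GRAPH[node]:
            walk(nxt, path, missing, gap)
    walk("recon", [], [], 0)
    return best

def best_remaining(node):
    """Forward view: most likely remaining path from node to GOAL and its
    likelihood, taking CVSS/10 as an assumed per-step success weight."""
    if node == GOAL:
        return 1.0, []
    best = (0.0, None)  # None marks a dead end that cannot reach GOAL
    for nxt in GRAPH[node]:
        score, tail = best_remaining(nxt)
        if tail is not None and score * CVSS[nxt] / 10 > best[0]:
            best = (score * CVSS[nxt] / 10, [nxt] + tail)
    return best

def evaluate(observed, max_gap=1):
    """Bi-directional score: progress already made (severity-weighted share of
    the full path) and the likelihood of reaching GOAL from the current step."""
    path, missing = correlate(observed, max_gap)
    if not path:
        return None
    ahead, remaining = best_remaining(path[-1])
    done = sum(CVSS[n] for n in path)
    total = done + sum(CVSS[n] for n in remaining or [])
    return {"path": path, "inferred_missing": missing, "remaining": remaining,
            "progress": round(done / total, 3), "threat_to_goal": round(ahead, 3)}
```

Raising `max_gap` lets the correlator bridge longer runs of missing alerts, at the cost of accepting more inferred steps; an alert set that cannot be tied back to the entry node yields no path and therefore no score.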
Keywords/Search Tags: advanced persistent threat, attack graph, alert correlation, threat assessment, graph computing