
Research On Exfiltration Complex Network Attack Modeling And Identification Method

Posted on: 2019-03-27
Degree: Doctor
Type: Dissertation
Country: China
Candidate: W N Niu
Full Text: PDF
GTID: 1318330569987454
Subject: Computer software and theory

Abstract/Summary:
In recent years, data leakage from individuals, enterprises, and even countries has caused major economic losses. The disclosure of sensitive information (e.g., military intelligence) is a serious threat to the security and stability of an entire country. Exfiltration complex network attacks are the key external cause of such leakage, so it is necessary to study them. However, these attacks have characteristics such as long duration, concealment, diversification, and customization, which make their detection a hard problem. To address it, the process of an exfiltration complex network attack is described and an attack model is built. Based on the attack model, the key attack phases, attack payload delivery and malware command and control (C&C) establishment, become the focus of detection and prediction. The key technologies used in this thesis are network attack modeling, malware detection, and attack prediction.

Advanced Persistent Threats (APT) are a typical kind of exfiltration complex network attack. First, systematic investigations, definitions, and statistics of APT cases are conducted. Second, the APT detection schemes of mainstream security companies are analyzed. Third, a detailed comparative analysis of the major technical problems and solutions in APT modeling and detection is conducted. APT detection focuses on flow-based C&C detection and on malware identification based on program analysis. Although some researchers have made progress, many technical problems remain in real networks. The main contents of the thesis are divided into the following four parts.

Firstly, a new model is proposed to describe the process of exfiltration complex network attacks; it provides theoretical guidance for APT attack detection and prediction. Traditional network attack modeling methods cannot represent the dynamic changes of the target nodes involved in the attack process, and they do not consider the influence of human interaction in actual attacks. Therefore, the targeted complex attack network (TCAN) model, based on the kill chain model, is proposed to solve this problem. Simulated attack experiments are carried out in a real network environment. The experimental results show that the TCAN model can accurately characterize the randomization characteristics of exfiltration complex network attacks. Moreover, simulation results in scale-free networks show that the TCAN model is scalable.

Secondly, an APT depth detection and defense system based on the TCAN model is constructed. The system integrates three aspects: i) internal fixed equipment, ii) mobile users and equipment, and iii) the vertical edges of the network. At the same time, a CS-SVM method is proposed to identify spear-phishing emails that contain malicious links. Traditional SVM-based phishing email detection methods have a high false negative rate, and new phishing emails use characteristics such as short links. Therefore, Cuckoo Search is used to optimize the parameters of the SVM kernel function, and two new features, i) domain name similarity and ii) short links, are introduced to solve this problem. The experimental results show that CS-SVM has higher recognition accuracy than traditional SVM-based classifiers: the false negative rate for phishing emails is reduced by more than 30%. Moreover, the new features further improve the detection rate of phishing emails.

Thirdly, a real-time detection method based on unsupervised learning is proposed to discover the malware used in exfiltration complex network attacks. To address the lack of real attack samples, suspicious domain names are screened out using Alexa rankings and VirusTotal judgment scores. On the basis of de-differentiated information entropy, an anomaly detection algorithm based on a global anomaly tree (GAF) is proposed to further identify malicious domain names. The method is validated on a mobile network with at least 300,000 DNS requests per day. The experimental results show that the detection accuracy of GAF is 10% higher than that of the best-performing existing anomaly detection algorithm. Compared with other traditional anomaly detection algorithms, the recognition rate is more than 20% higher and the detection time is improved by at least one order of magnitude.

Fourthly, a network attack prediction model based on a tree structure is constructed, which can effectively warn of attack targets. In a real network environment, conflict and tolerance coexist among the detection evidence produced by end, side, and edge detection products. Therefore, an exfiltration complex network attack prediction approach based on the tree structure is proposed to solve this problem. The approach introduces a confidence degree for security incidents; Dempster-Shafer (DS) evidence fusion theory is used to calculate and update the comprehensive confidence of different security incidents, and the possible follow-up attack steps are then predicted. Simulation results show that the prediction method has good expansibility and practicability.
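The two link-level features the abstract names for the CS-SVM phishing classifier, domain name similarity and short links, can be computed from the URLs in an e-mail body as follows. This is an added illustration, not code from the dissertation: the protected-domain list, the shortener list, the 0.8 look-alike threshold and the sample e-mail are constructed assumptions, and the registrable-domain extraction is a deliberate simplification (last two labels rather than the public suffix list).

```python
"""Added example: link features for spear-phishing detection.

Not the dissertation's CS-SVM code.  The protected-domain list, the shortener
list, the 0.8 look-alike threshold and the sample e-mail are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed: domains whose look-alikes the classifier should flag.
PROTECTED_DOMAINS = ["example-bank.com", "example-mail.com"]
# Constructed list of public URL shortener hosts (the "short link" feature).
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}
LOOKALIKE_THRESHOLD = 0.8  # assumption, not a value from the thesis

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def levenshtein(a, b):
    """Edit distance between a and b (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Simplification: keep the last two labels.  Production code should use
    the public suffix list, since 'co.uk'-style suffixes break this rule."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_similarity(host):
    """Highest normalised similarity (1 - distance / max length) between the
    link's registrable domain and any protected domain.  Returns (similarity,
    exact_match): an exact match is legitimate, a near miss is the look-alike
    signal that plain string matching would miss."""
    dom = registrable_domain(host)
    best = 0.0
    for protected in PROTECTED_DOMAINS:
        if dom == protected:
            return 1.0, True
        sim = 1.0 - levenshtein(dom, protected) / max(len(dom), len(protected))
        best = max(best, sim)
    return best, False


def extract_link_features(body):
    """One feature row per URL found in the e-mail body."""
    rows = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        sim, exact = domain_similarity(host)
        rows.append({
            "url": url,
            "host": host,
            "is_short_link": registrable_domain(host) in SHORTENER_HOSTS,
            "domain_similarity": round(sim, 3),
            "exact_protected_match": exact,
            "lookalike": (not exact) and sim >= LOOKALIKE_THRESHOLD,
        })
    return rows


def link_indicators(body):
    """Message-level counts a classifier would consume alongside text features."""
    rows = extract_link_features(body)
    return {
        "links": len(rows),
        "short_links": sum(r["is_short_link"] for r in rows),
        "lookalike_links": sum(r["lookalike"] for r in rows),
    }


# Constructed sample: one genuine link, one homoglyph look-alike, one shortener.
SAMPLE_EMAIL = (
    "Dear user, your account at https://example-bank.com/login needs review. "
    "Please confirm at https://examp1e-bank.com/verify or use https://bit.ly/3xyzAbc"
)

if __name__ == "__main__":
    for row in extract_link_features(SAMPLE_EMAIL):
        print(row)
    print(link_indicators(SAMPLE_EMAIL))
```

The look-alike feature is only informative when the exact match is excluded: a link to the real domain scores 1.0 and is legitimate, while the homoglyph scores just below 1.0, which is exactly the region a fixed blacklist never covers. A shortener is flagged by host alone, because the destination is hidden until the redirect is followed.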
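For the fourth part, the confidence update across end, side and edge detection products can be illustrated with Dempster's rule of combination, the core operation of DS evidence theory. This is an added example, not the thesis's tree-structured prediction model: the attack-phase labels, the three sensors and all of their mass assignments are constructed. The conflict value K that combine() returns is the quantity a practitioner would watch, since a high K means the products contradict each other rather than merely differ in confidence.

```python
"""Added example: Dempster-Shafer fusion of detection evidence.

Not code from the dissertation.  The frame of discernment (attack phases), the
sensor names and all mass values below are constructed for illustration.
"""
from itertools import product

# Frame of discernment: phases a predictor may assign to a monitored host.
# Labels are constructed; the thesis scores "security incidents" in general.
THETA = frozenset({"delivery", "c2", "exfiltration", "benign"})


def normalize(m):
    """Return mass function m rescaled to sum to 1, with zero-mass sets dropped."""
    total = sum(m.values())
    if total <= 0:
        raise ValueError("mass function has no mass")
    return {fs: v / total for fs, v in m.items() if v > 0}


def combine(m1, m2):
    """Dempster's rule of combination for two mass functions.

    Returns (fused mass function, conflict K).  K is the mass that lands on
    empty intersections, i.e. the degree to which the two sources contradict
    each other.  K == 1 means total contradiction and fusion is undefined.
    """
    fused = {}
    conflict = 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        inter = a & b
        if inter:
            fused[inter] = fused.get(inter, 0.0) + ma * mb
        else:
            conflict += ma * mb
    if conflict >= 1.0:
        raise ValueError("total conflict between evidence sources")
    return {fs: v / (1.0 - conflict) for fs, v in fused.items()}, conflict


def belief(m, hypothesis):
    """Bel(A): total mass of focal sets that lie entirely inside A."""
    return sum(v for fs, v in m.items() if fs <= hypothesis)


def plausibility(m, hypothesis):
    """Pl(A): total mass of focal sets that intersect A."""
    return sum(v for fs, v in m.items() if fs & hypothesis)


def fuse_sensors(evidence):
    """Fuse an ordered list of mass functions; return the fused mass and the
    largest pairwise conflict seen on the way (a disagreement alarm)."""
    m = normalize(evidence[0])
    worst = 0.0
    for e in evidence[1:]:
        m, k = combine(m, normalize(e))
        worst = max(worst, k)
    return m, worst


def phase_confidence(m):
    """Belief interval [Bel, Pl] for each singleton phase, highest belief first."""
    rows = [(p, belief(m, frozenset({p})), plausibility(m, frozenset({p}))) for p in THETA]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed evidence from three detection products.  Mass on THETA itself
# means "I don't know"; a sensor that sees only part of the picture keeps most
# of its mass there instead of forcing a verdict.
SENSOR_EVIDENCE = [
    # end: endpoint agent saw a beaconing process
    {frozenset({"c2"}): 0.6, THETA: 0.4},
    # side: flow monitor saw periodic outbound traffic, cannot tell C2 from exfil
    {frozenset({"c2", "exfiltration"}): 0.5, THETA: 0.5},
    # edge: gateway reputation says the destination is clean (the conflicting view)
    {frozenset({"benign"}): 0.3, THETA: 0.7},
]

if __name__ == "__main__":
    fused, k = fuse_sensors(SENSOR_EVIDENCE)
    print(f"conflict K = {k:.3f}")
    for phase, bel, pl in phase_confidence(fused):
        print(f"{phase:<12} Bel={bel:.3f} Pl={pl:.3f}")
```

With these inputs the first two products agree (K = 0) and reinforce each other, while the gateway's "benign" verdict conflicts with 24% of the accumulated mass; after renormalisation the C2 hypothesis keeps a belief of about 0.55 with plausibility about 0.92, which is the kind of comprehensive confidence the tree-structured predictor would then use to rank follow-up attack steps. The gap between Bel and Pl is the remaining ignorance, not a probability, and a rising K across sensors is the signal to re-examine the products rather than trust the fused number.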
Keywords/Search Tags: exfiltration complex network attack, network attack modeling, network attack detection, malware detection, network attack prediction