Research on Detection Techniques for Anomalous Communication in the Remote-Control Stage of Advanced Persistent Threats
Topic of this thesis: Advanced Persistent Threat + DGA dynamic domain names; Reference: Master's thesis, 南京理工大学 (Nanjing University of Science and Technology), 2017
【Abstract】: The rapid development and wide application of computer and network technology have brought convenience, but also a variety of security problems. In recent years the Advanced Persistent Threat (APT), characterized by zero-day penetration and highly covert, persistent control, has become the most serious threat of concern in network security and has drawn wide attention from both industry and academia. Detecting in time the APT attacks that may be present in one's own network is one of the key problems in defending against them. Drawing on a number of APT attack cases and sample data, this thesis analyzes the behavioural characteristics of anomalous communication in the remote-control (command and control) stage of an APT attack, designs on that basis the features that make anomalous remote-control communication detectable, and proposes a practical machine-learning-based method for detecting it. With this method at its core, a detection program for anomalous communication in the remote-control stage of APT attacks is designed and implemented, and its effectiveness is verified experimentally. Specifically, the thesis completes the following work:
(1) Through an in-depth study of anomalous communication in the remote-control stage, it analyzes in detail why a compromised host typically uses a Domain Generation Algorithm (DGA) to produce dynamic domain names through which it obtains the IP address of the CC (command and control) server, how DGA-generated dynamic domain names work, and how they differ structurally from normal domain names. It also analyzes, from several angles, the differences between the TCP communication behaviour of APT attacks during remote control and normal communication. Based on these characteristics, a machine-learning-based anomalous communication detection method is proposed.
(2) Based on an analysis and comparison of the character-level features of several kinds of DGA dynamic domain names and legitimate domain names, a number of feature indicators are designed and extracted, and their discriminative power is verified on domain-name samples. Taking the accuracy and efficiency of the detection model into account, a feature selection algorithm is used to settle on 11 feature indicators for the practical detection of DGA dynamic domain names.
(3) Targeting the characteristics of the anomalous TCP communication behaviour of APT attacks in the remote-control stage, network traffic analysis is used to choose the TCP flow as the feature extraction source; a number of feature indicators are then designed and extracted, their effectiveness is analyzed against real data, and a feature selection algorithm is finally used to settle on the 10 best detection features.
(4) Using the designed feature indicators, the performance of detection models built with several machine learning methods is compared, and a GBDT classifier is ultimately chosen for both the DGA dynamic domain name and the anomalous TCP communication detection models. A detection program for anomalous communication in the remote-control stage of APT attacks is then designed and implemented; it captures network data through the Libpcap interface of PF_RING and uses a domain name and IP whitelist to reduce the program's workload and false alarm rate. Its effectiveness is verified through simulation experiments.
Finally, the thesis summarizes the work and points out directions for further research.
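The whitelist pre-filter and the character-feature stage described in (2) and (4), as an added example that is not code from the thesis: it assumes a handful of character-level indicators (label length, entropy, digit and vowel ratios, longest consonant run, distinct-character ratio) and a constructed whitelist, since this page lists neither the 11 selected indicators nor the whitelist contents. The classifier itself (GBDT in the thesis) is not included; `screen_domain` returns the feature vector that would be fed to it.

```python
import math
from collections import Counter

# Constructed whitelist of registrable domains (assumption: the thesis uses a
# domain/IP whitelist, but this page does not list its contents).
DOMAIN_WHITELIST = {"google.com", "microsoft.com", "njust.edu.cn"}
VOWELS = set("aeiou")
SECOND_LEVEL = {"com", "edu", "net", "org", "gov", "co"}  # crude suffix list (assumption)

def registrable_part(domain):
    """Return (label just under the public suffix, registrable domain)."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL:
        return labels[-3], ".".join(labels[-3:])
    if len(labels) >= 2:
        return labels[-2], ".".join(labels[-2:])
    return labels[0], labels[0]

def shannon_entropy(s):
    """Character entropy in bits; random DGA labels sit near log2(len(s))."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def longest_consonant_run(s):
    run = best = 0
    for ch in s:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best

def domain_features(domain):
    """Character-level indicators of the kind the thesis feeds its classifier."""
    label, _ = registrable_part(domain)
    n = len(label) or 1
    return {
        "length": len(label),
        "entropy": round(shannon_entropy(label), 3),
        "digit_ratio": round(sum(ch.isdigit() for ch in label) / n, 3),
        "vowel_ratio": round(sum(ch in VOWELS for ch in label) / n, 3),
        "longest_consonant_run": longest_consonant_run(label),
        "distinct_char_ratio": round(len(set(label)) / n, 3),
    }

def screen_domain(domain):
    """Whitelist first (cuts workload and false alarms), then extract features."""
    _, registrable = registrable_part(domain)
    if registrable in DOMAIN_WHITELIST:
        return "whitelisted", None
    return "candidate", domain_features(domain)
```

Whitelisted names never reach feature extraction, which is the workload and false-alarm reduction the abstract describes; everything else yields the numeric indicators a classifier would score.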
【Degree-granting institution】: 南京理工大学 (Nanjing University of Science and Technology)
【Degree level】: Master's
【Year degree awarded】: 2017
【Classification number】: TP393.08
Related master's theses (top 2)
1 方玮; Research on Detection Techniques for Anomalous Communication in the Remote-Control Stage of Advanced Persistent Threats [D]; 南京理工大学; 2017
2 赵则珍; Development of a Real-Time Remote Control System for the Power System of a Large Metallurgical Enterprise [D]; 西安建筑科技大学; 2010
Document ID: 1808616
Document link: https://www.wllwen.com/guanlilunwen/ydhl/1808616.html