Systems Engineering and Electronics ›› 2019, Vol. 41 ›› Issue (4): 826-834. doi: 10.3969/j.issn.1001-506X.2019.04.18

• Systems Engineering •

Attack path prediction of APT based on HMM
(Chinese title: 基于HMM的APT攻击路径预测)

DU Zhenyu (杜镇宇), LIU Fangzheng (刘方正), LI Yihong (李翼宏)

  1. National University of Defense Technology, Hefei 230037, China
  • Online: 2019-03-20  Published: 2019-03-20

Abstract (translated from the Chinese):

Current defense technology against advanced persistent threat (APT) attacks is mainly passive. Taking active defense as the starting point, this paper proposes an APT attack path prediction method based on the hidden Markov model (HMM); the method consists of two parts, modeling and prediction. For modeling, a general HMM for APT attacks is first built from the characteristics of APT attacks, and an algorithm is then proposed that generates the HMM of a particular APT attack. For prediction, the HMM parameter calculation method is improved to cope with the small number of APT attack samples, alert information is introduced to determine the starting point of the prediction, and a path prediction algorithm is proposed. The experimental environment was built by simulating the attack method and process of Operation Aurora; the results show that the modeling and prediction algorithms fit the APT attack scenario and achieve the goal of path prediction.

Abstract:

Aiming at the issue that current advanced persistent threat (APT) attack defense technology is mainly based on passive defense, and taking active defense as the starting point, a method of APT attack path prediction based on the hidden Markov model (HMM) is proposed. The method is divided into modeling and prediction. In the modeling part, a general HMM for APT attacks is first established according to the characteristics of APT attacks; then an algorithm that generates the HMM for a specific APT attack from the current information input is proposed. In the prediction part, the parameter calculation method of the HMM is first improved for the case of few APT samples, and then a path prediction algorithm is proposed that adds alert information to give the starting point of the prediction. In the experiment, an experimental environment is established by simulating the attack method of the Aurora attack, and the results show that the modeling and prediction methods fit the APT attack method and situation and achieve the aim of path prediction.
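As an added illustration of the approach the abstract describes (example code written here, not the paper's code and not its improved parameter estimator), the following Python sketch estimates a small HMM over APT phases from a few constructed attack chains with add-one smoothing to cope with few samples, decodes the phase reached by an observed alert sequence as the prediction start point, and extends it along the most probable transitions. The phase names, alert names, training chains and the smoothing and stopping rules are all assumptions, not taken from the paper.

```python
import math

# Assumed hidden states (APT phases) and observable alert categories; not from the paper.
PHASES = ["recon", "initial_access", "c2", "lateral_move", "exfil"]
ALERTS = ["port_scan", "phish_mail", "beacon", "smb_login", "large_upload"]

# Constructed training data: (phase, alert) pairs from three short attack chains.
SAMPLES = [
    [("recon", "port_scan"), ("initial_access", "phish_mail"), ("c2", "beacon"),
     ("lateral_move", "smb_login"), ("exfil", "large_upload")],
    [("initial_access", "phish_mail"), ("c2", "beacon"), ("exfil", "large_upload")],
    [("recon", "port_scan"), ("initial_access", "phish_mail"), ("c2", "beacon"),
     ("lateral_move", "smb_login"), ("lateral_move", "smb_login"), ("exfil", "large_upload")],
]

def smoothed_rows(counts, cols):
    """Row-normalise with add-one smoothing so unseen transitions/emissions keep non-zero mass."""
    return {r: {c: (counts[r].get(c, 0) + 1) / (sum(counts[r].values()) + len(cols)) for c in cols}
            for r in counts}

def estimate(samples):
    """Estimate initial, transition and emission probabilities from labelled chains."""
    start, trans, emit = {p: 0 for p in PHASES}, {p: {} for p in PHASES}, {p: {} for p in PHASES}
    for chain in samples:
        start[chain[0][0]] += 1
        for i, (phase, alert) in enumerate(chain):
            emit[phase][alert] = emit[phase].get(alert, 0) + 1
            if i + 1 < len(chain):
                nxt = chain[i + 1][0]
                trans[phase][nxt] = trans[phase].get(nxt, 0) + 1
    pi = {p: (start[p] + 1) / (len(samples) + len(PHASES)) for p in PHASES}
    return pi, smoothed_rows(trans, PHASES), smoothed_rows(emit, ALERTS)

def viterbi(alerts, pi, A, B):
    """Most likely phase sequence explaining the observed alerts (log domain)."""
    score = {p: math.log(pi[p]) + math.log(B[p][alerts[0]]) for p in PHASES}
    back = []
    for a in alerts[1:]:
        new, ptr = {}, {}
        for q in PHASES:
            prev, best = max((score[p] + math.log(A[p][q]), p) for p in PHASES)
            new[q], ptr[q] = prev + math.log(B[q][a]), best
        score, back = new, back + [ptr]
    state = max(score, key=score.get)
    path = [state]
    for ptr in reversed(back):           # follow back-pointers to recover the full path
        state = ptr[state]
        path.insert(0, state)
    return path

def predict_path(alerts, pi, A, B, horizon=3):
    """Decode the phase reached so far (prediction start point), then follow the
    most probable transitions forward; a uniform (evidence-free) row ends the path."""
    path = viterbi(alerts, pi, A, B)
    cur = path[-1]
    for _ in range(horizon):
        nxt = max(A[cur], key=A[cur].get)
        if A[cur][nxt] <= 1 / len(PHASES):  # no observed successor: treat as terminal phase
            break
        path.append(nxt)
        cur = nxt
    return path
```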