1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093
2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049
3. Intelligent Policing Key Laboratory of Sichuan Province, Sichuan Police College, Luzhou 646000, Sichuan
LENG Tao (冷涛) (born 1986), male, from Hejiang, Sichuan; doctoral student at the University of Chinese Academy of Sciences and associate professor at Sichuan Police College; main research interests: APT attack detection and forensic analysis.
CAI Lijun (蔡利君) (born 1988), female, from Runan, Henan; Ph.D., assistant researcher at the Institute of Information Engineering, Chinese Academy of Sciences; main research interests: attack detection and insider threat detection.
YU Aimin (于爱民) (born 1980), male, from Linfen, Shanxi; Ph.D., full senior engineer and doctoral supervisor at the Institute of Information Engineering, Chinese Academy of Sciences; main research interests: trusted software evaluation and big-data-based behavioral anomaly detection.
ZHU Ziyuan (朱子元) (born 1980), male, from Ruzhou, Henan; Ph.D., professor (researcher) and doctoral supervisor at the Institute of Information Engineering, Chinese Academy of Sciences; main research interests: processor security technology, and system security theory and technology.
MA Jiangang (马建刚) (born 1990), male, from Hengshui, Hebei; senior engineer at the Institute of Information Engineering, Chinese Academy of Sciences; main research interests: high-fidelity adversarial network simulation and data security.
LI Chaofei (李超飞) (born 1994), male, from Ruzhou, Henan; doctoral student at the University of Chinese Academy of Sciences; main research interests: encrypted traffic and deep learning.
NIU Ruicheng (牛瑞丞) (born 1994), male, from Kunming, Yunnan; doctoral student at the University of Chinese Academy of Sciences; main research interests: malware detection and deep learning.
MENG Dan (孟丹) (born 1965), male, from Harbin, Heilongjiang; Ph.D., director, professor (researcher) and doctoral supervisor of the Institute of Information Engineering, Chinese Academy of Sciences; main research interests: computer system security and cloud computing security.
Online publication date: 2022-06
Print publication date: 2022-07-25
冷涛, 蔡利君, 于爱民, 等. 基于系统溯源图的威胁发现与取证分析综述[J]. 通信学报, 2022, 43(7): 172-188. DOI: 10.11959/j.issn.1000-436x.2022105.
Tao LENG, Lijun CAI, Aimin YU, et al. Review of threat discovery and forensic analysis based on system provenance graph[J]. Journal on Communications, 2022, 43(7): 172-188. DOI: 10.11959/j.issn.1000-436x.2022105.
Based on a survey of the literature on provenance graph research, a research framework for network threat discovery and forensic analysis based on system-level provenance graphs is proposed. Provenance-graph-based data collection, data management, data query and visualization methods are reviewed in detail. A classification of threat detection methods into rule-based, anomaly-based and learning-based approaches is proposed. Threat hunting methods driven by threat intelligence or by tactics, techniques and procedures are summarized. Forensic analysis methods based on causality, sequence learning, domain-specific language queries and semantic reconstruction are summarized. Finally, future research trends are pointed out.