1. National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences, Beijing 101408, China
2. Zhongguancun Laboratory, Beijing 100194, China
3. School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094, China
4. School of Cyberspace Security, Hainan University, Haikou 570228, China
WANG Zhiwei (2000- ), male, born in Xinyang, Henan. Ph.D. candidate at the University of Chinese Academy of Sciences. Main research interests: fuzzing, APT attack and defense techniques.
HE Xijie (2001- ), female, born in Qujing, Yunnan. Ph.D. candidate at the University of Chinese Academy of Sciences. Main research interest: information security.
YI Xin (2001- ), male, born in Nanchong, Sichuan. Master's student at the University of Chinese Academy of Sciences. Main research interest: information security.
LI Ziyang (2002- ), male, born in Qujing, Yunnan. Ph.D. candidate at the University of Chinese Academy of Sciences. Main research interest: information security.
CAO Xudong (1997- ), male, born in Weinan, Shaanxi. Ph.D. candidate at the University of Chinese Academy of Sciences. Main research interest: network and system security.
YIN Tao (1989- ), male, born in Chongqing. Ph.D., senior engineer at Zhongguancun Laboratory. Main research interests: cyber threat detection and attribution.
LI Shuhao (1983- ), male, born in Wenshui, Shanxi. Ph.D., professor-level senior engineer and Ph.D. supervisor at Zhongguancun Laboratory. Main research interests: cyber threat detection and attribution, artificial intelligence and cybersecurity.
FU Anmin (1981- ), male, born in Tongcheng, Hubei. Ph.D., professor and Ph.D. supervisor at Nanjing University of Science and Technology. Main research interests: IoT security, cryptography, and privacy protection.
ZHANG Yuqing (1966- ), male, born in Baoji, Shaanxi. Ph.D., professor and Ph.D. supervisor at the University of Chinese Academy of Sciences. Main research interests: network attack and defense and system security, big data and intelligent security, IoT system security.
Received: 2024-02-18
Revised: 2024-05-24
Published in print: 2024-09-25
WANG Zhiwei, HE Xijie, YI Xin, et al. Survey of attack and detection based on the full life cycle of APT [J]. Journal on Communications, 2024, 45(09): 206-228. DOI: 10.11959/j.issn.1000-436x.2024128.
Advanced persistent threat (APT) attacks are explored from two perspectives: attack methods and detection methods. First, the definitions and characteristics of APT attacks are reviewed and the development of related attack models is summarized. On this basis, a more general APT full-lifecycle model is proposed and divided into four stages: information gathering, intrusion execution, internal network penetration, and data exfiltration. For each stage, research papers from the past five years are surveyed in depth, and the attack and detection techniques of that stage are summarized and analyzed. Finally, in light of the adversarial and rapidly evolving relationship between APT attack and defense technologies, the challenges currently facing both attackers and defenders are identified and directions for future research are proposed.