Project title: Research on Modeling and Detection Methods for Advanced Persistent Threat Network Behavior
Project number: No.61303264
Project type: Young Scientists Fund project
Approval year: 2014
Discipline: Automation technology, computer technology
Principal investigator: 张博锋
Affiliation: 中国人民解放军国防科学技术大学 (National University of Defense Technology)
Funding amount: 230,000 yuan (23万元)
Chinese abstract (translated): Faced with the challenges posed by advanced persistent threats (APT), traditional detection systems lack a flexible detection framework and a unified threat model, and fall short in the scalability of their detection means and in the degree of automation in generating detection patterns. Targeting the multi-stage, cooperative character of APT network behavior in the Internet environment, this project abstracts, from the detector's perspective, the common features that such behavior exhibits, such as the correlation of network events, and proposes to establish a new APT network behavior model and detection framework based on multi-level aggregation of network events, into which diverse monitoring means and threat identification methods can be loaded. The project will tackle three key techniques: semantic mapping between APT network behavior modeling and detection based on multi-level network event aggregation; network threat pattern mining based on individual event aggregation and group attribute reduction; and APT network behavior identification based on the multi-level event aggregation model. It will thereby provide a basic theoretical foundation and effective technical means for making the analysis, pattern acquisition and detection of diverse APT network behavior more convenient, and for raising the level of automation with which threat detection algorithms are turned into APT detection capabilities.
Chinese keywords (translated): advanced persistent threat; attack pattern mining; network threat modeling; attack detection; random address and port hopping
English abstract: Traditional detection systems are facing the challenges from advanced persistent threats (APT). Most of them lack flexibility in the detection framework, unification in threat modeling, scalability in detection means, and automation in detection pattern generation. Based on the multi-stage cooperative characteristic of APT network behavior in the Internet environment, this project proposes to summarize the common correlating features exhibited by network events from the perspective of the detector, and to establish a new APT network behavior modeling and detection framework able to load various monitoring strategies and identification methods according to the model of multi-level network event aggregation. This project will study three key techniques for sophisticated network threats: the detection model with semantic mapping, the pattern mining method, and the threat identification mechanism, based respectively on the multi-stage aggregation of network events, the reduction of group features, and the aggregation model. The development of the project will provide the theoretical basis and effective techniques for improving the convenience of analysis, pattern generation and detection of sophisticated network threats. It will enhance the automation of the transf
English keywords: advanced persistent threat; attack model mining; network threat modeling; attack detection; random port and address hopping