Journal of Computer Applications, 2017, Vol. 37, Issue (9): 2551-2556. DOI: 10.11772/j.issn.1001-9081.2017.09.2551

• Cyberspace Security •

Hierarchical representation model of APT attack

TAN Ren, YIN Xiaochuan, LIAN Zhe, CHEN Yuxin

  1. Information and Navigation College, Air Force Engineering University, Xi'an Shaanxi 710077, China
  • Received: 2017-03-27  Revised: 2017-05-18  Online: 2017-09-10  Published: 2017-09-13
  • Corresponding author: YIN Xiaochuan, redstorm@live.cn
  • About the authors: TAN Ren (born 1993), male, from Loudi, Hunan, master's student, CCF member; main research interest: network and information security. YIN Xiaochuan (born 1961), male, from Wuhan, Hubei, professor, PhD; main research interests: network and information security, digital watermarking. LIAN Zhe (born 1993), male, from Yuncheng, Shanxi, master's student; main research interest: network and information security. CHEN Yuxin (born 1993), male, from Lanzhou, Gansu, master's student; main research interest: network and information security.
  • Supported by:
    This work is partially supported by the National Natural Science Foundation of China (61402510) and the Industrial Science and Technology Project of Shaanxi Province (2016GY-087).

Abstract: To address the problems that the attack chain model divides an attack into overly fine-grained phases and cannot represent the means of attack, an Advanced Persistent Threat (APT) Hierarchical Attack Representation Model (APT-HARM) was proposed. By summarizing and analyzing a large number of published APT incident reports, and drawing on the APT attack chain model and the Hierarchical Attack Representation Model (HARM), the APT attack was divided into two layers, an upper-layer attack chain and a lower-layer attack tree, both of which were formally defined. First, the APT attack was divided into an attack chain of four stages, reconnaissance, infiltration, operation and exfiltration, and the characteristics of each stage were studied. Then, the attack means used in each stage were studied and composed into an attack tree according to their logical relationships. An APT attack proceeds stage by stage along the attack chain, and each stage is carried out according to the flow of its attack tree. The case study shows that, compared with the attack chain model, the proposed model divides the attack at a reasonable granularity and describes it completely and accurately. APT-HARM formally defines the APT attack and provides an approach to the prediction and prevention of APT attacks.

Key words: Advanced Persistent Threat (APT), attack chain, attack tree, Hierarchical Attack Representation Model (HARM)
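The two-layer structure described in the abstract, as an added example that is not code from the paper: a small Python model in which the attack chain is an ordered list of the four stages and each stage is an AND/OR attack tree over attack means. From the defender's side it reports at which stage a given set of mitigations cuts the chain, and which single controls break the chain on their own. The stage trees and technique names are constructed for illustration and are assumptions, not the paper's case study.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Lower layer: an attack tree. A LEAF is one attack means; AND/OR gates combine children.
@dataclass
class Node:
    gate: str                     # "AND", "OR" or "LEAF"
    name: str = ""                # technique name for leaves, label for gates
    children: List["Node"] = field(default_factory=list)

def leaf(name: str) -> Node: return Node("LEAF", name)
def AND(label: str, *kids: Node) -> Node: return Node("AND", label, list(kids))
def OR(label: str, *kids: Node) -> Node: return Node("OR", label, list(kids))

def achievable(node: Node, blocked: Set[str]) -> bool:
    """True if the subtree's goal is still reachable once every leaf in `blocked` is mitigated."""
    if node.gate == "LEAF":
        return node.name not in blocked
    results = [achievable(c, blocked) for c in node.children]
    return all(results) if node.gate == "AND" else any(results)

# Upper layer: the four-stage attack chain, one attack tree per stage.
# Trees and technique names are constructed for this example, not taken from the paper.
APT_CHAIN: List[Tuple[str, Node]] = [
    ("reconnaissance", OR("recon", leaf("open-source intelligence"), leaf("active scanning"))),
    ("infiltration", OR("gain foothold",
        AND("phishing", leaf("spear-phishing email"), leaf("malicious attachment opened")),
        leaf("watering-hole site"))),
    ("operation", AND("operate",
        leaf("persistence established"),
        OR("escalate", leaf("credential theft"), leaf("privilege escalation")),
        leaf("lateral movement"))),
    ("exfiltration", OR("exfil", leaf("encrypted C2 channel"), leaf("covert DNS tunnel"))),
]

def evaluate_chain(chain, blocked: Set[str]) -> Tuple[List[str], Optional[str]]:
    """Walk the chain in order; return (stages completed, first stage cut by the mitigations)."""
    completed: List[str] = []
    for stage, tree in chain:
        if not achievable(tree, blocked):
            return completed, stage
        completed.append(stage)
    return completed, None

def leaves(node: Node) -> List[str]:
    return [node.name] if node.gate == "LEAF" else [n for c in node.children for n in leaves(c)]

def critical_controls(chain) -> List[str]:
    """Leaves whose mitigation alone breaks the chain: the highest-value defensive controls."""
    return [n for _, t in chain for n in leaves(t) if evaluate_chain(chain, {n})[1] is not None]

if __name__ == "__main__":
    print(evaluate_chain(APT_CHAIN, {"spear-phishing email", "watering-hole site"}))
    print(critical_controls(APT_CHAIN))
```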
