APT attacks pose a serious threat to cyberspace, and APT groups commonly reuse malicious functional code. First, a large body of threat intelligence was surveyed, eight major categories of functionality in APT samples were summarized, static detection rules for each category were constructed, and the functional functions of the samples were extracted. Next, the assembly code of each function was normalized and its fuzzy hash computed, building a fingerprint library of each APT group's characteristic functions. Finally, the group of a sample to be classified was determined by how closely it matches the APT group fingerprint libraries. Experimental results show that the proposed method achieves an accuracy of 92% and can effectively classify APT samples by group and trace them to their source.
Abstract: APT attacks pose a serious threat to today's cyberspace, and APT organizations reuse malicious functional code. First, in terms of function implementation, malicious samples from the same organization are more similar to each other, while malicious samples from different organizations are less similar. Based on a large body of threat intelligence, eight categories of function in APT samples were summarized, and static detection rules for each category were constructed to extract the functional modules of the samples. Then, the assembly code of each function was normalized and its fuzzy hash was calculated, building a fingerprint database of the characteristic functions of each APT organization. Finally, the organization of a sample was determined by the degree of match between the sample to be classified and the fingerprint database of each APT organization. The experimental results show that the accuracy of the proposed method is 92%, so it can effectively classify APT samples by organization and trace them to their source.
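As an added illustration of the pipeline the abstract describes (this is not the paper's own code), the following Python normalizes a function's assembly listing, computes a simplified piecewise fuzzy hash, and matches it against a small fingerprint library. The assembly listings, group names and the 70% threshold are constructed placeholders; the paper's eight functional categories and their static detection rules are not modeled.

```python
import difflib
import hashlib
import re

# Constructed, made-up assembly listings standing in for extracted functional functions.
# Group names and code are placeholders, not real APT samples or fingerprints.
GROUP_A_FUNC = ["push ebp", "mov ebp, esp", "sub esp, 0x40", "push 0x1000",
                "call 0x401230 ; VirtualAlloc", "mov [ebp-0x4], eax", "push eax",
                "call 0x401300", "test eax, eax", "jz 0x401180", "leave", "ret"]
GROUP_B_FUNC = ["push rbp", "mov rbp, rsp", "xor rax, rax", "cmp byte [rdi], 0",
                "je 0x140001010", "inc rdi", "inc rax", "jmp 0x140001000", "pop rbp", "ret"]
# Same logic as GROUP_A_FUNC rebuilt with other registers, stack offsets and addresses.
UNKNOWN_FUNC = ["push ebp", "mov ebp, esp", "sub esp, 0x60", "push 0x2000",
                "call 0x402a10", "mov [ebp-0x8], ecx", "push ecx", "call 0x402b40",
                "test ecx, ecx", "jz 0x401f90", "leave", "ret"]

_IMM = re.compile(r"0x[0-9a-f]+|\b\d+\b")
_REG = re.compile(r"\b(?:[re]?[abcd]x|[re]?[sd]i|[re]?[sb]p|r\d+[dwb]?)\b")
_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def normalize(asm_lines):
    """Strip comments, lowercase, and mask immediates/addresses and registers
    so that recompiled or relocated copies of a function look alike."""
    out = []
    for line in asm_lines:
        line = line.split(";", 1)[0].strip().lower()
        if line:
            out.append(_REG.sub("REG", _IMM.sub("IMM", line)))
    return out

def fuzzy_hash(asm_lines):
    """Piecewise hash: one base64 symbol per normalized instruction (a simplified
    stand-in for ssdeep-style context-triggered piecewise hashing)."""
    return "".join(_B64[hashlib.sha256(i.encode()).digest()[0] & 63]
                   for i in normalize(asm_lines))

def similarity(sig_a, sig_b):
    """0..100 similarity of two signatures (sequence-alignment ratio)."""
    return round(100 * difflib.SequenceMatcher(None, sig_a, sig_b).ratio())

# Fingerprint library: group -> signatures of its characteristic functions (constructed).
FINGERPRINT_DB = {"group_a": [fuzzy_hash(GROUP_A_FUNC)],
                  "group_b": [fuzzy_hash(GROUP_B_FUNC)]}

def classify(asm_lines, threshold=70):
    """Attribute a function to the group whose fingerprint matches it best,
    or report 'unknown' when no fingerprint reaches the threshold."""
    sig = fuzzy_hash(asm_lines)
    scores = [(g, max(similarity(sig, f) for f in fps)) for g, fps in FINGERPRINT_DB.items()]
    best = max(scores, key=lambda gs: gs[1])
    return best if best[1] >= threshold else ("unknown", best[1])
```

Calling `classify(UNKNOWN_FUNC)` attributes the rebuilt variant to `group_a` with a score of 100, because masking registers and immediates makes its normalized listing identical to the stored one.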
Basic information:
DOI: 10.13705/j.issn.1671-6841.2021417
CLC number: TP393.08
Citation:
[1] 吕杨琦, 王张宜, 杨秀璋, et al. APT sample classification method based on characteristic functional functions [J], 2023, 55(02): 10-17+24. DOI: 10.13705/j.issn.1671-6841.2021417.
Funding:
National Natural Science Foundation of China projects (62172308, U1626107, 61972297, 62172144)
2021-10-06
2023-03-17