
Computer Engineering (计算机工程) ›› 2024, Vol. 50 ›› Issue (5): 128-138. doi: 10.19678/j.issn.1000-3428.0067968

• Cyberspace Security •

Research on Network Malicious Traffic Detection for Post-Exploitation Attack Behavior

LIANG Songlin (梁松林), LIN Wei (林伟), WANG Jue (王珏), YANG Qing (杨庆)

  1. School of Cyberspace Security, Information Engineering University, Zhengzhou 450001, Henan, China
  • Received: 2023-06-29 Revised: 2023-08-28 Published: 2024-05-14
  • Contact: LIANG Songlin, E-mail: liangsonglin_lsl@163.com
  • Funding:
    National Key R&D Program of China, Frontier Science and Technology Innovation Special Fund (2019QY1300); National Natural Science Foundation of China (62302520).

Abstract: Existing research on post-exploitation behavior focuses mainly on host-side attack and defensive countermeasures and lacks pattern analysis and detection methods for the traffic side. With the rapid development and widespread use of post-exploitation frameworks and tools, malicious traffic detection models based on statistical features or raw traffic input struggle to cope with post-exploitation traffic in complex and changing scenarios, and suffer from weak generalization, low detection accuracy and high false alarm rates. Through an in-depth analysis of post-exploitation malicious traffic samples and normal network session flows, this study proposes a session-flow-level granularity division method for post-exploitation malicious traffic, which mines the interaction behavior and semantic representation of this traffic on a time scale. A Markov model-based time vector feature extraction method is introduced to characterize the behavioral similarity of flow sequences and to model the global behavior of a session flow, addressing the insufficient learning capability of single-granularity features; on this basis, a post-exploitation malicious traffic detection framework based on multi-granularity feature fusion is constructed. Experimental results show that the method achieves 99.98% accuracy on the multi-class detection task for post-exploitation malicious traffic, with high classification accuracy and a low false alarm rate.

Key words: post-exploitation attack, traffic analysis, multi-feature fusion, feature extraction, malicious traffic detection
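As an added illustration (not code from the paper, whose exact state definition and similarity measure are not given on this page), the following Python sketch shows what a Markov model-based time vector feature over a session flow looks like: each packet is mapped to an assumed direction/size state, the row-normalised transition matrix is flattened into a feature vector, and cosine similarity compares two constructed session flows. The state alphabet, size thresholds, sample flows and the use of cosine similarity are all assumptions.

```python
from itertools import product
from math import sqrt

# Assumed state alphabet (not taken from the paper): packet direction x size bucket.
DIRECTIONS = ("c2s", "s2c")
SIZES = ("small", "medium", "large")
STATES = [f"{d}:{s}" for d, s in product(DIRECTIONS, SIZES)]
INDEX = {s: i for i, s in enumerate(STATES)}


def packet_state(direction, length):
    """Map one packet to a discrete state; the thresholds are assumed values."""
    bucket = "small" if length < 128 else "medium" if length < 1024 else "large"
    return f"{direction}:{bucket}"


def markov_features(packets, alpha=0.0):
    """Flatten the row-normalised transition matrix of a session flow into a vector.

    packets: ordered list of (direction, payload_length) for one session flow.
    alpha: additive smoothing so transitions never observed still get a small weight.
    """
    states = [packet_state(d, n) for d, n in packets]
    n = len(STATES)
    counts = [[alpha] * n for _ in range(n)]
    for cur, nxt in zip(states, states[1:]):
        counts[INDEX[cur]][INDEX[nxt]] += 1
    vector = []
    for row in counts:
        total = sum(row)
        vector.extend(x / total if total else 0.0 for x in row)
    return vector


def cosine(u, v):
    """Behavioral similarity of two flows as the cosine of their feature vectors."""
    dot = sum(a * b for a, b in zip(u, v))
    nu, nv = sqrt(sum(a * a for a in u)), sqrt(sum(b * b for b in v))
    return dot / (nu * nv) if nu and nv else 0.0


# Constructed sample flows, not captured traffic: an interactive session of
# short request/response round trips versus a bulk transfer of large responses.
INTERACTIVE = [("c2s", 64), ("s2c", 80)] * 6
BULK = [("c2s", 90)] + [("s2c", 1400)] * 10

if __name__ == "__main__":
    fi, fb = markov_features(INTERACTIVE), markov_features(BULK)
    print("same flow:", round(cosine(fi, fi), 3), " different flows:", round(cosine(fi, fb), 3))
```

In a real pipeline the transition vector would be one of several granularities fused before classification; here it only shows why the two constructed flows separate cleanly.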

CLC number: