ISSN 1000-1239 CN 11-1777/TP

计算机研究与发展 (Journal of Computer Research and Development) ›› 2017, Vol. 54 ›› Issue (7): 1537-1548. doi: 10.7544/issn1000-1239.2017.20160436

• Information Security •

Malware Detection Targeting Data Leakage Behavior (original title: 针对数据泄漏行为的恶意软件检测)

Wang Lina, Tan Cheng, Yu Rongwei, Yin Zhengguang

  1. (State Key Laboratory of Software Engineering (Wuhan University), Wuhan 430072) (Key Laboratory of Aerospace Information Security and Trusted Computing (Wuhan University), Ministry of Education, Wuhan 430072) (School of Computer Science, Wuhan University, Wuhan 430072) (lnwang.whu@gmail.com)
  • Publication date: 2017-07-01
  • Funding:
    National Natural Science Foundation of China (61373169); National High Technology Research and Development Program of China (863 Program) (2015AA016004); National Key Technology Research and Development Program of China (2014BAH41B00); NSFC-General Technology Fundamental Research Joint Fund (U1536204)

The Malware Detection Based on Data Breach Actions

Wang Lina, Tan Cheng, Yu Rongwei, Yin Zhengguang   

  1. (State Key Laboratory of Software Engineering (Wuhan University), Wuhan 430072) (Key Laboratory of Aerospace Information Security and Trusted Computing (Wuhan University), Ministry of Education, Wuhan 430072) (School of Computer Science, Wuhan University, Wuhan 430072)
  • Online: 2017-07-01

Abstract (translated from the Chinese): Advanced persistent threat (APT) attacks pose a great challenge to data protection in enterprises and governments. Building malware from 0-day vulnerabilities is a common route for APT attacks, and traditional signature-based security systems can hardly detect such attacks. To detect malware that leaks sensitive information, this paper first analyzes APT malware that has already appeared and sketches the attack steps used to steal information; on that basis it proposes a malware detection scheme targeting data leakage behavior, intended to detect malware of the same attack type. The scheme combines anomaly detection with misuse detection to continuously monitor the protected hosts and network at low overhead, and proposes a set of inference rules describing the high-level malicious events observable in the attack steps. Once a suspicious event is observed, low-level behaviors of the host and network are collected further, correlated with high-level malicious events according to the inference rules, and used to reconstruct the attack steps of the information theft, thereby detecting the presence of the attack. Simulation experiments verify the effectiveness of the scheme.

Keywords (translated from the Chinese): information leakage, malware, attack steps, low-level behaviors, high-level malicious events, inference rules

Abstract: The advanced persistent threat (APT) attack is a big challenge to enterprise and governmental data protection. The use of 0-day exploits is prevalent among malware capable of APT attacks, and traditional security systems relying on known features can hardly detect them. In order to detect malware which steals sensitive information, we first analyze existing APT malware and describe the steps of their attacks. Based on the analysis, we propose a malware detection method focusing on data breach actions for the same kind of malware. Combining anomaly detection with misuse detection, this method enables persistent monitoring that protects hosts and the network at low cost. Also proposed are inference rulesets which describe the high-level malicious events observed in attack steps. Once suspicious events are detected, low-level actions from the hosts and the network are further collected and correlated to high-level malicious events by the inference rules. Eventually we reconstruct the data breach attack procedure to judge the existence of the attack. Simulation experiments verify the effectiveness of the method.

Key words: data breach, malware, attack steps, low-level actions, high-level malicious events, inference rules
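As an added illustration of the two-stage design the abstract describes (a cheap persistent trigger, followed by collecting a process's low-level actions and correlating them into high-level events with inference rules until the attack steps are reconstructed), here is a minimal correlator. It is example code, not the paper's; the rules, thresholds, attack-step model and the sample action log are constructed assumptions.

```python
# Added example (not the paper's code): two-stage correlator in the abstract's spirit; rules, thresholds and log are constructed.

# Low-level action record: (timestamp, pid, kind, target, bytes). Constructed sample log.
SAMPLE_ACTIONS = [
    (1, 7,    "file_read",  "/var/log/syslog", 512),
    (2, 4242, "file_read",  "/home/alice/contracts/q3.docx", 2_000_000),
    (3, 4242, "file_write", "/tmp/.cache/pkg.zip", 900_000),
    (4, 4242, "dns",        "cdn-update.example", 0),
    (5, 4242, "connect",    "203.0.113.10:443", 0),
    (6, 4242, "send",       "203.0.113.10:443", 900_000),
    (7, 7,    "connect",    "10.0.0.5:514", 0),
]
SENSITIVE_PREFIXES = ("/home/alice/contracts/",)   # assumed protected directory
INTERNAL_PREFIXES = ("10.", "192.168.")            # assumed internal address space
ATTACK_STEPS = ("collect", "stage", "exfiltrate")  # assumed attack-step model

def of_kind(acts, kind):
    return [a for a in acts if a[2] == kind]

# Inference rules: each maps one process's low-level actions to a high-level event and
# returns the timestamp of the first action realising it, or None if not observed.
def rule_collect(acts):
    hits = [a for a in of_kind(acts, "file_read") if a[3].startswith(SENSITIVE_PREFIXES)]
    return hits[0][0] if hits else None
def rule_stage(acts):
    hits = [a for a in of_kind(acts, "file_write") if a[3].endswith((".zip", ".rar", ".7z"))]
    return hits[0][0] if hits else None
def rule_exfiltrate(acts):
    ext = [a for a in of_kind(acts, "send") if not a[3].startswith(INTERNAL_PREFIXES)]
    return ext[0][0] if sum(a[4] for a in ext) >= 500_000 else None

RULES = {"collect": rule_collect, "stage": rule_stage, "exfiltrate": rule_exfiltrate}

def trigger(actions):
    """Stage 1: cheap persistent check; fires on any connection to a non-internal host."""
    return {a[1] for a in actions if a[2] == "connect" and not a[3].startswith(INTERNAL_PREFIXES)}

def infer_events(actions, pid):
    """Stage 2: correlate the triggered process's low-level actions into (ts, event) pairs."""
    acts = sorted(a for a in actions if a[1] == pid)
    return [(ts, s) for ts, s in ((RULES[s](acts), s) for s in ATTACK_STEPS) if ts is not None]

def reconstruct(events):
    """The attack is reconstructed when every step is present and occurs in attack order."""
    stamps = [ts for ts, _ in events]
    return [s for _, s in events] == list(ATTACK_STEPS) and stamps == sorted(stamps)

def detect(actions):
    """Map each triggered pid to its reconstructed chain; an empty dict means no detection."""
    return {pid: infer_events(actions, pid) for pid in trigger(actions)
            if reconstruct(infer_events(actions, pid))}
```

Only the process that tripped the stage-1 trigger is analysed in depth, which is what keeps the persistent monitoring cheap; a process whose events are present but out of attack order is not reported.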
