ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development (计算机研究与发展), 2017, Vol. 54, Issue (10): 2344-2355. doi: 10.7544/issn1000-1239.2017.20170433

• Information Security •

Advanced Persistent Threats Detection Game with Expert System for Cloud
(基于专家系统的高级持续性威胁云端检测博弈)

Hu Qing (胡晴)1,2, Lü Shichao (吕世超)1,2, Shi Zhiqiang (石志强)1,2, Sun Limin (孙利民)1,2, Xiao Liang (肖亮)3

  1(School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049); 2(Beijing Key Laboratory of IOT Information Security Technology (Institute of Information Engineering, Chinese Academy of Sciences), Beijing 100093); 3(Department of Communication Engineering, Xiamen University, Xiamen, Fujian 361005) (huqing@iie.ac.cn)
  • Published online: 2017-10-01
  • Funding: National Key Research and Development Program of China (2016YFB0800202); National Defense Basic Scientific Research Program (JCKY2016602B001); National Natural Science Foundation of China (U1636120, 61671396); Beijing Municipal Science and Technology Commission Special Project (Z161100002616032); CCF-Venustech Hongyan Research Fund (2016-010)

Abstract (translated from the Chinese): Cloud computing systems are a major target of advanced persistent threats (APT). An automated APT detector has difficulty discovering APT attacks accurately; having an expert system re-examine suspicious behaviors can reduce detection errors. However, the expert system needs additional time to complete the second check, which may delay the defensive response, and the expert system itself also makes misjudgements. Taking into account the false alarm rates and miss rates of both the APT detector and the expert system, we use game theory to discuss whether a second check by the expert system is necessary in APT detection and defense for cloud computing systems. We design an expert-system-based APT detection scheme, propose an ES-APT detection game model, derive its Nash equilibrium, and on that basis study how the expert system improves the security performance of the cloud computing system. In addition, for the case where the APT attack model cannot be obtained, we propose a scheme that uses a reinforcement learning algorithm to obtain the optimal defense strategy. Simulation results show that the dynamic ES-APT detection scheme based on the WoLF-PHC algorithm improves the defender's utility and the security of the cloud computing system compared with the benchmark schemes.

Keywords (translated from the Chinese): advanced persistent threats, cloud security, expert system, game theory, reinforcement learning

Abstract: Cloud computing systems are under threat from advanced persistent threats (APT). It is hard for an autonomous detector to discover APT attacks accurately. The expert system (ES) can help to reduce detection errors via double-checking suspicious behaviors. However, it takes an extended period of time for the ES to recheck, which may lead to a defense delay. Besides, the ES makes mistakes too. In this paper, we discuss the necessity of the ES to participate in APT detection and defense for a cloud computing system by game theory, based on the consideration of miss detection rates and false alarm rates of both the APT detector and the ES. The ES-based APT detection method is designed, and the ES-APT game between an APT attacker and a defender is formulated. We derive its Nash equilibrium and analyze how the ES enhances the security of the cloud computing system. Also, the dynamic game is studied, for the case where the APT attack model is unavailable. We present a reinforcement learning scheme for the cloud computing system with ES to get the optimal strategy. Simulation results show that, with the knowledge of the ES, both the defender's utility and the cloud computing system's security are improved compared with benchmark schemes.

Key words: advanced persistent threats (APT), cloud security, expert system (ES), game theory, reinforcement learning
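The abstract describes three pieces of machinery: combining the false alarm and miss rates of the detector and the ES into the error rates of the two-stage pipeline, a defender/attacker game solved for its Nash equilibrium, and WoLF-PHC learning of the defense policy when the attack model is unavailable. The script below is an added illustration of how those pieces fit together; it is not the paper's model or code, and the paper's utility functions are not on this page. All error rates, the payoff constants G, L, D, C, K, the serial detector-then-ES structure, the attacker's fixed attack probability and the learning parameters are constructed assumptions chosen only to make the mechanics visible.

```python
"""Constructed illustration, not the paper's model or code: compose the error
rates of a two-stage APT detection pipeline (automated detector, then an
expert-system recheck), evaluate a small defender/attacker game on those rates,
and let the defender learn its recheck policy with WoLF-PHC when the attacker
model is unknown. Every numeric parameter below is an assumption."""
import random

# Assumed (false alarm rate, miss rate) of each stage.
DETECTOR = (0.20, 0.30)
EXPERT = (0.10, 0.05)
# Assumed payoffs: gain for a caught attack, loss for a missed attack,
# delay cost of waiting for the ES, cost of a false alarm, attacker's attack cost.
G, L, D, C, K = 10.0, 10.0, 2.0, 5.0, 1.0


def composite_rates(det, es):
    """Serial pipeline: an alarm is raised only if the detector flags the
    behaviour AND the ES confirms it (errors of the two stages assumed independent)."""
    fa_d, miss_d = det
    fa_e, miss_e = es
    return fa_d * fa_e, miss_d + (1 - miss_d) * miss_e


def defender_payoff(recheck, attack):
    """Expected defender utility for one round, given both players' actions
    (recheck: 1 = wait for the ES, 0 = act on the detector alone)."""
    fa, miss = composite_rates(DETECTOR, EXPERT) if recheck else DETECTOR
    if attack:
        return (1 - miss) * (G - (D if recheck else 0.0)) - miss * L
    return -fa * C


def attacker_payoff(recheck, attack):
    """Attacker gains L when missed, loses G when caught, and pays K to attack."""
    if not attack:
        return 0.0
    _, miss = composite_rates(DETECTOR, EXPERT) if recheck else DETECTOR
    return miss * L - (1 - miss) * G - K


def pure_nash_equilibria():
    """(recheck, attack) profiles where neither player gains by deviating."""
    eq = []
    for r in (0, 1):
        for a in (0, 1):
            d_ok = defender_payoff(r, a) >= defender_payoff(1 - r, a)
            a_ok = attacker_payoff(r, a) >= attacker_payoff(r, 1 - a)
            if d_ok and a_ok:
                eq.append((r, a))
    return eq


def wolf_phc(attack_prob, steps=4000, eps=0.1, delta_win=0.01, delta_lose=0.04, seed=1):
    """Single-state WoLF-PHC (Bowling and Veloso) for the defender's two
    actions against an attacker that attacks with a fixed, unknown probability.
    Returns the learned policy [P(no recheck), P(recheck)]."""
    rng = random.Random(seed)
    q, counts = [0.0, 0.0], [0, 0]
    pi, avg_pi = [0.5, 0.5], [0.5, 0.5]
    for n in range(1, steps + 1):
        # epsilon-greedy exploration on top of the learned policy
        if rng.random() < eps:
            r = rng.randrange(2)
        else:
            r = 0 if rng.random() < pi[0] else 1
        a = 1 if rng.random() < attack_prob else 0
        counts[r] += 1
        q[r] += (defender_payoff(r, a) - q[r]) / counts[r]   # sample-average Q
        avg_pi = [ap + (p - ap) / n for ap, p in zip(avg_pi, pi)]
        winning = sum(p * v for p, v in zip(pi, q)) > sum(p * v for p, v in zip(avg_pi, q))
        delta = delta_win if winning else delta_lose       # learn slowly when winning
        best = 0 if q[0] >= q[1] else 1
        pi[best] = min(1.0, pi[best] + delta)
        pi[1 - best] = 1.0 - pi[best]
    return pi


if __name__ == "__main__":
    print("composite (false alarm, miss):", composite_rates(DETECTOR, EXPERT))
    print("pure Nash equilibria (recheck, attack):", pure_nash_equilibria())
    for p in (0.1, 0.6):
        print(f"attack probability {p}: learned P(recheck) = {wolf_phc(p)[1]:.2f}")
```

With these assumed numbers the serial recheck cuts the false alarm rate from 0.20 to 0.02 but raises the miss rate from 0.30 to 0.335, which is the trade-off the abstract points at: the ES removes false alarms at the price of delay and its own misses. The only pure equilibrium of the constructed game is (recheck, no attack), and the learner, which sees only the attacker's realised actions, settles on rechecking when attacks are rare (false alarms dominate the cost) and on acting directly when they are frequent (missed or delayed responses dominate).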

CLC number: