ISSN 1000-1239 CN 11-1777/TP

计算机研究与发展 ›› 2021, Vol. 58 ›› Issue (5): 1006-1020.doi: 10.7544/issn1000-1239.2021.20200942

所属专题: 2021人工智能安全与隐私保护技术专题

• 信息安全 • 上一篇    下一篇

隐私保护的基于图卷积神经网络的攻击溯源方法

李腾1,乔伟2,张嘉伟1,高怿旸3,王申奥1,沈玉龙2,马建峰1   

  1. 1(西安电子科技大学网络与信息安全学院 西安 710071);2(西安电子科技大学计算机科学与技术学院 西安 710071);3(西安电子科技大学人工智能学院 西安 710071) (litengxidian@gmail.com)
  • 出版日期: 2021-05-01
  • 基金资助: 
    国家自然科学基金青年科学基金项目(61902291);中国博士后基金项目(2019M653567);陕西省自然科学基金项目(2019JM-425);中央高校基本科研业务费专项资金(JB191507)

Privacy-Preserving Network Attack Provenance Based on Graph Convolutional Neural Network

Li Teng1, Qiao Wei2, Zhang Jiawei1, Gao Yiyang3, Wang Shenao1, Shen Yulong2, Ma Jianfeng1   

  1. 1(School of Cyber Engineering, Xidian University, Xi’an 710071);2(School of Computer Science and Technology, Xidian University, Xi’an 710071);3(School of Artificial Intelligence, Xidian University, Xi’an 710071)
  • Online: 2021-05-01
  • Supported by: 
    This work was supported by the National Natural Science Foundation of China (61902291), the China Postdoctoral Science Foundation (2019M653567), the Natural Science Foundation of Shaanxi Province of China (2019JM-425), and the Fundamental Research Funds for the Central Universities (JB191507).

摘要: APT(advanced persistent threat)攻击潜伏时间长,目的性强,会通过变种木马、勒索病毒、组建僵尸网络等手段从内部瓦解企业安全堡垒.但现有攻击溯源方法都只针对单一日志或流量数据,这导致了无法追溯多阶段攻击的完整过程.并且因为日志条目间关系复杂,日志关系图中会产生严重的状态爆炸问题,导致难以对攻击进行准确的分类识别.同时,在利用日志及流量数据进行攻击溯源过程中,很少考虑到数据隐私保护问题.为解决这些问题,提出了一种具有隐私保护的基于图卷积神经网络的攻击溯源方法.通过监督学习解决了因多日志关系连接导致的状态爆炸,对Louvain社区发现算法进行优化从而提高了检测速度及准确性,利用图卷积神经网络对攻击进行有效的分类,并结合属性基加密实现了日志数据的隐私保护.通过复现4种APT攻击测试方法来检测速度和效率.实验结果表明:该方法的检测时间最多可有90%的缩减,攻击溯源准确率可达92%.

关键词: 攻击溯源, 图卷积神经网络, 隐私保护, 数据访问控制, 属性基加密

Abstract: APT(advanced persistent threat) attacks have a long incubation time and a vital purpose. It can destroy the inside’s enterprise security fortress, employing variant Trojans, ransomware, and botnet. However, the existing attack source tracing methods only target a single log or traffic data, making it impossible to trace the complete process of multi-stage attacks. Because of the complicated log relationship, serious state explosion problems will occur in the log relationship graph, making it difficult to classify and identify attacks accurately. Simultaneously, data privacy protection is rarely considered in using log and traffic data for attack tracing approaches. We propose an attack tracing method based on a Graph Convolutional Network (GCN) with user data privacy protection to solve these problems. Supervised learning solves the state explosion caused by multiple log relationship connections, optimizing the Louvain community discovery algorithm to improve detection speed and accuracy. Moreover, using map neural networks to attack classification effectively and combining privacy protection scheme leveraging CP-ABE (Ciphertext-Policy Attribute Based Encryption) properties realize log data secure sharing in public cloud. In this paper, the detection speed and efficiency of four APT attack testing methods are reproduced. Experimental results show that the detection time of this method can be reduced by 90% at most, and the accuracy can reach 92%.

Key words: attack provenance, graph convolutional neural network, privacy preserving, data access control, attribute-based encryption

中图分类号: