Journal: 《计算机科学与探索》 (Journal of Frontiers of Computer Science and Technology)

An Advanced Persistent Threat Detection Method for SCADA System Communication Networks


Abstract

Advanced persistent threats (APTs) are a new class of attack and have become a major threat to the security of SCADA (supervisory control and data acquisition) systems. Existing intrusion detection techniques cannot deal effectively with this type of attack, so research on an effective APT detection model is of real significance. This paper proposes a new APT attack detection method. In the normal log behaviour modelling stage it improves the representation of behaviour patterns: each pattern is represented by characteristic substrings of several different lengths, and a normal log behaviour profile is built from the support of these sequence patterns. Taking the temporal ordering of log events fully into account, and to cope with the complex and changeable character of APT behaviour, the paper proposes a detection model that combines similarity-matrix matching with a decision threshold to judge whether logged behaviour is normal or anomalous. Comparative experiments show that the proposed method achieves good detection performance.
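The abstract gives only the outline of the method (characteristic substrings of several lengths, sequence support for the normal profile, similarity-matrix matching against a decision threshold). The following Python is an added illustration of that outline, not code from the paper: the substring lengths, the use of weighted Jaccard similarity against each row of a sequence-by-substring matrix, the weight of 1.0 given to substrings unseen in the profile, the support and decision thresholds, and the Modbus-style event sequences are all assumptions made for this example.

```python
"""Substring-profile anomaly detector for SCADA event-log sequences.

Added example following the abstract's outline; the concrete choices
(substring lengths, weighted Jaccard similarity, weight 1.0 for novel
substrings, threshold values, sample data) are assumptions, not the paper's.
"""
from collections import Counter

LENGTHS = (1, 2, 3)   # assumed substring lengths used to describe behaviour
MIN_SUPPORT = 0.5     # assumed: keep substrings seen in >= 50% of normal sequences
THRESHOLD = 0.6       # assumed decision threshold on the similarity score

# Constructed sample data: each sequence is one session of Modbus-style events
# (RC = read coils, RH = read holding registers, RI = read input registers,
# WS = write single register). Normal traffic is polling with an occasional write.
NORMAL_SEQUENCES = [
    ["RC", "RH", "RI", "RC", "RH", "RI"],
    ["RC", "RH", "RI", "WS", "RC", "RH", "RI"],
    ["RC", "RH", "RI", "RC", "RH", "RI", "WS"],
    ["RC", "RH", "RI", "RC", "RH", "RI"],
]


def substrings(seq, lengths=LENGTHS):
    """All distinct contiguous substrings of seq with the given lengths."""
    return {tuple(seq[i:i + n]) for n in lengths for i in range(len(seq) - n + 1)}


def build_profile(normal_seqs, min_support=MIN_SUPPORT):
    """Return (support, matrix) describing normal behaviour.

    support: substring -> fraction of normal sequences containing it, keeping
             only substrings whose support reaches min_support.
    matrix:  one row per normal sequence holding the profile substrings that
             sequence contains (sparse form of the sequence x substring matrix).
    """
    per_seq = [substrings(s) for s in normal_seqs]
    counts = Counter(p for pats in per_seq for p in pats)
    n = len(normal_seqs)
    support = {p: c / n for p, c in counts.items() if c / n >= min_support}
    matrix = [frozenset(p for p in pats if p in support) for pats in per_seq]
    return support, matrix


def weighted_jaccard(support, row, test):
    """Weighted Jaccard similarity between one profile row and a test set.

    Substrings are weighted by their support; a substring absent from the
    profile is novel and gets weight 1.0, so it counts fully against the match.
    """
    weight = lambda p: support.get(p, 1.0)
    union = sorted(row | test)
    inter = sorted(row & test)
    den = sum(weight(p) for p in union)
    if den == 0:
        return 0.0
    return sum(weight(p) for p in inter) / den


def score(support, matrix, seq):
    """Best similarity of seq against any row of the profile matrix."""
    test = substrings(seq)
    return max(weighted_jaccard(support, row, test) for row in matrix)


def is_anomalous(support, matrix, seq, threshold=THRESHOLD):
    """Decision rule: flag the sequence when its best match is below threshold."""
    return score(support, matrix, seq) < threshold


if __name__ == "__main__":
    support, matrix = build_profile(NORMAL_SEQUENCES)
    for seq in (["RC", "RH", "RI", "RC", "RH", "RI"],
                ["RC", "RH", "RI", "WS", "RC", "RH", "RI", "RC", "RH", "RI"],
                ["WS", "WS", "WS", "WS", "RI"]):   # burst of writes: constructed attack-like session
        verdict = "ANOMALOUS" if is_anomalous(support, matrix, seq) else "normal"
        print(" ".join(seq), round(score(support, matrix, seq), 3), verdict)
```

Using several substring lengths is what lets the detector separate a session that merely reorders known events from one that introduces transitions never seen in normal traffic: the single-event alphabet of the write burst is entirely known, but its length-2 and length-3 substrings are not, and they pull the score far below the threshold.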
