Authors: Yajing Liu, Ruijie Cai, Xiaokang Yin, Shengli Liu
DOI: 10.5121/csit.2023.130711 (https://doi.org/10.5121/csit.2023.130711)
Journal: ADCAIJ-Advances in Distributed Computing and Artificial Intelligence Journal, volume 27 1
Publication date: 2023-04-29
Publication type: Journal Article
Impact factor: 1.7; JCR: Q3 (COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE)
Citation count: 0
Platform: Semanticscholar
A Novel Exploit Traffic Traceback Method based on Session Relationship
Vulnerability exploitation is the key to obtaining control of a system and poses a significant threat to network security. It is therefore necessary to discover exploitation from traffic. Current methods usually target only a single stage, which gives an incomplete causal relationship, and depend on the payload content, so an attacker can easily avoid detection by encrypting traffic or by other means. To solve these problems, we propose a traffic traceback method for vulnerability exploitation based on session relationships. First, we construct the session relationship model using the session correlation of different stages during the exploit. Second, we build a session diagram based on historical traffic. Finally, we traverse the session diagram to find the traffic that conforms to the session relationship model. Compared with Blatta, a method that detects early exploit traffic with an RNN, the detection rate of our method is increased by 50%, and it is independent of traffic encryption methods.