Algorithm for generating logical expressions of APT samples

DU Zhenyu, LI Yihong, ZHANG Liang   

  1. Electronic Confrontation Institute, National University of Defense Technology, Hefei 230037, China
  • Online: 2018-01-01 Published: 2018-01-15


杜镇宇,李翼宏,张  亮   

  1. Department of Networks, Electronic Confrontation Institute, National University of Defense Technology, Hefei 230037, China

Abstract: Through an in-depth study of known Advanced Persistent Threat (APT) attack events, and building on the theory of threat intelligence sharing, this paper proposes IOCG (Indicator of Compromise Generate), an algorithm for generating logical expressions of APT samples. The algorithm automatically generates machine-readable IOCs (Indicators of Compromise), overcoming the limitations of existing IOCs: fixed logical relationships, an unchanging number of logical items, large size, and the inability to generate an expression for a whole class of samples. At the same time, it reduces the time spent processing redundant and useless APT sample features, raises the rate at which intelligence analysis can be shared, and supports an active response to the complex and changing APT attack situation. In the experiment, APT1 samples are drawn by bootstrap sampling and divided into an experimental set and a training set; the algorithm and the IOC_Aware plug-in are then each used to generate logical expressions for the training set, and the differences both in the expressions themselves and in the detection results are compared. The experimental results show that the algorithm is effective and improves the detection effect.

Key words: Advanced Persistent Threat(APT), entropy, Indicators of Compromise(IOCs), logic expression

Abstract (Chinese version): Through an in-depth study of known APT attack events, and building on the theory of threat intelligence sharing, an algorithm named IOCG for generating logical expressions of APT samples is proposed. The algorithm can automatically generate machine-readable IOCs, overcoming the limitations of existing IOCs: fixed logical relationships, an unchanging number of logical items, large size, and the inability to generate an expression for a class of samples. At the same time, it reduces the time spent processing redundant and useless APT sample features, raises the rate of intelligence analysis and sharing, and supports an active response to the complex and changing APT attack situation. In the experiment, APT1 samples are drawn by bootstrap sampling and divided into an experimental set and a training set; the algorithm and the IOC_Aware plug-in are then each used to generate logical expressions for the training set, and the differences in the expressions themselves and in detection effect are compared. The experimental results show that the algorithm is effective and improves the detection effect.

Key words (Chinese version): Advanced Persistent Threat (APT), entropy, Indicators of Compromise (IOCs), logic expression