A Holistic Framework for Emerging Long-term Attacks Detection and Response Using Diverse Heterogeneous Data Sources

使用不同异构数据源检测和响应新兴长期攻击的整体框架

• 批准号: RGPIN-2020-05321
• 负责人: Traore, Issa
• 金额: $ 2.55万
• 依托单位: University of Victoria
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2021
• 资助国家: 加拿大
• 起止时间: 2021-01-01 至 2022-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=740508
• 关键词: Holistic; Framework; Emerging; Long; term

Recently, it was discovered that a state-sponsored hacker group has been infiltrating the European Union's (EU) diplomatic communications network for years, downloading thousands of sensitive cables. The attack ran undetected for a three-year period and targeted more than 100 organisations and institutions, such as the United Nations and ministries of foreign affairs and finance. The attack is a type of emerging threat consisting of targeted and long-term campaigns delivered by skilled hackers who have clearly defined objectives and relentlessly work towards achieving their aims. These breaches can go undetected for a long period of time because of the hackers' ability to adapt to and escape defensive methods. Noticeably, there has been an evolution from volume-based attacks towards stealth-like `low and slow' style attacks. Although volumetric attacks often occur within a set time frame, low and slow attacks rely on an ongoing stream of malicious requests and have no distinct beginning or end; this makes their detection by current intrusion detection systems (IDS) and security information and event management (SIEM) tools challenging. The long-term objective of the research program is to spearhead the development of a new generation of security data analytics techniques by using more diverse data sources that can gain better situational awareness of the threat environment and deploy sound solutions for cyber incident attribution and resiliency. The short-term objective of the research program is to develop a new framework for detecting, responding and investigating long-term attacks using data from both the traditional security ecosystem and beyond the organisation perimeter. The research will leverage the large dynamic uncertain multigraph theory to coherently express and analyse security data across various heterogeneous data sources and meaningfully link seemingly innocuous and unrelated events to expose hidden and long-term attack patterns. Indeed, existing attack graphs are crippled by scalability challenges: they are limited in scope, target particular types of threats and rely on a limited set of data sources. The research will strengthen existing cyber defenses by developing novel techniques to observe and process malicious patterns and activities at a larger scale, including the long-term activities that may span beyond an entire data center. This will benefit Canada by strengthening the protection of digital assets and critical infrastructure and by increasing the competitiveness of the Canadian cybersecurity industry. 11 Highly Qualified Personnel (HQPs), four PhD students, three master's students and four undergraduate students, will be trained in security threat assessment and mitigation directly in the program. The program will be led by Dr. Issa Traore, who is the coauthor of several influential cybersecurity papers and a current member of the editorial board of the IEEE Transactions on Information Security and Forensics.

最近，人们发现一个国家支持的黑客组织多年来一直渗透欧盟（EU）外交通信网络，下载了数千条敏感电缆。这次攻击在三年内未被发现，攻击目标是联合国、外交部和财政部等 100 多个组织和机构。这种攻击是一种新兴威胁，由熟练的黑客发起的有针对性的长期活动组成，这些黑客有明确的目标，并不懈地努力实现其目标。由于黑客有能力适应和逃避防御方法，因此这些漏洞可能会在很长一段时间内不被发现。值得注意的是，已经从基于容量的攻击演变为类似隐秘的“低而慢”的攻击。尽管容量攻击通常发生在设定的时间范围内，但低速和慢速攻击依赖于持续的恶意请求流，并且没有明显的开始或结束；这使得当前的入侵检测系统 (IDS) 和安全信息和事件管理 (SIEM) 工具的检测变得具有挑战性。该研究计划的长期目标是通过使用更多样化的数据源来引领新一代安全数据分析技术的开发，这些数据源可以获得更好的威胁环境态势感知，并为网络事件归因和弹性部署良好的解决方案。该研究计划的短期目标是开发一个新的框架，使用来自传统安全生态系统和组织边界之外的数据来检测、响应和调查长期攻击。 该研究将利用大动态不确定多图理论来连贯地表达和分析各种异构数据源的安全数据，并有意义地将看似无害和不相关的事件联系起来，以暴露隐藏的长期攻击模式。事实上，现有的攻击图因可扩展性挑战而受到削弱：它们的范围有限，针对特定类型的威胁，并且依赖于有限的数据源。该研究将通过开发新技术来观察和处理更大规模的恶意模式和活动，包括可能跨越整个数据中心的长期活动，从而加强现有的网络防御。这将通过加强对数字资产和关键基础设施的保护以及提高加拿大网络安全行业的竞争力而使加拿大受益。 11 名高素质人员 (HQP)、四名博士生、三名硕士生和四名本科生将直接在该计划中接受安全威胁评估和缓解方面的培训。 该项目将由 Issa Traore 博士领导，他是多篇有影响力的网络安全论文的合著者，也是 IEEE Transactions on Information Security and Forensics 的现任编辑委员会成员。