A Holistic Framework for Emerging Long-term Attacks Detection and Response Using Diverse Heterogeneous Data Sources

使用不同异构数据源检测和响应新兴长期攻击的整体框架

• 批准号: RGPIN-2020-05321
• 负责人: Traore, Issa
• 金额: $ 2.55万
• 依托单位: University of Victoria
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2022
• 资助国家: 加拿大
• 起止时间: 2022-01-01 至 2023-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=752293
• 关键词: Holistic; Framework; Emerging; Long; term

Recently, it was discovered that a state-sponsored hacker group has been infiltrating the European Union's (EU) diplomatic communications network for years, downloading thousands of sensitive cables. The attack ran undetected for a three-year period and targeted more than 100 organisations and institutions, such as the United Nations and ministries of foreign affairs and finance. The attack is a type of emerging threat consisting of targeted and long-term campaigns delivered by skilled hackers who have clearly defined objectives and relentlessly work towards achieving their aims. These breaches can go undetected for a long period of time because of the hackers' ability to adapt to and escape defensive methods. Noticeably, there has been an evolution from volume-based attacks towards stealth-like `low and slow' style attacks. Although volumetric attacks often occur within a set time frame, low and slow attacks rely on an ongoing stream of malicious requests and have no distinct beginning or end; this makes their detection by current intrusion detection systems (IDS) and security information and event management (SIEM) tools challenging. The long-term objective of the research program is to spearhead the development of a new generation of security data analytics techniques by using more diverse data sources that can gain better situational awareness of the threat environment and deploy sound solutions for cyber incident attribution and resiliency. The short-term objective of the research program is to develop a new framework for detecting, responding and investigating long-term attacks using data from both the traditional security ecosystem and beyond the organisation perimeter. The research will leverage the large dynamic uncertain multigraph theory to coherently express and analyse security data across various heterogeneous data sources and meaningfully link seemingly innocuous and unrelated events to expose hidden and long-term attack patterns. Indeed, existing attack graphs are crippled by scalability challenges: they are limited in scope, target particular types of threats and rely on a limited set of data sources. The research will strengthen existing cyber defenses by developing novel techniques to observe and process malicious patterns and activities at a larger scale, including the long-term activities that may span beyond an entire data center. This will benefit Canada by strengthening the protection of digital assets and critical infrastructure and by increasing the competitiveness of the Canadian cybersecurity industry. 11 Highly Qualified Personnel (HQPs), four PhD students, three master's students and four undergraduate students, will be trained in security threat assessment and mitigation directly in the program. The program will be led by Dr. Issa Traore, who is the coauthor of several influential cybersecurity papers and a current member of the editorial board of the IEEE Transactions on Information Security and Forensics.

最近，一个由国家支持的黑客组织被发现多年来一直在渗透欧盟（EU）的外交通信网络，下载了数千份敏感电报。这次攻击持续了三年未被发现，目标是100多个组织和机构，如联合国、外交部和财政部。这种攻击是一种新兴的威胁，由熟练的黑客提供的有针对性的长期活动组成，他们有明确的目标，并坚持不懈地努力实现他们的目标。这些漏洞可能会在很长一段时间内未被发现，因为黑客有能力适应和逃避防御方法。值得注意的是，从基于数量的攻击演变为类似于“低而慢”的隐形攻击。虽然体积攻击通常发生在一个设定的时间范围内，低和缓慢的攻击依赖于恶意请求的持续流，没有明显的开始或结束;这使得当前的入侵检测系统（IDS）和安全信息和事件管理（SIEM）工具的检测具有挑战性。该研究计划的长期目标是通过使用更多样化的数据源来率先开发新一代安全数据分析技术，这些数据源可以更好地了解威胁环境，并为网络事件归因和弹性部署合理的解决方案。该研究计划的短期目标是开发一个新的框架，用于使用来自传统安全生态系统和组织边界以外的数据来检测、响应和调查长期攻击。 该研究将利用大型动态不确定多重图理论来连贯地表达和分析各种异构数据源的安全数据，并有意义地链接看似无害和不相关的事件，以暴露隐藏和长期的攻击模式。事实上，现有的攻击图受到可扩展性挑战的削弱：它们的范围有限，针对特定类型的威胁，并且依赖于有限的数据源。该研究将通过开发新技术来加强现有的网络防御，以更大规模地观察和处理恶意模式和活动，包括可能跨越整个数据中心的长期活动。这将有利于加拿大加强对数字资产和关键基础设施的保护，并提高加拿大网络安全行业的竞争力。 11名高素质人员（HQP），4名博士生，3名硕士生和4名本科生，将直接在该计划中接受安全威胁评估和缓解培训。 该计划将由Issa Traore博士领导，他是几篇有影响力的网络安全论文的合著者，也是IEEE信息安全和取证交易编辑委员会的现任成员。