Cybersecurity Threat Detection and Attack Attribution: Attack Pattern Detection and Prediction

This article discusses the detection of cybersecurity threats and the attribution of attacks, focusing on how data science methods, in particular computer vision and machine learning, can be used to predict and recognize attack patterns.

Cybersecurity Threat Detection and Attack Attribution

Cyber-adversaries are becoming more sophisticated in their efforts to avoid detection, and many modern malware tools already incorporate new ways to bypass antivirus and other threat detection measures. Because networks and organizations use sophisticated methods to detect and respond to attacks, the defensive response can be strong enough that criminals answer with something even stronger. Cybercriminals are growing more sophisticated, and the potential for artificial intelligence (AI) attacks is widening alongside them.

Cybersecurity, however, is at a critical juncture: the field must focus future research on cyber-attack prediction systems that can anticipate critical scenarios and outcomes, rather than relying on defensive solutions and concentrating on mitigation. Computer systems around the world need systems based on a comprehensive, predictive analysis of cyber threats.

Artificial intelligence (AI), which relies heavily on machine learning (ML), can recognize patterns arising from past experience and make predictions based on them. In recent years, swarm technology, which can use machine learning and AI to attack networks and devices, has shown new potential.

Useful attack patterns can be defined by understanding patterns of behavior, analyzing the patterns and connections between malicious activities, predicting future moves, and ultimately preventing or detecting potentially malicious behavior.

The cyber-threat prediction systems described above offer promising but still limited possibilities; handling large-scale coordinated attacks requires progress on several fronts, including the detection and prediction of events generated in computer systems. Obfuscation techniques deliberately make malicious code difficult to understand so that it evades network detection.

When assessing network security risks, the behavior of attackers must be taken into account. Given the number of known vulnerabilities and the choices an attacker could make to infiltrate a network, this can be a daunting task.

[Image: Photo by Chris Liverani on Unsplash]

In one recent study, data was fed into two deep-learning techniques that use sequential data to characterize cyber attacks. The researchers also integrated information-theory-based divergence measures to generate and refine hypothetical attacks on computers and networks.

Another research effort, funded by the NSF (National Science Foundation), aims to simulate cyber-attack scenarios based on renewed criminological theories of cybercriminals. The ASSERT/CASCADES project is evolving as we learn more about the ever-changing techniques of cyberterrorism. The project can use observable malicious activity occurring on a network to predict upcoming attacks. It is expected that strategies can be developed to differentiate ongoing malicious activities and to respond to upcoming critical threats before these events occur.

NEPAR is another attack pattern recognition project, which extracted data on the patterns of more than 1.5 million cyber attacks in the US and around the world. The team took data from both public and private sources, discovered the characteristics and patterns used in each attack, and used them to predict the likelihood of an attack on a particular system, such as a computer system or network, as well as the likelihood that an attack on that system would succeed.

Some organizations have already begun to perform statistical analyses of attacks using the MITRE framework for tactical sequencing. The Blue Team Defensive Game Book is used to predict tactics and map specific threats based on the Red Team's opposing game book, which is created and updated from collected data and analyzed by the organization's data collection and analysis tools, such as the Open Source Threat Assessment Toolkit (OSTAT). Defensive playbooks can then be developed to create reaction logs that identify attacks by their cyber fingerprints.
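The two ideas above, characterizing attacks as sequences and refining hypotheses with information-theoretic divergence measures (the study mentioned earlier) and statistical analysis of tactic sequences against the MITRE framework (this paragraph), can be made concrete with a small model. The following is an added example, not code from the article or from any project it names: a first-order Markov model over MITRE ATT&CK tactic sequences that predicts the most likely next tactic from the tactics observed so far, scores hypothetical attack paths against past incidents, and uses KL divergence to measure how far recent attacker behavior has drifted from the baseline. The tactic names are real ATT&CK tactic names; the incident sequences, the "reaction log" format and all function names are constructed for this example.

```python
"""Markov model over ATT&CK tactic sequences (added example, constructed data)."""
import math
from collections import Counter, defaultdict

START, END = "<start>", "<end>"

# Constructed "reaction log" of past incidents: each entry is the ordered list
# of tactics observed in one intrusion (hypothetical data, not real incidents).
BASELINE_SEQUENCES = [
    ["initial-access", "execution", "persistence", "discovery",
     "lateral-movement", "exfiltration"],
    ["initial-access", "execution", "discovery", "lateral-movement",
     "collection", "exfiltration"],
    ["initial-access", "execution", "persistence", "privilege-escalation",
     "credential-access", "lateral-movement", "impact"],
    ["initial-access", "execution", "discovery", "credential-access",
     "lateral-movement", "exfiltration"],
    ["initial-access", "persistence", "discovery", "lateral-movement",
     "collection", "exfiltration"],
]

# Constructed recent window in which intrusions go straight to impact after
# lateral movement (hypothetical data).
RECENT_SEQUENCES = [
    ["initial-access", "execution", "lateral-movement", "impact"],
    ["initial-access", "execution", "lateral-movement", "impact"],
    ["initial-access", "execution", "discovery", "lateral-movement", "impact"],
]


def build_transition_model(sequences, smoothing=0.5):
    """Estimate P(next tactic | current tactic) from past incidents.

    Additive smoothing gives every unseen transition a small non-zero
    probability, so a hypothesis containing a never-seen step can still be
    scored and the divergence below stays finite.
    """
    counts = defaultdict(Counter)
    for seq in sequences:
        path = [START] + list(seq) + [END]
        for cur, nxt in zip(path, path[1:]):
            counts[cur][nxt] += 1
    vocab = sorted({nxt for row in counts.values() for nxt in row})
    model = {}
    for cur, row in counts.items():
        total = sum(row.values()) + smoothing * len(vocab)
        model[cur] = {t: (row[t] + smoothing) / total for t in vocab}
    return model


def predict_next(model, observed, k=3):
    """Rank the k most likely next tactics given the tactics seen so far."""
    last = observed[-1] if observed else START
    if last not in model:
        raise ValueError(f"no transitions recorded from {last!r}")
    ranked = sorted(model[last].items(), key=lambda kv: (-kv[1], kv[0]))
    return [(t, round(p, 3)) for t, p in ranked if t != END][:k]


def score_hypothesis(model, tactics):
    """Mean log-probability per transition of a hypothetical attack path.

    The path is treated as possibly still in progress, so no END step is
    scored; averaging per transition keeps short and long hypotheses
    comparable instead of favoring the shortest one.
    """
    path = [START] + list(tactics)
    logp = 0.0
    for cur, nxt in zip(path, path[1:]):
        if cur not in model or nxt not in model[cur]:
            raise ValueError(f"transition {cur!r} -> {nxt!r} not in vocabulary")
        logp += math.log(model[cur][nxt])
    return logp / (len(path) - 1)


def rank_hypotheses(model, hypotheses):
    """Order candidate attack paths by plausibility under past incidents."""
    return sorted(hypotheses, key=lambda h: score_hypothesis(model, h), reverse=True)


def kl_divergence(p, q):
    """KL(p || q) over the support of p; q must cover that support."""
    return sum(pv * math.log(pv / q[t]) for t, pv in p.items() if pv > 0)


def behaviour_drift(baseline, recent, state):
    """How far the recent next-tactic distribution after `state` has moved
    away from the baseline one (0.0 means identical)."""
    return kl_divergence(recent[state], baseline[state])


if __name__ == "__main__":
    baseline = build_transition_model(BASELINE_SEQUENCES)
    recent = build_transition_model(RECENT_SEQUENCES)
    seen = ["initial-access", "execution", "discovery", "lateral-movement"]
    print("next tactic candidates:", predict_next(baseline, seen))
    hyps = [
        ["initial-access", "execution", "discovery", "lateral-movement", "exfiltration"],
        ["initial-access", "execution", "discovery", "lateral-movement", "impact"],
        ["initial-access", "impact"],
    ]
    for h in rank_hypotheses(baseline, hyps):
        print(f"{score_hypothesis(baseline, h):7.3f}  {' -> '.join(h)}")
    print("drift after lateral-movement:",
          round(behaviour_drift(baseline, recent, "lateral-movement"), 3))
```

With the constructed baseline, an intrusion that has reached lateral movement is predicted to continue with collection or exfiltration ahead of impact, while the recent window shows a large divergence after lateral movement, which is the kind of signal that prompts a defender to revise the hypothesis set and the corresponding playbook. A real deployment would build the baseline from the organization's own reaction logs and would usually need a higher-order or neural sequence model, as in the study cited above, to capture longer dependencies between tactics.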

Combining the two allows a SOC (Security Operations Center) team to get an accurate picture of what a phishing attack might look like and how employees can be alerted before they fall for the lure. When an opponent breaks through the network, attack strategies can be identified with the help of the Red Team Defensive Game Book.

[Image: Photo by Markus Spiske on Unsplash]

In a lazy security environment, predicting the next attack is the only way to stay one step ahead of the disruption associated with a successful email security incident. Identifying anomalies and patterns that show where the organization's vulnerabilities lie and where attackers could strike next is a proactive approach. Those who only try to identify yesterday's attack remain at greater risk.

It is believed that security researchers can use attack pattern recognition or detection methods as an approach that provides precautions against future attacks.

Cited Sources

Translated from: https://towardsdatascience.com/attack-pattern-detection-and-prediction-108fc3d47f03
