論文使用權限 Thesis access permission:自定論文開放時間 user define
開放時間 Available:
校內 Campus:開放下載的時間 available 2029-08-28
校外 Off-campus:開放下載的時間 available 2029-08-28
博碩士論文 etd-0728124-142415 詳細資訊
Title page for etd-0728124-142415
論文名稱 Title |
基於進階持續性威脅情資構建之攻擊模擬自動化技術:以史丹佛研究機構問題解決方案為例 Automated Cyber Adversary Emulation with Advanced Persistent Threat Intelligence Construction: Leveraging Stanford Research Institute Problem Solver for Domain Knowledge Integration |
||
系所名稱 Department |
|||
畢業學年期 Year, semester |
語文別 Language |
||
學位類別 Degree |
頁數 Number of pages |
90 |
|
研究生 Author |
|||
指導教授 Advisor |
|||
召集委員 Convenor |
|||
口試委員 Advisory Committee |
|||
口試日期 Date of Exam |
2024-07-22 |
繳交日期 Date of Submission |
2024-08-28 |
關鍵字 Keywords |
對手模擬、網路安全、自動化、後滲透活動、威脅重構、計劃和行動演算法、網路防禦訓練、弱點評估 Adversary Emulation, Vulnerability Assessment, Network Security, Post-Exploitation Activities, Threat Reconstruction, Planning and Acting Algorithms, Defense Training |
||
統計 Statistics |
本論文已被瀏覽 181 次,被下載 0 次 The thesis/dissertation has been browsed 181 times, has been downloaded 0 times. |
中文摘要 |
對手模擬旨在透過模擬真實世界的對手,包括他們的技術、戰術、程式和目標,來評估網路的整體狀態。這種方法對於了解和減輕網路基礎設施中的潛在安全威脅至關重要。然而,對手模擬的部署通常會面臨幾個重大挑戰。這些挑戰包括高昂的部署成本、耗時的過程、重複性問題以及需要專業知識的必要性。這些因素共同使得常規的對手模擬測試難以進行和維持。 為了解決這些問題,本文提出了一個針對後滲透活動的自動化對手模擬新框架。此方法將對手模擬重新概念化為計劃和行動的問題,從而開發更系統和高效的方法。這包括開發定制的編碼方法和規劃演算法,以準確模擬對手行為。該框架利用基於邏輯編碼、規劃語言的自動化規劃器,建模目標網路環境,以處理紅隊場景中固有的大量不確定性,準確理解目標網路狀態,並推理出進一步的對手模擬行動。 驗證此框架的有效性是本研究的關鍵組成部分。實驗過程透過構建包含已知漏洞的實驗網路環境來實現這一目標。這些環境被用來嚴格測試弱點並訓練網路防禦者。透過這一過程,展示了該自動化對手模擬框架的實際應用性和優勢。結果表明,這種方法可以顯著提高對手模擬的效率和效果,使其得以成為常規和全面網路安全評估的解決方案。 |
Abstract |
Adversary Emulation aims to evaluate the comprehensive state of a network by simulating real-world adversaries, including their techniques, tactics, procedures, and objectives. This approach is crucial for understanding and mitigating potential security threats within network infrastructures. However, the deployment of adversary emulation is often hindered by several significant challenges. These challenges include the high cost associated with the deployment, the time-consuming nature of the processes involved, issues with repeatability, and the necessity for specialized expertise. These factors collectively make regular adversary emulation tests difficult to conduct and maintain. To address these issues, an automated adversary emulation framework focused on post-exploitation activities has been proposed. This approach re-conceptualizes adversary emulation as a problem of planning and action, thereby developing a more systematic and efficient method. It involves the development of customized encoding methods and planning algorithms to accurately simulate adversary behavior. The framework leverages an automated planner based on logical encoding and planning languages to model the target network environment. This allows it to manage the inherent uncertainties in red team scenarios, accurately understand the state of the target network, and infer subsequent adversary actions. The validation of our framework's effectiveness is a critical component of our research. This was achieved by constructing an experimental network environment containing known vulnerabilities. These environments were used to rigorously test weaknesses and train network defenders. Through this process, the practical applicability and advantages of the automated adversary emulation framework were demonstrated. The results indicate that this approach can significantly improve the efficiency and effectiveness of adversary emulation, making it a viable solution for routine and comprehensive network security assessments. |
目次 Table of Contents |
論文審定書 i 摘要 ii Abstract iv Contents v Table of Figures viii Table of Tables ix Table of Listings x Chapter 1 Introduction 1 1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.2 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.3 Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Chapter 2 Preliminary 5 2.1 MITRE ATT&CK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.2 Stanford Research Institute Problem Solver . . . . . . . . . . . . . . . . . . . 8 2.3 Planning Domain Definition Language . . . . . . . . . . . . . . . . . . . . . . 9 Chapter 3 Related Works 10 3.1 Adversary Emulation Frameworks . . . . . . . . . . . . . . . . . . . . . . . . 10 3.2 Advanced Persistent Threats (APT) Simulation . . . . . . . . . . . . . . . . . 11 3.3 Real-time Threat Intelligence Integration . . . . . . . . . . . . . . . . . . . . . 11 3.4 Automated Penetration Testing . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Chapter 4 The System Architecture 14 4.1 The Architecture Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 4.1.1 Knowledge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 4.1.2 Decision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 4.2 Command and Control Server Implementation . . . . . . . . . . . . . . . . . . 16 4.2.1 Development and Features . . . . . . . . . . . . . . . . . . . . . . . . 16 4.2.2 Architecture and Workflow . . . . . . . . . . . . . . . . . . . . . . . . 17 4.2.3 TTP Execution Module . . . . . . . . . . . . . . . . . . . . . . . . . . 18 4.3 Adversary Emulation Model . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 4.3.1 World Model Construction . . . . . . . . . . . . . . . . . . . . . . . . 20 4.3.2 Entities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 4.3.3 Predicates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 4.3.4 Simulating the Adversary . . . . . . . . . . . . . . . . . . . . . . . . 25 4.4 Algorithm Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 4.4.1 Problem Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 4.4.2 Extending the STRIPS model . . . . . . . . . . . . . . . . . . . . . . 28 4.4.3 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Chapter 5 Experiment and Evaluation 33 5.1 Experimental Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 5.2 APT37 Emulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 5.2.1 Experimental Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 5.2.2 Experimental Results . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 5.3 APT29 Emulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 5.3.1 Experimental Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 5.3.2 Experimental Results . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 5.4 Comparison and Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Chapter 6 Conclusions 47 Appendix A Implementation of Planning Domain Definition Language 53 Appendix B Experiment Log of the APT37 Emulation 56 Appendix C Experiment Log of the APT29 Emulation 59 |
參考文獻 References |
[1] S. Karagiannis, A. Tokatlis, S. Pelekis, M. Kontoulis, G. Doukas, C. Ntanos, and E. Magkos, “A-demo: Att&ck documentation, emulation and mitigation operations: de- ploying and documenting realistic cyberattack scenarios-a rootkit case study,” in Proceed- ings of the 25th Pan-Hellenic Conference on Informatics, pp. 328–333, 2021. [2] V. Machaka and T. Balan, “Investigating proactive digital forensics leveraging adversary emulation,” Applied Sciences, vol. 12, no. 18, p. 9077, 2022. [3] J. Elgh, “Comparison of adversary emulation tools for reproducing behavior in cyber attacks,” Master’s thesis, Linko ̈ping University, 2022. [4] A. B. Ajmal, M. A. Shah, C. Maple, M. N. Asghar, and S. U. Islam, “Offensive secu- rity: Towards proactive threat hunting via adversary emulation,” IEEE Access, vol. 9, pp. 126023–126033, 2021. [5] A. B. Ajmal, S. Khan, M. Alam, A. Mehbodniya, J. Webber, and A. Waheed, “Toward effective evaluation of cyber defense: Threat based adversary emulation approach,” IEEE Access, vol. 11, pp. 70443–70458, 2023. [6] J. D. Yoo, E. Park, G. Lee, M. K. Ahn, D. Kim, S. Seo, and H. K. Kim, “Cyber attack and defense emulation agents,” Applied Sciences, vol. 10, no. 6, p. 2140, 2020. [7] “The MITRE Corporation.” https://attack.mitre.org/, [Online; accessed 16-May- 2024]. [8] R. E. Fikes and N. J. Nilsson, “Strips: A new approach to the application of theorem proving to problem solving,” Artificial intelligence, vol. 2, no. 3-4, pp. 189–208, 1971. [9] M. Ghallab, D. Nau, and P. Traverso, Automated Planning: theory and practice. Elsevier, 2004. [10] A.Zhao,J.Xu,M.Konakovic ́-Lukovic ́,J.Hughes,A.Spielberg,D.Rus,andW.Matusik, “Robogrammar: graph grammar for terrain-optimized robot design,” ACM Transactions on Graphics (TOG), vol. 39, no. 6, pp. 1–16, 2020. [11] C.Aeronautiques,A.Howe,C.Knoblock,I.D.McDermott,A.Ram,M.Veloso,D.Weld, D. W. Sri, A. Barrett, D. Christianson, et al., “Pddl: the planning domain definition language,” Technical Report, 1998. [12] M. Fox and D. Long, “Pddl2. 1: An extension to pddl for expressing temporal planning domains,” Journal of Artificial Intelligence Research, vol. 20, pp. 61–124, 2003. [13] H.L.YounesandM.L.Littman,“Ppddl1.0:Anextensiontopddlforexpressingplanning domains with probabilistic effects,” Techn. Rep. CMU-CS-04-162, vol. 2, p. 99, 2004. [14] A. Gerevini and D. Long, “Plan constraints and preferences in pddl3,” ICAPS 2006, p. 7, 2006. [15] D. Long, “Automated planning: Theory and practice,” Assembly Automation, vol. 25, no. 2, 2005. [16] Atomic-Red-Team. https://redcanary.com/blog/atomic-red-team-testing/, [Online; accessed 16-May-2024]. [17] The MITRE Corporation, “CALDERA.” https://caldera.mitre.org/, [Online; ac- cessed 16-May-2024]. [18] RedHunt Labs. https://github.com/redhuntlabs/RedHunt-OS, [Online; accessed 14-Aug-2024]. [19] Nextron Systems. https://github.com/NextronSystems/APTSimulator, [Online; accessed 14-Aug-2024]. [20] Mauricio Velazco. https://www.detectionlab.network/usage/purplesharp/, [Online; accessed 14-Aug-2024]. [21] O. Cherqi, H. Hammouchi, M. Ghogho, and H. Benbrahim, “Leveraging open threat exchange (otx) to understand spatio-temporal trends of cyber threats: Covid-19 case study,” in 2021 IEEE International Conference on Intelligence and Security Informatics (ISI), pp. 1–6, IEEE, 2021. [22] C. Wagner, A. Dulaunoy, G. Wagener, and A. Iklody, “Misp: The design and implementation of a collaborative threat intelligence sharing platform,” in Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security, pp. 49–56, 2016. [23] L. Greenwald and R. Shanley, “Automated planning for remote penetration testing,” in MILCOM 2009-2009 IEEE Military Communications Conference, pp. 1–7, IEEE, 2009. [24] S. Shah and B. Mehtre, “An automated approach to vulnerability assessment and penetration testing using net-nirikshak 1.0,” in 2014 IEEE International Conference on Advanced Communications, Control and Computing Technologies, pp. 707–712, IEEE, 2014. [25] E. Jiang, Attack Planner: Systematization and Expansion of Persistence Knowledge. PhD thesis, Massachusetts Institute of Technology, 2022. [26] H. Shrobe, “Computational vulnerability analysis for information survivability,” AI Magazine, vol. 23, no. 4, pp. 81–81, 2002. [27] H. V. Nguyen and T. Uehara, “Multilayer action representation based on mitre att&ck for automated penetration testing,” Journal of Information Processing, vol. 31, pp. 562–577, 2023. [28] J. da Rocha Valente, Vulnerability Trends in IoT Devices and New Sensor-assisted Security Protections. PhD thesis, University of Texas at Dallas, 2018. [29] S.Chaudhary,A.O’Brien,andS.Xu,“Automated post-breach penetration testing through reinforcement learning,” in 2020 IEEE Conference on Communications and Network Security (CNS), pp. 1–2, IEEE, 2020. [30] K. Qian, D. Zhang, P. Zhang, Z. Zhou, X. Chen, and S. Duan, “Ontology and rein- forcement learning based intelligent agent automatic penetration test,” in 2021 IEEE In- ternational Conference on Artificial Intelligence and Computer Applications (ICAICA), pp. 556–561, IEEE, 2021. [31] T. Cody, P. Beling, and L. Freeman, “Towards continuous cyber testing with reinforcement learning for whole campaign emulation,” in 2022 IEEE AUTOTESTCON, pp. 1–5, IEEE, 2022. [32] S. Y. Enoch, Z. Huang, C. Y. Moon, D. Lee, M. K. Ahn, and D. S. Kim, “Harmer: Cyber- attacks automation and evaluation,” IEEE Access, vol. 8, pp. 129397–129414, 2020. [33] The MITRE Corporation, “APT37.” https://attack.mitre.org/groups/G0067/, [Online; accessed 29-July-2024]. [34] The MITRE Corporation, “APT29.” https://attack.mitre.org/groups/G0016/, [Online; accessed 29-July-2024]. [35] G. Deng, Y. Liu, V. Mayoral-Vilches, P. Liu, Y. Li, Y. Xu, T. Zhang, Y. Liu, M. Pinzger, and S. Rass, “Pentestgpt: An llm-empowered automatic penetration testing tool,” arXiv preprint arXiv:2308.06782, 2023. [36] J. Xu, J. W. Stokes, G. McDonald, X. Bai, D. Marshall, S. Wang, A. Swaminathan, and Z. Li, “Autoattacker: A large language model guided system to implement automatic cyber-attacks,” arXiv preprint arXiv:2403.01038, 2024. |
電子全文 Fulltext |
本電子全文僅授權使用者為學術研究之目的,進行個人非營利性質之檢索、閱讀、列印。請遵守中華民國著作權法之相關規定,切勿任意重製、散佈、改作、轉貼、播送,以免觸法。 您的 IP(校外) 位址是 216.73.216.216 現在時間是 2025-06-14 論文校外開放下載的時間是 2029-08-28 Your IP address is 216.73.216.216 The current date is 2025-06-14 This thesis will be available to you on 2029-08-28. |
紙本論文 Printed copies |
紙本論文的公開資訊在102學年度以後相對較為完整。如果需要查詢101學年度以前的紙本論文公開資訊,請聯繫圖資處紙本論文服務櫃台。如有不便之處敬請見諒。 開放時間 available 2029-08-28 |
QR Code |
國立中山大學 圖書與資訊處 │ 諮詢服務:2453 論文審查小組 │ 服務信箱 │ 系統開發維運:圖資處知識創新組
Office of Library and Information Services, National Sun Yat-sen University │ Contact Us : 2453 Thesis Format Review Team , Mail │ Development and operations : Knowledge Innovation Division, LIS