| Field | Value |
|---|---|
| Graduate student: | 許展境 Xu, Zhan-Jing |
| Thesis title: | 基於APT攻擊模型與事件組合之攻擊路徑圖預測及簡化方法 (An Attack Path Prediction and Simplification Method Based on APT Attack Models and Event Combinations) |
| Advisors: | 楊竹星 Yang, Chu-Sing; 蔡邦維 Tsai, Pang-Wei |
| Degree: | Master (碩士) |
| Department: | College of Electrical Engineering and Computer Science - Department of Electrical Engineering (電機資訊學院 - 電機工程學系) |
| Year of publication: | 2024 |
| Academic year of graduation: | 112 |
| Language: | Chinese |
| Pages: | 75 |
| Chinese keywords (translated): | Cyberattack, Attack graph, MITRE ATT&CK, APT attack, Attack prediction |
| Foreign-language keywords: | Cyberattack, Attack Graph, MITRE ATT&CK, APT, Attack Prediction |
| Access count: | Views: 41, Downloads: 11 |
Abstract (translated from Chinese): Among the cyberattacks of recent years, the share of APT (Advanced Persistent Threat) attacks, best known to the public through ransomware, has been rising steadily, which makes prevention of such multi-step attack behaviour all the more important. Before executing its attack code, an APT attack usually prepares by moving between devices and exploiting weaknesses, but this preparatory behaviour is typically not threatening in itself and is hard to recognise with traditional vulnerability scanning. A method is therefore needed that can reveal possible attack paths in advance in order to prevent APT attacks. An attack graph is a very suitable way to observe attack routes beforehand; however, neither attack graphs nor event descriptions have a clear standard. Fortunately, on the attack-graph side MulVAL, an open-source attack graph generation framework, is widely accepted in current research, and on the event-description side the ATT&CK Framework proposed by MITRE has in recent years been gradually adopted by industry. This study therefore maps the Event_IDs in event combinations, vulnerability scan reports and related information onto the ATT&CK Matrix, uses the Unified Kill Chain and other APT attack models to resolve the problem that MITRE ATT&CK itself carries no ordering, and then applies the result to the attack graph output by MulVAL, so that the same events always produce the same attack path graph.
This thesis proposes a method, based on MITRE ATT&CK, for extending and modifying the MulVAL attack graph generation architecture. The study uses three models commonly used to describe APT attacks for path filtering, uses the continuity of attack actions to address the limitation that most current attack graph generation research considers only the vulnerabilities themselves, and uses behaviour combinations common in APT attacks to score and simplify the remaining paths, with the goal of reducing the complex original attack graph to the most probable and most readable attack path graph.
In recent years, network attacks have increasingly become multi-step and targeted at individual organizations, shifting research focus from real-time detection to proactive prevention. Previous studies, often conducted in closed network environments and based on CVSS scores, were easily influenced by single nodes. Our framework calculates path scores using event combinations and filters paths through the Advanced Persistent Threat (APT) attack model. In this study, three APT models were employed to design an attack path filtering method, achieving nearly a 90% reduction rate in open network environments. Event combinations specific to APT attacks were used for scoring, resulting in attack paths that closely resemble real-world events. For visualization, Levenshtein distance similarity and the simplification of non-essential information nodes were applied to enhance user experience.
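To make the pipeline described in the abstract concrete, the following is an added illustrative example written for this page; it is not the thesis's code and does not reproduce its actual models, weights or graph format. It assumes that each candidate path from the attack graph has already been mapped to a sequence of ATT&CK tactic names, that a simplified kill-chain phase ordering (constructed here, loosely modelled on the Unified Kill Chain) can be used to reject paths whose phases run backwards, that a hypothetical table of tactic pairs stands in for the APT "event combination" scores, and that near-duplicate paths are merged when the Levenshtein similarity of their tactic sequences exceeds a threshold.

```python
"""Added example (not from the thesis): filter, score and simplify attack
paths given as sequences of MITRE ATT&CK tactic names."""
from typing import Dict, List, Sequence, Tuple

# Constructed, simplified kill-chain phase ranks (assumption, not the
# thesis's model). Equal ranks may occur in either order.
PHASE_ORDER: Dict[str, int] = {
    "initial-access": 0,
    "execution": 1,
    "persistence": 1,
    "privilege-escalation": 2,
    "credential-access": 3,
    "discovery": 3,
    "lateral-movement": 4,
    "collection": 5,
    "exfiltration": 6,
    "impact": 6,
}

# Hypothetical "event combination" weights: consecutive tactic pairs that are
# typical of APT intrusions score higher. Values are constructed.
COMBINATION_WEIGHTS: Dict[Tuple[str, str], float] = {
    ("privilege-escalation", "credential-access"): 1.5,
    ("credential-access", "lateral-movement"): 2.0,
    ("discovery", "lateral-movement"): 1.5,
    ("lateral-movement", "collection"): 1.0,
    ("collection", "exfiltration"): 2.0,
}

Path = List[str]


def is_kill_chain_consistent(path: Path) -> bool:
    """Model filter: reject a path whose phase rank ever decreases."""
    ranks = [PHASE_ORDER[t] for t in path]
    return all(a <= b for a, b in zip(ranks, ranks[1:]))


def combination_score(path: Path) -> float:
    """Sum the weights of every consecutive tactic pair on the path."""
    return sum(COMBINATION_WEIGHTS.get(pair, 0.0) for pair in zip(path, path[1:]))


def levenshtein(a: Sequence[str], b: Sequence[str]) -> int:
    """Edit distance over sequences of tactic names (one row of DP at a time)."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cost = 0 if x == y else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def similarity(a: Sequence[str], b: Sequence[str]) -> float:
    """Normalised Levenshtein similarity in [0, 1]."""
    return 1.0 - levenshtein(a, b) / max(len(a), len(b), 1)


def simplify_paths(paths: List[Path], threshold: float = 0.8) -> List[Tuple[Path, float, int]]:
    """Filter by the phase model, rank by combination score, then fold each
    path into the first higher-ranked representative it is similar to.
    Returns (representative path, score, number of merged paths) tuples."""
    candidates = sorted(filter(is_kill_chain_consistent, paths),
                        key=combination_score, reverse=True)
    kept: List[Tuple[Path, float, int]] = []
    for p in candidates:
        for i, (rep, score, merged) in enumerate(kept):
            if similarity(rep, p) >= threshold:
                kept[i] = (rep, score, merged + 1)
                break
        else:
            kept.append((p, combination_score(p), 0))
    return kept


# Constructed sample paths, as if extracted from a MulVAL graph and mapped
# onto ATT&CK tactics.
P1 = ["initial-access", "execution", "discovery", "credential-access",
      "lateral-movement", "collection", "exfiltration"]
P2 = ["initial-access", "execution", "discovery", "lateral-movement",
      "collection", "exfiltration"]                      # near-duplicate of P1
P3 = ["initial-access", "lateral-movement", "discovery", "collection"]  # phases run backwards
P4 = ["initial-access", "execution", "privilege-escalation",
      "credential-access", "lateral-movement", "impact"]
SAMPLE_PATHS = [P1, P2, P3, P4]

if __name__ == "__main__":
    for path, score, merged in simplify_paths(SAMPLE_PATHS):
        print(f"score={score:.1f} merged={merged} path={' -> '.join(path)}")
```

On the constructed input, P3 is dropped by the phase filter, P2 is folded into P1 (one tactic deleted, similarity 6/7), and P4 survives as a separate path because it differs from P1 in three positions; the result is two readable representative paths instead of four. In a real deployment the phase table and pair weights would be derived from the APT models and event data the thesis describes, not hand-written as here.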