UHH-ISS/rt-kcsm

GitHub: UHH-ISS/rt-kcsm

基于杀伤链状态机模型关联 IDS 告警以实时检测多阶段攻击并降低误报率的安全研究工具。

Stars: 7 | Forks: 1

[![论文](https://img.shields.io/badge/CNS66487.2025.11194951-blue?style=flat-rounded&logo=doi&logoColor=flat)](https://doi.org/10.1109/CNS66487.2025.11194951) [![在 Code Ocean 中打开](https://codeocean.com/codeocean-assets/badge/open-in-code-ocean.svg)](https://codeocean.com/capsule/2288451/tree) # 实时杀伤链状态机 (RT-KCSM) 通过关联来自入侵检测系统 (IDS) 的警报来检测多阶段攻击,从而生成场景图。 [我们的论文](https://doi.org/10.1109/CNS66487.2025.11194951) 的实现: ``` @inproceedings{kistenmacher2025rtkcsm, title={Real-Time Detection of Multi-Stage Attacks Using Kill Chain State Machines}, author={Kistenmacher, Liliana and Talpur, Anum and Fischer, Mathias}, booktitle={2025 IEEE Conference on Communications and Network Security (CNS)}, pages={1--9}, year={2025}, organization={IEEE}, doi={10.1109/CNS66487.2025.11194951} } ``` ## 使用 Docker 运行 ``` docker run --rm -v ./data/alerts/:/data/ -p 8080:8080 ghcr.io/uhh-iss/rt-kcsm:latest --server :8080 --file /data/ids2018-apt/notice.json --reader zeek ``` CLI 选项: ``` $ rtkcsm -h Usage: rtkcsm [--file FILE] [--listen LISTEN] [--server SERVER] [--import IMPORT] [--reader READER] [--transport TRANSPORT] [--export EXPORT] [--risk RISK] [--profile PROFILE] [--profile-graph-ranking-id PROFILE-GRAPH-RANKING-ID] [--stage-weight STAGE-WEIGHT] [--profile-log-resolution PROFILE-LOG-RESOLUTION] Options: --file FILE filepath of logs from suricata (eve.json) or zeek (JSON format) --listen LISTEN TCP port to listen on for alerts --server SERVER web interface port for visualization --import IMPORT Import existing graphs --reader READER format for reading from transport: 'zeek', 'suricata', 'ocsf', 'suricata-tenzir' [default: suricata] --transport TRANSPORT 'file', 'stdin', or 'tcp' for ingesting alerts [default: file] --export EXPORT file name of exported graphs from RT-KCSM --risk RISK set risk score (low=0.5,default=1.0,high=1.5) of an IP address for a host/asset: --risk 10.0.0.1=1.5 --profile PROFILE performance profile options: memory=/path/to/file, cpu=/path/to/file, alerts=/path/to/file, graphs=/path/to/file, graph-ranking=/path/to/file, progress=true --profile-graph-ranking-id PROFILE-GRAPH-RANKING-ID graph id for profiling ranking --stage-weight STAGE-WEIGHT set custom stage weights (incoming, same-zone, different-zone, outgoing): --stage-weight incoming=0.1 --profile-log-resolution PROFILE-LOG-RESOLUTION resolution of updating alert count [default: 1000] --help, -h display this help and exit ``` ## 运行实验 ### 1. 安装以下前置条件 前置条件: - `Golang 1.24` - `Node.js 23.11.0` - `npm 10.9.2` - `Python 3.13` 和 `pipenv` - `bash` 或 `zsh` ### 2. 运行评估脚本 ``` ./code/evaluation/run-evaluation.sh ``` 结果图表位于 `results/figures/` 中
标签:Metaprompt, MITM代理, 告警关联, 安全可视化, 日志审计, 杀伤链, 网络安全, 请求拦截, 逆向工具, 隐私保护