Advanced persistent threat (APT) attacks pose a great challenge to data protection in enterprises and governments. Building malware from 0-day vulnerabilities is a common route for APT-level attacks, and traditional signature-based security systems can hardly detect such attacks. In order to detect malware that leaks sensitive information, we first analyze APT malware that has already appeared and map out the attack steps used to steal information; on this basis we propose a malware detection scheme targeting data-leak behavior, used to detect malware of the same attack type. The scheme combines anomaly detection with misuse detection, continuously monitors the protected hosts and network at low overhead, and additionally proposes a set of inference rules that describe the high-level malicious events observable in the attack steps. Once a suspicious event is observed, low-level behaviors of the hosts and network are collected further, the inference rules correlate these low-level behaviors with high-level malicious events, and from this the information-stealing attack steps are reconstructed, thereby detecting the presence of an attack. Simulation experiments verify the effectiveness of the scheme.
The advanced persistent threat (APT) attack is a big challenge to enterprise and governmental data protection. The use of 0-day exploits is prevalent in malware capable of APT attacks, and traditional security systems relying on known features can hardly detect it. In order to detect malware that steals sensitive information, we first analyze existing APT malware and describe the steps of its attacks. Based on this analysis, we propose a malware detection method focusing on data breach actions for the same kind of malware. Combining anomaly detection with misuse detection, this method enables persistent monitoring, protecting hosts and the network at low cost. Also proposed are inference rulesets that describe the high-level malicious events observed in the attack steps. Once suspicious events are detected, low-level actions from the hosts and the network are further collected and correlated to high-level malicious events by the inference rules. Eventually we reconstruct the data breach attack procedure to judge whether an attack exists. Simulation experiments verify the effectiveness of the method.
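The two abstracts above describe the same pipeline: inference rules map low-level host and network behaviors to high-level malicious events, and the attack procedure is reconstructed from those events. The following is an added example, not code from the paper: a toy correlation engine that applies one misuse-style rule (a document viewer spawning a child executable), one policy rule (a suspicious process reading a protected directory) and one anomaly-style rule (an outbound flow far above the host's learned baseline), then reports a host only when all steps of the assumed attack procedure occur in order for the same process. The rule set, the attack-step order, the baseline values and every event record are constructed for illustration and are not taken from the paper.

```python
"""Toy inference engine: correlate low-level events into high-level malicious
events and reconstruct a data-breach attack chain per host and process.
Rules, thresholds and sample events are constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    ts: int            # seconds since monitoring started
    host: str
    kind: str          # "process_start" | "file_read" | "net_send"
    attrs: dict = field(default_factory=dict)


# Assumed policy data (constructed, not from the paper).
DOCUMENT_APPS = {"winword.exe", "excel.exe", "acrord32.exe"}
PROTECTED_DIRS = ("/srv/finance/", "/srv/hr/")
# Learned "normal" upload size per host; unknown hosts fall back to a default.
BASELINE_BYTES_PER_FLOW = {"host-a": 2_000, "host-b": 2_000}
DEFAULT_BASELINE = 2_000
ANOMALY_FACTOR = 10

# High-level events in the order the assumed attack procedure expects them.
ATTACK_STEPS = ["suspicious_process", "sensitive_access", "exfiltration"]


def infer_high_level(event: Event, flagged: Set[Tuple[str, int]]) -> Optional[str]:
    """Apply the inference rules to one low-level event.

    Returns the name of the high-level malicious event it supports, or None.
    Rules after the first only fire for a (host, pid) already under suspicion,
    which keeps ordinary backup or sync jobs from being reported."""
    pid = event.attrs.get("pid")
    if event.kind == "process_start" and event.attrs.get("parent") in DOCUMENT_APPS:
        # Misuse rule: a document viewer launching another executable.
        return "suspicious_process"
    if (event.host, pid) not in flagged:
        return None
    if event.kind == "file_read" and event.attrs.get("path", "").startswith(PROTECTED_DIRS):
        # Policy rule: a suspicious process touching protected data.
        return "sensitive_access"
    if event.kind == "net_send" and not event.attrs.get("internal", False):
        # Anomaly rule: external upload far above this host's baseline.
        baseline = BASELINE_BYTES_PER_FLOW.get(event.host, DEFAULT_BASELINE)
        if event.attrs.get("bytes", 0) > ANOMALY_FACTOR * baseline:
            return "exfiltration"
    return None


def correlate(events: List[Event]) -> Dict[str, List[Tuple[str, int, int]]]:
    """Return {host: [(high-level event, ts, pid), ...]} in time order."""
    flagged: Set[Tuple[str, int]] = set()
    findings: Dict[str, List[Tuple[str, int, int]]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        step = infer_high_level(ev, flagged)
        if step is None:
            continue
        pid = ev.attrs.get("pid")
        flagged.add((ev.host, pid))   # later rules may now fire for this process
        findings.setdefault(ev.host, []).append((step, ev.ts, pid))
    return findings


def reconstruct_attack(events: List[Event]) -> Dict[str, int]:
    """Map host -> pid for every process whose high-level events cover all
    attack steps in the procedure's order; partial or out-of-order chains
    are not reported."""
    compromised: Dict[str, int] = {}
    for host, found in correlate(events).items():
        steps_by_pid: Dict[int, List[str]] = {}
        for step, _ts, pid in found:
            steps_by_pid.setdefault(pid, []).append(step)
        for pid, steps in steps_by_pid.items():
            positions = [steps.index(s) for s in ATTACK_STEPS if s in steps]
            if len(positions) == len(ATTACK_STEPS) and positions == sorted(positions):
                compromised[host] = pid
    return compromised


# Constructed sample telemetry. 203.0.113.7 is a documentation address.
SAMPLE_EVENTS = [
    # host-a: a document viewer spawns a child that reads HR data and uploads it
    Event(10, "host-a", "process_start", {"pid": 4242, "image": "update.exe", "parent": "winword.exe"}),
    Event(12, "host-a", "file_read", {"pid": 4242, "path": "/srv/hr/payroll.xlsx"}),
    Event(30, "host-a", "net_send", {"pid": 4242, "dst": "203.0.113.7", "bytes": 50_000_000, "internal": False}),
    # host-b: a scheduled backup reads protected data and sends it to an internal server
    Event(11, "host-b", "process_start", {"pid": 900, "image": "backup.exe", "parent": "services.exe"}),
    Event(13, "host-b", "file_read", {"pid": 900, "path": "/srv/finance/ledger.db"}),
    Event(20, "host-b", "net_send", {"pid": 900, "dst": "10.0.0.5", "bytes": 80_000_000, "internal": True}),
]

if __name__ == "__main__":
    for host, chain in correlate(SAMPLE_EVENTS).items():
        print(host, chain)
    print("reconstructed:", reconstruct_attack(SAMPLE_EVENTS))
```

On the sample data only host-a is reported, and only because the three high-level events belong to the same process and arrive in the expected order; host-b's backup job reads the same class of data but never passes the first rule, so its large internal transfer is never evaluated. The design choice worth noting is that the later rules are gated on an earlier suspicion, which is what keeps the continuous monitoring cheap: the expensive correlation work is only done for processes that have already produced one anomalous or misuse-matching event.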