
Research On Key Technology Of APT Detection Based On Malicious Domain Name

Posted on: 2018-09-07
Degree: Master
Type: Thesis
Country: China
Candidate: L L Sun
Full Text: PDF
GTID: 2348330542490943
Subject: Engineering

Abstract/Summary:
With the rapid development of Internet technology, exchanging information has become convenient and fast. The Internet is no longer just a platform for information exchange but an important part of everyday learning, life and work: anyone can share information and distribute it quickly, and anyone who needs information can obtain it at once. While the Internet brings these benefits, criminals frequently exploit small flaws in network technology to attack other users for their own ends. Advanced Persistent Threat (APT) attacks in particular pose a serious threat to the sensitive information of enterprises and governments. Because they are run by experienced, technically capable attackers, last a long time and cause great harm, APTs are a new kind of composite network attack that has emerged in recent years, so research into methods that can detect such attacks is both necessary and urgent. During an attack an APT issues a large number of queries for malicious domain names, and these queries are recorded in DNS traffic logs. This thesis therefore approaches the problem from the detection of malicious domain names, in order to determine whether a host on the network has been compromised by an APT.

Among methods based on the length distribution of domain names, detecting an abnormal length distribution of the second-level domain name is the most commonly used way of finding malicious domains. The method first filters the newly collected domain-name data, computes a distance-function value for the second-level domain of each filtered record, and observes the distribution of these values to derive a threshold that characterises the second-level domain length distribution of malicious domains. The threshold is then used to decide whether a given domain name is malicious. In the experiments, the set of domain names this method labelled as malicious contained many legitimate domain names, which shows that the method produces false positives. On top of it, this thesis adds a check on the content similarity of the second-level domain name. Combining the two checks compensates for the weakness of the first method and improves the accuracy with which malicious domain names are detected.

In the method based on domain-name resolution behaviour, the analysis is again built on the length of the second-level domain name. After the collected data is filtered, known malicious and known legitimate domain names are used for training: some come from well-known sites, some from lists published by security organisations, and some were found during the experiments. From these known domain names two thresholds are trained, one for the standard deviation of the second-level domain length of legitimate domains and one for that of malicious domains, and both thresholds are then verified against real data. The query records are clustered by the time interval between two consecutive queries, and for each cluster the standard deviation of the second-level domain lengths is computed. That standard deviation is compared with the legitimate-domain threshold and the malicious-domain threshold, and the result of the comparison decides which domain-name data is malicious and which is legitimate. By detecting malicious domain names, traces of an APT attack can be found, the course of the attack can be reconstructed, and a hidden APT has nowhere left to hide.
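The following is an added example, not code from the thesis, showing the two checks the abstract describes in runnable form: a per-query length-distance filter, and time-gap clustering of a client's DNS queries with each cluster's second-level label length standard deviation compared against two trained thresholds. The log lines, the training lists, the distance function (a z-score against the legitimate mean length), the comparison rule (nearest threshold wins) and the minimum cluster size are all constructed assumptions; the thesis does not publish them.

```python
"""Added example (not the thesis's own code): time-gap clustering of DNS
queries and per-cluster standard deviation of second-level label lengths,
with thresholds trained from labelled domain lists, plus the simpler
per-query length-distance filter. Log lines, domain lists, the distance
function and the comparison rule are all constructed assumptions."""
import statistics
from collections import defaultdict

# Constructed training data: well-known legitimate names and DGA-looking
# malicious names (the thesis's real lists are not reproduced here).
LEGIT_TRAIN = ["google.com", "youtube.com", "facebook.com", "wikipedia.org",
               "amazon.com", "twitter.com", "reddit.com", "microsoft.com",
               "apple.com", "netflix.com"]
MALICIOUS_TRAIN = ["q8f3kz0pd1x7vb2.net", "a1b2c3d4e5f6g7h8.com",
                   "zx9q1w2e3r4t5y6u.info", "m0n1b2v3c4x5z6l7k.biz",
                   "p0o9i8u7y6t5r4e3.org", "k3j4h5g6f7d8s9a.net",
                   "l1k2j3h4g5f6d7s8.com", "w2e3r4t5y6u7i8o9p.org",
                   "c6v7b8n9m0l1k2j3.net", "d4f5g6h7j8k9l0z1.com"]

# Constructed DNS log, one record per line: "<epoch-seconds> <client-ip> <qname>".
# Client 10.0.0.5 issues a burst of DGA-like lookups and later some normal
# browsing; client 10.0.0.9 makes a single query (too little data to judge).
SAMPLE_LOG = """100.0 10.0.0.5 x7c2v9b4n1m6k3j8.com
100.4 10.0.0.5 h5g2f8d1s4a7p0o3.net
100.9 10.0.0.5 r3t6y9u2i5o8p1l.org
101.3 10.0.0.5 q1w4e7r0t3y6u9i2o.com
101.8 10.0.0.5 z8x5c2v9b6n3m0k7.net
300.0 10.0.0.9 apple.com
500.0 10.0.0.5 google.com
501.0 10.0.0.5 youtube.com
502.0 10.0.0.5 wikipedia.org
503.0 10.0.0.5 netflix.com
504.0 10.0.0.5 facebook.com""".splitlines()


def second_level_label(qname):
    """Label directly left of the TLD. Assumption: the sample data has no
    multi-label public suffixes such as co.uk (a real deployment would
    consult the public suffix list)."""
    parts = qname.strip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_dns_log(lines):
    """Parse the constructed log format into (timestamp, client, qname)."""
    recs = []
    for line in lines:
        ts, client, qname = line.split()
        recs.append((float(ts), client, qname))
    return sorted(recs)


def cluster_by_gap(records, max_gap):
    """Per client, consecutive queries no more than max_gap seconds apart
    form one cluster (the abstract's time-interval clustering)."""
    open_clusters, last_ts, finished = defaultdict(list), {}, []
    for ts, client, qname in records:
        if client in last_ts and ts - last_ts[client] > max_gap:
            finished.append((client, open_clusters.pop(client)))
        open_clusters[client].append(qname)
        last_ts[client] = ts
    finished.extend(open_clusters.items())
    return finished


def length_stdev(qnames):
    """Population std dev of second-level label lengths (0.0 for one name)."""
    return statistics.pstdev([len(second_level_label(q)) for q in qnames])


def train_thresholds(legit, malicious):
    """Legitimate and malicious std-dev thresholds learned from known lists."""
    return length_stdev(legit), length_stdev(malicious)


def classify_cluster(qnames, legit_thr, mal_thr, min_size=3):
    """Assumed rule: a cluster takes the label of the nearer threshold.
    Clusters below min_size have no meaningful spread and are not judged,
    which avoids a single short lookup being scored as malicious."""
    if len(qnames) < min_size:
        return "insufficient"
    s = length_stdev(qnames)
    return "malicious" if abs(s - mal_thr) < abs(s - legit_thr) else "legitimate"


def length_distance(qname, legit):
    """Assumed distance function: how many legitimate standard deviations
    the second-level label length lies from the legitimate mean length."""
    lengths = [len(second_level_label(d)) for d in legit]
    mean, sd = statistics.mean(lengths), statistics.pstdev(lengths)
    return abs(len(second_level_label(qname)) - mean) / sd if sd else 0.0


def length_flagged(qname, legit, threshold=3.0):
    """Single-query length filter; the abstract notes this alone has false positives."""
    return length_distance(qname, legit) > threshold


def detect(lines, legit=LEGIT_TRAIN, malicious=MALICIOUS_TRAIN,
           max_gap=30.0, min_size=3):
    """Cluster a DNS log per client and give each cluster a verdict."""
    legit_thr, mal_thr = train_thresholds(legit, malicious)
    return [{"client": client, "queries": qnames,
             "stdev": length_stdev(qnames),
             "verdict": classify_cluster(qnames, legit_thr, mal_thr, min_size)}
            for client, qnames in cluster_by_gap(parse_dns_log(lines), max_gap)]


if __name__ == "__main__":
    for r in detect(SAMPLE_LOG):
        print(r["client"], r["verdict"], round(r["stdev"], 3), r["queries"][:2])
```

Running the block classifies the burst of sixteen-character labels as malicious, leaves the single apple.com lookup unjudged, and classifies the later browsing cluster as legitimate; the per-query filter flags the DGA-like names but not wikipedia.org, whose nine-character label is within the legitimate spread. The min_size guard is the practitioner's caveat: a one-element cluster always has standard deviation zero, so without it every isolated lookup lands next to the malicious threshold.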
Keywords/Search Tags: APT, DNS, Malicious domain name, Abnormal length distribution, Domain-name resolution behaviour