
The Design And Implementation Of APT Attack Detection And Defensive Tool For Mailbox Server

Posted on: 2014-02-01
Degree: Master
Type: Thesis
Country: China
Candidate: Z S Zhang
GTID: 2248330395995783
Subject: Software engineering

Abstract/Summary:
With the rapid development of computer technology, business computing has developed from single arithmetic operations, file processing, and internal business processing and office automation based on simply connected internal networks, to enterprise computer processing systems based on complex internal networks, enterprise external networks, the global Internet, and worldwide information sharing and business processing. As the processing capacity of these systems has improved, so has their connection capacity. People enjoy the convenience that computers and networks bring, and a variety of industries have been created as a result. But network connection security issues have become increasingly prominent. More worrying still is the emergence of a new attack method: the APT attack. APT stands for advanced persistent threat, and refers to network intrusions that are carefully prepared, strongly targeted, concealed, and highly penetrating. The emergence of APT attacks has turned passive defense into a Maginot Line: an APT attacker can easily go deep inside an enterprise and steal important information.

The APT attack detection and defense tool for mailbox servers designed and implemented in this thesis runs on the Windows Server platform and protects the mailbox server from APT attacks. The defense tool is mainly composed of three parts: DTAS Agent, APT Filter Scanning and Web Configuration. The DTAS Agent is responsible for the further processing of threats detected by ATSE (Aggressive Threat Scan Engine), including isolating the file, uploading it to the DTAS (Dynamic Threat Analysis System) server, returning the results from the DTAS server, and, according to the results, adding new markers to the mail header and resending the mail. APT Filter Scanning handles the email scanning logic. Web Configuration is the configuration part of the tool: through it, the mailbox server administrator configures the tool's parameters to implement the company's defense strategy. The tool has now completed testing and is running successfully on the mailbox server in Trend Micro's Chinese development center. My main work in this project was taking part in the requirements discussion, completing all the code of the Web Configuration and part of the DTAS Agent code, and testing.

This thesis first introduces the research background, analyzes the current status of networks and APT attacks, gives some examples of APT attacks, and describes the main work of the thesis. It then introduces the relevant technologies and development tools used in the project. Next, the thesis describes the requirement analysis, preliminary design and detailed design of the APT attack detection and defense tool. The requirement analysis covers the functional and nonfunctional requirements of the system, the preliminary design introduces the work processes of the three subsystems, and the detailed design introduces the implementation principles and technical details. Finally, the thesis summarizes the whole work and outlines the future work of the project.
Keywords/Search Tags: APT attack, Mail server, DTAS, ATSE