
Research of APT Detection Method for Unknown Trojans

Posted on: 2016-01-05
Degree: Master
Type: Thesis
Country: China
Candidate: H Q Tong
Full Text: PDF
GTID: 2298330467992845
Subject: Signal and Information Processing

Abstract/Summary:
With the wide-scale application of computer networks and the growth of the Internet, the network brings people great convenience, but it also brings a broad range of security issues; network attacks, intrusions and other problems are increasing. Since Google admitted to suffering a serious hacker attack in 2010, APT (Advanced Persistent Threat) has aroused widespread concern in security circles. APT, as an efficient and accurate form of network attack, has been used frequently in the attack events of recent years and has quickly become one of the biggest threats to corporate information security. The widespread use of unknown Trojans makes it hard to extract Trojan behaviour features, which poses great challenges to traditional intrusion detection technology. Detecting APT attacks that use unknown Trojans accurately, improving APT detection capability and, moreover, detecting possible APT attacks in the network as early as possible is of great significance to maintaining network order and security.

In this paper, we first analyse the characteristics and procedure of APT attacks and the features of Trojan communication behaviour, and combine this analysis with the existing APT attack detection methods. We then propose an APT attack detection method based on user-defined detection modes. Finally, we implement and test this scheme. The paper's main tasks are as follows:

(1) We first introduce the characteristics and procedure of APT attacks, then analyse the advantages and disadvantages of the existing APT attack detection methods, and on that basis propose our APT attack detection method built on the idea of a custom detection mode.

(2) After studying and summarising the features of Trojan communication behaviour, we develop a rule description language. We then design an APT attack detection scheme based on user-defined detection modes, which supports detection on both real-time and stored network traffic. The method provides users with an interface for defining detection rules, and detects suspicious APT attacks present in the network environment according to the custom detection pattern.

(3) On the basis of the mode-based APT attack detection scheme, we discuss the specific features of the program and the realisation principle of each module in detail, research and implement the related key technologies, and finally test the system's detection capability and performance. The test results show that the detection method is feasible.
Keywords/Search Tags: APT attack, detection mode, rule language, real-time network traffic detection, the analysis of history data
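The abstract describes a rule description language for Trojan communication-behaviour features and a detector that applies user-defined rules to real-time or stored traffic, but gives no syntax. The Python below is an added illustration of that idea and is not the thesis's code: the rule syntax, the field names (flows, interval_cv, mean_bytes, dst_port), the beaconing-regularity statistic and the flow records are all constructed assumptions. It aggregates per-destination flow summaries from a stored batch of records and reports which rules each summary matches.

```python
"""Rule-driven detector over per-destination flow summaries (added example).

Rule syntax (hypothetical): a 'rule NAME:' header followed by indented
'field OP number' conditions; a rule matches when every condition holds.
"""
import operator
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, bytes_out).
FLOWS = [
    # 10.0.0.5: eight small flows at ~60 s spacing (beacon-like, constructed).
    (0, "10.0.0.5", "203.0.113.10", 443, 410), (60, "10.0.0.5", "203.0.113.10", 443, 398),
    (121, "10.0.0.5", "203.0.113.10", 443, 405), (180, "10.0.0.5", "203.0.113.10", 443, 412),
    (240, "10.0.0.5", "203.0.113.10", 443, 401), (300, "10.0.0.5", "203.0.113.10", 443, 399),
    (361, "10.0.0.5", "203.0.113.10", 443, 407), (420, "10.0.0.5", "203.0.113.10", 443, 403),
    # 10.0.0.7: irregular timing and sizes (ordinary browsing, constructed).
    (0, "10.0.0.7", "198.51.100.20", 443, 1200), (5, "10.0.0.7", "198.51.100.20", 443, 5400),
    (130, "10.0.0.7", "198.51.100.20", 443, 300), (131, "10.0.0.7", "198.51.100.20", 443, 20000),
    (400, "10.0.0.7", "198.51.100.20", 443, 800), (900, "10.0.0.7", "198.51.100.20", 443, 3000),
    # 10.0.0.9: regular but only three flows, below the rule's minimum (constructed).
    (0, "10.0.0.9", "203.0.113.10", 443, 400), (60, "10.0.0.9", "203.0.113.10", 443, 400),
    (120, "10.0.0.9", "203.0.113.10", 443, 400),
]

# Two user-defined rules in the hypothetical rule language.
RULES = """
# periodic, small, long-lived outbound sessions
rule beacon_like:
    flows >= 6
    interval_cv <= 0.1
    mean_bytes <= 600
    dst_port == 443

# very large average outbound payloads
rule bulk_outbound:
    flows >= 2
    mean_bytes >= 50000
"""

OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq, "!=": operator.ne}
RULE_HEADER = re.compile(r"^rule\s+(\w+):$")
CONDITION = re.compile(r"^(\w+)\s*(>=|<=|==|!=)\s*(\d+(?:\.\d+)?)$")


def parse_rules(text):
    """Parse rule text into [{'name': str, 'conditions': [(field, op, value)]}]."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = RULE_HEADER.match(line)
        if header:
            current = {"name": header.group(1), "conditions": []}
            rules.append(current)
            continue
        cond = CONDITION.match(line)
        if cond is None or current is None:
            raise ValueError(f"bad rule line: {raw!r}")
        field, op, value = cond.groups()
        current["conditions"].append((field, op, float(value)))
    return rules


def summarize(flows):
    """Aggregate flows per (src, dst, port) into the fields rules can test."""
    by_key = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        by_key[(src, dst, port)].append((ts, nbytes))
    stats = {}
    for key, recs in by_key.items():
        recs.sort()
        times = [t for t, _ in recs]
        sizes = [b for _, b in recs]
        intervals = [b - a for a, b in zip(times, times[1:])]
        # Coefficient of variation of inter-arrival times: near 0 means
        # regular spacing. Undefined with fewer than two intervals.
        cv = pstdev(intervals) / mean(intervals) if len(intervals) >= 2 and mean(intervals) > 0 else None
        stats[key] = {"flows": float(len(recs)), "interval_cv": cv,
                      "mean_bytes": mean(sizes), "dst_port": float(key[2])}
    return stats


def matches(rule, summary):
    """A rule matches only if every condition holds; undefined fields never match."""
    for field, op, value in rule["conditions"]:
        actual = summary.get(field)
        if actual is None or not OPS[op](actual, value):
            return False
    return True


def detect(flows, rule_text):
    """Return [(rule_name, (src, dst, port))] for every summary that matches a rule."""
    rules = parse_rules(rule_text)
    return [(r["name"], key) for key, s in sorted(summarize(flows).items())
            for r in rules if matches(r, s)]


if __name__ == "__main__":
    for name, key in detect(FLOWS, RULES):
        print(f"{name}: {key[0]} -> {key[1]}:{key[2]}")
```

The same summarize/detect pair can be applied to stored records in a batch, as here, or to a sliding window of recent flows for the real-time case the abstract mentions; the rule text is the only thing the user edits.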