
Research On Typical Covert Communication Technology In Advanced Persistent Threat

Posted on: 2018-01-06
Degree: Master
Type: Thesis
Country: China
Candidate: Y Tang
GTID: 2348330536477476
Subject: Control engineering

Abstract/Summary:
With the wide application of Internet technology in various fields, the problem of information security is receiving more and more attention. The advanced persistent threat (APT), which is persistent and concealed and relies on advanced penetration and communication technology, has become a great threat to network security and a hot issue in the field of information security. This paper takes the typical concealed communication of an APT attack in every period as its research object. We design and implement several kinds of concealed communication methods and carry out experimental verification and analysis. The methods provide technical support for APT data flow modeling and analysis. The main work of the paper is as follows.

(1) Based on the characteristics of APT attacks and the existing attack chain model, this paper gives a detailed analysis and introduction of the potential covert communication methods in all periods.

(2) Obtaining the address of the C&C server is a major problem that must be solved by malicious nodes that sneak into the network to implement concealed communications. This paper gives a detailed introduction of the traditional address acquisition method, then introduces the principle and testing methods of common DGA methods, and points out the deficiency of DGA. Finally, we design and implement a C&C server address acquisition method that hides the information in web pages.

(3) Data handling mainly relies on concealed communication based on behavior or protocol. This paper proposes a multi-disk data transfer method based on threshold cryptography to achieve behavior-based concealed communication. The method includes the design of a data block algorithm and the design of a data sharing protocol. The block algorithm is mainly based on threshold secret sharing. The protocol implements the interaction between the attack node and the network disk. Finally, we design a system based on an open source API and verify the feasibility and validity of the proposed method.

(4) For protocol-disguised concealed communication, we also design and implement a concealed communication method based on the SSL protocol. Based on the original SSL protocol, this method analyzes and models the behavior sequence, length sequence and time series of the packets from a typical application, which gives the concealed communication a higher similarity to normal communication.

At the end of the paper, the author summarizes the whole thesis and discusses prospects for further research.
Keywords/Search Tags: APT attack, Acquisition of C&C address, Data sharing, SSL protocol, Camouflage communication