
APT Detection Based On Temporal And Spatial Relevance Analysis

Posted on: 2018-03-30
Degree: Master
Type: Thesis
Country: China
Candidate: L Cai
Full Text: PDF
GTID: 2348330542453040
Subject: Computer Science and Technology
Abstract/Summary:
With the increasing openness and sharing of networks, a large number of devices belonging to governments, institutions and enterprises have been connected to the Internet. Their high-value equipment and systems have become the primary target of hackers. Hackers use social engineering methods and 0day vulnerabilities to invade a system, adopt a long-term latent strategy, and constantly search for and steal high-value information. This kind of attack is known as an Advanced Persistent Threat (APT). The use of these advanced techniques and the long latent strategy make traditional network monitoring, auditing technologies and protection systems unable to effectively detect, track and analyse APT attacks.

Through analysing the different stages of the APT attack life cycle, the remote control stage and the data transmission stage are selected as the breakthrough point of the research. Traffic comes from real APT attack samples and from APT malware run in a local sandbox. The architecture of an APT attack detection system is designed based on the features analysed, and periodicity analysis and relevance analysis are implemented in this paper. The main research contents are as follows:

1. APT attack traffic feature mining and architecture design: the research object is real APT attack traffic; by analysing the common features of this traffic, an architecture for an APT attack detection system is proposed.

2. An APT attack detection method based on periodicity analysis: through analysis of the periodicity of APT attacks, a detection method based on the periodicity of TCP data and DNS data, and on abnormal port use, is proposed; this method is called APDM (APT Periodicity Detection Method). The effectiveness of APDM is verified by experiments.

3. Temporal and spatial relevance analysis of APT attacks, including association rule mining and historical data backtracing. For the former, association rules are mined with the FP-Growth algorithm over the temporal, spatial and category features of APT attacks; the relations between these features are analysed, and the rules are explained semantically in combination with the characteristics of APT attacks. For the latter, a historical data backtrace method based on the Bloom filter is proposed; it uses little space and can rapidly judge whether a datum is in the current data set.
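The periodicity analysis of item 2 and the Bloom-filter backtrace of item 3 are the two parts of the abstract that reduce to concrete code. The following is an added illustration written for this page, not the thesis's APDM implementation. It assumes flow logs with (timestamp, src, dst, dport) fields, DNS logs with (timestamp, src, qname) fields, a site-specific allowlist of expected outbound ports, a coefficient-of-variation threshold of 0.1 for "periodic", and a small double-hashing Bloom filter with parameters chosen for the example; all sample records are constructed, not real captures.

```python
"""Periodicity (beaconing) detection plus Bloom-filter historical backtrace.

Added example, not the thesis's code. Assumed log layouts, thresholds and
filter parameters are noted inline; all sample data is constructed.
"""
import hashlib
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_s, src, dst, dport).
# 10.0.0.5 contacts 203.0.113.9:8443 every ~300 s with small jitter (beacon);
# 10.0.0.7 contacts 198.51.100.2:443 at irregular intervals (ordinary browsing).
TCP_SAMPLE = [
    (0, "10.0.0.5", "203.0.113.9", 8443), (301, "10.0.0.5", "203.0.113.9", 8443),
    (598, "10.0.0.5", "203.0.113.9", 8443), (902, "10.0.0.5", "203.0.113.9", 8443),
    (1199, "10.0.0.5", "203.0.113.9", 8443), (1503, "10.0.0.5", "203.0.113.9", 8443),
    (12, "10.0.0.7", "198.51.100.2", 443), (40, "10.0.0.7", "198.51.100.2", 443),
    (390, "10.0.0.7", "198.51.100.2", 443), (395, "10.0.0.7", "198.51.100.2", 443),
    (1100, "10.0.0.7", "198.51.100.2", 443), (1101, "10.0.0.7", "198.51.100.2", 443),
]
# Constructed DNS records: (timestamp_s, src, qname). The first host resolves
# one name every ~600 s; the second resolves a name at random moments.
DNS_SAMPLE = [
    (0, "10.0.0.5", "updates.example"), (600, "10.0.0.5", "updates.example"),
    (1201, "10.0.0.5", "updates.example"), (1798, "10.0.0.5", "updates.example"),
    (2402, "10.0.0.5", "updates.example"),
    (5, "10.0.0.7", "news.example"), (7, "10.0.0.7", "news.example"),
    (300, "10.0.0.7", "news.example"), (301, "10.0.0.7", "news.example"),
    (900, "10.0.0.7", "news.example"),
]
# Constructed "historical" destinations from an earlier capture window.
HISTORY_SAMPLE = [("203.0.113.9", 8443), ("198.51.100.2", 443), ("192.0.2.50", 80)]
# Assumption: outbound service ports this site expects to see.
EXPECTED_PORTS = {53, 80, 443}


def interval_stats(timestamps):
    """Return (mean_gap, coefficient_of_variation) of the inter-arrival gaps.
    A CV near 0 means events recur at an almost constant interval, the
    beaconing pattern periodicity analysis looks for. None if too few gaps."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    if m <= 0:
        return None
    return m, pstdev(gaps) / m


def find_periodic(records, min_events=5, max_cv=0.1):
    """records: iterable of (timestamp, key). Groups events by key and reports
    keys whose inter-arrival CV is at most max_cv (jitter the analyst tolerates)."""
    by_key = defaultdict(list)
    for ts, key in records:
        by_key[key].append(ts)
    alerts = []
    for key, stamps in by_key.items():
        if len(stamps) < min_events:
            continue
        stats = interval_stats(stamps)
        if stats is None:
            continue
        period, cv = stats
        if cv <= max_cv:
            alerts.append({"key": key, "count": len(stamps),
                           "period_s": round(period, 1), "cv": round(cv, 3)})
    return alerts


class BloomFilter:
    """Compact membership set for historical backtrace: no false negatives,
    a small false-positive rate. Double hashing derived from one SHA-256."""

    def __init__(self, n_bits=4096, n_hashes=4):
        self.n_bits, self.n_hashes = n_bits, n_hashes
        self.bits = bytearray(n_bits // 8)

    def _positions(self, item):
        h = hashlib.sha256(repr(item).encode()).digest()
        h1, h2 = int.from_bytes(h[:8], "big"), int.from_bytes(h[8:16], "big")
        return [(h1 + i * h2) % self.n_bits for i in range(self.n_hashes)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item):
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))


def apdm_report(tcp=TCP_SAMPLE, dns=DNS_SAMPLE, history=HISTORY_SAMPLE):
    """Combine periodic TCP flows, periodic DNS queries and abnormal port use,
    then mark whether each flagged destination was already seen in history."""
    seen = BloomFilter()
    for dst_port in history:
        seen.add(dst_port)
    tcp_alerts = find_periodic((ts, (s, d, p)) for ts, s, d, p in tcp)
    for a in tcp_alerts:
        _, dst, dport = a["key"]
        a["abnormal_port"] = dport not in EXPECTED_PORTS
        a["seen_in_history"] = (dst, dport) in seen
    dns_alerts = find_periodic((ts, (s, q)) for ts, s, q in dns)
    return {"tcp": tcp_alerts, "dns": dns_alerts}


if __name__ == "__main__":
    for kind, alerts in apdm_report().items():
        for a in alerts:
            print(kind, a)
```

The CV threshold and the minimum event count are the two knobs that trade false positives (legitimate software updaters also poll on fixed timers) against missed beacons with deliberate jitter; the Bloom filter answers only "possibly seen before" or "definitely never seen", so a hit should send the analyst to the full historical store rather than stand as evidence on its own.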
Keywords/Search Tags:advanced persistent threat, temporal and spatial relevance analysis, association rules mining, history data backtrack