
Attack Characteristics Analysis In Advanced Persistent Threats

Posted on: 2019-04-10
Degree: Master
Type: Thesis
Country: China
Candidate: W Yu
Full Text: PDF
GTID: 2428330548456884
Subject: Engineering

Abstract/Summary:
With the advent of the information age and the rapid development of network technologies, today's society has undergone enormous changes. More and more people enjoy the convenience of network services such as Weibo, WeChat, Facebook, and Twitter. At the same time, organizations, companies, and government agencies increasingly value the construction of their own networks. However, with the popularization and rapid development of network technology, a variety of new network security problems have emerged. In particular, the Advanced Persistent Threat (APT) that has emerged in recent years differs significantly from traditional network attack methods: it not only poses a serious threat to all infrastructures, but is also gradually becoming a major threat to high-security networks. This thesis studies advanced persistent threat detection and defense technologies. Its main contents and contributions are as follows:

1. An overview of advanced persistent threats, including the attack phase model and attack characteristics. The thesis describes the work on APT attack phase models and analyzes two common attack phase models that describe advanced persistent threats. The concept of an APT attack is described and the three main phases related to the main features of APT attacks are pointed out. Combining the three major phases of the attack process, the targeted, organized, persistent, covert, indirect, and other characteristics of APT attacks are analyzed in detail.

2. An explanation of existing advanced persistent threat defense strategies. The thesis describes in detail the existing APT defense strategies, including security awareness training, traditional defense mechanisms, advanced malware detection, and abnormal behavior detection. For the information collection that precedes the first intrusion of an APT attack, the thesis points out that network users must improve their own security awareness and avoid social engineering attacks such as phishing and impersonation. Firewall technology in the traditional defense mechanism is introduced, and the principles and structures of computer firewalls and network firewalls are compared and analyzed. The working principles of host-based and network-based intrusion detection systems in the traditional defense mechanism are described, and their limitations in detecting APT attacks are analyzed.

3. An APT attack detection method based on network traffic characteristics. Building on network-traffic-based intrusion detection, the thesis proposes an intrusion detection method based on multiple data feature attributes. The intrusion detection model is constructed with clustering and classification algorithms from machine learning, and abnormal traffic in APT attacks is detected. In the experiment, the J48 algorithm, the Naive Bayes algorithm, and the k-means algorithm were used to train on and classify the source data, and three anomaly detection models were constructed. The ROC curve of each model was drawn from the evaluation results output by Weka. The thesis comprehensively analyzes the ROC curves of the three detection models and demonstrates that the detection method based on network data features can detect abnormal data in APT attacks with high accuracy and an extremely low false positive rate.
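To make the third contribution concrete, the following is an added example, not code from the thesis and not its Weka pipeline: a from-scratch Gaussian Naive Bayes classifier trained on constructed flow-level feature vectors, scored on held-out flows, with the ROC curve swept over every threshold, the AUC computed by the trapezoid rule, and the true/false positive rates read off at one operating point. The feature names, the synthetic feature distributions, the 0.5 threshold, and the train/test sizes are all assumptions; the J48 and k-means models are not reproduced.

```python
"""Gaussian Naive Bayes anomaly detector over flow features, with ROC and AUC.

Added example (not the thesis's code). The feature set and the traffic are
constructed/synthetic; the Weka, J48 and k-means models are not reproduced.
"""
import math
import random

# Assumed feature set per flow record (an assumption, not from the thesis).
FEATURES = ("bytes_per_flow", "packets_per_flow", "duration_s", "distinct_dst_ports")


def make_flows(rng, n, label):
    """Constructed synthetic flows. label 1 = small, short beacon-like flows;
    label 0 = ordinary interactive traffic. Distributions are assumptions."""
    rows = []
    for _ in range(n):
        if label == 0:
            x = [rng.gauss(500, 120), rng.gauss(9, 2.5), rng.gauss(2.0, 0.6), rng.gauss(1.2, 0.5)]
        else:
            x = [rng.gauss(65, 15), rng.gauss(3, 1.0), rng.gauss(0.2, 0.05), rng.gauss(1.0, 0.3)]
        rows.append(([max(v, 0.0) for v in x], label))  # counts cannot be negative
    return rows


class GaussianNB:
    """Per-class, per-feature Gaussian likelihoods combined under the naive
    independence assumption; score() returns P(anomalous | x)."""

    def fit(self, rows):
        self.stats = {}
        total = len(rows)
        for c in (0, 1):
            xs = [x for x, y in rows if y == c]
            n = len(xs)
            means = [sum(col) / n for col in zip(*xs)]
            # small epsilon keeps a constant feature from giving zero variance
            variances = [sum((v - m) ** 2 for v in col) / n + 1e-6
                         for col, m in zip(zip(*xs), means)]
            self.stats[c] = (math.log(n / total), means, variances)
        return self

    def _log_joint(self, x, c):
        log_prior, means, variances = self.stats[c]
        ll = log_prior
        for v, m, var in zip(x, means, variances):
            ll += -0.5 * math.log(2 * math.pi * var) - (v - m) ** 2 / (2 * var)
        return ll

    def score(self, x):
        l0, l1 = self._log_joint(x, 0), self._log_joint(x, 1)
        m = max(l0, l1)  # subtract the max so exp() does not overflow
        return math.exp(l1 - m) / (math.exp(l0 - m) + math.exp(l1 - m))


def roc_curve(scores, labels):
    """Sweep each distinct score as a threshold; returns [(fpr, tpr), ...]
    running from (0, 0) to (1, 1). Tied scores are stepped over together."""
    pos = sum(labels)
    neg = len(labels) - pos
    order = sorted(range(len(scores)), key=lambda i: -scores[i])
    points = [(0.0, 0.0)]
    tp = fp = 0
    i = 0
    while i < len(order):
        s = scores[order[i]]
        while i < len(order) and scores[order[i]] == s:
            if labels[order[i]] == 1:
                tp += 1
            else:
                fp += 1
            i += 1
        points.append((fp / neg, tp / pos))
    return points


def auc(points):
    """Trapezoidal area under the ROC curve."""
    return sum((x1 - x0) * (y0 + y1) / 2 for (x0, y0), (x1, y1) in zip(points, points[1:]))


def rates_at(scores, labels, threshold):
    """(TPR, FPR) when every flow scoring >= threshold is flagged."""
    tp = sum(1 for s, y in zip(scores, labels) if y == 1 and s >= threshold)
    fp = sum(1 for s, y in zip(scores, labels) if y == 0 and s >= threshold)
    pos = sum(labels)
    return tp / pos, fp / (len(labels) - pos)


def evaluate(seed=7):
    """Train on one synthetic batch, score a held-out batch, report ROC/AUC."""
    rng = random.Random(seed)
    train = make_flows(rng, 80, 0) + make_flows(rng, 80, 1)
    test = make_flows(rng, 50, 0) + make_flows(rng, 50, 1)
    model = GaussianNB().fit(train)
    scores = [model.score(x) for x, _ in test]
    labels = [y for _, y in test]
    points = roc_curve(scores, labels)
    tpr, fpr = rates_at(scores, labels, 0.5)
    return {"auc": auc(points), "roc": points, "tpr@0.5": tpr, "fpr@0.5": fpr}


if __name__ == "__main__":
    r = evaluate()
    print(f"AUC={r['auc']:.3f}  TPR@0.5={r['tpr@0.5']:.2f}  FPR@0.5={r['fpr@0.5']:.2f}")
    for fpr, tpr in r["roc"]:
        print(f"  fpr={fpr:.2f}  tpr={tpr:.2f}")
```

The point worth keeping from the abstract's evaluation is that a "low false positive rate" is a property of one operating point on the ROC curve, not of the AUC: `rates_at` reads it off at the chosen threshold, while `auc` summarizes ranking quality across all thresholds. On real flow records the feature vectors would come from a collector rather than a generator, and the same sweep applies to any model that emits a per-flow score.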
Keywords/Search Tags: APT, intrusion detection, attack signature, feature attribute, machine learning