
Research On APT Attack Detection Based On Behavior Analysis

Posted on: 2020-06-20
Degree: Master
Type: Thesis
Country: China
Candidate: J Sun
GTID: 2428330572467232
Subject: Communication and Information Engineering

Abstract/Summary:
In recent years, a new kind of network attack, the advanced persistent penetration attack (APT), has attracted the attention of network security practitioners because of its particularity and high risk. The existence and operation of an advanced persistent penetration attack are difficult to detect with traditional detection methods, and the existing detection methods are often accompanied by heavy consumption of computing and time resources. Therefore, for the purpose of monitoring APT viruses dynamically, the author adopts a behavior analysis method that combines MapReduce and the support vector machine (SVM) algorithm, obtains a new APT detection model and calculates the analysis weight data.

The construction of the APT attack detection model is divided into three steps. First, the thesis uses various methods to obtain a sufficient number of APT virus samples and builds a network attack test platform. Second, the behavior model is refined with the SVM algorithm and the MapReduce programming model: the obtained virus samples are run on the test platform to produce a large amount of behavior report data, and a Hadoop cluster analyzes this data together with a large amount of pure data and safe behavior data to generate a training set. Finally, the thesis constructs a suitable test set to test the function of the behavior detection model, using the horizontal comparison method to verify the performance optimization brought by the Hadoop cluster and the SVM algorithm, and using the test set to obtain the false positive rate and false negative rate of the detection model for lateral comparison with other detection methods.

In the test experiment using the test set on the detection model, the false negative rate and false positive rate of the APT viruses detected by the model were 7.62% and 8.62%, much lower than the 12.96% and 13.22% of the detection model using the naive Bayes classifier, and also much lower than the 17.32% and 53.12% of the keyword-based judgment method. The average detection time of this model is 262 seconds, much lower than the 1985 seconds of the big data-based detection method. According to the results of the control experiments, the APT detection model constructed in this thesis has a better ability to detect APT viruses, lower false positive and false negative rates and lower time cost, and has certain research and practical value.
Keywords/Search Tags: APT, Behavior Detection, MapReduce, SVM, Network Security