
Research and Implementation of an APT Attack Detection Method Based on Behavior Analysis

Posted on: 2020-01-28
Degree: Master
Type: Thesis
Country: China
Candidate: Y F Wang
Full Text: PDF
GTID: 2428330575457035
Subject: Computer technology

Abstract/Summary:
With the rapid development of the Internet, its scale keeps expanding and its applications grow broader. The key business activities of many departments and enterprises increasingly depend on the network, and the incidence of network attacks and information security incidents is rising. Advanced persistent threats (APT) have become one of the most serious threats to high-security, highly confidential networks such as those of governments, financial companies and military agencies. The main purpose of an APT attack is to steal sensitive data. Once an APT attack occurs, it causes serious economic and reputational losses to the victim and can even pose a major threat to national strategic security. An APT attack is a high-level network attack in which the attack lasts a long time, the attack mode is concealed and the attack methods are advanced, so the entire APT cycle is difficult to detect. Analysing APT attacks stage by stage along the attack time chain allows more targeted detection.

This thesis divides the APT attack cycle into six stages: targeted intelligence collection, internal host intrusion, establishment of monitoring channels, advanced internal host penetration, data resource discovery and upload, and intrusion trace removal. It analyses the attack detection scenarios possible at each stage of attack behaviour. For the targeted intelligence collection phase, a WebShell attack scenario against an associated website is proposed. C&C (Command and Control) communication during the intrusion is detected in the monitoring channel phase and in the data resource discovery and upload phase. The main research contents of the thesis are as follows:

1. For detection of the WebShell attack scenario against an associated website, existing methods mainly detect WebShell source code and their detection accuracy is low. This thesis instead detects from Web logs, where the recorded access behaviour of the APT attack and normal access behaviour differ greatly, in particular in access frequency and access continuity. Two detection algorithms, one based on access-frequency features and one based on access-continuity detection, are used to detect WebShells. Together they effectively improve detection accuracy, and they can also detect when the source code cannot be obtained, which reduces the limitation on the source of the detection data.

2. For detection of the C&C communication attack scenario, in contrast to the high detection time complexity of existing research, the communication traffic of the same malware (family) when issuing control commands is highly similar, so a detection algorithm based on downlink traffic payload similarity is proposed; it detects C&C communication at a higher accuracy rate while effectively reducing time complexity.

3. Real attack experiments are designed for the WebShell attack scenario and the C&C communication attack scenario to verify both; WebShell attack detection and C&C communication attack detection both achieve high accuracy. For WebShell detection, the accuracy rate is above 94% when the threshold is set to 5‰; for C&C communication detection, the accuracy is over 88% when the similarity threshold is 21%. On both test indicators the accuracy is higher than that of the comparable baseline detection methods.
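As an added illustration of the two Web-log features the abstract relies on (not code from the thesis), the following Python computes them over a constructed Combined Log Format sample. The thesis does not define its 5‰ threshold or its continuity rule, so the interpretations here are assumptions: "frequency" is a path's share of all requests in per mille, and "continuity" is whether a request arrives with no referer and is not followed by the burst of page resources a browser normally triggers; hosts, paths and timestamps are all constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed Combined Log Format sample (hypothetical clients and paths): 40 clients each load
# the site 5 times, every load a burst of three referer-linked requests (page, CSS, JS); one
# extra client fetches /uploads/img.php twice, alone and with no referer (the pattern the thesis
# attributes to WebShell access).
T0 = datetime(2020, 1, 28, 9, 0, tzinfo=timezone.utc)
FMT = '{ip} - - [{t:%d/%b/%Y:%H:%M:%S %z}] "GET {p} HTTP/1.1" 200 512 "{ref}" "Mozilla/5.0"'
BURST = [("/index.html", "-"), ("/css/site.css", "http://example.test/index.html"),
         ("/js/app.js", "http://example.test/index.html")]
LOG_LINES = [FMT.format(ip=f"10.0.0.{c + 1}", t=T0 + timedelta(minutes=10 * v + c, seconds=i), p=p, ref=ref)
             for c in range(40) for v in range(5) for i, (p, ref) in enumerate(BURST)]
LOG_LINES += [FMT.format(ip="198.51.100.7", t=T0 + timedelta(hours=k + 1), p="/uploads/img.php", ref="-")
              for k in range(2)]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" \d{3} \d+ "([^"]*)" "[^"]*"$')

def parse(lines):
    """(client_ip, timestamp, path without query string, referer) for each parseable line."""
    rows = []
    for m in filter(None, map(LOG_RE.match, lines)):
        ip, ts, path, ref = m.groups()
        rows.append((ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path.split("?")[0], ref))
    return rows

def rare_paths(rows, threshold_permille=5):
    """Access-frequency feature (assumed meaning): paths whose share of all requests is <= threshold."""
    counts = Counter(path for _, _, path, _ in rows)
    return {p for p, n in counts.items() if n * 1000 / len(rows) <= threshold_permille}

def isolated_paths(rows, window_s=10):
    """Access-continuity feature (assumed rule): paths whose every request has no referer and is
    not followed by another request from the same client within window_s seconds (no page burst)."""
    by_client = defaultdict(list)
    for ip, t, path, ref in rows:
        by_client[ip].append((t, path, ref))
    seen, isolated = Counter(), Counter()
    for reqs in by_client.values():
        reqs.sort()
        for i, (t, path, ref) in enumerate(reqs):
            seen[path] += 1
            alone = i + 1 == len(reqs) or (reqs[i + 1][0] - t).total_seconds() > window_s
            if ref in ("", "-") and alone:
                isolated[path] += 1
    return {p for p in seen if isolated[p] == seen[p]}

def suspect_webshell_paths(lines, threshold_permille=5, window_s=10):
    """Paths flagged by both features; either one alone would also catch harmless rarely-used pages."""
    rows = parse(lines)
    return rare_paths(rows, threshold_permille) & isolated_paths(rows, window_s)
```

Requiring both features to agree is what keeps a legitimately rare page (a privacy policy fetched once a day with a referer) from being reported alongside the isolated, no-referer path.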
Keywords/Search Tags: webshell, c&c, frequency of visits, access continuity, behavioral characteristics