In recent years, APTs (Advanced Persistent Threats) have caused serious damage to network security. As a new type of attack, an APT is characterised by a long time span and hidden latency: over a long period, attackers infiltrate, attack, conceal themselves, spread within, and steal information from target organisations through the combined use of many attacking means, whereas existing security measures that inspect a single point in time cannot defend against such attacks. Because APT attacks proceed in phases, existing work has developed many different models of the APT attack. Many existing methods are based on the detection of DNS traffic, because a great deal of DNS traffic is generated during an APT attack. In this paper, to detect APTs effectively, we analyse and summarise the features of each stage of an APT attack and detect APT attacks according to DNS features. First, we identify the typical APT attack model by analysing a large number of public APT reports. We divide an APT attack into five stages: reconnaissance, initial compromise, privilege escalation, maintaining presence and data communication, and we refer to privilege escalation and maintaining presence together as lateral movement. Based on each stage of this APT attack model, we propose a tree model of attack features. The attack feature tree presents the attack features of an APT at its various stages and the correlations between them. Then, building on the DNS features in existing related work, we analyse the DNS features of the lateral movement and data communication stages according to this stage division, and we extract DNS behaviour features over a long period of time from the attack feature tree. Finally, we use the last 71 days of 99 days of DNS request records collected from a large education network, 1,157,236,653 records in total, to which we add simulated APT attack data. We use a semi-supervised decision-tree machine learning model to conduct experiments that analyse and compare the features and data. The experimental results show that the hidden DNS features extracted from the lateral movement and data communication stages can effectively detect APT attack behaviour.
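The following is an added example, not code or data from the paper, showing the general shape of the approach described above: DNS request records are aggregated per client over a long window, a few behaviour features are derived for the maintaining-presence (periodic beaconing) and data-communication (high-volume unique labels under one domain) stages, and a decision rule is applied. The log format, the registered-domain approximation (last two labels), the feature definitions, the thresholds, and the three constructed clients are all assumptions; the hand-written rule stands in for a trained decision tree and is not the paper's feature set or model.

```python
"""Long-window DNS behaviour features per client from DNS request records,
with a hand-built decision rule over them.

Added illustration: log format, features, thresholds and sample data are
assumptions, not the paper's own feature set, data or trained model.
"""
import statistics
from collections import Counter, defaultdict


def make_sample_log():
    """Constructed sample log, one record per line: 'epoch client qname rcode'."""
    lines = []
    # Client A: ordinary browsing, irregular timing, a handful of domains.
    names = ["www.example.com", "api.example.com", "cdn.example.net",
             "mail.example.org", "static.example.net", "login.example.org",
             "shop.example.com"]
    gaps = [5, 240, 30, 900, 2, 60, 1500, 15, 45, 300]
    t = 1_000_000
    for i in range(30):
        t += gaps[i % len(gaps)]
        lines.append(f"{t} 10.0.0.5 {names[i % len(names)]} NOERROR")
    # Client B: one domain queried every 60 s (maintaining presence / beaconing).
    for i in range(40):
        lines.append(f"{1_000_000 + 60 * i} 10.0.0.6 c2.example.net NOERROR")
    # Client C: a new long label under one domain on every query (data over DNS).
    for i in range(50):
        label = format((i + 1) * 0x9E3779B97F4A7C15 % (1 << 64), "016x") * 3
        ts = 1_000_000 + 37 * i + (i * i) % 11
        lines.append(f"{ts} 10.0.0.7 {label}.tun.example.org NXDOMAIN")
    return lines


def registered_domain(qname):
    """Assumption: registered domain = last two labels (a public-suffix list
    would be used in practice)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def parse_log(lines):
    """Group (timestamp, qname, rcode) records per client, sorted by time."""
    by_client = defaultdict(list)
    for line in lines:
        ts, client, qname, rcode = line.split()
        by_client[client].append((int(ts), qname, rcode))
    for recs in by_client.values():
        recs.sort()
    return by_client


def client_features(records):
    """Features over the whole window for one client's sorted records."""
    n = len(records)
    domains = Counter(registered_domain(q) for _, q, _ in records)
    top, top_n = domains.most_common(1)[0]
    top_recs = [(t, q) for t, q, _ in records if registered_domain(q) == top]
    top_unique = len({q for _, q in top_recs})
    times = [t for t, _ in top_recs]
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) >= 2 and statistics.mean(gaps) > 0:
        # Coefficient of variation of inter-query gaps: ~0 means a fixed period.
        cv = statistics.pstdev(gaps) / statistics.mean(gaps)
    else:
        cv = 1.0  # too few samples to judge regularity; treat as irregular
    return {
        "n_queries": n,
        "n_distinct_qnames": len({q for _, q, _ in records}),
        "nxdomain_ratio": sum(r == "NXDOMAIN" for _, _, r in records) / n,
        "mean_qname_len": statistics.mean(len(q) for _, q, _ in records),
        "top_domain": top,
        "top_domain_queries": top_n,
        "top_domain_unique_ratio": top_unique / top_n,
        "interval_cv": cv,
    }


def classify(f):
    """Hand-built rule standing in for a trained decision tree; the
    thresholds are illustrative assumptions, not learned values."""
    if f["top_domain_unique_ratio"] > 0.8 and f["mean_qname_len"] > 40:
        return "suspect_data_communication"
    if f["top_domain_queries"] >= 10 and f["interval_cv"] < 0.1:
        return "suspect_beacon"
    return "benign"


def analyse(lines):
    """Map each client in the log to its classification."""
    return {c: classify(client_features(r)) for c, r in parse_log(lines).items()}


if __name__ == "__main__":
    for client, recs in parse_log(make_sample_log()).items():
        f = client_features(recs)
        shown = {k: round(v, 3) if isinstance(v, float) else v for k, v in f.items()}
        print(client, classify(f), shown)
```

The point of computing features over the whole window rather than per query is visible in the beacon case: each individual request to c2.example.net looks like any other lookup, and only the zero-variance inter-query gap across 40 requests distinguishes it. Likewise the unique-label ratio under one registered domain is meaningless for a single request and only becomes a signal once many records from the same client are aggregated.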