An APT attack is a targeted, covert and persistent cyber attack directed at an organization's information assets. The attackers typically have advanced skills and ample resources; they use a variety of methods to gain control of systems or unauthorized access inside the target network, and then gradually spread across the whole network. Unlike traditional network attacks, APTs do not interrupt normal service: their main goal is to remain inside the target system for a long time in order to steal sensitive information and confidential data, or to sabotage it. Because they pose a serious threat to an organization's interests and information assets, detecting a potential APT attack promptly and accurately is particularly important. In this paper we focus on attacks that combine phishing emails with malicious PDF document attachments. We analyzed a large number of APT attack cases and reports and summarized the stages through which the malicious PDF documents used in APT attacks have developed. Based on the similarity of attack methods and structural features among the malicious PDF documents used in APT attacks, we treat the malicious PDF document as the detection object for APTs. We analyzed the most widely used machine-learning-based malicious document detection methods and the evasion techniques used in APT attacks. We also surveyed attacks on machine learning and discussed the mimicry attack and the reverse mimicry attack as the evasion methods most likely to be deployed in malicious PDFs to avoid detection in APT scenarios. Taking into account the attacker's knowledge of and capability against the detection system, we propose an improved detection method, based on the training dataset, feature selection and the algorithm model, that detects potential APT attacks through malicious PDFs. In experiments on the Contagio dataset, the detection model we designed achieved high accuracy in detecting malicious PDF documents, and a comparison experiment verified the model's robustness and its resistance to evasion attacks.
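The structural features the abstract refers to are typically counts of PDF name keywords and objects, and the evasion techniques it mentions work by keeping those counts looking benign. The following added example (not code from the paper or its authors) illustrates the idea with a PDFiD-style keyword counter, using a keyword list and a transparent decision rule that are my own choices standing in for a trained model, and three constructed PDF byte strings that are not real malware. It shows two checks a practitioner would want before trusting such features: decoding `#xx` hex escapes in names (so `/J#61vaScript` is counted as `/JavaScript`) and inflating FlateDecode streams (so an `/OpenAction` and JavaScript action hidden inside a compressed object stream, a reverse-mimicry-style placement, are still seen).

```python
"""Structural feature extraction for PDF files with two evasion-aware steps:
decode #xx name escapes and inflate FlateDecode streams before counting.
Added example; the keyword list and the rule are assumptions, not the paper's."""
import re
import zlib

# Names tied to active content, and names marking places where content can hide.
ACTIVE = ["/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch"]
CONTAINER = ["/EmbeddedFile", "/ObjStm", "/XFA", "/RichMedia"]

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so /Open#41ction counts as /OpenAction.
    Applied to the whole buffer for simplicity; a '#' inside binary stream
    data may be altered too, which does not affect keyword counts."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Inflate every stream that zlib can decode (FlateDecode). One level only:
    an object stream nested inside another compressed stream is not unpacked."""
    parts = []
    for m in STREAM_RE.finditer(data):
        try:
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (e.g. a plain page content stream)
    return b"\n".join(parts)


def count_keyword(data: bytes, kw: str) -> int:
    # Require a delimiter after the name so /JS does not also match /JSX.
    return len(re.findall(re.escape(kw.encode()) + rb"(?![A-Za-z0-9_])", data))


def extract_features(pdf: bytes, inflate: bool = True) -> dict:
    data = normalize_names(pdf)
    if inflate:
        data += b"\n" + normalize_names(inflate_streams(pdf))
    feats = {kw: count_keyword(data, kw) for kw in ACTIVE + CONTAINER}
    feats["obj"] = len(re.findall(rb"\b\d+ \d+ obj\b", data))
    feats["stream"] = len(re.findall(rb"\bstream\b", data))
    return feats


def is_suspicious(feats: dict) -> bool:
    """Transparent rule standing in for a trained classifier: any active-content
    keyword marks the file for sandboxing or further analysis."""
    return any(feats[kw] > 0 for kw in ACTIVE)


# --- constructed samples (xref tables omitted; the scanner does not need them) ---
BENIGN = (b"%PDF-1.4\n"
          b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
          b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
          b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
          b"4 0 obj << /Length 16 >> stream\nBT (hello) Tj ET\nendstream endobj\n"
          b"trailer << /Root 1 0 R >>\n%%EOF\n")

# Overt: OpenAction fires JavaScript; names hex-escaped to dodge a naive grep.
OVERT = (b"%PDF-1.4\n"
         b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 5 0 R >> endobj\n"
         b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
         b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
         b"5 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj\n"
         b"trailer << /Root 1 0 R >>\n%%EOF\n")


def build_hidden() -> bytes:
    """Catalog and JavaScript action packed into a FlateDecode object stream,
    so the raw bytes contain no active-content keyword at all."""
    objs = [(1, b"<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>"),
            (5, b"<< /S /JavaScript /JS (app.alert('constructed sample')) >>")]
    header, body = b"", b""
    for num, obj in objs:          # object stream layout: "num offset" pairs, then objects
        header += b"%d %d " % (num, len(body))
        body += obj + b"\n"
    payload = zlib.compress(header + body)
    head = (b"%PDF-1.5\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n")
    objstm = (b"6 0 obj << /Type /ObjStm /N 2 /First %d /Length %d /Filter /FlateDecode >>\nstream\n"
              % (len(header), len(payload)))
    return head + objstm + payload + b"\nendstream endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for name, doc in [("benign", BENIGN), ("overt", OVERT), ("hidden", build_hidden())]:
        raw, full = extract_features(doc, inflate=False), extract_features(doc)
        print(f"{name:7s} raw={is_suspicious(raw)!s:5} inflated={is_suspicious(full)!s:5} {full}")
```

Run on the three samples, the benign file is never flagged, the hex-escaped file is flagged only because the escapes are decoded, and the object-stream file looks clean on raw bytes (zero active keywords, `/ObjStm` = 1) but is flagged once streams are inflated. A real feature set would also cover nested object streams and the other stream filters, and a trained model would replace the rule; the point here is that feature extraction itself must anticipate the evasion, or the model learns on counts the attacker controls.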