
Detecting Advanced Persistent Threats Based On Traffic Analysis

Posted on: 2020-01-25
Degree: Master
Type: Thesis
Country: China
Candidate: J Y Tan
Full Text: PDF
GTID: 2428330590494029
Subject: Engineering

Abstract/Summary:
With the development of Internet technology, cyber security has become a critical problem for the information systems of every individual, every organization and even every government. The high pertinence, disguise and phasing of Advanced Persistent Threats (APTs) make them even harder to discover with traditional detection technologies. APTs continuously gather information and data from target objects, using various exploits to penetrate the organization. Current threat detection methods take advantage of machine learning algorithms that use statistical and behavioral characteristics of network traffic. The key problem of a machine learning algorithm is to find an appropriate feature vector to feed into the learner. This thesis combines entropy from information theory with several machine learning algorithms and applies them to the detection of Advanced Persistent Threats. We identify the inadequacies of current detection solutions and propose a detection method for Advanced Persistent Threats based on entropy and support vector machines, together with anomalous network traffic identification based on imbalanced data gravitation classification. Our main contributions are as follows:

1. Proposed a detection framework that detects Advanced Persistent Threats in two phases. First, we find the suspicious volumes of network traffic, and then we identify the exact attacking streams. In this way we greatly simplify the massive traffic data, which reduces the computational cost and improves the efficiency and accuracy of detection.

2. Introduced the concept of entropy from information theory, converted some characteristics of network traffic into new features, and applied them to a support vector machine. Furthermore, we proposed a detection method for Advanced Persistent Threats based on entropy and support vector machines. The experiment showed good effectiveness and efficiency in detecting a volume of network traffic that contains attack traffic.

3. For the imbalanced data classification problem, we introduced the imbalanced data gravitation classification algorithm. After detecting a volume of network traffic that contains attack traffic, the exact attacking traffic can easily be identified using the imbalanced data gravitation classification algorithm. Compared with other machine learning algorithms, our method outperforms kNN and SVM in identifying anomalous traffic on many aspects.
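As an added illustration of the two-phase idea in the abstract (this is not the thesis author's code, which the page does not reproduce): the Shannon entropy of flow fields within each time window serves as the feature vector, windows whose entropy departs from a known-benign baseline are triaged first, and the streams that dominate a flagged window are pulled out for inspection. The flow records, addresses, ports and the fixed deviation threshold are constructed assumptions; the threshold stands in for the thesis's trained support vector machine, and the stream ranking stands in for its data gravitation classifier.

```python
"""Windowed entropy features over flow records: phase-one triage of
suspicious traffic windows, then a simple narrowing to the streams that
dominate a flagged window. Added illustration, not the thesis's code."""
from collections import Counter
from dataclasses import dataclass
from math import log2
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    window: int      # index of the time window the flow falls into
    src_ip: str
    dst_ip: str
    dst_port: int


FEATURES = ("src_ip", "dst_ip", "dst_port")


def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum((c / total) * log2(c / total) for c in counts.values())


def window_features(flows):
    """Entropy of each feature field over the flows of one window."""
    return {f: shannon_entropy(getattr(x, f) for x in flows) for f in FEATURES}


def group_by_window(flows):
    groups = {}
    for x in flows:
        groups.setdefault(x.window, []).append(x)
    return groups


def build_baseline(normal_flows):
    """Per-feature mean and spread of entropy over known-benign windows."""
    per_window = [window_features(fs) for fs in group_by_window(normal_flows).values()]
    return {f: (mean(w[f] for w in per_window), pstdev(w[f] for w in per_window))
            for f in FEATURES}


def flag_windows(flows, baseline, k=3.0, floor=0.25):
    """Phase one: windows where any entropy feature lies more than k spreads
    (never less than k*floor bits) away from the benign mean."""
    flagged = {}
    for w, fs in sorted(group_by_window(flows).items()):
        feats = window_features(fs)
        deviant = [f for f in FEATURES
                   if abs(feats[f] - baseline[f][0]) > k * max(baseline[f][1], floor)]
        if deviant:
            flagged[w] = deviant
    return flagged


def dominant_streams(flows, top=1):
    """Phase two (simplified): the (src, dst) pairs accounting for most flows
    in a flagged window, i.e. the streams an analyst should inspect first."""
    return Counter((x.src_ip, x.dst_ip) for x in flows).most_common(top)


# Constructed traffic. Benign windows spread flows evenly over 5 internal
# hosts, 20 external hosts and 5 common ports (idealised, so entropy is
# identical across windows); the last observed window is built to look like
# one host touching one external address on 40 distinct ports.
def make_normal_window(w, n=40):
    ports = (80, 443, 53, 22, 8080)
    return [Flow(w, f"10.0.0.{(i * 3 + w) % 5 + 1}",
                 f"203.0.113.{(i * 7 + w) % 20}",
                 ports[(i + w) % 5]) for i in range(n)]


def make_scan_window(w, n=40):
    return [Flow(w, "10.0.0.9", "198.51.100.7", 1000 + i) for i in range(n)]


BENIGN = [x for w in range(8) for x in make_normal_window(w)]
OBSERVED = ([x for w in range(8, 11) for x in make_normal_window(w)]
            + make_scan_window(11))


def triage(observed=OBSERVED, benign=BENIGN):
    """Run both phases; returns {window: {"features": [...], "streams": [...]}}."""
    baseline = build_baseline(benign)
    by_window = group_by_window(observed)
    return {w: {"features": devs, "streams": dominant_streams(by_window[w])}
            for w, devs in flag_windows(observed, baseline).items()}


if __name__ == "__main__":
    for w, info in triage().items():
        print(f"window {w}: deviant {info['features']}, inspect {info['streams']}")
```

The floor on the spread matters in practice: a baseline built from very regular traffic has near-zero variance, and without a floor any tiny fluctuation would be flagged. The entropy features here are also direction-free (a flat scan raises port entropy while a beacon to a single host lowers destination entropy), which is why the deviation test is two-sided.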
Keywords/Search Tags: Advanced Persistent Threats, Entropy, Machine learning, Support Vector Machine, Data Gravitation Classification