| With the rapid development and popularization of network information technology,internet has become an indispensable element of human life.However,the issue of internet security is increasingly serious at the same time and become a big threat to the healthy development of informatized society gradually.Advanced Persistent Threat(APT)has become the biggest cyber threat faced by countries,governments,and enterprises,because of its advanced attack methods and huge perniciousness.APT targets at the secrets or data of countries,governments,military,and enterprises,with most importance and highest value.APT sometimes even destroys the targeted network and industrial facilities after stealing their information.APT attacks are technically supported by groups with rich resources and top technology personnel who are proficient in network technologies.They are always able to discover and exploit odays,create new variants of malware,and disarm traditional internet security defense facilities,such as signature-based intrusion detection systems and firewalls.As a result,the detection of APT attacks has become one of the most important research contents in the field of network security today.Previous researches showed that although the malware used by APT attacks has kept updating,the communication modes between malware and Control and Command(C&C)servers are often similar.This paper,based on the analysis of abnormal communication behavior of APT attack's remote-control phase,designed detection systems according to related characteristics of TCP flow and DNS traffic.The main research contents and outcomes of this study are as follows:1.This study analyzed a great number of APT attack sample and extracted TCP flow characteristics as APT attack malware communicated with C&C server.Based on these characteristics,a detection prototype system of APT attack depth flow was designed.2.In order to improve the detection accuracy of APT attack depth flow detection prototype system,a multi-window correlation detection algorithm based on continuous hypothesis testing is proposed in this paper.The origin IP is employed as the identifier to store suspicious session flow information,and only send an alarm when the algorithm discriminates the attacked traffic.This detection algorithm greatly improves the accuracy of the detention system and reduces the false alarm rate.3.This study analyzed some examples of APT attacks against DNS flow,extracted the DNS flow characteristics from multiple feature space dimensions,and design an APT attack detection model based on malicious DNS traffic characteristics.4.Since the single classifier based on a single feature space descriptor often ignores information in other feature spaces,the model detection performance is poor.In order to improve the precision of model detection,a voting rule based on classifier confidence is designed to comprehensively vote test results of each feature space. |
PDF Full Text Request