
Detection Of APT Attacks Based On DNS Request Sequence

Posted on: 2021-04-04
Degree: Master
Type: Thesis
Country: China
Candidate: M Li
Full Text: PDF
GTID: 2428330620472176
Subject: Computer technology

Abstract/Summary:
In the field of information security, the Advanced Persistent Threat (APT) has received increasing attention and has become a major form of cyber threat. APT attacks mainly target the internal networks of particular organizations, with the aim of sabotage or the theft of confidential data. Their targets span a wide range of areas, including military, political, scientific research, financial and industrial control systems. To achieve sabotage or theft, attackers formulate highly targeted intrusion plans, which cause huge losses to the affected institutions or enterprises, and even to the country. APT attacks are not only targeted and purposeful but also difficult to detect. Before reaching their final goal, APT activities remain hidden in the target network for a long time: they conceal themselves in legitimate activity or traffic and continually escalate their privileges within the target system, which makes detection difficult. With the frequent occurrence of APT cases such as "Aurora" and "Stuxnet", which shocked the world, government departments, security vendors and scientific research institutions around the world have gradually increased their attention to and research on APT. Kaspersky, FireEye and other security vendors publish a large number of technical reports on real APT cases every year. Academia has also studied APT attacks comprehensively, divided the APT attack life cycle into stages, and proposed defense strategies and detection methods for each stage.

Because DNS logs record the requests that APT activities make to the outside, detecting malicious domain names through DNS log analysis in order to detect APT has become a hot research area. The problem with existing methods, however, is that domain name features are not universally applicable and are easily circumvented: attackers can adjust their domain name generation strategy according to published detection methods and thereby invalidate them; the number of available malicious samples is limited; and rapidly changing sets of malicious domain names also reduce the effectiveness of graph-based detection methods. Moreover, because of the long-term latency of APT attacks, the temporal regularity of APT activity is ignored by most methods. After studying a large number of technical reports on real APT cases, we found that APT attacks leave many temporal regularities in DNS logs, and these should not be ignored. We therefore need to analyze the sequence of DNS requests sent by each host and explore its temporal regularity in order to identify infected hosts.

To address the limitations of existing methods, this paper proposes a detection method from a different angle. Its focus is the main object targeted by attackers, the host, rather than the easily evaded features of the domain names themselves. This paper summarizes the temporal regularities of host DNS request sequences mentioned in a large number of APT reports and formulates them as assumptions; the proposed detection method is built on these assumptions. The assumptions are quantified into feature vectors, and unsupervised learning is used to find hosts suspected of being infected. The detection method consists of data acquisition and preprocessing, feature extraction, and generation of a suspicious list. We added simulated attack data derived from a large number of technical reports to a real large-scale campus network dataset of 200,000 hosts and to the public dataset from 4tu.researchdata, conducted experiments, and verified the effectiveness of the method for each individual feature. In addition, we used the same datasets to carry out comparative experiments with related work. The experimental results verify the effectiveness and performance of our method, as well as the limitations of existing methods. We also fully consider the feasibility of the method, to ensure that it is highly available, portable and extensible. The method can detect infected hosts on its own or be combined with other methods, making it an important complement to a complete defense system.
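As an added illustration of the pipeline the abstract outlines (per-host DNS request sequences, temporal-regularity features, unsupervised scoring, and a suspicious list), the following Python example is not the thesis's code and does not reproduce its feature set. The two features it uses (the share of inter-request gaps close to the median gap, and the fraction of requests at night), the robust z-score scoring, the thresholds, and the synthetic log it builds are all this example's own assumptions.

```python
"""Per-host DNS request-sequence features with unsupervised outlier ranking.
Added example, not the thesis's code: parse log lines, group by source host,
extract temporal-regularity features, score hosts with robust z-scores, list
outliers. Features, thresholds and the synthetic log are assumptions."""
import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

MIN_REQUESTS = 5       # (host, domain) pairs with fewer requests are not judged periodic
GAP_TOLERANCE = 0.10   # gaps within +/-10 % of the median gap count as "regular"
NIGHT_HOURS = range(0, 6)
SCORE_THRESHOLD = 5.0  # sum of positive robust z-scores above which a host is listed
Z_CAP = 10.0           # cap so a tiny MAD cannot let one feature dominate the score


def build_sample_log(days=3, seed=7):
    """Constructed synthetic log, lines "<ISO time> <host> <domain>": five hosts
    with irregular, mostly daytime browsing, and host 10.0.0.6 querying one
    domain every 1800 s around the clock (beacon-like behaviour)."""
    rng = random.Random(seed)
    start = datetime(2021, 3, 1)
    domains = ["www.example.com", "cdn.example.org", "mail.example.net", "news.example.com"]
    lines = []
    for i in range(1, 6):
        for _ in range(60 * days):
            if rng.random() < 0.05:                       # occasional late-night query
                second = rng.randrange(0, 6 * 3600)
            else:                                         # working hours 08:00-20:00
                second = rng.randrange(8 * 3600, 20 * 3600)
            ts = start + timedelta(days=rng.randrange(days), seconds=second)
            lines.append(f"{ts.isoformat()} 10.0.0.{i} {rng.choice(domains)}")
    for k in range(days * 48):                            # one query every 1800 s
        ts = start + timedelta(seconds=1800 * k)
        lines.append(f"{ts.isoformat()} 10.0.0.6 update-check.example.net")
    return lines


def group_by_host(lines):
    """host -> domain -> chronologically sorted request times."""
    seqs = defaultdict(lambda: defaultdict(list))
    for line in lines:
        ts, host, domain = line.split()
        seqs[host][domain].append(datetime.fromisoformat(ts))
    for domains in seqs.values():
        for times in domains.values():
            times.sort()
    return seqs


def regular_gap_fraction(times):
    """Share of inter-request gaps within GAP_TOLERANCE of the median gap:
    1.0 is a perfectly periodic sequence, 0.0 too few requests or no regularity."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < MIN_REQUESTS - 1:
        return 0.0
    med = statistics.median(gaps)
    if med <= 0:
        return 0.0
    return sum(1 for g in gaps if abs(g - med) <= GAP_TOLERANCE * med) / len(gaps)


def host_features(domain_seqs):
    """Two features, both oriented so that larger means more suspicious."""
    all_times = [t for times in domain_seqs.values() for t in times]
    periodicity = max(regular_gap_fraction(times) for times in domain_seqs.values())
    night = sum(1 for t in all_times if t.hour in NIGHT_HOURS) / len(all_times)
    return {"periodicity": periodicity, "night_fraction": night}


def robust_z(value, population):
    """(value - median) / (1.4826 * MAD), capped at +/-Z_CAP; a zero MAD falls
    back to a tiny scale so any deviation from a constant feature stands out."""
    med = statistics.median(population)
    mad = statistics.median(abs(v - med) for v in population)
    scale = 1.4826 * mad if mad > 0 else 1e-9
    return max(-Z_CAP, min(Z_CAP, (value - med) / scale))


def score_hosts(features):
    """Per host, the sum of positive robust z-scores over all features."""
    scores = {}
    for host, feats in features.items():
        scores[host] = sum(
            max(0.0, robust_z(feats[name], [f[name] for f in features.values()]))
            for name in feats)
    return scores


def analyze(lines, threshold=SCORE_THRESHOLD):
    """Full pipeline: features, scores and the suspicious list (most suspicious first)."""
    features = {host: host_features(doms) for host, doms in group_by_host(lines).items()}
    scores = score_hosts(features)
    ranked = sorted(scores, key=scores.get, reverse=True)
    return {"features": features, "scores": scores,
            "suspects": [h for h in ranked if scores[h] > threshold]}


if __name__ == "__main__":
    result = analyze(build_sample_log())
    for host in result["suspects"]:
        f = result["features"][host]
        print(f"{host}: score={result['scores'][host]:.1f} "
              f"periodicity={f['periodicity']:.2f} night={f['night_fraction']:.2f}")
```

The scoring is deliberately population-relative rather than signature-based: a host is listed only because its request timing differs from its peers on the same network, which is the host-centric angle the abstract argues for. On real data the feature set would be extended with the other regularities the thesis derives from APT reports, and the threshold tuned against the false-positive budget of the analysts who consume the list.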
Keywords/Search Tags:APT, DNS request sequence, Temporal patterns, Unsupervised learning