In recent years, the continuous and rapid development of network attack technology has made the network security situation more severe, and advanced persistent threats (APTs) are becoming more destructive and threatening. Spear-phishing is a concept proposed in recent years to describe targeted network attacks, and APTs increasingly use spear-phishing to penetrate target networks. It is an advanced form of phishing, combining social engineering with malicious code, and is widely used to steal sensitive data and take control of network facilities. Spear-phishing attack detection is therefore one of the key technologies for preventing an APT in its early stage: it can intercept and warn of the attack before the main attack is carried out.

Research on spear-phishing attacks is still scarce. Traditional phishing-email detection focuses on detecting phishing websites, whereas spear-phishing attacks are mainly carried out through complex malicious code rather than phishing websites. Spear-phishing also makes full use of social engineering, which renders traditional phishing-email features ineffective. As a result, the detection performance of existing phishing-email detection technology on new spear-phishing attacks is limited.

In response to these issues, this thesis studies spear-phishing attacks in advanced persistent threats. The main research contents are as follows:

1. The characteristics and main processes of advanced persistent threats are summarized, and their key technologies and main defense strategies are analyzed. Taking spear-phishing as the main research content, a spear-phishing attack model is proposed that describes the characteristics, forms, detailed processes, and key technologies of spear-phishing attacks.

2. Spear-phishing attack samples are few and attack forms change frequently, so supervised learning based on large-scale sample analysis is not suitable. This thesis therefore proposes a spear-phishing attack detection method based on anomaly detection, which consists of three parts. Heuristic rule-based email risk assessment uses the characteristics of spear-phishing emails and a keyword-frequency assessment method to evaluate email risk from three aspects: sender, links, and files. Text classification based on text features uses the features of the body text and attachments to categorize mails, so that mails of the same type share the same subject and file form. Email anomaly detection based on reputation and file type inherits some features of phishing emails and adds new ones, namely reputation features and file-type features; anomaly detection techniques are then used to identify abnormal emails. By classifying complex mail data, the method improves the regularity of the mail within each class: a separate anomaly detection model is built for each type of mail, and spear-phishing mail is identified in conjunction with the mail's risk assessment.

3. Through simulation experiments, the detection capabilities of this method and of traditional phishing detection technology against spear-phishing attacks are compared and analyzed. Compared with supervised learning methods, this method does not depend on the number of malicious samples; given a sufficient amount of normal data, it achieves a better detection effect. The experimental results show that this method can effectively identify spear-phishing attacks.
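As an added illustration of the three-part method described in item 2 (this is not the thesis's own code), the following Python sketch scores a mail with heuristic sender/link/file rules, assigns it a coarse type, builds a per-type profile of sender reputation and file types from normal mail only, and flags a mail only when it is both anomalous for its type and risky under the rules. The organisation domain, keyword list, thresholds and the sample mailbox are all constructed assumptions for the demo.

```python
from collections import defaultdict

SUSPICIOUS_WORDS = {"urgent", "password", "verify", "immediately", "confidential"}
EXECUTABLE_TYPES = {"exe", "js", "docm", "scr", "hta"}
ORG_DOMAIN = "@corp.example"  # assumed organisation domain for the demo

# Constructed normal mailbox: stands in for the "sufficient normal data" the
# per-type anomaly models are built from.
NORMAL_MAILS = [
    {"sender": "billing@corp.example", "subject": "Invoice for March", "attachment": "pdf", "links": 0, "body": "please find the invoice attached"},
    {"sender": "billing@corp.example", "subject": "Invoice for April", "attachment": "pdf", "links": 0, "body": "invoice attached as usual"},
    {"sender": "finance@corp.example", "subject": "Invoice reminder", "attachment": "pdf", "links": 1, "body": "reminder the invoice is due"},
    {"sender": "hr@corp.example", "subject": "Meeting agenda", "attachment": "docx", "links": 1, "body": "agenda for the meeting attached"},
    {"sender": "hr@corp.example", "subject": "Meeting notes", "attachment": "docx", "links": 0, "body": "notes from today's meeting"},
]

def risk_score(mail):
    """Part 1: rule-based risk over sender, links and files, plus keyword frequency."""
    score = 2 if not mail["sender"].endswith(ORG_DOMAIN) else 0  # external sender
    score += min(mail["links"], 3)                                # link count, capped
    score += 3 if mail["attachment"] in EXECUTABLE_TYPES else 0   # risky file type
    score += sum(w in SUSPICIOUS_WORDS for w in mail["body"].lower().split())
    return score

def mail_type(mail):
    """Part 2: coarse text classification of the mail by subject topic."""
    subject = mail["subject"].lower()
    return next((t for t in ("invoice", "meeting") if t in subject), "other")

def build_profiles(normal_mails):
    """Part 3 (training): per type, record sender reputation and file-type profile."""
    profiles = defaultdict(lambda: {"senders": set(), "file_types": set(), "max_links": 0})
    for m in normal_mails:
        p = profiles[mail_type(m)]
        p["senders"].add(m["sender"])
        p["file_types"].add(m["attachment"])
        p["max_links"] = max(p["max_links"], m["links"])
    return profiles

def anomaly_score(mail, profiles):
    """Part 3 (scoring): count features outside the type's normal profile."""
    p = profiles.get(mail_type(mail))
    if p is None:
        return 3  # a type never seen in normal mail is maximally anomalous
    return int(mail["sender"] not in p["senders"]) + int(mail["attachment"] not in p["file_types"]) \
        + int(mail["links"] > p["max_links"])

def is_spear_phishing(mail, profiles, risk_threshold=3, anomaly_threshold=2):
    """Final verdict: anomalous for its type AND risky under the heuristic rules."""
    return anomaly_score(mail, profiles) >= anomaly_threshold and risk_score(mail) >= risk_threshold
```

Requiring both signals keeps an internal colleague who simply mails a new topic from being flagged, while a look-alike external sender with a macro document and urgency wording is caught even though it was never seen before.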