
Research On APT Malware Traffic Detection Method Based On Association Rules And Timing Characteristics

Posted on: 2021-01-19
Degree: Master
Type: Thesis
Country: China
Candidate: Y B Zhao
Full Text: PDF
GTID: 2428330623467753
Subject: Computer Science and Technology

Abstract/Summary:
As global network informatization accelerates, the data of enterprises and institutions is increasingly networked and digitized, which also gives attackers the opportunity to monitor those organizations and obtain private data. Attackers frequently plant backdoors, Trojans or other monitoring software on their targets to gain long-term control over them. Commonly used malware of this kind includes Gh0st, DarkComet and Hupigon. In APT attacks, attackers modify their malware to stay concealed, so the number of malware variants keeps growing. Current malware detection relies mainly on signature matching, or on classifying static traffic information directly with machine learning, and both approaches struggle with the growing number of APT malware variants.

To address these problems, this thesis surveys recent malware detection methods and proposes a method that detects malware traffic and identifies which malware the malicious traffic belongs to. The main research contents and contributions are as follows:

1. Feature extraction and difference analysis of APT malware traffic. Static information such as packet timestamps, port numbers and TCP flag bits is extracted from the traffic packets. The variation of inter-packet transmission time differences, of port numbers and of TCP flag bits is then analyzed for different malware. The analysis shows that the variation curves of different kinds of software traffic show certain differences in the time dimension.

2. A method for extracting time-series traffic features with an LSTM, based on the above analysis. The extracted static information is first normalized, and an LSTM model is then used to extract time-series features from it. The LSTM model is also improved in two ways. To strengthen the long-term memory of the LSTM structure, the early time-slice state is passed forward to later time slices, following the residual-network idea; the resulting structure is called RESNET_LSTM. To extract features at several time scales from the normalized data at the same time, data with different time steps are fed in parallel into multiple LSTM structures; the resulting parallel structure is called PARALLEL_LSTM.

3. A malware classification method that combines time-series features with association rules, building on earlier research on static traffic data. It consists of association analysis, construction of a per-class rule base, rule quantization (mapping a packet to a vector whose dimension equals the number of traffic classes, according to the rule base), feature fusion, and finally a machine-learning or deep-learning classifier for multi-class classification of malware traffic.

4. Experimental verification on traffic from 106 kinds of malware collected for this thesis, including Gh0st, DarkComet and Hupigon, together with normal traffic. Using only time-series features, classification accuracy exceeds 94%; using the fused features that combine the quantized rules with the time-series features, accuracy exceeds 96%. Earlier machine-learning methods that classified static traffic features directly reached about 85%. The results show that the proposed method detects malware traffic effectively and with higher accuracy than previous machine-learning methods based on static features.
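The following is an added example, not code from the thesis, that walks through the static feature extraction of item 1 and the rule base, rule quantization and feature fusion of item 3 on two constructed flows. The thesis does not specify how it discretizes packets into items, what support and confidence thresholds it uses, or how a matching rule is scored, so the inter-arrival-time buckets, the size-1 and size-2 itemsets, the support/confidence thresholds and the max-confidence scoring below are all assumptions made for illustration; the flows, ports and class names are made up.

```python
"""Constructed example: per-packet static features, association-rule mining into a
per-class rule base, rule quantization into a class-dimension vector, and fusion of
that vector with the normalized static features. Sample flows are made up."""
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations

# Standard TCP flag bits; "PA" means PSH+ACK, "S" a bare SYN.
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


@dataclass
class Packet:
    ts: float      # capture timestamp in seconds
    sport: int
    dport: int
    flags: str     # TCP flag letters, e.g. "S" or "PA"


def flag_bits(flags: str) -> int:
    return sum(TCP_FLAGS[f] for f in flags)


def static_features(flow):
    """Static per-packet features: inter-arrival time, destination port, flag bits."""
    feats, prev = [], flow[0].ts
    for p in flow:
        feats.append((p.ts - prev, p.dport, flag_bits(p.flags)))
        prev = p.ts
    return feats


def normalize(rows):
    """Min-max scale each column to [0, 1]; a constant column becomes 0."""
    ranges = [(min(c), max(c)) for c in zip(*rows)]
    return [tuple((v - lo) / (hi - lo) if hi > lo else 0.0
                  for v, (lo, hi) in zip(r, ranges)) for r in rows]


def packet_items(p, prev_ts):
    """Discretize one packet into rule items (the time buckets are an assumed choice)."""
    dt = p.ts - prev_ts
    bucket = "dt<0.2" if dt < 0.2 else ("dt<1" if dt < 1 else "dt>=1")
    return frozenset({f"dport={p.dport}", f"flags={p.flags}", bucket})


def mine_rules(labeled_flows, min_support=0.5, min_conf=0.8):
    """Class rule base: an itemset of size 1 or 2 is kept for class c when
    support(itemset | c) >= min_support and confidence(c | itemset) >= min_conf."""
    classes = sorted({c for _, c in labeled_flows})
    counts = {c: defaultdict(int) for c in classes}
    totals = {c: 0 for c in classes}
    for flow, c in labeled_flows:
        prev = flow[0].ts
        for p in flow:
            items = packet_items(p, prev)
            prev = p.ts
            totals[c] += 1
            for k in (1, 2):
                for combo in combinations(sorted(items), k):
                    counts[c][frozenset(combo)] += 1
    rules = {c: {} for c in classes}
    for c in classes:
        for itemset, n in counts[c].items():
            support = n / totals[c]
            conf = n / sum(counts[o].get(itemset, 0) for o in classes)
            if support >= min_support and conf >= min_conf:
                rules[c][itemset] = conf
    return classes, rules


def quantize(p, prev_ts, classes, rules):
    """Rule quantization: one dimension per class, holding the highest confidence of
    any rule of that class whose itemset is contained in the packet's items."""
    items = packet_items(p, prev_ts)
    return [max((conf for iset, conf in rules[c].items() if iset <= items), default=0.0)
            for c in classes]


def fused_features(flow, classes, rules):
    """Feature fusion: normalized static features concatenated with the rule vector."""
    stat = normalize(static_features(flow))
    out, prev = [], flow[0].ts
    for p, s in zip(flow, stat):
        out.append(list(s) + quantize(p, prev, classes, rules))
        prev = p.ts
    return out


# Constructed training flows: a RAT-like beacon (regular, fast PSH+ACK to 8080) and
# a benign HTTPS-like flow (irregular timing to 443). Labels are made up.
FLOW_A = [Packet(0.0, 50000, 8080, "S"), Packet(0.125, 50000, 8080, "PA"),
          Packet(0.25, 50000, 8080, "PA"), Packet(0.375, 50000, 8080, "PA")]
FLOW_B = [Packet(0.0, 50001, 443, "S"), Packet(0.5, 50001, 443, "PA"),
          Packet(2.0, 50001, 443, "A"), Packet(3.5, 50001, 443, "PA")]
SAMPLE = [(FLOW_A, "rat_a"), (FLOW_B, "benign")]

if __name__ == "__main__":
    classes, rules = mine_rules(SAMPLE)
    for c in classes:
        print(c, {tuple(sorted(k)): round(v, 2) for k, v in rules[c].items()})
    for row in fused_features(FLOW_A, classes, rules):
        print([round(x, 2) for x in row])
```

Each fused row has three normalized static columns followed by one column per class, which is the input shape a downstream classifier (or the LSTM of item 2, over a window of rows) would consume. A packet that matches rules of more than one class, for instance a fast packet to port 443, gets non-zero confidence in both dimensions rather than a hard label, which is the point of quantizing rules into features instead of using them as a final decision.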
Keywords/Search Tags:APT malware, Deep learning, Association analysis, Improved LSTM