According to a Kaspersky Lab research report, the Advanced Persistent Threat (APT) remained a major threat in the field of computer security in 2019. Attack groups from different countries have attacked the computer systems of financial, military, diplomatic, telecommunications and power companies, as well as politicians and activists, on a global scale. This kind of attack is characterized by being advanced and difficult to detect; it penetrates, attacks, lurks, spreads and steals information from the target over a relatively long time span. Its low traffic volume, long attack duration, diverse attack methods and real-time evolution make it difficult to detect. As a complex and customized attack process, an APT attack does great harm to existing network security. The entire attack process is very covert: it generates only a small amount of attack behavior over a long span, and that behavior is mixed into a large number of normal activities. Because of the role the Domain Name System (DNS) plays in an APT, the abnormal DNS activity generated in the different attack phases can be used to produce lists of suspicious malicious domain names, which in turn help detect APT attacks. However, several challenges remain in this field: (1) detection methods must cope with long-span log data; (2) the scarcity of attack sample data limits the application of supervised learning; and (3) existing methods do not consider the relationship between response messages and request messages.

To address the problem of long-span log data, this paper proposes an APT Unsupervised Learning Detection framework (AULD), based on unsupervised machine learning, to detect suspicious domain names in APT attacks. Ten characteristics based on host, domain name and time are extracted, and cluster analysis is performed to output a list of suspicious domain names, which can be used for subsequent APT attack analysis. The 1,584,225,274 DNS request records collected in the campus network of Jilin University were used to experimentally verify the correctness of the framework. The experimental results show that the proposed framework can effectively detect suspicious domain names in APT attacks.

To address the problem that the connection between the request message and the response message is unclear, this paper assigns the characteristics of the DNS response message, and of the relationship between the response message and the request message, to the request message, and analyzes the request message as the subject. This yields suspicious DNS request records that could not be obtained before. Using deep learning to analyze the DNS request records, the algorithm performs a threat assessment of the DNS behavior under detection based on the calculated suspicion values. The validity and correctness of the framework were verified using 4,907,147,146 DNS request records collected in the campus network of Jilin University, to which simulated attack data were added. The experimental results show that our method achieves an average accuracy of about 97.6% in detecting suspicious DNS behavior, with a False Positive Rate (FP) of about 2.3% and a Recall of about 96.8%. The proposed framework can effectively detect hidden suspicious DNS behavior in an APT.

This paper studies the detection of APT attacks through DNS behavior from the above two directions and proposes corresponding detection schemes. DNS behavior is evaluated with unsupervised learning methods and deep learning methods, and the results are used to improve the security of the network environment. Through experiments, we show that the work in this paper can help find suspicious DNS behavior.
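The two ideas the abstract describes, joining each DNS response back to its request so the request record carries response-derived features, and scoring per-domain feature vectors with an unsupervised method to produce a suspicious-domain list, can be illustrated on a small scale. The following is an added example written for this page; it is not the paper's AULD code. The ten features it computes are a hypothetical set chosen for illustration (the abstract does not enumerate the paper's ten), the log format and all records are constructed, and a z-score distance from the centroid stands in for the paper's cluster analysis and deep-learning threat assessment.

```python
import math
from collections import defaultdict

# Hypothetical feature set for this example (the paper's own ten features are not
# enumerated in the abstract): host-, name- and time-based, plus response-derived ones.
FEATURE_NAMES = ["queries", "distinct_hosts", "label_entropy", "name_length", "dots",
                 "span_hours", "gap_cv", "nxdomain_ratio", "mean_ttl", "unanswered_ratio"]


def build_sample_log():
    """Constructed DNS log (not real data): request ('Q') and response ('R') records.
    Five ordinary names are queried by four hosts at irregular times and always answered;
    one high-entropy name is queried by a single host every 600 s, mostly gets NXDOMAIN
    with a tiny TTL, and one of its requests never receives a response."""
    log, txid, t = [], 0, 0
    benign = ["www.example.com", "mail.example.com", "cdn.example.net",
              "api.example.org", "static.example.net"]
    hosts = ["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"]
    for i in range(100):
        t += 37 + (i * 53) % 211                 # irregular inter-query gaps
        d, h, txid = benign[i % 5], hosts[(i // 5) % 4], txid + 1
        log.append(dict(ts=t, host=h, txid=txid, kind="Q", domain=d))
        log.append(dict(ts=t + 0.02, host=h, txid=txid, kind="R", domain=d,
                        rcode="NOERROR", ttl=3600))
    bad = "uo3f9qxz2k.example.net"               # constructed placeholder name
    for i in range(12):
        tb, txid = 100 + 600 * i, txid + 1       # fixed-interval beacon
        log.append(dict(ts=tb, host="10.0.0.12", txid=txid, kind="Q", domain=bad))
        if i != 5:                               # request 5 is left unanswered
            log.append(dict(ts=tb + 0.3, host="10.0.0.12", txid=txid, kind="R",
                            domain=bad, rcode="NXDOMAIN" if i % 4 else "NOERROR", ttl=30))
    return log


def join_responses(log):
    """Attach each response to its request via (client host, transaction id) so the
    request record carries rcode and TTL; unanswered requests get rcode=None."""
    responses = {(r["host"], r["txid"]): r for r in log if r["kind"] == "R"}
    joined = []
    for q in log:
        if q["kind"] != "Q":
            continue
        r = responses.get((q["host"], q["txid"]))
        joined.append(dict(q, rcode=r["rcode"] if r else None, ttl=r["ttl"] if r else None))
    return joined


def shannon_entropy(s):
    """Character entropy in bits; algorithmically generated labels score high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def _mean_std(xs):
    m = sum(xs) / len(xs)
    return m, math.sqrt(sum((x - m) ** 2 for x in xs) / len(xs))


def domain_features(joined):
    """One feature vector (order = FEATURE_NAMES) per queried domain."""
    by_dom = defaultdict(list)
    for q in joined:
        by_dom[q["domain"]].append(q)
    feats = {}
    for d, qs in by_dom.items():
        ts = sorted(q["ts"] for q in qs)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        gm, gs = _mean_std(gaps) if gaps else (0.0, 0.0)
        answered = [q for q in qs if q["rcode"] is not None]
        feats[d] = [
            len(qs),
            len({q["host"] for q in qs}),
            shannon_entropy(d.split(".")[0]),
            len(d),
            d.count("."),
            (ts[-1] - ts[0]) / 3600.0,
            gs / gm if gm else 0.0,   # gap coefficient of variation; near 0 means beaconing
            sum(q["rcode"] == "NXDOMAIN" for q in answered) / len(answered) if answered else 0.0,
            sum(q["ttl"] for q in answered) / len(answered) if answered else 0.0,
            1 - len(answered) / len(qs),
        ]
    return feats


def rank_domains(log):
    """Unsupervised scoring: z-score each feature across domains and use the distance
    from the centroid as the suspicion score (a stand-in for the paper's clustering).
    Returns (domain, score) pairs, most suspicious first."""
    feats = domain_features(join_responses(log))
    names = list(feats)
    stats = [_mean_std([feats[n][j] for n in names]) for j in range(len(FEATURE_NAMES))]
    scores = {}
    for n in names:
        z = [(v - m) / s if s else 0.0 for v, (m, s) in zip(feats[n], stats)]
        scores[n] = math.sqrt(sum(x * x for x in z))
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def suspicious_domains(log):
    """Flag domains scoring more than one standard deviation above the mean score
    (an assumed cut-off; a real deployment would tune it on its own traffic)."""
    ranked = rank_domains(log)
    m, s = _mean_std([sc for _, sc in ranked])
    return [d for d, sc in ranked if sc > m + s]


if __name__ == "__main__":
    for d, sc in rank_domains(build_sample_log()):
        print(f"{sc:5.2f}  {d}")
```

Running the script prints each domain with its score; the beaconing, high-entropy, NXDOMAIN-heavy name separates clearly from the five ordinary ones. The join step is what makes the last three features (NXDOMAIN ratio, mean TTL, unanswered ratio) available on the request side, which is the point of the paper's second direction; a system operating on real resolver logs would key the join on the DNS transaction id and client socket rather than the simplified (host, txid) pair used here.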