
Research On Advanced Persistent Threat Detection Technology

Posted on: 2021-10-25    Degree: Master    Type: Thesis
Country: China    Candidate: J N Li    Full Text: PDF
GTID: 2518306047498744    Subject: Computer Science and Technology
Abstract/Summary:
In recent years, cyber attack incidents have continued to occur and the network security situation has become increasingly tense. The Advanced Persistent Threat (APT), a network attack method that has emerged in recent years, accounts for a growing proportion of current network attacks because it is strongly targeted and highly concealed. Traditional network threat detection methods cannot effectively detect APT attacks. The sandbox detection and full-traffic backtracking technologies aimed at APT attacks are also limited: anti-sandbox escape techniques defeat the former, and the extremely high storage requirements of full traffic capture hinder the latter, so APT attacks are difficult to detect accurately. This paper therefore proposes APT attack detection methods for two aspects: DNS traffic characteristics during the attack, and prediction of the APT attack stage.

The paper studies the C & C communication phase of the APT attack life cycle, analyzes the traffic characteristics of the communication between the attacker and the infected host, and, taking DNS request traffic as the starting point, proposes an APT detection method based on suspicious DNS traffic. First, because an APT attack spans a long time and generates a large volume of DNS request data over its life cycle, the method applies a data preprocessing algorithm to the original DNS request records and deletes the trusted DNS request records from the original data. Then the method uses the training data set to train a J48 decision tree, uses machine learning algorithms to screen out suspicious APT attack traffic, and finally ranks the suspicious traffic using the similarity between the suspicious domain name and popular domain names as the scoring basis. Experiments verified the necessity of feature selection in the data preprocessing and machine learning algorithms, and comparative experiments verified the accuracy of detecting APT attacks with the reputation-similarity domain name verification method. The proposed method can detect APT attacks at the point where they invade peripheral devices and perform C & C communication. It overcomes the shortcoming of other detection methods, which are only effective once the target system has been infected on a large scale, and realizes early detection of APT attacks.

To achieve active defense against APT attacks, this paper proposes a method that uses a Hidden Markov Model to predict APT attack stages. In this method, the alarm sequence output by the MLAPT (Machine-Learning Advanced Persistent Threat) detection framework is the observable variable, the APT attack phase is the hidden variable, and the alarm results are correlated with the APT attack phases to establish a hidden Markov model. The BW (Baum-Welch) algorithm is used to train the hidden Markov model, and the Viterbi algorithm and the FW algorithm are used to calculate the most likely attack sequence and to predict the next APT attack stage. The experiments compare the effect of different observation times and of the number of stages predicted ahead on the results, and also compare the method against machine learning prediction algorithms under the same conditions. Compared with other methods, the proposed prediction method has good portability and places no special requirements on the network environment.
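To make the stage-prediction idea concrete, the following added example (not the thesis's code) runs the Viterbi and forward algorithms over an alarm sequence with APT stages as hidden states. The stage names, alarm labels and the START/TRANS/EMIT probabilities are constructed assumptions for illustration; the Baum-Welch training step that would learn them is not shown.

```python
"""Toy HMM for APT stage prediction (added illustration, not the thesis's code).
Stages, alarm labels and probabilities are constructed; real ones come from Baum-Welch."""
STAGES = ["recon", "delivery", "c2", "exfil"]           # assumed hidden stages
ALARMS = ["scan", "malware", "dns_beacon", "bulk_out"]  # constructed alarm labels
START = [0.7, 0.2, 0.1, 0.0]                            # P(first stage)
TRANS = [                     # TRANS[p][s] = P(next stage s | current stage p)
    [0.5, 0.4, 0.1, 0.0],
    [0.1, 0.4, 0.5, 0.0],
    [0.0, 0.1, 0.3, 0.6],
    [0.0, 0.0, 0.2, 0.8],
]
EMIT = [                      # EMIT[s][o] = P(alarm o | stage s)
    [0.7, 0.2, 0.1, 0.0],
    [0.1, 0.7, 0.2, 0.0],
    [0.05, 0.15, 0.7, 0.1],
    [0.0, 0.05, 0.25, 0.7],
]
N = len(STAGES)

def viterbi(alarms):
    """Most likely sequence of stages explaining the observed alarms."""
    obs = [ALARMS.index(a) for a in alarms]
    prob = [START[s] * EMIT[s][obs[0]] for s in range(N)]
    back = []                                   # back[t][s] = best predecessor of s
    for o in obs[1:]:
        ptr = [max(range(N), key=lambda p, s=s: prob[p] * TRANS[p][s]) for s in range(N)]
        prob = [prob[ptr[s]] * TRANS[ptr[s]][s] * EMIT[s][o] for s in range(N)]
        back.append(ptr)
    state = max(range(N), key=lambda s: prob[s])
    path = [state]
    for ptr in reversed(back):                  # follow back-pointers to the start
        state = ptr[state]
        path.append(state)
    return [STAGES[s] for s in reversed(path)]

def forward(alarms):
    """Posterior P(current stage | alarms so far) via the forward algorithm."""
    obs = [ALARMS.index(a) for a in alarms]
    alpha = [START[s] * EMIT[s][obs[0]] for s in range(N)]
    for o in obs[1:]:
        alpha = [sum(alpha[p] * TRANS[p][s] for p in range(N)) * EMIT[s][o]
                 for s in range(N)]
    total = sum(alpha)
    return [a / total for a in alpha]

def predict_next_stage(alarms):
    """Most probable next stage: push the forward posterior one step ahead."""
    nxt = [sum(p * TRANS[i][s] for i, p in enumerate(forward(alarms))) for s in range(N)]
    return STAGES[max(range(N), key=lambda s: nxt[s])]
```

With the constructed alarm sequence scan, malware, dns_beacon, Viterbi recovers recon, delivery, c2, the forward posterior puts most mass on c2, and the one-step prediction is exfil.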
Keywords/Search Tags: APT attack, C&C communication, Hidden Markov model, Viterbi algorithm