
APT Malicious Domain Detection Method Based On DNS Spatio-temporal Features

Posted on: 2022-03-05    Degree: Master    Type: Thesis
Country: China    Candidate: Q Y Zhang    Full Text: PDF
GTID: 2518306524989559    Subject: Master of Engineering
Abstract/Summary:
The rapid development of networks and technology has brought convenience to people's daily life and work, but at the same time some network attacks have caused many security problems. Among them, advanced persistent threat attacks have become one of the biggest threats to network security. An Advanced Persistent Threat (APT) is a persistent and effective attack carried out by an organization against specific victims. These hacker organizations have a high level of expertise and sufficient resources to carry out continuous attacks. Such attacks are difficult to detect: they are highly targeted and able to bypass common security controls such as anti-virus, intrusion detection systems and other mainstream detection technologies. The existing effective approach is to detect malware by analyzing the malicious behaviour generated during C&C communication. However, APT malware usually adopts a low-traffic attack mode, mixing a large amount of normal traffic into each attack step to evade detection and removal, so traditional malware detection methods struggle to detect APT malware in time. Nevertheless, since most APT attacks use DNS to regularly locate the malware's C&C server for information transmission, this behaviour leaves records in the network flow and DNS logs, which gives us an opportunity to identify APT malicious domains.

In view of this, building on related research into DNS-based detection of malicious traffic, this thesis studies the characteristics of APT malicious domain attacks in depth and proposes a detection method based on the temporal and spatial characteristics of DNS. The method converts DNS request times into a string as a preprocessing step. A string periodicity detection algorithm based on a suffix tree then extracts the periodic confidence of the DNS timestamps as the temporal feature. Based on the relationship between domain names and server IP addresses in DNS packets, a DNS association graph is generated, and an improved belief propagation algorithm computes the malicious probability of an unknown domain name, on the basis of a domain name knowledge set, as the spatial feature. The two confidence values are combined into the feature vector of the domain name, and the LightGBM algorithm is selected for training and detection.

Finally, the thesis evaluates the proposed method on a data set that combines Contagio and other public data sets with self-collected traffic. The experimental results show that the proposed method improves accuracy and recall compared with other methods: detection accuracy reaches 96.6% and recall reaches 97.2%. Since the method is independent of packet payloads, it can also handle encrypted and obfuscated traffic, which is a further advantage of the proposed method.
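The two features the abstract describes, as an added example that is not the thesis's own code. It runs on a constructed DNS log (documentation-only names and IP ranges). The temporal feature follows the abstract's idea of turning query times into a string: here inter-arrival gaps are quantised into one letter each, and a simple shift-and-compare scan over candidate periods stands in for the suffix-tree periodicity algorithm. The spatial feature uses standard loopy belief propagation over a domain/IP association graph with a small seed "knowledge set"; the thesis's improved variant is not reproduced. The bin width, the edge potential `eps`, the seed priors and the log itself are all assumptions made for illustration.

```python
"""Added example (not the thesis's code): a toy version of the two DNS features
described in the abstract, computed over a constructed DNS log.

Temporal feature: per-domain timestamps -> inter-arrival gaps -> one symbol per
quantised gap -> periodicity confidence of that string (shift-and-compare scan
used here instead of the thesis's suffix-tree algorithm).

Spatial feature: domain <-> resolved-IP graph with seed labels, on which plain
loopy belief propagation yields P(malicious) for every unlabelled domain.
"""
from collections import defaultdict
from math import prod

# Constructed sample log: (unix time, queried name, answered IP).  Only
# RFC 5737 / RFC 2606 documentation ranges; no real infrastructure is meant.
DNS_LOG = [
    # beacon.example: ~300 s check-ins with a few seconds of jitter
    *[(t, "beacon.example", "203.0.113.10")
      for t in (1000, 1302, 1598, 1901, 2199, 2500, 2803, 3098)],
    # cdn.example: bursty, human-driven lookups
    *[(t, "cdn.example", "198.51.100.5")
      for t in (10, 15, 62, 74, 259, 262, 350, 990, 1011)],
    # seed domains that only contribute graph edges
    (1200, "known-bad.example", "203.0.113.10"),
    (1300, "good.example", "198.51.100.5"),
]

# Knowledge set: (P(benign), P(malicious)) priors for labelled domains (assumed).
PRIORS = {
    "known-bad.example": (0.01, 0.99),
    "good.example": (0.99, 0.01),
}


def interval_string(timestamps, bin_seconds=20):
    """Encode inter-arrival gaps as letters: a gap of about k*bin_seconds -> chr('a'+k)."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return "".join(chr(ord("a") + min(round(g / bin_seconds), 25)) for g in gaps)


def periodicity_confidence(s):
    """Return (period, confidence): the shift p <= len(s)/2 under which the
    largest fraction of symbols repeats.  1.0 means a perfectly regular beacon."""
    n = len(s)
    if n < 4:  # too few gaps to claim any periodicity
        return 0, 0.0
    best_p, best = 0, 0.0
    for p in range(1, n // 2 + 1):
        score = sum(s[i] == s[i - p] for i in range(p, n)) / (n - p)
        if score > best:
            best_p, best = p, score
    return best_p, best


def belief_propagation(edges, priors, eps=0.1, iters=20):
    """Loopy BP over a domain/IP graph.  States: 0 = benign, 1 = malicious.
    eps is the assumed chance that an edge joins nodes of different classes
    (homophily).  Returns P(malicious) for every node."""
    nbrs = defaultdict(set)
    for dom, ip in edges:
        nbrs[dom].add(ip)
        nbrs[ip].add(dom)
    psi = ((1 - eps, eps), (eps, 1 - eps))            # edge potential psi[x_i][x_j]
    phi = {n: priors.get(n, (0.5, 0.5)) for n in nbrs}  # node priors, unknown = 0.5
    msg = {(i, j): (1.0, 1.0) for i in nbrs for j in nbrs[i]}
    for _ in range(iters):  # synchronous message updates
        new = {}
        for (i, j) in msg:
            out = []
            for xj in (0, 1):
                out.append(sum(
                    phi[i][xi] * psi[xi][xj]
                    * prod(msg[(k, i)][xi] for k in nbrs[i] if k != j)
                    for xi in (0, 1)))
            s = out[0] + out[1]
            new[(i, j)] = (out[0] / s, out[1] / s)
        msg = new
    beliefs = {}
    for n in nbrs:
        b = [phi[n][x] * prod(msg[(k, n)][x] for k in nbrs[n]) for x in (0, 1)]
        beliefs[n] = b[1] / (b[0] + b[1])
    return beliefs


def build_features(log, priors):
    """Map each queried domain to (periodicity confidence, P(malicious))."""
    times, edges = defaultdict(list), set()
    for ts, qname, ip in log:
        times[qname].append(ts)
        edges.add((qname, ip))
    beliefs = belief_propagation(sorted(edges), priors)
    return {d: (periodicity_confidence(interval_string(t))[1], beliefs[d])
            for d, t in times.items()}


if __name__ == "__main__":
    for dom, (t_conf, p_mal) in build_features(DNS_LOG, PRIORS).items():
        print(f"{dom:20s} periodicity={t_conf:.2f} p_malicious={p_mal:.3f}")
```

On this log the beacon domain scores a periodicity confidence of 1.0 (every quantised gap is the same symbol) and, because it shares a resolver answer with the seeded malicious domain, a malicious probability around 0.81; the CDN-like domain scores 0.25 and around 0.19. The thesis feeds this two-element vector to LightGBM, which is omitted here; in practice the quantisation width sets how much jitter a beacon may show before its periodicity drops, and the homophily parameter controls how far seed labels propagate across shared IPs, which is worth checking against shared hosting before trusting the spatial score.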
Keywords/Search Tags:Advanced persistent threats, periodic detection, DNS traffic, graph mining algorithms