
Research On APT Attack Sample Acquisition And Analysis Method Based On Probe And Neural Network

Posted on: 2022-03-15
Degree: Master
Type: Thesis
Country: China
Candidate: H J Gu
Full Text: PDF
GTID: 2518306524998609
Subject: Computer technology

Abstract/Summary:
In recent years, national finance, government and other infrastructure sectors have been suffering from advanced persistent threat (APT) attacks. However, because analysis samples are scarce, research on APT attacks has not made breakthrough progress. With the occurrence of power outages and the theft of the NSA weapons arsenal, people have gradually turned their attention to this kind of cyber attack, which has a long duration, high attack complexity and high harm. Because traditional access control, black-and-white lists and other detection methods cannot cope well with APT attacks, some artificial intelligence methods have also been applied to detect them. Most existing research focuses on anomaly detection of certain samples or on macro game-theoretic methodology, and has not paid special attention to the overall process of this staged attack. For this reason, this thesis starts from the latest theoretical framework and conducts an in-depth analysis of the phase characteristics of APT attacks. Starting from the attack surface of each phase, it summarizes and simplifies the steps required to launch an APT attack. Based on this theory, a targeted detection method is designed for the common attack methods in the payload delivery and lateral movement phases, and the effectiveness of the detection method is verified by simulated attack experiments. Finally, the improved neural network is used to predict and analyze the attack samples intercepted by the detection method, achieving a higher accuracy rate and a lower loss rate. The detection system detects APT behavior from multiple dimensions such as logs and traffic. It combines active defense honeypots and passive traffic probes to effectively intercept attack samples. At the same time, it uses neural networks to predict attack samples, reaching an accuracy of about 90%; the prediction result reflects the attacker's intention well and provides guidance for subsequent defense. The specific content is as follows.

(1) Based on the existing Kill Chain and MITRE ATT&CK frameworks, a more concise and applicable four-stage theoretical framework is summarized. Based on this framework, the attack methods most commonly used by attackers in the payload delivery and lateral movement stages are analyzed. Through a simulated attack experiment following these four stages, an APT attack aimed at mining is reproduced, which verifies the validity of the theoretical framework proposed in this thesis.

(2) A mail gateway and an SMTP traffic probe are designed for the phishing emails that deliver malware in the payload delivery stage. Common malicious email attachments are analyzed from the email header, email body and email attachments; the probe also supports restoring emails from traffic. For the attacker's use of the SMB protocol for lateral movement, an SMB traffic probe and an active defense honeypot are designed. The SMB traffic probe supports discovering suspected lateral movement behaviors, such as SMB file-sharing activity, from the traffic, while the virtual Honeytoken of the active defense honeypot can effectively prevent pass-the-hash (hash transfer) attacks during lateral movement. The simulated attack experiment shows that the attack behavior can clearly be found from the traffic and logs.

(3) Both passive traffic probes and active defense honeypots essentially intercept the attack samples that attackers use when launching attacks. Based on these attack samples, a sandbox execution detection method is proposed: the malware is run in an isolated sandbox, the system APIs it calls at runtime are used as input, and the improved neural network predicts the type of malicious attack. Experiments show that the model achieves 90% accuracy and a loss close to 0.43 on an 8-class classification task. Compared with other models, the improved neural network has higher accuracy and lower loss.
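As an added illustration of the SMB probe and Honeytoken logic described in part (2) (example code written for this page, not the thesis author's system), the snippet below runs two detections over a constructed log of SMB sessions: a fan-out rule that flags a source reaching administrative shares on several hosts within a short window, and a decoy-account rule that flags any session authenticated with a Honeytoken account. The log format, share names and account names are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of SMB session records in a format assumed for this example
# (timestamp, source IP, destination IP, account, share); not taken from the thesis.
SAMPLE_LOG = """\
2022-03-01T10:00:01 10.0.0.5 10.0.0.20 corp\\svc_backup ADMIN$
2022-03-01T10:00:03 10.0.0.5 10.0.0.21 corp\\svc_backup C$
2022-03-01T10:00:04 10.0.0.5 10.0.0.22 corp\\svc_backup ADMIN$
2022-03-01T10:00:06 10.0.0.5 10.0.0.23 corp\\svc_backup C$
2022-03-01T10:30:00 10.0.0.7 10.0.0.20 corp\\alice Public
2022-03-01T10:31:00 10.0.0.7 10.0.0.21 corp\\alice Public
2022-03-01T11:00:00 10.0.0.9 10.0.0.30 corp\\da_legacy C$
"""

ADMIN_SHARES = {"ADMIN$", "C$"}            # shares typically used for remote copy/execution
HONEYTOKEN_ACCOUNTS = {"corp\\da_legacy"}  # decoy accounts (assumed): any use is an alert

def parse_records(text):
    """Parse whitespace-separated records into sorted (time, src, dst, account, share)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash the probe
        ts, src, dst, account, share = parts
        records.append((datetime.fromisoformat(ts), src, dst, account, share))
    return sorted(records)

def detect_lateral_movement(records, window=timedelta(minutes=5), min_hosts=3):
    """Map src -> sorted hosts for sources touching admin shares on at least
    min_hosts distinct hosts inside one time window (the fan-out of lateral movement)."""
    per_src = defaultdict(list)
    for ts, src, dst, _account, share in records:
        if share.upper() in ADMIN_SHARES:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        for i, (t0, _) in enumerate(events):  # sliding window over time-sorted events
            hosts = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts[src] = sorted(hosts)
                break
    return alerts

def detect_honeytoken_use(records):
    """Return (src, dst, account) for every session authenticated with a decoy account."""
    return [(src, dst, acct) for _, src, dst, acct, _ in records
            if acct.lower() in HONEYTOKEN_ACCOUNTS]
```

On the sample above, the fan-out rule flags only 10.0.0.5, and the Honeytoken rule flags the single session from 10.0.0.9; ordinary access to the Public share by 10.0.0.7 raises nothing.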
Keywords/Search Tags: Advanced Persistent Threat, Flow probe, Honeypot, Neural Networks, Simulation