Two statistical traffic features for certain APT group identification

Liu, Jianyi; Liu, Ying; Li, Jingwen; Sun, Wenxin; Cheng, Jie; Zhang, Ru; Huang, Xingjie; Pang, Jin

doi:10.1016/j.jisa.2022.103207

Cited by 2 publications

(1 citation statement)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…All APT attacks can be roughly divided into the following five phases: information gathering, embedded intrusion, communication control, lateral penetration, and data returning [ 7 , 8 ]. In the communication control phase, the malware usually uses DNS protocol to communicate with C&C servers, so building detection models for the anomalous DNS traffic characteristics exhibited throughout the process of establishing communication channels between the controlled hosts and C&C servers during APT attacks is an effective approach to detecting APT attacks [ 9 , 10 , 11 , 12 ]. However, most of the current approaches for detecting APT attacks based on anomalous DNS traffic have the following two problems: (1) the lack of means to count or reduce the DNS traffic, which leads to low effectiveness of training and testing on massive traffic datasets; (2) most of the DNS traffic features currently proposed for detecting APT attacks focus on the domain name itself, lacking a relationship between requests and accesses and time-dependent features.…”

Section: Introductionmentioning

confidence: 99%

APT Attack Detection Scheme Based on CK Sketch and DNS Traffic

Xue

Chi

et al. 2023

Sensors

View full text Add to dashboard Cite

In recent years, Advanced Persistent Threat (APT) attacks against sensors have emerged as a prominent security concern. Due to the low level of protection provided by sensors, APT attack organizations are able to develop intrusion schemes that allow them to infiltrate, attack, lurk, spread, and steal information from the target over an extended period of time. Through extensive research on the APT attack process and current defense mechanisms, it has been found that analyzing Domain Name Server (DNS) traffic in the communication control phase is an effective way of detecting APT attacks. However, analyzing APT attacks based on traffic usually involves the detection of a vast amount of DNS traffic, and current data preprocessing methods do not scale down data effectively, leading to low detection efficiency. In previous work, most efforts have been focused on calculating the features of request messages or corresponding messages without considering the association between request messages and corresponding messages. To address these issues, we propose a sketch-based APT attack traffic detection scheme. The scheme leverages the sketch structure to count and compress network traffic, improving the efficiency of APT detection. Our work also analyzes the limitations of traditional sketches in network traffic and proposes an improved sketch scheme. In addition, we propose several effective features for detecting APT attacks. We validate and evaluate our solution using 1,088,280 DNS traffic from a lab network and APT suspicious traffic from netresec and contagio, using eight machine learning models. The experimental results show that for the ExtraTrees model, our solution has a processing time of 0.0638 s and an accuracy of 0.97920, reducing the processing time by approximately 50 times and improving detection accuracy by a small margin compared to a dataset without sketch processing.

show abstract