
APT Attack Modeling And Detection Technology Based On Depth Analysis Of Whole Network Traffic And Logs

Posted on: 2020-05-09
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J Z Lu
Full Text: PDF
GTID: 1368330596475920
Subject: Information security
Abstract/Summary:
In recent years, major cyberattacks have emerged in an endless stream, posing serious threats to enterprises, institutions and governments; in severe cases national security itself is endangered. The main cause is the Advanced Persistent Threat (APT), which is characterized by a high level of sophistication, long duration and high threat. Its advanced nature shows in novel attack methods, diverse technical means and designs customized to the characteristics of the target. It is also highly concealed and extremely difficult to detect, so it can keep attacking for a long time, and it may continue until it succeeds: its success rate is very high and the damage is extremely great. APT detection is currently a major technical problem in academia, on which many scholars have spent considerable effort. Among their results, APT node modeling, traffic detection and log analysis have made some progress, but the specific technical methods still need improvement.

This paper first surveys the classic cases, attack patterns and defensive measures of APT attacks, and combines the APT detection schemes proposed by domestic and foreign researchers and information security practitioners to identify the technical bottlenecks and detection difficulties in APT detection. For the initial stage of an APT attack, it analyzes network device logs from the network layer to the application layer, performs network traffic detection for APT attacks, and models the botnets commonly used in them. Considering the diversity of APT attacks, it also detects hardware Trojan signals from the physical layer to the data link layer, then formalizes APT network intrusion and establishes a network node model. The work therefore centers on APT detection and modeling based on deep analysis of network traffic and logs, in order to defend further against APT attacks. The main research contents of each part are as follows:

1. Traffic-based APT detection usually relies on a single protocol. This paper proposes a temporal multi-protocol detection algorithm that filters traffic by computing the relationship between attack time and the number of packets. The algorithm brings temporal features, traffic features, content features and combined features into detection. A real APT data set is used for testing and for comparison with other methods; the experimental results show a false positive rate of only 3% and a false negative rate of 2.95% for detection from the network layer to the application layer. For hardware Trojans in APT, the paper also proposes an electromagnetic signal intrusion detection algorithm based on big data analysis. Because an abnormal hardware signal source shows different power characteristics at different positions, the algorithm combines feature comparison and signal analysis with machine learning classification to detect anomalies in physical-layer data, and locates the signal source by three-point positioning and signal attenuation. Comparative experiments show an anomaly detection accuracy of 96.6%; the method detects and classifies abnormal electromagnetic signals well and realizes detection from the physical layer to the data link layer, which has considerable reference value for APT defense and information protection.

2. To address the difficulty of restoring an APT attack path, this paper proposes a multi-stage APT network intrusion detection algorithm based on traffic and network device logs. The algorithm correlates flow information with log information and improves the Restricted Boltzmann Machine (RBM) algorithm to enlarge the detection surface, thereby improving detection accuracy. Test results show that both the false positive rate and the false negative rate are below 3%. The algorithm can also restore the path of the APT network intrusion, reflecting the current state of the network devices and their abnormal behavior. Experiments on four kinds of network attacks commonly used by APT show that it achieves attack reconstruction and path backtracking, which helps prevent APT attacks in their initial stage.

3. To address the difficulty of detecting the botnets used in APT attacks, this paper proposes a modified Susceptible-Exposed-Infective-Recovered-Susceptible (SEIRS) model. The model adds a latency factor so that it is closer to the APT attack mode and reflects more accurately the propagation characteristics of botnet hosts in a real network. On this basis, a control strategy for scale-free botnets is proposed, which provides a theoretical basis for detecting, tracking and containing botnets. Under this strategy, traffic detection of Fast-flux botnets, one class in the botnet classification, is also carried out. Simulation results show that the model and strategy can identify not only Fast-flux botnets but also multiple other types of botnets, which lays a good foundation for identifying unknown botnets and APT attacks in the future.

4. After an APT attack, the defensive capability of the network channel is weakened. This paper proposes a network intrusion feature mapping node equalization algorithm based on improved variable-step-size constant-modulus blind equalization (MISO-VSS-MCMA). The algorithm constructs a node transport channel model for the network after APT intrusion and uses a variable-structure feedback link control method to process the intrusion nodes sequentially. Diversity spread spectrum technology is then used to compensate the channel loss after the intrusion, and the network intrusion mapping feature is extracted. Finally, according to the extracted feature vector, the MISO-VSS-MCMA method performs channel equalization on the cost function, which reduces the damage done by the APT intrusion to the network channel while improving the balance of the network intrusion feature mapping nodes and their resistance to intrusion. Simulation results show that the proposed method has better anti-interference ability, stronger signal recovery capability, a lower bit error rate, and improved equalization performance and anti-intrusion capability.
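The following is an added illustration of the ideas in items 1 and 2, not code from the dissertation: per-window packet counts summed across protocols (the temporal and traffic features of item 1) select suspicious windows, and device log lines for the same host and window are correlated with them to rebuild the ordered stages of the intrusion (the path restoration of item 2). The window size, the burst thresholds, the record layouts and every flow and log line below are constructed assumptions; the dissertation's RBM-based classifier is not reproduced here.

```python
"""Windowed multi-protocol packet counting correlated with device logs to
rebuild an attack path.  Added example; thresholds and data are assumptions."""
from collections import defaultdict
from statistics import median

WINDOW = 60          # seconds per time window (assumed)
BURST_FACTOR = 3.0   # suspicious if packets > 3x the host's median window (assumed)
MIN_PACKETS = 50     # ... and the window carries at least this many packets (assumed)

# Constructed flow records: (timestamp_s, src, dst, protocol, packets)
FLOWS = [
    (0,   "10.0.0.5", "10.0.0.1",    "DNS",    4),   # background
    (70,  "10.0.0.5", "10.0.0.1",    "DNS",    3),
    (130, "10.0.0.5", "10.0.0.9",    "HTTP",  20),
    (190, "10.0.0.5", "10.0.0.9",    "HTTP",  18),
    (250, "10.0.0.5", "10.0.0.1",    "DNS",    5),
    (300, "10.0.0.5", "203.0.113.7", "DNS",   40),   # stage 1: resolve + fetch payload
    (310, "10.0.0.5", "203.0.113.7", "HTTP", 200),
    (420, "10.0.0.5", "10.0.0.9",    "SMB",  300),   # stage 2: lateral movement
    (430, "10.0.0.5", "10.0.0.9",    "SMB",  250),
    (10,  "10.0.0.9", "10.0.0.1",    "DNS",    6),   # background
    (80,  "10.0.0.9", "10.0.0.1",    "DNS",    5),
    (140, "10.0.0.9", "10.0.0.5",    "HTTP",   7),
    (600, "10.0.0.9", "203.0.113.7", "HTTPS", 900),  # stage 3: exfiltration
]

# Constructed device-log lines: (timestamp_s, device, host, message)
LOGS = [
    (100, "proxy",   "10.0.0.5", "GET /index.html 10.0.0.9 200"),
    (305, "dns",     "10.0.0.5", "A update.example -> 203.0.113.7 (TTL 60)"),
    (312, "proxy",   "10.0.0.5", "GET /update.bin 203.0.113.7 200 2.1 MB"),
    (425, "fw-core", "10.0.0.5", "allow tcp/445 -> 10.0.0.9 new session"),
    (605, "fw-edge", "10.0.0.9", "allow tcp/443 -> 203.0.113.7 out 8.4 MB"),
]


def window_features(flows, window=WINDOW):
    """(src host, window index) -> {protocol: packets}.  The window index is the
    temporal feature, the per-protocol packet count the traffic feature."""
    feats = defaultdict(lambda: defaultdict(int))
    for ts, src, _dst, proto, pkts in flows:
        feats[(src, ts // window)][proto] += pkts
    return feats


def flag_bursts(feats, factor=BURST_FACTOR, min_packets=MIN_PACKETS):
    """Flag windows whose packet total (summed over all protocols, so a burst
    split across DNS and HTTP is still seen) is far above the host's own median."""
    per_host = defaultdict(list)
    for (host, w), protos in feats.items():
        per_host[host].append((w, sum(protos.values())))
    flagged = []
    for host, wins in per_host.items():
        base = median(total for _w, total in wins)
        for w, total in wins:
            if total >= min_packets and total > factor * base:
                flagged.append((w, host))
    return sorted(flagged)


def restore_path(flows, logs, window=WINDOW):
    """Correlate each flagged window with the log lines of the same host in the
    same window and return the stages of the intrusion in time order."""
    feats = window_features(flows, window)
    stages = []
    for w, host in flag_bursts(feats):
        msgs = [f"{dev}: {msg}" for ts, dev, h, msg in logs
                if h == host and ts // window == w]
        stages.append({
            "window_start": w * window,
            "host": host,
            "protocols": sorted(feats[(host, w)]),
            "packets": sum(feats[(host, w)].values()),
            "logs": msgs,
        })
    return stages


if __name__ == "__main__":
    for i, st in enumerate(restore_path(FLOWS, LOGS), 1):
        print(f"stage {i}: t={st['window_start']}s host={st['host']} "
              f"protocols={st['protocols']} packets={st['packets']}")
        for line in st["logs"]:
            print("   ", line)
```

Keying the baseline on each host's own median keeps a busy file server from masking a quiet workstation's burst; the price is that a host with a single observed window can never be flagged, so in practice the baseline should come from a longer history than the detection batch.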
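For the hardware-Trojan part of item 1, here is an added example of locating an abnormal electromagnetic source from the received power at three sensors by "three-point positioning and signal attenuation". It is not the dissertation's code: it assumes a log-distance path-loss model and circle-intersection trilateration, and the sensor positions, reference power, path-loss exponent and source position are constructed.

```python
"""Three-point positioning of an abnormal EM source from received power.
Added example; the path-loss model and all numbers are assumptions."""
import math


def received_power_dbm(p0_dbm, n, d, d0=1.0):
    """Log-distance path loss: power drops 10*n dB per decade of distance."""
    return p0_dbm - 10 * n * math.log10(d / d0)


def distance_from_power(p_dbm, p0_dbm, n, d0=1.0):
    """Invert the model: the distance implied by one received power."""
    return d0 * 10 ** ((p0_dbm - p_dbm) / (10 * n))


def trilaterate(sensors, dists):
    """Subtract the first circle equation (x-xi)^2+(y-yi)^2=ri^2 from the other
    two; the squares cancel and a linear 2x2 system in (x, y) remains."""
    (x1, y1), (x2, y2), (x3, y3) = sensors
    r1, r2, r3 = dists
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = r1 ** 2 - r2 ** 2 - x1 ** 2 + x2 ** 2 - y1 ** 2 + y2 ** 2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = r1 ** 2 - r3 ** 2 - x1 ** 2 + x3 ** 2 - y1 ** 2 + y3 ** 2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-12:
        raise ValueError("sensors are collinear; no unique 2-D fix")
    x = (c1 * b2 - c2 * b1) / det
    y = (a1 * c2 - a2 * c1) / det
    return x, y


def locate(sensors, powers_dbm, p0_dbm, n):
    """Return (x, y, mean residual).  The residual compares each sensor's
    implied distance with the distance to the fitted point; a large value
    means the readings do not describe a single point source (or the model
    constants are wrong), so the fix should not be trusted."""
    dists = [distance_from_power(p, p0_dbm, n) for p in powers_dbm]
    x, y = trilaterate(sensors, dists)
    resid = [abs(math.hypot(x - sx, y - sy) - r)
             for (sx, sy), r in zip(sensors, dists)]
    return x, y, sum(resid) / len(resid)


# Constructed scenario: three sensors, source at (3, 4), P0 = -30 dBm at 1 m,
# path-loss exponent 2.5 (indoor-like); received powers derived from the model.
SENSORS = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0)]
P0_DBM, PATH_LOSS_N = -30.0, 2.5
SOURCE = (3.0, 4.0)
POWERS = [received_power_dbm(P0_DBM, PATH_LOSS_N,
                             math.hypot(SOURCE[0] - sx, SOURCE[1] - sy))
          for sx, sy in SENSORS]

if __name__ == "__main__":
    x, y, resid = locate(SENSORS, POWERS, P0_DBM, PATH_LOSS_N)
    print(f"estimated source: ({x:.3f}, {y:.3f}), mean residual {resid:.3e} m")
```

With real measurements the inversion is sensitive: a 10 dB error at one sensor with n = 2.5 changes its implied distance by a factor of about 2.5, which is why the residual check matters more than the point estimate itself, and why more than three sensors with a least-squares fit is preferable in practice.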
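For item 3, the following added example simulates a standard SEIRS compartment model with an explicit latent period, so that the effect of the latency factor on botnet propagation can be seen numerically. It is not the dissertation's modified model or its scale-free control strategy: the equations are the textbook SEIRS system (S -> E -> I -> R -> S) integrated with fourth-order Runge-Kutta, and the rates, population size and initial infections are constructed.

```python
"""SEIRS botnet propagation with an explicit latent period.  Added example;
the model is textbook SEIRS and the parameters are assumptions."""


def seirs_rhs(state, beta, sigma, gamma, omega, N):
    """dS/dt, dE/dt, dI/dt, dR/dt.  beta: contact rate, sigma: 1/latent period
    (exposed hosts that are compromised but not yet active), gamma: 1/active
    period (cleanup), omega: 1/immunity period (re-exposure after cleanup)."""
    s, e, i, r = state
    new_inf = beta * s * i / N
    return (-new_inf + omega * r,
            new_inf - sigma * e,
            sigma * e - gamma * i,
            gamma * i - omega * r)


def rk4_step(state, dt, *params):
    """One fourth-order Runge-Kutta step; the four rates sum to zero, so the
    total population is conserved exactly."""
    f = lambda st: seirs_rhs(st, *params)
    k1 = f(state)
    k2 = f(tuple(v + 0.5 * dt * k for v, k in zip(state, k1)))
    k3 = f(tuple(v + 0.5 * dt * k for v, k in zip(state, k2)))
    k4 = f(tuple(v + dt * k for v, k in zip(state, k3)))
    return tuple(v + dt / 6.0 * (a + 2 * b + 2 * c + d)
                 for v, a, b, c, d in zip(state, k1, k2, k3, k4))


def simulate(beta, latent_days, infectious_days, immune_days,
             N=1000, I0=10, T=300.0, dt=0.05):
    """Return [(t, (S, E, I, R)), ...] starting from I0 active bots."""
    sigma, gamma, omega = 1.0 / latent_days, 1.0 / infectious_days, 1.0 / immune_days
    state = (float(N - I0), 0.0, float(I0), 0.0)
    t, traj = 0.0, [(0.0, state)]
    for _ in range(int(round(T / dt))):
        state = rk4_step(state, dt, beta, sigma, gamma, omega, N)
        t += dt
        traj.append((t, state))
    return traj


def peak_time(traj):
    """Time at which the number of active bots is largest."""
    return max(traj, key=lambda p: p[1][2])[0]


def endemic_infected(beta, latent_days, infectious_days, immune_days, N=1000):
    """Equilibrium number of active bots for R0 = beta*infectious_days > 1:
    from sigma*E = gamma*I, gamma*I = omega*R and S* = N/R0, the sum
    S+E+I+R = N gives I* = N(1 - 1/R0) / (1 + gamma/sigma + gamma/omega)."""
    sigma, gamma, omega = 1.0 / latent_days, 1.0 / infectious_days, 1.0 / immune_days
    r0 = beta * infectious_days
    if r0 <= 1.0:
        return 0.0
    return N * (1.0 - 1.0 / r0) / (1.0 + gamma / sigma + gamma / omega)


if __name__ == "__main__":
    # Constructed parameters: beta=0.6/day, latent 2 days, active 5 days,
    # immune 20 days -> R0 = 3.
    for latent in (1, 2, 4):
        traj = simulate(0.6, latent, 5, 20)
        t_peak = peak_time(traj)
        print(f"latent {latent} d: peak at day {t_peak:.1f}, "
              f"I(300) = {traj[-1][1][2]:.1f}, I* = {endemic_infected(0.6, latent, 5, 20):.1f}")
```

A longer latent period slows the initial growth (the growth rate r solves (r + sigma)(r + gamma) = beta*sigma) and pushes the peak later, which is the practical point for defenders: hosts sitting in E are already compromised and produce no bot traffic yet, so a detector tuned only to active-bot traffic underestimates the true footprint by E/(E + I).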
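For item 4, the following added example shows the signal-level mechanism behind a variable-step-size constant-modulus blind equalizer with two receive branches (multiple inputs, one output, i.e. diversity combining). It is not the dissertation's MISO-VSS-MCMA algorithm and says nothing about its "feature mapping node" framing: the channel taps, the noise level, the step-size rule (step proportional to a smoothed dispersion error, clamped to a range) and the QPSK test signal are all constructed assumptions.

```python
"""Blind MISO equalization by the constant-modulus criterion with a variable
step size.  Added example; channel, VSS rule and signal are assumptions."""
import math
import random


def qpsk_symbols(n, seed=7):
    """Unit-modulus QPSK source symbols (constructed test signal)."""
    rng = random.Random(seed)
    pts = [complex(1, 1), complex(1, -1), complex(-1, 1), complex(-1, -1)]
    return [rng.choice(pts) / math.sqrt(2) for _ in range(n)]


def fir_channel(sym, taps, noise_std=0.0, seed=11):
    """Multipath FIR channel r[n] = sum_k h[k] s[n-k] plus complex Gaussian noise."""
    rng = random.Random(seed)
    out = []
    for n in range(len(sym)):
        acc = sum((h * sym[n - k] for k, h in enumerate(taps) if n - k >= 0), 0j)
        acc += complex(rng.gauss(0.0, noise_std), rng.gauss(0.0, noise_std))
        out.append(acc)
    return out


def miso_vss_cma(branches, n_taps=7, mu_min=5e-4, mu_max=1e-2, gain=0.03,
                 r2=1.0, beta=0.95):
    """One FIR filter per receive branch, outputs summed into y.  Blind update
    minimises J = E[(|y|^2 - R2)^2]; with y = sum_k w_k x_k the gradient w.r.t.
    conj(w_k) is proportional to (|y|^2 - R2) * y * conj(x_k).  The step size
    follows a smoothed |error| so it is large while far from convergence and
    small near it (assumed VSS rule).  Returns (outputs, |error| history)."""
    n_br = len(branches)
    w = [[0j] * n_taps for _ in range(n_br)]
    w[0][n_taps // 2] = 1 + 0j                 # centre-spike start on branch 0
    bufs = [[0j] * n_taps for _ in range(n_br)]
    y_out, disp, smooth = [], [], 1.0
    for samples in zip(*branches):
        for b, x in enumerate(samples):
            bufs[b] = [x] + bufs[b][:-1]       # shift newest sample in
        y = sum(wk * xk for wb, xb in zip(w, bufs) for wk, xk in zip(wb, xb))
        e = abs(y) ** 2 - r2                   # modulus mismatch
        smooth = beta * smooth + (1 - beta) * abs(e)
        mu = min(mu_max, max(mu_min, gain * smooth))
        g = mu * e * y                         # common gradient factor
        w = [[wk - g * xk.conjugate() for wk, xk in zip(wb, xb)]
             for wb, xb in zip(w, bufs)]
        y_out.append(y)
        disp.append(abs(e))
    return y_out, disp


def mean_dispersion(disp, start, stop):
    seg = disp[start:stop]
    return sum(seg) / len(seg)


def run_demo(n=6000):
    """Two constructed branches with different multipath; returns the mean
    dispersion over the first 300 and the last 1000 symbols."""
    s = qpsk_symbols(n)
    rx_a = fir_channel(s, [1 + 0j, 0.25 - 0.2j], noise_std=0.01, seed=1)
    rx_b = fir_channel(s, [0.8 + 0.1j, -0.3 + 0j], noise_std=0.01, seed=2)
    _y, disp = miso_vss_cma([rx_a, rx_b])
    return mean_dispersion(disp, 0, 300), mean_dispersion(disp, n - 1000, n)


if __name__ == "__main__":
    before, after = run_demo()
    print(f"mean |{'|y|^2 - R2'}|: start {before:.3f}, converged {after:.3f}")
```

The equalizer never sees the transmitted symbols: it only pushes |y|^2 towards the known modulus R2 of the constellation, which is what makes the method "blind" and usable when no training sequence survives the intrusion. A residual phase rotation of the constellation is invisible to this criterion and must be removed separately.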
Keywords/Search Tags: APT attack, whole network traffic detection, log analysis, network node modeling, network node equalization