
Research On Detection Technology For Abnormal Communication In The Advanced Persistent Threat Remote Control Phase

Posted on: 2018-02-12
Degree: Master
Type: Thesis
Country: China
Candidate: W Fang
Full Text: PDF
GTID: 2358330512476771
Subject: Control theory and control engineering

Abstract/Summary:
With the rapid development and widespread application of computer and network technology, great convenience has been brought to people, but also a variety of security problems. In recent years the APT (Advanced Persistent Threat), characterized by zero-day penetration, strong concealment and persistent control, has become the biggest concern in the field of network security and attracts extensive attention from both industry and the scientific community. To resist APT threats, one important problem is how to discover a possible APT attack in our network in time.

Combining APT attack cases with sample data, this paper analyzes the behavioral characteristics of anomalous communication in the remote control phase of an APT attack. On this basis, we design features for detecting anomalous remote-control communication and propose a machine-learning-based anomalous communication detection method with strong applicability. With this method as its core, a detection program for anomalous communication in the remote control phase of APT attacks is designed and implemented, and its effectiveness is verified by experiments. Specifically, this paper completes the following work:

(1) Through in-depth study of the abnormal communication in the remote control phase of APT attacks, this paper analyzes in detail why controlled hosts usually use DGA (domain generation algorithm) dynamic domain names to obtain the C&C server's IP address, how DGA-generated dynamic domain names work, and how they differ from normal domain names. It also analyzes, from several perspectives, the differences in TCP communication behavior between the remote control phase of an APT attack and normal communication. Based on these characteristics, a machine-learning-based abnormal communication detection method is proposed.

(2) Based on a comparison and analysis of the character composition of DGA dynamic domain names and legitimate domain names, the paper designs and extracts multiple features and verifies their discriminating ability on relevant domain name samples. Considering both the accuracy and the efficiency of the detection model, a feature selection algorithm is used to determine the 11 features used for the actual detection of DGA dynamic domain names.

(3) According to the characteristics of TCP communication behavior in the remote control phase of APT attacks, the TCP flow is chosen as the feature extraction source by means of network traffic analysis. Several features are then designed and extracted, and their validity is analyzed on real data. The feature selection algorithm is again used to determine the 10 optimal detection features.

(4) Using the designed features, the performance of detection models built with various machine learning methods is compared and analyzed. Finally, GBDT (gradient boosting decision tree) classifiers are selected as both the DGA dynamic domain name detection model and the abnormal TCP communication detection model. We then design and implement the detection program for anomalous communication in the remote control phase of APT attacks. The program uses the Libpcap interface provided by PF_RING to capture network data, and we design domain name and IP whitelists to reduce the program's workload and false alarm rate. The effectiveness of the detection program is verified by simulation experiments.

Finally, we summarize the whole paper and point out directions for future research.
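The following is an added example, written for this page and not code from the thesis, illustrating the DGA domain-name stage described in items (2) and (4): lexical features are extracted from the registrable label, a domain-name whitelist is consulted first to cut workload and false alarms, and a score decides the verdict. The abstract does not list the thesis's 11 selected features or the trained GBDT model, so the six features, the hand-set threshold rules, the whitelist contents and the sample names below are all assumptions of this example.

```python
import math
from collections import Counter

VOWELS = set("aeiou")

# Hypothetical whitelist of registered domains, standing in for the domain-name
# whitelist the abstract describes (contents are an assumption of this example).
WHITELIST = {"google.com", "microsoft.com"}


def registered_domain(fqdn):
    """Return 'label.tld' for a host name.
    Assumption: single-label public suffixes only (no public-suffix list), so a
    name like 'shop.example.co.uk' would be handled wrongly; fine for the demo."""
    parts = fqdn.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or one-symbol string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def max_consonant_run(s):
    """Longest run of consecutive consonant letters; digits and '-' break a run."""
    run = best = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def extract_features(fqdn):
    """Lexical features of the registrable label (the part left of the TLD).
    These six features are this example's own choice; the thesis's 11 selected
    features are not listed in the abstract."""
    label = registered_domain(fqdn).split(".")[0]
    n = len(label)
    if n == 0:
        raise ValueError("empty label")
    letters = [c for c in label if c.isalpha()]
    return {
        "length": n,
        "entropy": shannon_entropy(label),
        "digit_ratio": sum(c.isdigit() for c in label) / n,
        "vowel_ratio": sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0,
        "max_consonant_run": max_consonant_run(label),
        "unique_ratio": len(set(label)) / n,
    }


def dga_score(f):
    """Hand-set threshold rules standing in for the thesis's trained GBDT classifier
    (an assumption for illustration): one point per rule that fires."""
    return sum([
        f["entropy"] > 3.2,          # many distinct symbols for the length
        f["digit_ratio"] > 0.2,      # digits mixed into the label
        f["vowel_ratio"] < 0.25,     # unpronounceable letter mix
        f["max_consonant_run"] >= 5, # long consonant clusters
        f["length"] > 12,            # unusually long label
    ])


def classify(fqdn):
    """Whitelist short-circuit first (cheap, cuts false alarms), then the score."""
    if registered_domain(fqdn) in WHITELIST:
        return "whitelisted"
    return "dga" if dga_score(extract_features(fqdn)) >= 2 else "legit"


if __name__ == "__main__":
    # Constructed sample names for the demo (not thesis data).
    for name in ["mail.google.com", "wikipedia.org", "example.net",
                 "xk3jq9vz2lw.com", "qwrtypsdfghjkl.net", "a7f9b2c4d8e1.org"]:
        print(f"{name:22s} {classify(name):12s} {extract_features(name)}")
```

The threshold rule shows why a trained classifier is needed rather than hand-set cut-offs: a long legitimate label such as `stackoverflow` has both high entropy and length above 12, so this rule flags it. The whitelist catches known-good domains before any feature is computed, which is the workload and false-alarm reduction the abstract describes.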
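A second added example, again written for this page and not taken from the thesis, illustrates the TCP flow stage of items (3) and (4): flow records are aggregated per (source, destination, port) pair, per-pair behavioral features are computed, an IP whitelist is applied, and a rule flags pairs whose check-ins are regular and near-constant in size. The abstract does not list the thesis's 10 selected flow features, so the feature set, the threshold rule standing in for the GBDT model, and the flow records are all constructed assumptions of this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (not thesis data). Each tuple mirrors what a flow
# exporter built on libpcap would emit per TCP connection:
# (start_ts_seconds, src_ip, dst_ip, dst_port, bytes_out, bytes_in, packets, duration_s)
FLOWS = [
    # A controlled host checking in every 60 s with near-identical small flows.
    (0,   "10.0.0.5", "203.0.113.7", 443, 312, 148, 6, 0.4),
    (60,  "10.0.0.5", "203.0.113.7", 443, 312, 148, 6, 0.4),
    (120, "10.0.0.5", "203.0.113.7", 443, 312, 152, 6, 0.5),
    (180, "10.0.0.5", "203.0.113.7", 443, 312, 148, 6, 0.4),
    (240, "10.0.0.5", "203.0.113.7", 443, 312, 148, 6, 0.4),
    (300, "10.0.0.5", "203.0.113.7", 443, 312, 150, 6, 0.4),
    # The same host browsing a normal site: bursty timing, variable sizes, download-heavy.
    (3,   "10.0.0.5", "198.51.100.20", 443, 1200, 45000, 40, 2.1),
    (10,  "10.0.0.5", "198.51.100.20", 443, 530, 12000, 14, 0.9),
    (98,  "10.0.0.5", "198.51.100.20", 443, 8700, 220000, 180, 6.3),
    (106, "10.0.0.5", "198.51.100.20", 443, 900, 3000, 8, 0.5),
    (413, "10.0.0.5", "198.51.100.20", 443, 2100, 80000, 70, 3.2),
]


def cv(values):
    """Coefficient of variation (population std / mean); 0.0 for degenerate input."""
    if len(values) < 2 or mean(values) == 0:
        return 0.0
    return pstdev(values) / mean(values)


def pair_features(flows):
    """Aggregate flows per (src, dst, dport). The feature set is this example's
    own choice; the thesis's 10 selected features are not listed in the abstract."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f[1], f[2], f[3])].append(f)
    feats = {}
    for key, fl in groups.items():
        fl.sort(key=lambda f: f[0])
        starts = [f[0] for f in fl]
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        out = [f[4] for f in fl]
        inn = [f[5] for f in fl]
        feats[key] = {
            "flow_count": len(fl),
            "interval_mean": mean(gaps) if gaps else 0.0,
            "interval_cv": cv(gaps),                       # 0 means perfectly periodic
            "bytes_out_cv": cv(out),                       # 0 means identical request size
            "in_out_ratio": sum(inn) / sum(out) if sum(out) else 0.0,
            "mean_duration": mean(f[7] for f in fl),
            "mean_packets": mean(f[6] for f in fl),
        }
    return feats


def is_beacon_candidate(f, min_flows=5, max_cv=0.1):
    """Threshold rule standing in for the thesis's GBDT model (assumption): many
    flows, regular spacing, and near-constant request size."""
    return (f["flow_count"] >= min_flows
            and f["interval_cv"] <= max_cv
            and f["bytes_out_cv"] <= max_cv)


def suspicious_pairs(flows, ip_whitelist=frozenset()):
    """Flagged (src, dst, dport) keys, skipping whitelisted destination IPs first,
    as the abstract's IP whitelist does to cut workload and false alarms."""
    return sorted(k for k, f in pair_features(flows).items()
                  if k[1] not in ip_whitelist and is_beacon_candidate(f))


if __name__ == "__main__":
    for key, f in pair_features(FLOWS).items():
        print(key, {k: round(v, 3) for k, v in f.items()})
    print("flagged:", suspicious_pairs(FLOWS))
```

Two design points carry over to real traffic: features are computed on the whole per-pair history rather than on a single flow, because a lone small HTTPS connection is indistinguishable from a check-in, and the whitelist is applied to the aggregated key before any verdict so that known-good destinations never reach the classifier.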
Keywords/Search Tags:Advanced Persistent Threat, DGA dynamic domain name, abnormal communication behavior, machine learning