
Detection of Covert and Suspicious DNS Behavior in Advanced Persistent Threats

Posted on: 2019-09-28 | Degree: Master | Type: Thesis
Country: China | Candidate: X Q Wang | Full Text: PDF
GTID: 2428330548959148 | Subject: Computer system architecture
Abstract/Summary:
In recent years, with the growth of the network, a variety of network security problems have emerged, among which a complex, multi-step attack, the advanced persistent threat (APT), has attracted much attention. APTs jeopardize the safety of enterprises, organizations and even countries, leading to heavy economic losses. An important feature of an APT is that the attacker can keep attacking and can lurk in the target network for a long time. An APT is a new type of security threat in which large organizations or groups use a variety of advanced technical means to mount organized, purposeful, concealed and sustained attacks against designated targets. Unfortunately, current security measures such as firewalls, anti-virus tools and intrusion detection systems cannot detect APTs effectively, and data complexity, computing complexity and system complexity make detection still harder. Recent research has found that analyzing the DNS requests of the target network helps to detect APT attacks. We add a time feature to the DNS traffic and combine it with change vector analysis (CVA) and a reputation score to detect covert and suspicious DNS behavior. In this paper, we propose a new framework, APDD, which detects covert and suspicious DNS behavior in long-term APTs by analyzing a mass of DNS request data. The framework consists of five modules: data collection, data preprocessing, feature extraction, CVA and reputation score. The data collection module collects DNS request data inside the network. The data preprocessing module runs the data reduction algorithm on the DNS request data. The feature extraction module extracts features from the reduced records. The CVA module uses CVA together with a sliding time window method to analyze the similarity between the access records of the domains under test and those of the domains related to the current APT. The reputation score module builds a reputation scoring system that grades the domain access records of high similarity. The APDD framework outputs a list of suspicious domain access records so that security experts can analyze the top-k records in the list, which improves the efficiency of APT detection.
Finally, we use 1,584,225,274 DNS request records from a large campus network, together with simulated attack data, to verify the effectiveness and correctness of APDD. The APDD framework has good flexibility and extensibility. This paper presents a data reduction algorithm and a CAA algorithm. The data reduction algorithm processes the collected DNS request data, reducing its scale and improving the efficiency of data analysis and processing. The CAA algorithm is based on the CVA method and is used to find domain access records similar to the DNS behavior of an APT. In five experiments with different parameters, we record the position of the simulated attack in the ranked list of suspicious domain name access records. The experiments show that the APDD framework can effectively detect covert and suspicious DNS behavior in APTs.
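The pipeline stages summarized in the abstract (sliding-window feature extraction per domain, CVA similarity of each candidate's access records against a known APT-related domain, reputation scoring of the similar ones, and a ranked top-k output) as an added toy example in Python. This is not the thesis's code: the feature set, the window size, the similarity mapping and the scoring weights are assumptions, since the page gives none of them, and the DNS log is constructed inline.

```python
from math import sqrt

WINDOW, STEP = 600, 300  # sliding-window width / stride in seconds (assumed values)

# Constructed sample DNS request log: (unix_time, client_ip, queried_domain).
LOG = []
for t in range(0, 3600, 300):                       # known APT domain: one host, 300 s beacon
    LOG.append((t, "10.0.0.5", "ref-apt.example"))
    LOG.append((t + 7, "10.0.0.9", "cand-a.example"))  # candidate with the same cadence
for t in range(0, 3600, 40):                        # benign domain: frequent, many clients
    LOG.append((t, "10.0.0.%d" % ((t // 40) % 6 + 10), "benign-cdn.example"))

def window_features(log, domain):
    """Per-window feature vector: (request count, distinct clients, mean inter-request gap)."""
    feats = []
    for start in range(0, 3600, STEP):
        rs = sorted((t, c) for t, c, d in log if d == domain and start <= t < start + WINDOW)
        gaps = [b[0] - a[0] for a, b in zip(rs, rs[1:])]
        feats.append((len(rs), len({c for _, c in rs}), sum(gaps) / len(gaps) if gaps else 0.0))
    return feats

def normalise(feat_by_domain):
    """Scale each feature dimension by its global maximum so CVA magnitudes are comparable."""
    mx = [max(f[i] for fs in feat_by_domain.values() for f in fs) or 1 for i in range(3)]
    return {d: [tuple(v / m for v, m in zip(f, mx)) for f in fs] for d, fs in feat_by_domain.items()}

def cva_similarity(ref, cand):
    """Change vector analysis: in each window the change vector is cand - ref; the mean
    magnitude over all windows is mapped to a similarity in (0, 1] (assumed mapping)."""
    mags = [sqrt(sum((b - a) ** 2 for a, b in zip(r, c))) for r, c in zip(ref, cand)]
    return 1.0 / (1.0 + sum(mags) / len(mags))

def reputation(sim, feats):
    """Assumed scoring: high CVA similarity plus a narrow client base reads as suspicious."""
    mean_clients = sum(f[1] for f in feats) / len(feats)  # normalised distinct-client count
    return 0.7 * sim + 0.3 * (1.0 - mean_clients)

def apdd_rank(log, ref_domain, k=5):
    """Return the top-k (domain, similarity, reputation) records for analyst review."""
    domains = {d for _, _, d in log}
    feats = normalise({d: window_features(log, d) for d in domains})
    scored = []
    for d in domains - {ref_domain}:
        sim = cva_similarity(feats[ref_domain], feats[d])
        scored.append((d, round(sim, 3), round(reputation(sim, feats[d]), 3)))
    return sorted(scored, key=lambda x: -x[2])[:k]

if __name__ == "__main__":
    for row in apdd_rank(LOG, "ref-apt.example"):
        print(row)
```

The candidate that beacons on the reference domain's schedule from a single host ranks first with similarity 1.0; the many-client CDN-style domain gets a low score and sinks to the bottom of the list.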
Keywords/Search Tags: APT, DNS request data, data reduction, change vector analysis, reputation score