
APT Detection Research Based On DNS Traffic And Threat Intelligence

Posted on: 2017-03-04
Degree: Master
Type: Thesis
Country: China
Candidate: J T Li
Full Text: PDF
GTID: 2428330596989257
Subject: Electronic and communication engineering
Abstract/Summary:
Advanced persistent threat (APT), since the term was first proposed in 2006, has been a hot topic in the information security community. Over the past ten years, all kinds of APT campaigns have kept appearing, with targets throughout the world, including governments, large enterprises, scientific research institutions and universities. According to various security vendors, hundreds or even thousands of APT attack cases have been found over the past ten years, and each one can cause huge economic losses; in recent years the direct and indirect losses caused by APT attacks have shown an increasing trend. Faced with the APT threat, governments and enterprises have laid great emphasis on research into APT defense technology, and it has become a hot topic in related fields. Many studies focus on different stages and different purposes of APT defense, including APT attack prevention, APT attack detection, blocking of APT attacks, and forensics. These studies approach APT defense from a variety of perspectives, including vulnerability research, protocol flaw research, traffic analysis, single-point defense, and threat intelligence.

This paper focuses on APT attacks. Attack phases, classic cases and recent cases are analyzed to find the features of each attack stage that appear as anomalies in network traffic or system behavior, so that the overall attack behavior can be detected. During the course of the study, the author concludes that, among all APT attack stages, command-and-control (C&C) communication is an essential part that is almost impossible for an attacker to avoid. Except for a few APT cases aimed at destroying industrial control systems, most APT attacks involve stealing confidential information, and in the data transmission process most cases use C&C channels for covert communication.

This paper therefore makes a deep study of C&C communication, selects DNS traffic as the original data source, and proposes a detection algorithm based on machine learning, combined with big data and threat intelligence. Multiple detection methods are deployed in order to enhance the efficiency and accuracy of detection. The detection system is implemented in a Linux environment using PySpark, Python and Weka, and is split into three parts: blacklist detection, domain name feature detection, and domain name WHOIS information detection. A prototype of the detection system has been tested. By analyzing DNS traffic with a variety of detection features and combining them with the latest threat intelligence and big data, this paper has significant meaning for APT detection research.
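As an added example, not taken from the thesis (whose own system runs PySpark and Weka over real traffic), the following Python sketch shows how the three detection stages named above fit together over constructed passive-DNS lines: a threat-intelligence blacklist check, lexical features of the query name, and WHOIS registration age. The blacklist, the WHOIS snapshot, the log lines, the thresholds and the rule-based score that stands in for the thesis's trained classifier are all constructed here for illustration.

```python
import math
from collections import Counter
from datetime import date

# Constructed threat-intelligence blacklist (hypothetical names). Entries may be
# full query names or registered domains.
BLACKLIST = {"example-bad.net", "cdn-sync.example-evil.org"}

# Constructed WHOIS snapshot: registered domain -> creation date. A real system
# would query WHOIS/RDAP and cache the answers; this lookup is offline.
WHOIS_CREATED = {
    "example.com": date(1995, 8, 14),
    "dropzone-xyz.com": date(2017, 1, 20),
    "newbrand-example.com": date(2017, 2, 10),
}

# Constructed passive-DNS lines: "<timestamp> <client> <qtype> <qname>".
SAMPLE_DNS_LOG = """\
2017-03-01T10:00:01 10.0.0.5 A www.example.com
2017-03-01T10:00:03 10.0.0.5 A update-check.example-bad.net
2017-03-01T10:00:07 10.0.0.9 A x7k2q9mz3pwq81vn.dropzone-xyz.com
2017-03-01T10:00:09 10.0.0.9 TXT x7k2q9mz3pwq81vn.dropzone-xyz.com
2017-03-01T10:00:12 10.0.0.7 A shop.newbrand-example.com
2017-03-01T10:00:15 10.0.0.7 MX mail.oldcorp-example.net
"""

TODAY = date(2017, 3, 1)        # fixed analysis date so WHOIS age is deterministic
ENTROPY_THRESHOLD = 3.5         # bits per character; hypothetical cut-off
DIGIT_RATIO_THRESHOLD = 0.3     # hypothetical cut-off
NEW_DOMAIN_DAYS = 90            # hypothetical "newly registered" window


def shannon_entropy(s):
    """Bits of entropy per character; random-looking DGA labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Last two labels. Deliberately ignores public-suffix rules (co.uk etc.)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lexical_features(qname):
    """Features of the leftmost label, where C&C tooling tends to encode data."""
    label = qname.lower().split(".")[0]
    digits = sum(ch.isdigit() for ch in label)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "digit_ratio": digits / len(label) if label else 0.0,
    }


def classify(qname, today=TODAY):
    """Return (verdict, reasons). A blacklist hit short-circuits; otherwise a
    score over simple rules stands in for the thesis's trained classifier."""
    qname = qname.lower().rstrip(".")
    reg = registered_domain(qname)
    if qname in BLACKLIST or reg in BLACKLIST:
        return "malicious", ["blacklist"]
    reasons, score = [], 0
    feats = lexical_features(qname)
    if feats["entropy"] >= ENTROPY_THRESHOLD:
        score += 1
        reasons.append("high-entropy-label")
    if feats["digit_ratio"] > DIGIT_RATIO_THRESHOLD:
        score += 1
        reasons.append("digit-heavy-label")
    created = WHOIS_CREATED.get(reg)
    if created is None:
        reasons.append("whois-missing")       # recorded, but not scored
    elif (today - created).days < NEW_DOMAIN_DAYS:
        score += 1
        reasons.append("newly-registered")
    # Two independent indicators are required; one alone is noisy on CDN names.
    return ("suspicious" if score >= 2 else "benign"), reasons


def triage(log_text, today=TODAY):
    """Parse log lines, deduplicate by query name, classify each name."""
    rows = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                          # skip malformed lines, don't crash
        _ts, client, qtype, qname = parts
        row = rows.setdefault(qname.lower(),
                              {"fqdn": qname.lower(), "clients": set(), "qtypes": set()})
        row["clients"].add(client)
        row["qtypes"].add(qtype)
    for row in rows.values():
        row["verdict"], row["reasons"] = classify(row["fqdn"], today)
    return list(rows.values())


if __name__ == "__main__":
    for r in triage(SAMPLE_DNS_LOG):
        print(f'{r["verdict"]:10} {r["fqdn"]:40} {",".join(r["reasons"])}')
```

Two caveats a practitioner would add before using anything like this on real traffic: `registered_domain` must be replaced by a public-suffix-list lookup, or `login.example.co.uk` collapses to `co.uk` and both the blacklist and the WHOIS stages miss; and WHOIS queries are rate-limited by registries, so the creation-date lookup has to be cached and run asynchronously, which is why the example treats a missing WHOIS record as a note rather than a score.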
Keywords/Search Tags:APT, C&C, DNS, Threat Intelligence