
Research On APT Attack Detection Technology Based On Traffic Analysis

Posted on: 2022-05-10
Degree: Master
Type: Thesis
Country: China
Candidate: F H Y Huang
Full Text: PDF
GTID: 2518306353977059
Subject: Computer technology
Abstract/Summary:
Since the advent of the Internet, the contest between offense and defense in network security has never stopped. In recent years, with the growth of Internet technology, network security problems have kept escalating, and advanced persistent threats (APT) are the most representative of them. As an emerging attack method, APT attacks involve complicated and diverse attack behaviors that traditional network security defense systems find extremely difficult to detect. Research on defense-oriented frameworks shows obvious deficiencies against unknown APT attacks, and research on malicious code places extremely high demands on the operating environment when extracting code features, so rapid and accurate detection of APT attacks is hard to achieve. This thesis therefore proposes detection methods based on the DNS flow characteristics and TCP flow characteristics of the command-and-control phase of an APT attack.

First, the process by which the malware in an APT attack obtains the IP address of the C&C server is analyzed, and suspicious DNS traffic is studied from the DNS request packets the malware issues while establishing its reverse connection to the C&C server. The domain generation algorithm (DGA) is analyzed in detail, the structural differences between C&C server domain names and normal domain names are described, and, because APT attacks are low-frequency, covert, and spread over a long time span, features of the domain name itself and time-correlation features are proposed. Because the raw traffic volume is very large, the original DNS messages are preprocessed and normal traffic is removed from the sample. The DNS features are then partitioned and detected with a support vector machine (SVM) model to filter out suspicious DNS traffic. The information entropy of each domain name is calculated to sort the suspicious domain names, and the sorted list is output to realize defensive detection of APT attacks. The effectiveness of the feature selection is verified by self-comparison experiments, and the model's performance is analyzed by comparison experiments with other models.

Second, by analyzing the abnormal TCP traffic characteristics during data transmission between the malware and the C&C server in an APT attack, a detection method based on the spatiotemporal characteristics of TCP traffic is proposed. The original TCP traffic is preprocessed, a large amount of normal traffic is removed, and the remaining traffic is divided by data flow. Starting from the temporal characteristics and flow characteristics of TCP traffic, a C4.5 decision tree is constructed to filter the traffic and single out suspicious abnormal TCP flows. A periodicity detection algorithm is then used to determine whether the flow exhibits periodicity. Self-comparison experiments that remove each major class of features are carried out to verify the effectiveness of the feature selection, and comparisons with other models are used to analyze the detection performance.
Keywords/Search Tags:Network Security, APT Attack, Domain Generation Algorithm, Support Vector Machine, C4.5 Decision Tree