ISSN 1000-1239 CN 11-1777/TP

计算机研究与发展 ›› 2017, Vol. 54 ›› Issue (10): 2334-2343.doi: 10.7544/issn1000-1239.2017.20170403

• 信息安全 • 上一篇    下一篇

高级持续性威胁中隐蔽可疑DNS行为的检测

王晓琪1,李强1,2,闫广华1,玄光哲3,郭东1,2   

  1. 1(吉林大学计算机科学与技术学院 长春 130012); 2(符号计算与知识工程教育部重点实验室(吉林大学) 长春 130012); 3(吉林大学大数据和网络管理中心 长春 130012) (xqwang15@mails.jlu.edu.cn)
  • 出版日期: 2017-10-01
  • 基金资助: 
    国家自然科学基金项目(61472162,61772229)

Detection of Covert and Suspicious DNS Behavior in Advanced Persistent Threats

Wang Xiaoqi1, Li Qiang1,2, Yan Guanghua1, Xuan Guangzhe3, Guo Dong1,2   

  1. 1(College of Computer Science and Technology, Jilin University, Changchun 130012); 2(Key Laboratory of Symbol Computation and Knowledge Engineering (Jilin University), Ministry of Education, Changchun 130012); 3(Center of Big Data and Network Management, Jilin University, Changchun 130012)
  • Online: 2017-10-01

摘要: 近年来,高级持续性威胁(advanced persistent threats, APT)危害企业、组织甚至国家安全,给目标带来了巨大的经济损失,其重要特征是攻击持续时间跨度大,在目标网络内长期潜伏.现有的安全防御措施还无法有效检测APT.现有研究认为通过分析APT攻击中目标网络的DNS请求,可以帮助检测APT攻击.增加DNS流量中的时间特征结合变化向量分析和信誉评分方法来检测隐蔽可疑的DNS行为.提出一种协助检测APT的框架APDD,通过分析大量的DNS请求数据检测长时间周期下APT中隐蔽可疑的DNS行为.将收集到的DNS请求数据执行数据缩减并提取特征;利用变化向量分析方法(change vector analysis, CVA)和滑动时间窗口方法分析待检测域名访问记录与现有APT相关域名之间的相似度;建立一个信誉评分系统对相似度较高的待检测域名访问记录进行打分;APDD框架输出一个可疑域名访问记录排名列表,可用于后续人工优先分析最可疑的记录,从而提高APT攻击的检测效率;利用一个大型校园网中收集的包含1584225274条DNS请求记录的数据加入仿真攻击数据来验证框架的有效性与正确性,实验结果表明:提出的框架可以有效地检测到APT中隐蔽可疑的DNS行为.

关键词: 高级持续威胁, DNS请求数据, 数据缩减, 变化向量分析, 信誉评分

Abstract: In recent years, advanced persistent threats (APT) jeopardize the safety of enterprises, organizations and even countries, leading to heavy economic losses. An important feature of APT is that it can persist in attacking and can lurk in the target network for a long time. Unfortunately, we cannot detect APT effectively by current security measures. Recent researches have found that analyzing DNS request of the target network will help detect APT attacks. We add a time feature in the DNS traffic which is combined with change vector analysis (CVA) and reputation score to detect covert and suspicious DNS behavior. In this paper, we propose a new framework called APDD to detect covert and suspicious DNS behavior in long-term APT by analyzing a mass of DNS request data. We execute the data reduction algorithm on DNS request data and then extract their features. By using the CVA and the sliding time window method, we analyze the similarity between the access records of the domains to be detected and those of the related domains of current APT. We build a reputation scoring system to grade the domain access records of high similarity. The APDD framework will output a list of suspicious domain access records so that security experts are able to analyze the top-k records in the list, which will surely improve the detection efficiency of APT attacks. Finally, we use 1584225274 pieces of DNS request records which come from a large campus network and then simulate the attack data to verify the effectiveness and correctness of APDD. Experiments show that the APDD framework can effectively detect covert and suspicious DNS behavior in APT.

Key words: advanced persistent threats (APT), DNS request data, data reduction, change vector analysis (CVA), reputation score

中图分类号: