Abstract: In recent years, advanced persistent threats (APT) jeopardize the safety of enterprises, organizations and even countries, leading to heavy economic losses. An important feature of APT is that it can persist in attacking and can lurk in the target network for a long time. Unfortunately, we cannot detect APT effectively by current security measures. Recent researches have found that analyzing DNS request of the target network will help detect APT attacks. We add a time feature in the DNS traffic which is combined with change vector analysis (CVA) and reputation score to detect covert and suspicious DNS behavior. In this paper, we propose a new framework called APDD to detect covert and suspicious DNS behavior in long-term APT by analyzing a mass of DNS request data. We execute the data reduction algorithm on DNS request data and then extract their features. By using the CVA and the sliding time window method, we analyze the similarity between the access records of the domains to be detected and those of the related domains of current APT. We build a reputation scoring system to grade the domain access records of high similarity. The APDD framework will output a list of suspicious domain access records so that security experts are able to analyze the top-k records in the list, which will surely improve the detection efficiency of APT attacks. Finally, we use 1584225274 pieces of DNS request records which come from a large campus network and then simulate the attack data to verify the effectiveness and correctness of APDD. Experiments show that the APDD framework can effectively detect covert and suspicious DNS behavior in APT.

Key words: advanced persistent threats (APT), DNS request data, data reduction, change vector analysis (CVA), reputation score