ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development ›› 2017, Vol. 54 ›› Issue (10): 2334-2343.doi: 10.7544/issn1000-1239.2017.20170403


Detection of Covert and Suspicious DNS Behavior in Advanced Persistent Threats

Wang Xiaoqi1, Li Qiang1,2, Yan Guanghua1, Xuan Guangzhe3, Guo Dong1,2   

1 College of Computer Science and Technology, Jilin University, Changchun 130012; 2 Key Laboratory of Symbol Computation and Knowledge Engineering (Jilin University), Ministry of Education, Changchun 130012; 3 Center of Big Data and Network Management, Jilin University, Changchun 130012
Online: 2017-10-01

Abstract: In recent years, advanced persistent threats (APT) have jeopardized the security of enterprises, organizations and even countries, leading to heavy economic losses. An important feature of an APT is that it attacks persistently and can lurk in the target network for a long time. Unfortunately, current security measures cannot detect APT effectively. Recent research has found that analyzing the DNS requests of the target network helps detect APT attacks. We add a time feature to the DNS traffic and combine it with change vector analysis (CVA) and a reputation score to detect covert and suspicious DNS behavior. In this paper, we propose a new framework called APDD that detects covert and suspicious DNS behavior in long-term APT by analyzing a large volume of DNS request data. We run a data reduction algorithm on the DNS request data and then extract its features. Using CVA and a sliding time window, we analyze the similarity between the access records of the domains to be detected and those of domains related to known APT campaigns. We build a reputation scoring system to grade the domain access records with high similarity. The APDD framework outputs a list of suspicious domain access records, so that security experts need only analyze the top-k records in the list, which improves the efficiency of APT detection. Finally, we use 1584225274 DNS request records collected from a large campus network, together with simulated attack data, to verify the effectiveness and correctness of APDD. Experiments show that the APDD framework can effectively detect covert and suspicious DNS behavior in APT.

Key words: advanced persistent threats (APT), DNS request data, data reduction, change vector analysis (CVA), reputation score
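The abstract describes the APDD pipeline only at a high level, so the following is an added illustration, not the authors' code: per-window DNS features, change vectors between consecutive sliding windows, similarity of a candidate domain's change-vector sequence to that of a known APT-related domain, and a reputation score used to rank the top-k domains. The window length, the two features (request count, distinct clients), the scoring weights and the sample records are all assumptions made for the example.

```python
from math import sqrt

WINDOW = 3600  # sliding-window length in seconds (assumed, not from the paper)

def window_features(records, domain, t0, t1):
    """Feature vector for one domain in [t0, t1): (request count, distinct clients)."""
    hits = [(t, c) for t, c, d in records if d == domain and t0 <= t < t1]
    return (float(len(hits)), float(len({c for _, c in hits})))

def change_vectors(records, domain, start, end):
    """CVA step: difference between feature vectors of consecutive windows."""
    vecs = [window_features(records, domain, t, t + WINDOW)
            for t in range(start, end, WINDOW)]
    return [tuple(b - a for a, b in zip(v0, v1)) for v0, v1 in zip(vecs, vecs[1:])]

def similarity(cv_a, cv_b):
    """Mean cosine similarity of paired change vectors (1.0 = same shape of change)."""
    def cos(u, v):
        nu, nv = sqrt(sum(x * x for x in u)), sqrt(sum(x * x for x in v))
        if nu == 0 or nv == 0:
            return 1.0 if nu == nv else 0.0
        return sum(x * y for x, y in zip(u, v)) / (nu * nv)
    return sum(cos(u, v) for u, v in zip(cv_a, cv_b)) / len(cv_a)

def reputation_score(sim, n_clients, w_sim=0.7, w_rare=0.3):
    """Assumed scoring rule: high similarity and few distinct clients raise suspicion."""
    return w_sim * sim + w_rare / n_clients

def rank_domains(records, apt_domain, start, end, k=3):
    """Score every other domain against the known APT domain; return top-k (score, domain)."""
    ref = change_vectors(records, apt_domain, start, end)
    scores = []
    for d in {d for _, _, d in records if d != apt_domain}:
        sim = similarity(ref, change_vectors(records, d, start, end))
        n_clients = len({c for _, c, dd in records if dd == d})
        scores.append((round(reputation_score(sim, n_clients), 3), d))
    return sorted(scores, reverse=True)[:k]

def make_records():
    """Constructed sample (timestamp, client, domain) triples over four 1-hour windows."""
    recs = []
    for w, n in enumerate([2, 4, 2, 4]):   # known APT C2: one host, periodic beaconing
        recs += [(w * WINDOW + i * 600, "h1", "apt-c2.example") for i in range(n)]
    for w, n in enumerate([3, 6, 3, 6]):   # same rhythm from another single host
        recs += [(w * WINDOW + i * 500, "h2", "mimic.example") for i in range(n)]
    for w in range(4):                     # busy CDN-like domain, five hosts, flat
        recs += [(w * WINDOW + i * 300, f"h{i % 5 + 3}", "cdn.example") for i in range(10)]
    for w in range(4):                     # steadily growing domain and client base
        recs += [(w * WINDOW + i * 700, f"h{i + 8}", "news.example") for i in range(w + 1)]
    return recs
```

Calling `rank_domains(make_records(), "apt-c2.example", 0, 4 * WINDOW)` places the domain that mirrors the C2 beaconing rhythm first and the flat, widely used domain last, which is the kind of ordering the abstract's top-k list is meant to give an analyst.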
