Detection of Covert and Suspicious DNS Behavior in Advanced Persistent Threats

Wang Xiaoqi; Li Qiang; Yan Guanghua; Xuan Guangzhe; Guo Dong

doi:10.7544/issn1000-1239.2017.20170403

Journal of Computer Research and Development > 2017 > 54(10): 2334-2343. > DOI: 10.7544/issn1000-1239.2017.20170403 CSTR: 32373.14.issn1000-1239.2017.20170403

Wang Xiaoqi, Li Qiang, Yan Guanghua, Xuan Guangzhe, Guo Dong. Detection of Covert and Suspicious DNS Behavior in Advanced Persistent Threats[J]. Journal of Computer Research and Development, 2017, 54(10): 2334-2343. DOI: 10.7544/issn1000-1239.2017.20170403

Citation:

PDF (1537 KB)

Detection of Covert and Suspicious DNS Behavior in Advanced Persistent Threats

¹(College of Computer Science and Technology, Jilin University, Changchun 130012)
²(Key Laboratory of Symbol Computation and Knowledge Engineering (Jilin University), Ministry of Education, Changchun 130012)
³(Center of Big Data and Network Management, Jilin University, Changchun 130012)

More Information

Published Date: September 30, 2017

Graphical Abstract

Abstract

Abstract

In recent years, advanced persistent threats (APT) jeopardize the safety of enterprises, organizations and even countries, leading to heavy economic losses. An important feature of APT is that it can persist in attacking and can lurk in the target network for a long time. Unfortunately, we cannot detect APT effectively by current security measures. Recent researches have found that analyzing DNS request of the target network will help detect APT attacks. We add a time feature in the DNS traffic which is combined with change vector analysis (CVA) and reputation score to detect covert and suspicious DNS behavior. In this paper, we propose a new framework called APDD to detect covert and suspicious DNS behavior in long-term APT by analyzing a mass of DNS request data. We execute the data reduction algorithm on DNS request data and then extract their features. By using the CVA and the sliding time window method, we analyze the similarity between the access records of the domains to be detected and those of the related domains of current APT. We build a reputation scoring system to grade the domain access records of high similarity. The APDD framework will output a list of suspicious domain access records so that security experts are able to analyze the top-k records in the list, which will surely improve the detection efficiency of APT attacks. Finally, we use 1584225274 pieces of DNS request records which come from a large campus network and then simulate the attack data to verify the effectiveness and correctness of APDD. Experiments show that the APDD framework can effectively detect covert and suspicious DNS behavior in APT.
- advanced persistent threats (APT),
- DNS request data,
- data reduction,
- change vector analysis (CVA),
- reputation score

FullText(HTML)

References (0)

[1]	Xiong Xin, Tan Xin, Zhang Yuan. Kernel Refcount Bug Detection Based on the Consistency of Error Path Behavior[J]. Journal of Computer Research and Development, 2023, 60(7): 1489-1500. DOI: 10.7544/issn1000-1239.202220768
[2]	Zhao Xiaolei, Chen Zhaoyun, Shi Yang, Wen Mei, Zhang Chunyuan. Kernel Code Automatic Generation Framework on FT-Matrix[J]. Journal of Computer Research and Development, 2023, 60(6): 1232-1245. DOI: 10.7544/issn1000-1239.202330058
[3]	Hou Pengpeng, Zhang Heng, Wu Yanjun, Yu Jiageng, Tai Yang, Miao Yuxia. Kernel Configuration Infographic Based on Multi-Label and Its Application[J]. Journal of Computer Research and Development, 2021, 58(3): 651-667. DOI: 10.7544/issn1000-1239.2021.20200186
[4]	Yang Hongzhang, Yang Yahui, Tu Yaofeng, Sun Guangyu, Wu Zhonghai. Proactive Fault Tolerance Based on “Collection—Prediction—Migration—Feedback” Mechanism[J]. Journal of Computer Research and Development, 2020, 57(2): 306-317. DOI: 10.7544/issn1000-1239.2020.20190549
[5]	Zhang Liancheng, Wei Qiang, Tang Xiucun, Fang Jiabao. Path and Port Address Hopping Based SDN Proactive Defense Technology[J]. Journal of Computer Research and Development, 2017, 54(12): 2761-2771. DOI: 10.7544/issn1000-1239.2017.20160461
[6]	Yang Bo, Feng Dengguo, Qin Yu, Zhang Qianying, Xi Li, Zheng Changwen. Research on Direct Anonymous Attestation Scheme Based on Trusted Mobile Platform[J]. Journal of Computer Research and Development, 2014, 51(7): 1436-1445.
[7]	Tan Liang, Meng Weiming, Zhou Mingtian. An Improved Direct Anonymous Attestation Scheme[J]. Journal of Computer Research and Development, 2014, 51(2): 334-343.
[8]	Wang Yong, Fang Juan, Ren Xingtian, and Lin Li. Formal Verification of TCG Remote Attestation Protocols Based on Process Algebra[J]. Journal of Computer Research and Development, 2013, 50(2): 325-331.
[9]	Wang Qi'an and Chen Bing. Intrusion Detection System Using CVM Algorithm with Extensive Kernel Methods[J]. Journal of Computer Research and Development, 2012, 49(5): 974-982.
[10]	Huang Wei, Zhan Jianfeng, Fan Jianpin. DCFT-Kernel: A Fault-Tolerant Cluster Middleware Based on Group Service[J]. Journal of Computer Research and Development, 2005, 42(6): 993-999.