Wang Xiaoqi, Li Qiang, Yan Guanghua, Xuan Guangzhe, Guo Dong. Detection of Covert and Suspicious DNS Behavior in Advanced Persistent Threats[J]. Journal of Computer Research and Development, 2017, 54(10): 2334-2343. DOI: 10.7544/issn1000-1239.2017.20170403

Detection of Covert and Suspicious DNS Behavior in Advanced Persistent Threats

  • Published Date: September 30, 2017

Abstract: In recent years, advanced persistent threats (APT) have jeopardized the security of enterprises, organizations and even countries, leading to heavy economic losses. An important feature of APT is that the attacker persists and can lurk in the target network for a long time. Unfortunately, current security measures cannot detect APT effectively. Recent research has found that analyzing the DNS requests of the target network helps detect APT attacks. We add a time feature to the DNS traffic and combine it with change vector analysis (CVA) and a reputation score to detect covert and suspicious DNS behavior. In this paper, we propose a new framework called APDD to detect covert and suspicious DNS behavior in long-term APT by analyzing a large volume of DNS request data. We run a data reduction algorithm on the DNS request data and then extract features from it. Using CVA and the sliding time window method, we analyze the similarity between the access records of the domains to be detected and those of domains related to current APT campaigns. We build a reputation scoring system to grade the domain access records with high similarity. The APDD framework outputs a list of suspicious domain access records, so that security experts can analyze the top-k records in the list, which improves the efficiency of APT detection. Finally, we use 1584225274 DNS request records from a large campus network and simulate attack data to verify the effectiveness and correctness of APDD. Experiments show that the APDD framework can effectively detect covert and suspicious DNS behavior in APT.
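The abstract outlines the APDD pipeline: reduce raw DNS request records to per-domain features, compare each unknown domain's access pattern to that of a domain already tied to an APT campaign using change vector analysis over a sliding time window, grade the high-similarity records with a reputation score, and hand the top-k list to an analyst. The Python script below is an added illustration of that pipeline written for this page; it is not code from the paper or its authors. The concrete choices (hourly bins, a window of 4 bins, cosine similarity of the flattened change-vector sequence, the 0.8 "high similarity" cut-off and the grading rule in `reputation_score`) are assumptions of this example, the domain names are placeholders, and every DNS record is constructed synthetic data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import math

BIN_SECONDS = 3600      # one-hour bins
HORIZON_BINS = 24       # one day of history per domain
WINDOW_BINS = 4         # sliding window width (assumed value)
SIM_THRESHOLD = 0.8     # "high similarity" cut-off (assumed value)
BASE_TS = datetime(2017, 5, 1)


def build_sample_records():
    """Constructed synthetic DNS request records (timestamp, client, domain).
    Entirely made up for this example; not data from the paper."""
    recs = []
    # apt-ref.example: placeholder for a domain taken from a published APT report;
    # one host resolves it every two hours (beacon-like cadence).
    for h in range(0, 24, 2):
        recs.append((BASE_TS + timedelta(hours=h, minutes=7), "10.0.0.5", "apt-ref.example"))
    # cand-a.example: unknown domain with the same cadence from another host,
    # plus one extra lookup at hour 10.
    for h in range(0, 24, 2):
        recs.append((BASE_TS + timedelta(hours=h, minutes=12), "10.0.3.9", "cand-a.example"))
    recs.append((BASE_TS + timedelta(hours=10, minutes=40), "10.0.3.9", "cand-a.example"))
    # cdn.example: busy, irregular, resolved by many hosts.
    cdn_counts = [40, 55, 61, 30, 22, 70, 95, 88, 41, 33, 60, 77,
                  83, 20, 15, 66, 90, 72, 38, 44, 59, 81, 25, 47]
    for h, n in enumerate(cdn_counts):
        for i in range(n):
            recs.append((BASE_TS + timedelta(hours=h, minutes=i % 60),
                         f"10.1.{i % 7}.{i % 50 + 1}", "cdn.example"))
    # mail.example: constant load, no change over time.
    for h in range(24):
        for i in range(10):
            recs.append((BASE_TS + timedelta(hours=h, minutes=5 * i), f"10.2.0.{i + 1}", "mail.example"))
    return recs


def reduce_records(records, base_ts=BASE_TS):
    """Data reduction: collapse raw records into per-domain hourly request counts
    and the set of distinct clients. Returns {domain: (counts, clients)}."""
    counts = defaultdict(lambda: [0] * HORIZON_BINS)
    clients = defaultdict(set)
    for ts, client, domain in records:
        b = int((ts - base_ts).total_seconds() // BIN_SECONDS)
        if 0 <= b < HORIZON_BINS:
            counts[domain][b] += 1
            clients[domain].add(client)
    return {d: (counts[d], clients[d]) for d in counts}


def change_vectors(series, window=WINDOW_BINS):
    """Sliding-window change vector analysis: each window of the count series is a
    feature vector; the change vector is the element-wise difference between
    consecutive windows (stride 1)."""
    windows = [series[i:i + window] for i in range(len(series) - window + 1)]
    return [[b - a for a, b in zip(w1, w2)] for w1, w2 in zip(windows, windows[1:])]


def cosine(u, v):
    """Cosine similarity; 0.0 when either vector is all zeros (no change at all)."""
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    return 0.0 if nu == 0 or nv == 0 else dot / (nu * nv)


def similarity(series_a, series_b):
    """Similarity of two domains' access behaviour: cosine similarity of their
    flattened change-vector sequences. Scale-free, so a low-volume beacon and a
    higher-volume one with the same rhythm still match (assumed formulation)."""
    def flat(s):
        return [x for cv in change_vectors(s) for x in cv]
    return cosine(flat(series_a), flat(series_b))


def reputation_score(sim, n_clients, total_requests):
    """Assumed placeholder grading rule (the paper's scoring system is not
    reproduced here): similarity dominates; a domain resolved by few hosts at
    low volume is graded as more suspicious. Result is in [0, 100]."""
    if sim <= 0:
        return 0.0
    rarity = 1.0 / (1.0 + math.log1p(max(n_clients, 1) - 1))   # 1.0 for a single client
    volume = 1.0 / (1.0 + math.log1p(total_requests / HORIZON_BINS))
    return round(100 * (0.7 * sim + 0.2 * rarity + 0.1 * volume), 1)


def rank_suspicious(records, reference_domain, k=3):
    """Grade every domain against the reference APT-related domain and return the
    top-k (domain, score, similarity) tuples for analyst review."""
    profiles = reduce_records(records)
    ref_counts, _ = profiles[reference_domain]
    graded = []
    for domain, (counts, clients) in profiles.items():
        if domain == reference_domain:
            continue
        sim = similarity(counts, ref_counts)
        score = reputation_score(sim, len(clients), sum(counts)) if sim >= SIM_THRESHOLD else 0.0
        graded.append((domain, score, round(sim, 3)))
    graded.sort(key=lambda t: t[1], reverse=True)
    return graded[:k]


if __name__ == "__main__":
    for domain, score, sim in rank_suspicious(build_sample_records(), "apt-ref.example", k=3):
        print(f"{domain:18s} score={score:5.1f} similarity={sim:+.3f}")
```

On the constructed data the beacon-like candidate scores far above the busy CDN host name and the constant-load mail domain: the change vectors of a steady series are all zero, so it gets similarity 0, and the irregular series has a slightly negative cosine. In a real deployment the reference profiles would come from domains published in APT reports, and the reduction step is what keeps a day of campus-scale DNS traffic tractable before any comparison is attempted.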
