摘要
高级持续性威胁(Advanced Persistent Threat,APT)攻击是经过精心策划的高隐蔽性攻击,具有较高的检测难度。但是在APT攻击过程中,内外网通信是必不可少的一环,攻击者往往采用C&C服务器方式或是DNS隐蔽信道方式进行通信。针对在APT攻击中广泛采用的几种隐蔽通信手段,结合了机器学习和威胁情报技术对DNS流量进行分析,在现有研究基础上,提出了新的基于威胁情报库的自进化检测算法,并取得较好的检测效果。
APT(Advanced Persistent Threat) attacks are carefully planned,sophisticated and highly- covert attacks. and it is of great difficulty to detect APT attacks. However,in the process of APT attacks,communication between the internal and external network is an essential part. Attackers often use CC server or DNS covert channel for covert communication. For several covert methods of communication widely used in APT attacks,Domain Name System Traffic is analyzed in combination with machine learning and Threat Intelligence Technology. On the basis of the existing research,the new self- evolution detection algorithm is proposed,and fairly good results also achieved.
出处
《信息安全与通信保密》
2016年第7期84-88,共5页
Information Security and Communications Privacy
基金
公安部重点实验室基金(No.C14612)
