Abstract
Advanced persistent threats (APTs) have caused serious damage worldwide, and APT attack detection has become a focus of network security defense. Because an APT campaign uses diverse attack techniques and persists for a long time, traditional detection technology no longer achieves satisfactory results. Using APT communication features extracted from the reports of international security companies, this paper proposes an APT attack detection method based on communication features. To improve its detection effect, a two-layer communication-feature matching algorithm is also proposed: a Bloom filter first screens messages quickly, and exact matching is then applied to the messages that pass the filter to decide whether they are APT malicious traffic. Experimental results show that the method achieves a high detection rate with a low false-positive rate.
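The two-layer matching the abstract describes, shown as an added Python example that is not code from the paper: a Bloom filter screens each request field against the feature set, and only fields the filter passes go on to an exact lookup, so a Bloom false positive costs one dictionary probe but never raises an alert. The feature strings, the sample HTTP requests, the choice of request fields to key on, and the SHA-256 double-hashing construction of the filter are all assumptions of this example; the paper does not publish its feature list or its hash functions.

```python
import hashlib
import math
from typing import Dict, Iterator, List, Optional, Tuple


class BloomFilter:
    """Bit-array Bloom filter sized for `capacity` items at `fp_rate`.
    The k bit positions come from one SHA-256 digest via double hashing
    (h1 + i*h2 mod m); the paper does not specify its hash construction,
    so this choice is an assumption of the example."""

    def __init__(self, capacity: int, fp_rate: float = 0.01) -> None:
        self.m = max(8, math.ceil(-capacity * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str) -> Iterator[int]:
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd stride
        return ((h1 + i * h2) % self.m for i in range(self.k))

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def might_contain(self, item: str) -> bool:
        # False means "definitely absent"; True means "possibly present".
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


Feature = Tuple[str, str]  # (request field, literal value)

# Constructed stand-ins for the communication features the paper extracts from
# vendor reports. These strings are invented for this example and are not real
# indicators; ".example" hosts are reserved names that never resolve.
APT_FEATURES: List[Feature] = [
    ("user-agent", "Mozilla/4.0 (compatible; MSIE 6.0; SampleImplant/1.0)"),
    ("path", "/gate.php"),
    ("host", "update-check.example"),
]


def parse_http_request(raw: str) -> Dict[str, str]:
    """Reduce a raw HTTP request to the request path and header fields."""
    lines = raw.split("\r\n")
    _method, path, _version = lines[0].split(" ", 2)
    fields = {"path": path}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    return fields


class TwoLayerMatcher:
    """Layer 1: the Bloom filter discards fields that match no feature.
    Layer 2: an exact dictionary lookup confirms the survivors."""

    def __init__(self, features: List[Feature]) -> None:
        self.exact: Dict[str, int] = {}
        self.bloom = BloomFilter(capacity=max(1, len(features)))
        for fid, (field, value) in enumerate(features):
            key = f"{field}={value}"
            self.exact[key] = fid
            self.bloom.add(key)
        self.stage2_lookups = 0  # how often layer 1 let a field through

    def match(self, fields: Dict[str, str]) -> Optional[int]:
        for field, value in fields.items():
            key = f"{field}={value}"
            if not self.bloom.might_contain(key):
                continue  # layer 1: definitely not a feature
            self.stage2_lookups += 1
            fid = self.exact.get(key)  # layer 2: exact confirmation
            if fid is not None:
                return fid
        return None


# Constructed traffic: a matching User-Agent, a matching path, benign traffic,
# and a near miss whose path and host differ from the features by a suffix.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: cdn.example\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; SampleImplant/1.0)\r\n\r\n",
    "POST /gate.php HTTP/1.1\r\nHost: www.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /about HTTP/1.1\r\nHost: www.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /gate.php5 HTTP/1.1\r\nHost: update-check.example.net\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n",
]


def scan(matcher: TwoLayerMatcher, raw_requests: List[str]) -> List[Optional[int]]:
    """Matched feature index per request, or None when it is not flagged."""
    return [matcher.match(parse_http_request(r)) for r in raw_requests]


def benchmark_false_positives(matcher: TwoLayerMatcher, n: int) -> Tuple[int, int]:
    """Push n synthetic benign requests (3 fields each) through the matcher and
    return (fields passed by layer 1, alerts raised). The first number is the
    Bloom filter's false-positive count; the second stays 0 because layer 2
    rejects every one of them."""
    before = matcher.stage2_lookups
    alerts = 0
    for i in range(n):
        fields = {"path": f"/p{i}", "host": f"h{i}.example", "user-agent": f"UA/{i}"}
        if matcher.match(fields) is not None:
            alerts += 1
    return matcher.stage2_lookups - before, alerts


if __name__ == "__main__":
    m = TwoLayerMatcher(APT_FEATURES)
    print("verdicts:", scan(m, SAMPLE_REQUESTS))
    passed, alerts = benchmark_false_positives(m, 2000)
    print(f"layer-1 passes on 6000 benign fields: {passed}, alerts: {alerts}")
```

The point a practitioner should take from this is the division of labour: the filter answers most fields with k bit probes and no string comparison, and the exact layer bounds the false-alarm contribution of the filter itself to zero, so the remaining false positives of the method come only from the quality of the extracted features, not from the matching algorithm. The sizing formulas in `BloomFilter` give roughly a 1% layer-1 pass rate on benign fields for the chosen `fp_rate`; raising `fp_rate` shrinks the bit array at the cost of more layer-2 lookups.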
Authors
DAI Zhen (戴震), CHENG Guang (程光)
School of Computer Science and Engineering, Southeast University, Nanjing 211189, China; Key Laboratory of Computer Network and Information Integration, Ministry of Education, Southeast University, Nanjing 211189, China
Source
Computer Engineering and Applications (计算机工程与应用), 2017, No. 18, pp. 77-83 (7 pages)
Indexed in CSCD and the Peking University Chinese Core Journals list (北大核心)
Funding
National High Technology Research and Development Program of China (863 Program) (No. 2015AA015603)
National Natural Science Foundation of China (No. 61602114)
Collaborative Innovation in Wireless Communication Technology
Collaborative Innovation in Novel Software Technology
Keywords
Advanced Persistent Threat (APT) detection
feature extraction
feature matching
Bloom filter