Computer Engineering and Applications (计算机工程与应用), 2017, Vol. 53, Issue 18: 77-83. DOI: 10.3778/j.issn.1002-8331.1703-0552

• Networks, Communications and Security •

APT attack detection method based on communication characteristics

DAI Zhen 1,2, CHENG Guang 1,2

  1. School of Computer Science and Engineering, Southeast University, Nanjing 211189, China
  2. Key Laboratory of Computer Network and Information Integration, Ministry of Education, Southeast University, Nanjing 211189, China
  • Online: 2017-09-15  Published: 2017-09-29

Advanced persistent threat detection based on characteristics of communications

DAI Zhen 1,2, CHENG Guang 1,2

  1. School of Computer Science and Engineering, Southeast University, Nanjing 211189, China
  2. Key Laboratory of Computer Network and Information Integration, Ministry of Education, Southeast University, Nanjing 211189, China
  • Online: 2017-09-15  Published: 2017-09-29

Abstract (Chinese version, translated): Advanced persistent threats (APT) have caused serious harm worldwide, and APT attack detection has become a focus of network security protection. Because APT attacks use diverse techniques and persist over long periods, traditional detection techniques no longer achieve satisfactory results. Using APT communication characteristics extracted from the reports of international security companies, an APT attack detection method based on communication characteristics is proposed. To improve its detection effectiveness, a two-layer communication-feature matching algorithm is also proposed, which combines fast screening of packets with a bloom filter and subsequent exact matching. Experimental results show that the method achieves a high detection rate and a low false positive rate.

Keywords: APT detection, feature extraction, feature matching, bloom filter

Abstract: Advanced Persistent Threat (APT) is a serious threat worldwide, and APT detection has become a key point of network security protection. Because APT attacks use diverse techniques and persist over long periods, traditional detection technology does not perform well against them. An APT detection method is proposed that uses APT communication features extracted from the reports of international security companies. To improve its detection effect, a double-layer feature matching algorithm is put forward: a bloom filter first screens out packets quickly, and exact matching then determines whether the remaining traffic is APT malicious traffic. Experimental results show that the method achieves a higher detection rate with fewer false positives.

Key words: Advanced Persistent Threat (APT) detection, feature extraction, feature matching, bloom filter
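The two-layer matching algorithm the abstract describes, as an added example in Python; this is not code from the paper or its authors. It assumes the "communication features" are exact values of HTTP fields (host, URI, User-Agent), which the abstract does not specify, and all indicator values and packets below are constructed for illustration, not real APT infrastructure. The security-relevant point it makes concrete: a bloom filter has no false negatives, so layer 1 only ever discards packets that cannot match any feature, but it does have false positives, which is why the exact-match layer 2 is required before raising an alert. `bloom_false_positive_demo()` saturates a tiny filter to force that case.

```python
"""Two-layer APT communication-feature matcher: Bloom-filter pre-screen, then exact match.

Added example, not code from the Dai & Cheng paper. Indicator values and packets are
constructed and hypothetical (none are real APT infrastructure).
"""
import hashlib
import math


class BloomFilter:
    """Bit-array Bloom filter; k probe positions per item via double hashing of one SHA-256."""

    def __init__(self, expected_items: int, fp_rate: float = 0.01):
        # Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m / n) ln 2 hash functions.
        self.m = max(8, math.ceil(-expected_items * math.log(fp_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str):
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd step so the probe sequence cycles
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def might_contain(self, item: str) -> bool:
        # False means "definitely absent"; True means "maybe present" (false positives possible).
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))

    def is_saturated(self) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in range(self.m))


# Constructed, hypothetical features keyed by the HTTP field they apply to. A real deployment
# would load these from the indicators extracted out of vendor reports.
APT_FEATURES = {
    "host": {"update.example-cdn.invalid", "mail.secure-login.invalid"},
    "uri": {"/cgi-bin/query.php", "/images/logo.gif"},
    "user_agent": {"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"},
}


class TwoLayerMatcher:
    """Layer 1: one Bloom probe per (field, value) pair cheaply discards most packets.
    Layer 2: exact set lookup confirms a hit and rejects Bloom false positives."""

    def __init__(self, features, fp_rate=0.01, bloom=None):
        self.features = {field: set(values) for field, values in features.items()}
        total = sum(len(v) for v in self.features.values())
        self.bloom = bloom if bloom is not None else BloomFilter(max(1, total), fp_rate)
        for field, values in self.features.items():
            for value in values:
                self.bloom.add(f"{field}={value}")
        self.stats = {"seen": 0, "bloom_pass": 0, "exact_hit": 0}

    def match(self, packet: dict):
        """Return (field, value) of the first exact hit, or None."""
        self.stats["seen"] += 1
        candidates = [(f, packet[f]) for f in self.features if f in packet]
        if not any(self.bloom.might_contain(f"{f}={v}") for f, v in candidates):
            return None  # fast reject: no field of this packet can be a known feature
        self.stats["bloom_pass"] += 1
        for field, value in candidates:
            if value in self.features[field]:
                self.stats["exact_hit"] += 1
                return (field, value)
        return None  # Bloom false positive, rejected by exact matching


# Constructed sample traffic: packets 1, 2 and 3 each carry exactly one feature value.
SAMPLE_PACKETS = [
    {"host": "www.example.com", "uri": "/index.html", "user_agent": "Mozilla/5.0"},
    {"host": "update.example-cdn.invalid", "uri": "/", "user_agent": "Mozilla/5.0"},
    {"host": "news.example.org", "uri": "/",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"},
    {"host": "cdn.example.net", "uri": "/cgi-bin/query.php", "user_agent": "curl/7.88.1"},
    {"host": "mail.example.net", "uri": "/inbox", "user_agent": "Mozilla/5.0"},
]


def scan(packets=SAMPLE_PACKETS, features=APT_FEATURES):
    """Run both layers over a packet list; return (alerts, stats)."""
    matcher = TwoLayerMatcher(features)
    alerts = []
    for idx, pkt in enumerate(packets):
        hit = matcher.match(pkt)
        if hit:
            alerts.append((idx, *hit))
    return alerts, matcher.stats


def bloom_false_positive_demo():
    """Saturate an 8-bit filter so a non-feature value passes layer 1; layer 2 must reject it."""
    tiny = BloomFilter(expected_items=1, fp_rate=0.5)  # sized to 8 bits, fills after a few adds
    matcher = TwoLayerMatcher({"host": set()}, bloom=tiny)  # no real features at all
    for i in range(1000):
        if tiny.is_saturated():
            break
        tiny.add(f"filler-{i}")
    layer1 = tiny.might_contain("host=benign.example.org")
    layer2 = matcher.match({"host": "benign.example.org"})
    return layer1, layer2  # (True, None): passes the Bloom screen, rejected by exact match


if __name__ == "__main__":
    print(scan())
    print(bloom_false_positive_demo())
```

With the default 1% false-positive sizing, `stats["bloom_pass"]` will usually equal the three true hits but may occasionally be higher when a benign packet's field collides in the filter; `stats["exact_hit"]` is always exactly three, which is the property the second layer exists to guarantee.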