Discovering Suspicious APT Families Through a Large-Scale Domain Graph in Information-Centric IoT

Abstract

In recent years, a type of cyberattacks called advanced persistent threats has caused very serious losses to various organizations such as governments and enterprises. APT has the characteristics of long duration, complex attack means, and strong ability to conceal themselves, which make it difficult to detect them. Due to the lack of proper means to protect ICIoT(Information-centric IoT), ICIoT devices are extremely vulnerable to APT attacks. Moreover, among the existing APT detection methods, most researchers adopt those that extract the features of different APT attacks, and most of the features extracted are local, which leads to the fact that the related methods have poor scalability, thus reduce the accuracy. What’s more, attackers can easily avoid the detection by changing the local features. In this paper, we find that it is inevitable that the infected host will generate C&C communication with the command and control server (C&C server) , during the process of APT attacks, and the C&C domain names are the bridge connecting the internal infection with the C&C server. Moreover, a certain APT attack of one attack family which is the assembly of the same APT attacks tends to map the C&C domain names to the same IP subnet. Under the assumption that APT attackers have limited attack resources, the relationship between C&C domain names of APT and IP subnet is inevitable for APT attackers to get higher attack efficiency, which leads to effective tracking of APT attack behavior. Therefore, we construct a detection method based on the domain names’ graph structure. This detection method can improve the detection efficiency in the information-centric internet, especially for the IoT devices. And at the same time, we employ an appropriate pruning strategy and a preprocessing method to reduce the size of data to be processed and improve the computational efficiency. This detection method can also reduce the detection range, increase the detection accuracy, and improve the robustness and scalability of the detection system. In the actual experiment, the data size we process is 257535071 DNS requests and 73136 domain names. The experiment shows that the C&C domain names can be effectively detected even with a small-scale seed domain names.