Discovering Suspicious APT Families Through a Large-Scale Domain Graph in Information-Centric IoT
Open Access
- 23 January 2019
- journal article
- research article
- Published by Institute of Electrical and Electronics Engineers (IEEE) in IEEE Access
- Vol. 7, 13917-13926
- https://doi.org/10.1109/access.2019.2894509
Abstract
In recent years, a type of cyberattacks called advanced persistent threats has caused very serious losses to various organizations such as governments and enterprises. APT has the characteristics of long duration, complex attack means, and strong ability to conceal themselves, which make it difficult to detect them. Due to the lack of proper means to protect ICIoT(Information-centric IoT), ICIoT devices are extremely vulnerable to APT attacks. Moreover, among the existing APT detection methods, most researchers adopt those that extract the features of different APT attacks, and most of the features extracted are local, which leads to the fact that the related methods have poor scalability, thus reduce the accuracy. What’s more, attackers can easily avoid the detection by changing the local features. In this paper, we find that it is inevitable that the infected host will generate C&C communication with the command and control server (C&C server) , during the process of APT attacks, and the C&C domain names are the bridge connecting the internal infection with the C&C server. Moreover, a certain APT attack of one attack family which is the assembly of the same APT attacks tends to map the C&C domain names to the same IP subnet. Under the assumption that APT attackers have limited attack resources, the relationship between C&C domain names of APT and IP subnet is inevitable for APT attackers to get higher attack efficiency, which leads to effective tracking of APT attack behavior. Therefore, we construct a detection method based on the domain names’ graph structure. This detection method can improve the detection efficiency in the information-centric internet, especially for the IoT devices. And at the same time, we employ an appropriate pruning strategy and a preprocessing method to reduce the size of data to be processed and improve the computational efficiency. This detection method can also reduce the detection range, increase the detection accuracy, and improve the robustness and scalability of the detection system. In the actual experiment, the data size we process is 257535071 DNS requests and 73136 domain names. The experiment shows that the C&C domain names can be effectively detected even with a small-scale seed domain names.Funding Information
- National Natural Science Foundation of China (61772229, 61472162)
- Scientific and Technological Research Planning Projects in Colleges and Universities of Jilin Province (JJKH20190168KJ)
This publication has 14 references indexed in Scilit:
- An Unsupervised Multi-Detector Approach for Identifying Malicious Lateral MovementPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2017
- Malicious Domain Name Detection Based on Extreme Machine LearningNeural Processing Letters, 2017
- Unsupervised Detection of APT C&C Channels using Web Request GraphsLecture Notes in Computer Science, 2017
- Towards fast and lightweight spam account detection in mobile social networks through fog computingPeer-to-Peer Networking and Applications, 2017
- A Secure Mechanism for Big Data Collection in Large Scale Internet of VehicleIEEE Internet of Things Journal, 2017
- Modeling Attack Process of Advanced Persistent ThreatLecture Notes in Computer Science, 2016
- Discovering Malicious Domains through Passive DNS Data Graph AnalysisPublished by Association for Computing Machinery (ACM) ,2016
- A Hierarchical Security Framework for Defending Against Sophisticated Attacks on Wireless Sensor Networks in Smart CitiesIEEE Access, 2016
- Detecting Android malware using sequences of system callsPublished by Association for Computing Machinery (ACM) ,2015
- MLDS: Multi-Layer Defense System for Preventing Advanced Persistent ThreatsSymmetry, 2014