APT Attack Detection and Scenario Construction based on Classification Model

• 1、College of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876

Abstract：The full name of APT attack is Advanced Persistent Threats. This attack starts from social engineering and uses high-end, targeted means permeating states and influential organizations for the purpose of stealing information or destroying infrastructure. Because APT attacks of different organizations have different characteristics, and APT attacks of the same organization have certain similarities, it is necessary to detect APT attack behaviors of specific organizations. This paper starts with the APT samples obtained from the same organization, first select the DNS, TCP, HTTP/HTTPS traffic generated by the attack process to extract the traffic characteristic sequence, and then use the AdaBoostRF algorithm to classify normal traffic and malicious traffic to get the classification status of the three types of traffic. Finally, the causal knowledge killing chain model is used to construct attack scenarios on traffic nodes and state nodes to obtain a more detailed C&C stage division, thereby preventing early malicious attacks and preventing data leakage during the DNS connection or TCP connection stage. According to experiments, for the above three types of traffic, the F1-score of AdaBoostRF algorithm used in this paper are 0.901, 0.893 and 0.947 respectively. There are 41 chains generated by the scene generation algorithm, in which come from the successful C&C connection and beyond. So, the above method can effectively detect the APT attack of this organization.

Keywords： Information Security Technology Flow Detection AdaBoostRF Causal Knowledge Kill Chain Model