Discovering Suspicious APT Families Through a Large-Scale Domain Graph in Information-Centric IoT

In recent years, a class of cyberattacks known as advanced persistent threats (APTs) has caused very serious losses to organizations such as governments and enterprises. APTs are long-lasting, use complex attack techniques, and are highly capable of concealing themselves, which makes them hard to detect. Because the information-centric IoT (ICIoT) lacks adequate protection, ICIoT devices are extremely vulnerable to APT attacks. Moreover, most existing APT detection methods extract the features of particular APT attacks, and most of the extracted features are local; this gives the methods poor scalability and reduces their accuracy, and attackers can easily evade detection by changing the local features. In this paper, we observe that during an APT attack the infected host inevitably communicates with the command and control server (C&C server), and that the C&C domain names are the bridge between the internal infection and the C&C server. Moreover, a given attack of one APT family (an attack family being the collection of attacks belonging to the same APT) tends to map its C&C domain names to the same IP subnet. Under the assumption that APT attackers have limited attack resources, this relationship between APT C&C domain names and IP subnets is unavoidable if the attackers want higher attack efficiency, and it enables effective tracking of APT attack behaviour. We therefore construct a detection method based on the graph structure of domain names. This method improves detection efficiency in the information-centric internet, especially for IoT devices, and at the same time we employ a suitable pruning strategy and a preprocessing method to reduce the amount of data to be processed and improve computational efficiency.
The method also narrows the detection range, increases detection accuracy, and improves the robustness and scalability of the detection system. In our experiment, we process 257535071 DNS requests and 73136 domain names. The experiment shows that C&C domain names can be effectively detected even from a small set of seed domain names.
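To make the domain-graph idea concrete, the following is an added example (not code from the paper or its authors) of the detection pipeline the abstract describes: passive-DNS observations are mapped to a bipartite domain/subnet graph, subnets that host too many distinct domains are pruned as generic shared infrastructure, and a small set of known C&C seed domains is expanded over domain-subnet-domain edges to surface candidate C&C domains. The /24 prefix length, the pruning threshold, the hop limit, and every record in `PDNS_RECORDS` are constructed assumptions for illustration, not values or data from the paper.

```python
"""
Added example (not the paper's code): a /24-subnet domain graph with pruning
and seed expansion. All records and thresholds below are constructed.
"""
import ipaddress
from collections import defaultdict, deque

# Constructed passive-DNS observations (domain, resolved IP). Not real data.
PDNS_RECORDS = [
    ("seed-c2.example", "203.0.113.10"),
    ("seed-c2.example", "192.0.2.15"),         # also parked on a busy shared subnet
    ("update-cdn.example", "203.0.113.25"),    # same /24 as the seed
    ("login-portal.example", "203.0.113.77"),  # same /24 as the seed
    ("login-portal.example", "198.51.100.9"),  # a second subnet, reachable at hop 2
    ("mail-relay.example", "198.51.100.5"),
    ("news.example", "10.9.8.7"),              # unrelated subnet
] + [(f"tenant{i}.example", f"192.0.2.{100 + i}") for i in range(6)]  # busy shared /24


def subnet_of(ip: str, prefix_len: int = 24) -> str:
    """Map an address to its covering prefix, e.g. '203.0.113.10' -> '203.0.113.0/24'."""
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


def build_graph(records, prefix_len=24, max_subnet_degree=5):
    """Build the bipartite domain <-> subnet graph.

    Pruning step (assumed heuristic): a subnet hosting more than
    max_subnet_degree distinct domains is treated as generic shared hosting
    and dropped, so it cannot link unrelated domains to a seed.
    Returns (domain_to_subnets, subnet_to_domains, pruned_subnets).
    """
    subnet_to_domains = defaultdict(set)
    for domain, ip in records:
        subnet_to_domains[subnet_of(ip, prefix_len)].add(domain)
    pruned = {s for s, ds in subnet_to_domains.items() if len(ds) > max_subnet_degree}
    for s in pruned:
        del subnet_to_domains[s]
    domain_to_subnets = defaultdict(set)
    for s, ds in subnet_to_domains.items():
        for d in ds:
            domain_to_subnets[d].add(s)
    return domain_to_subnets, subnet_to_domains, pruned


def expand_seeds(seeds, domain_to_subnets, subnet_to_domains, max_hops=2):
    """Breadth-first expansion from known C&C seed domains over
    domain -> subnet -> domain edges. Returns {domain: hop distance} for every
    newly reached (candidate) domain; the seeds themselves are excluded."""
    dist = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        d = queue.popleft()
        if dist[d] >= max_hops:
            continue
        for s in domain_to_subnets.get(d, ()):
            for nxt in subnet_to_domains[s]:
                if nxt not in dist:
                    dist[nxt] = dist[d] + 1
                    queue.append(nxt)
    return {d: h for d, h in dist.items() if h > 0}


if __name__ == "__main__":
    d2s, s2d, pruned = build_graph(PDNS_RECORDS)
    print("pruned generic subnets:", pruned)
    found = expand_seeds({"seed-c2.example"}, d2s, s2d)
    for d, h in sorted(found.items(), key=lambda x: (x[1], x[0])):
        print(f"hop {h}: {d}")
```

With pruning enabled, the single seed reaches `update-cdn.example` and `login-portal.example` at one hop and `mail-relay.example` at two hops, while the six `tenant*.example` domains sharing the busy 192.0.2.0/24 block with the seed are never reached; raising `max_subnet_degree` so that no subnet is pruned pulls all of them in at hop 1, which is the false-positive growth the pruning step is there to prevent.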
