Detecting mobile advanced persistent threats based on large-scale DNS logs

Abstract Advanced persistent threats (APTs) are complex, sophisticated threats that attempt to steal sensitive information from, or destroy, a target network system by performing continuous activities over an extended period. Originally, APTs primarily targeted personal computers (PCs); however, experts have recently identified APTs that attack mobile devices, i.e., mobile advanced persistent threats (MAPTs). MAPTs differ significantly from APTs that target PC platforms, and they can act jointly with them in a multiplatform APT attack that delivers payloads to both PCs and mobile devices. Such multiplatform attacks make it difficult to detect APTs from domain name system (DNS) logs: because mobile devices and PCs behave differently, previous detection methods do not transfer to multiplatform APT attacks. This paper analyzes several cases of MAPTs and multiplatform APT attacks and identifies significant changes in comparison with individual MAPTs or APT attacks on PCs. Based on these changes, a method that uses DNS logs to detect multiplatform APTs is proposed. First, the proposed method determines whether each DNS request log is a request record of a mobile device or of a PC. Subsequently, according to the changes observed in MAPTs, different features are extracted from the two separated parts of the data, and detection is performed using several machine learning algorithms. The experiments demonstrate that separating DNS logs between PCs and mobile devices can increase the detection rate of multiplatform APTs by over 15%.
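The abstract's central claim is that baselining mobile and PC DNS behaviour separately exposes anomalies that a pooled model hides. The following Python pipeline is an added illustration of that separation step and is not the paper's code: the log line format, the pre-assigned device tag (standing in for the paper's unspecified mobile-vs-PC classification), the two per-client features, the constructed client profiles (with `m6` as a planted outlier) and the leave-one-out z-score detector used in place of the paper's machine learning models are all assumptions made here.

```python
"""
Per-platform baselining of DNS request features, an added illustration of the
separation step described in the abstract. Nothing here is the paper's code:
the log format, the pre-assigned device tag, the two features and the
leave-one-out z-score detector are all constructed assumptions.
"""
import statistics
from collections import defaultdict

# Constructed client profiles: (client id, device class, NXDOMAIN answers,
# distinct query names) out of 100 queries each. "m6" is the planted outlier:
# its NXDOMAIN share is far above its mobile peers but sits between the two
# platform baselines, so a pooled model sees nothing unusual about it.
CLIENT_PROFILES = [
    ("pc1", "pc", 28, 58), ("pc2", "pc", 32, 62), ("pc3", "pc", 30, 60),
    ("pc4", "pc", 29, 59), ("pc5", "pc", 31, 61),
    ("m1", "mobile", 2, 30), ("m2", "mobile", 3, 32), ("m3", "mobile", 2, 31),
    ("m4", "mobile", 1, 29), ("m5", "mobile", 2, 30),
    ("m6", "mobile", 15, 31),
]
QUERIES_PER_CLIENT = 100


def build_sample_logs(profiles=CLIENT_PROFILES):
    """Emit constructed log lines: '<epoch> <client> <device> <qname> <rcode>'.
    The device column stands in for the paper's mobile-vs-PC classification,
    which is assumed to have already run upstream of this script."""
    lines = []
    for client, device, n_nx, n_uniq in profiles:
        for i in range(QUERIES_PER_CLIENT):
            qname = f"d{i % n_uniq}.{client}.example"
            rcode = "NXDOMAIN" if i < n_nx else "NOERROR"
            lines.append(f"{1700000000 + i} {client} {device} {qname} {rcode}")
    return lines


def extract_features(lines):
    """Per-client features keyed by (device, client):
    nx_ratio   - share of answers that were NXDOMAIN
    uniq_ratio - distinct query names divided by total queries"""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "names": set()})
    for line in lines:
        _, client, device, qname, rcode = line.split()
        s = stats[(device, client)]
        s["total"] += 1
        s["nx"] += rcode == "NXDOMAIN"
        s["names"].add(qname)
    return {
        key: {"nx_ratio": s["nx"] / s["total"],
              "uniq_ratio": len(s["names"]) / s["total"]}
        for key, s in stats.items()
    }


def score_clients(features, split_by_device, threshold=3.0):
    """Leave-one-out z-score of each client against its peer group.
    split_by_device=True compares mobiles with mobiles and PCs with PCs;
    False pools every client into one baseline. Returns ({client: max_z},
    set of clients whose max_z exceeds the threshold)."""
    scores, flagged = {}, set()
    for (device, client), feats in features.items():
        peers = [f for (d, c), f in features.items()
                 if c != client and (d == device or not split_by_device)]
        max_z = 0.0
        for name, value in feats.items():
            peer_vals = [p[name] for p in peers]
            mean = statistics.fmean(peer_vals)
            sd = statistics.pstdev(peer_vals)
            # A zero-spread peer group cannot yield a meaningful z-score:
            # any deviation from it is treated as extreme, none as 0.
            if sd == 0:
                z = 0.0 if value == mean else float("inf")
            else:
                z = (value - mean) / sd
            max_z = max(max_z, z)  # only elevated values are suspicious here
        scores[client] = max_z
        if max_z > threshold:
            flagged.add(client)
    return scores, flagged


def compare_detection(lines=None):
    """Run the same features through a pooled and a per-platform baseline."""
    feats = extract_features(lines or build_sample_logs())
    _, pooled = score_clients(feats, split_by_device=False)
    _, split = score_clients(feats, split_by_device=True)
    return {"pooled": sorted(pooled), "split": sorted(split)}


if __name__ == "__main__":
    print(compare_detection())  # {'pooled': [], 'split': ['m6']}
```

The leave-one-out baseline matters in this design: a client's own outlying value would otherwise inflate the peer mean and standard deviation and partly mask itself. With the constructed profiles, `m6`'s NXDOMAIN share lands roughly 20 standard deviations above its mobile peers but within a fraction of one standard deviation of the pooled mean, which is the effect the abstract attributes to separating the two log populations.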
