Two statistical traffic features for certain APT group identification

Bibliographic Details
Published in: Journal of Information Security and Applications, 2022-06, Vol. 67, p. 103207, Article 103207
Main Authors: Liu, Jianyi, Liu, Ying, Li, Jingwen, Sun, Wenxin, Cheng, Jie, Zhang, Ru, Huang, Xingjie, Pang, Jin
Format: Article
Language:English
Description
Summary: Advanced Persistent Threat (APT) attack, which refers to continuous and effective attack activities carried out by a group against a specific target, has become a major threat to highly protected networks. The attack traffic generated by a given APT group has a highly similar distribution, especially in the command and control (C&C) stage. This paper analyzes the DNS and TCP traffic of one APT group's attacks and constructs two new features, C2Load_fluct (response packet load fluctuation) and Bad_rate (bad packet rate), which can be used to identify the APT group. Experimental results show that the F1-score reaches above 0.98 and 0.94 on the two datasets respectively, which shows that the two new features are effective for APT group identification.

Highlights:
• Design two new features to improve the identification results for APT groups.
• Combine the new features with commonly used features to construct a traffic feature set.
• Propose a novel model for APT group identification.
ISSN:2214-2126
DOI:10.1016/j.jisa.2022.103207
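The abstract names the two proposed features but does not define them, so the following is an added illustration, not code from the paper. It computes the two features over constructed flow records under assumed definitions: C2Load_fluct as the coefficient of variation of server-to-client response payload sizes, and Bad_rate as the share of packets flagged as malformed. The `Packet` record, the `bad` flag, and both sample flows are constructed for the example; the paper's own definitions, thresholds and datasets may differ.

```python
"""Illustrative extraction of the two features named in the abstract.

Added example, not the paper's code. The abstract only names C2Load_fluct
("response packet load fluctuation") and Bad_rate ("bad packet rate"); the
concrete definitions below are assumptions:

  * C2Load_fluct: coefficient of variation (population std / mean) of the
    payload sizes of server-to-client response packets within one flow.
  * Bad_rate: fraction of a flow's packets flagged as malformed (bad
    checksum, illegal TCP flag combination, truncated header, ...).

Flow records are constructed inline so the script runs offline.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    direction: str        # "c2s" = client to server, "s2c" = server response
    payload_len: int      # application payload bytes
    bad: bool = False     # set by an assumed upstream packet sanity checker


def c2load_fluct(flow: List[Packet]) -> float:
    """Assumed definition: coefficient of variation of response payload sizes.

    Returns 0.0 for flows with fewer than two non-empty responses, so a
    one-shot request/response or a flow of pure ACKs does not yield NaN.
    """
    sizes = [p.payload_len for p in flow if p.direction == "s2c" and p.payload_len > 0]
    if len(sizes) < 2:
        return 0.0
    return pstdev(sizes) / mean(sizes)


def bad_rate(flow: List[Packet]) -> float:
    """Assumed definition: share of packets in the flow flagged as malformed."""
    if not flow:
        return 0.0
    return sum(1 for p in flow if p.bad) / len(flow)


def extract_features(flow: List[Packet]) -> Dict[str, float]:
    """One feature row per flow: the two new features plus two commonly used
    ones (packet count, mean payload size), mirroring the abstract's idea of
    combining new and common features into one feature set."""
    return {
        "C2Load_fluct": c2load_fluct(flow),
        "Bad_rate": bad_rate(flow),
        "pkt_count": float(len(flow)),
        "mean_payload": float(mean(p.payload_len for p in flow)) if flow else 0.0,
    }


# Constructed sample flows (not captured traffic).
# A beaconing flow: fixed-size check-ins answered by fixed-size responses,
# one response flagged as malformed.
BEACON_FLOW = [
    Packet("c2s", 64), Packet("s2c", 128),
    Packet("c2s", 64), Packet("s2c", 128, bad=True),
    Packet("c2s", 64), Packet("s2c", 128),
]
# An ordinary browsing-like flow: response sizes vary, nothing malformed.
BROWSING_FLOW = [
    Packet("c2s", 400), Packet("s2c", 1400), Packet("s2c", 200),
    Packet("c2s", 380), Packet("s2c", 1400), Packet("s2c", 200),
    Packet("c2s", 0),   # pure ACK, no payload
]

if __name__ == "__main__":
    for name, flow in (("beacon", BEACON_FLOW), ("browsing", BROWSING_FLOW)):
        print(name, extract_features(flow))
```

The feature rows are what a classifier would be trained on; which direction of C2Load_fluct or Bad_rate separates a given APT group from benign traffic is learned from labeled data, not fixed by the extractor, and the constructed flows here only show the features being computed.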