Construction of Two Statistical Anomaly Features for Small-Sample APT Attack Traffic Classification

by   Ru Zhang, et al.

Advanced Persistent Threat (APT) attack, also known as directed threat attack, refers to the continuous and effective attack activities carried out by an organization on a specific object. They are covert, persistent and targeted, which are difficult to capture by traditional intrusion detection system(IDS). The traffic generated by the APT organization, which is the organization that launch the APT attack, has a high similarity, especially in the Command and Control(C2) stage. The addition of features for APT organizations can effectively improve the accuracy of traffic detection for APT attacks. This paper analyzes the DNS and TCP traffic of the APT attack, and constructs two new features, C2Load_fluct (response packet load fluctuation) and Bad_rate (bad packet rate). The analysis showed APT attacks have obvious statistical laws in these two features. This article combines two new features with common features to classify APT attack traffic. Aiming at the problem of data loss and boundary samples, we improve the Adaptive Synthetic(ADASYN) Sampling Approach and propose the PADASYN algorithm to achieve data balance. A traffic classification scheme is designed based on the AdaBoost algorithm. Experiments show that the classification accuracy of APT attack traffic is improved after adding new features to the two datasets so that 10 DNS features, 11 TCP and HTTP/HTTPS features are used to construct a Features set. On the two datasets, F1-score can reach above 0.98 and 0.94 respectively, which proves that the two new features in this paper are effective for APT traffic detection.


page 6

page 7

page 8

page 15


Attack based DoS attack detection using multiple classifier

One of the most common internet attacks causing significant economic los...

A review on Deep Neural Network for Computer Network Traffic Classification

Focus on Deep Neural Network based malicious and normal computer Network...

On the Feasibility and Enhancement of the Tuple Space Explosion Attack against Open vSwitch

Being a crucial part of networked systems, packet classification has to ...

Crypto Mining Makes Noise

A new cybersecurity attack (cryptojacking) is emerging, in both the lite...

Improving Homograph Attack Classification

A visual homograph attack is a way that the attacker deceives the web us...

Strategically-Motivated Advanced Persistent Threat: Definition, Process, Tactics and a Disinformation Model of Counterattack

Advanced persistent threat (APT) is widely acknowledged to be the most s...

ATHAFI: Agile Threat Hunting And Forensic Investigation

Attackers rapidly change their attacks to evade detection. Even the most...