Article

Discovering Suspicious APT Behaviors by Analyzing DNS Activities

1 College of Computer Science and Technology, Jilin University, Changchun 130012, China
2 Key Laboratory of Symbol Computation and Knowledge Engineering, Jilin University, Ministry of Education, Changchun 130012, China
* Author to whom correspondence should be addressed.
Sensors 2020, 20(3), 731; https://doi.org/10.3390/s20030731
Received: 24 December 2019 / Revised: 22 January 2020 / Accepted: 23 January 2020 / Published: 28 January 2020
As sensors become more prevalent in our lives, security issues have become a major concern. In the Advanced Persistent Threat (APT) attack, the sensor has also taken on an important role as a transmission medium. As a relatively weak link in the network transmission process, sensor networks often become the target of attackers. Because APT attacks are characterized by low traffic, long attack duration, diverse attack methods, and real-time evolution, existing detection methods have not been able to detect them comprehensively. Current research suggests that suspicious domain names can be obtained by analyzing the domain name resolution (DNS) requests sent to the target network during an APT attack. In past work based on DNS log analysis, most approaches simply computed the features of the request message, the features of the response message, or the combined feature set of the request plus the response, and the relationship between the response message and the request message was not considered. This may miss APT attacks in which the DNS resolution process is incomplete. This paper proposes a new feature that represents the relationship between a DNS request and its response message, and uses a deep learning method to analyze the DNS request records. The algorithm performs a threat assessment of the DNS behavior under inspection based on the calculated suspicion value. This paper uses 4,907,147,146 DNS request records (376,605,606 records after DNS data pre-processing) collected in a large campus network, together with simulated attack data, to verify the validity and correctness of the system. The experimental results show that our method achieves an average accuracy of 97.6% in detecting suspicious DNS behavior, with an average false positive (FP) rate of 2.3% and a recall of 96.8%. The proposed system can effectively detect hidden and suspicious DNS behavior in APT attacks.
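As an added illustration of the request/response relationship the abstract describes (this is not the authors' system or feature set), the following Python script joins DNS requests to their responses and flags names whose resolutions mostly never complete. The log record layout, the join key (client, transaction ID, query name), and the 0.5 unanswered-ratio threshold are assumptions; the log lines are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class DnsRecord:
    ts: float          # timestamp, epoch seconds (assumed field)
    client: str        # client IP as seen by the resolver (assumed field)
    txid: int          # DNS transaction ID
    qname: str         # queried name
    is_response: bool  # False for a request, True for a response
    rcode: str = ""    # response code, only meaningful on responses

# Constructed sample log (not real traffic): every lookup is answered except
# most of those for "beacon.example.test", which models the incomplete
# resolution pattern that request-only or response-only features would miss.
SAMPLE_LOG = [
    DnsRecord(1.00, "10.0.0.5", 0x1A2B, "www.example.edu", False),
    DnsRecord(1.02, "10.0.0.5", 0x1A2B, "www.example.edu", True, "NOERROR"),
    DnsRecord(2.00, "10.0.0.7", 0x0042, "beacon.example.test", False),
    DnsRecord(3.00, "10.0.0.7", 0x0043, "beacon.example.test", False),
    DnsRecord(4.00, "10.0.0.7", 0x0044, "beacon.example.test", False),
    DnsRecord(4.20, "10.0.0.7", 0x0044, "beacon.example.test", True, "NXDOMAIN"),
    DnsRecord(5.00, "10.0.0.9", 0x0777, "cdn.example.net", False),
    DnsRecord(5.01, "10.0.0.9", 0x0777, "cdn.example.net", True, "NOERROR"),
]

def pair_requests(records):
    """Join each request to its response on (client, txid, qname).
    Returns {qname: {"requests": n, "answered": n, "nxdomain": n}}."""
    pending = {}
    stats = defaultdict(lambda: {"requests": 0, "answered": 0, "nxdomain": 0})
    for r in sorted(records, key=lambda x: x.ts):
        key = (r.client, r.txid, r.qname)
        if not r.is_response:
            pending[key] = r
            stats[r.qname]["requests"] += 1
        elif key in pending:                 # response that closes an open request
            pending.pop(key)
            stats[r.qname]["answered"] += 1
            if r.rcode == "NXDOMAIN":
                stats[r.qname]["nxdomain"] += 1
        # responses with no open request are ignored in this illustration
    return dict(stats)

def suspicious_domains(records, max_unanswered_ratio=0.5):
    """Flag names whose requests mostly never complete resolution."""
    flagged = {}
    for qname, s in pair_requests(records).items():
        ratio = (s["requests"] - s["answered"]) / s["requests"]
        if ratio > max_unanswered_ratio:
            flagged[qname] = round(ratio, 2)
    return flagged
```

In a real deployment this per-name ratio would be one input feature among several, not a verdict on its own.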
Keywords: APT attack; DNS; deep learning; behavior detection; sensor network
MDPI and ACS Style

Yan, G.; Li, Q.; Guo, D.; Meng, X. Discovering Suspicious APT Behaviors by Analyzing DNS Activities. Sensors 2020, 20, 731. https://doi.org/10.3390/s20030731
