Research of snort rule extension and APT detection based on APT network behavior analysis

Yan Cui; Jingfeng Xue; Yong Wang; Zhenyan Liu; Ji Zhang

doi:10.1007/978-981-13-5913-2_4

Research of snort rule extension and APT detection based on APT network behavior analysis

Yan Cui^*, Jingfeng Xue, Yong Wang, Zhenyan Liu, Ji Zhang

^*Corresponding author for this work

School of Computer Science and Technology

Beijing Institute of Technology

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

2 Citations (Scopus)

Abstract

At present, APT attack detection has become the focus of the network security protection field. APT attacks are one of the most difficult attacks in cyber attacks. The complexity and variability of APT attack behavior greatly increases the difficulty of attack detection. In order to cope with APT attack, some well-known network security companies at home and abroad have developed a commercial APT intrusion detection system. This highly targeted attack can not be identified by the traditional intrusion detection system. Therefore, in order to deal with this new type of cyber attack. The paper proposes a new method to detect APT attack from different organizations. Data mining algorithm is used to analyze every organization’s APT network attack behavior and obtain association rules, so as to customize the design of the Snort rules and apply them to intrusion detection system. Experiments have shown that the evaluation index of the intrusion detection system using the extended Snort rule is significantly better than the traditional Snort intrusion detection system when detecting the same test data. The precision of the extended Snort intrusion detection system is as high as 98.3%, and the false alarm rate is almost 0, which ultimately achieves the purpose of APT detection.

Original language	English
Title of host publication	Trusted Computing and Information Security - 12th Chinese Conference, CTCIS 2018, Revised Selected Papers
Editors	Huanguo Zhang, Bo Zhao, Fei Yan
Publisher	Springer Verlag
Pages	51-64
Number of pages	14
ISBN (Print)	9789811359125
DOIs	https://doi.org/10.1007/978-981-13-5913-2_4
Publication status	Published - 2019
Event	12th Chinese Conference on Trusted Computing and Information Security, CTCIS 2018 - Wuhan, China Duration: 18 Oct 2018 → 18 Oct 2018

Publication series

Name	Communications in Computer and Information Science
Volume	960
ISSN (Print)	1865-0929

Conference

Conference	12th Chinese Conference on Trusted Computing and Information Security, CTCIS 2018
Country/Territory	China
City	Wuhan
Period	18/10/18 → 18/10/18

Keywords

APT
Data mining
Network behavior
Snort rule

Access to Document

10.1007/978-981-13-5913-2_4

Cite this

Cui, Y., Xue, J., Wang, Y., Liu, Z., & Zhang, J. (2019). Research of snort rule extension and APT detection based on APT network behavior analysis. In H. Zhang, B. Zhao, & F. Yan (Eds.), Trusted Computing and Information Security - 12th Chinese Conference, CTCIS 2018, Revised Selected Papers (pp. 51-64). (Communications in Computer and Information Science; Vol. 960). Springer Verlag. https://doi.org/10.1007/978-981-13-5913-2_4

Cui, Yan ; Xue, Jingfeng ; Wang, Yong et al. / Research of snort rule extension and APT detection based on APT network behavior analysis. Trusted Computing and Information Security - 12th Chinese Conference, CTCIS 2018, Revised Selected Papers. editor / Huanguo Zhang ; Bo Zhao ; Fei Yan. Springer Verlag, 2019. pp. 51-64 (Communications in Computer and Information Science).

@inproceedings{790ccc463ba14eef9afcb3a42b57de3e,

title = "Research of snort rule extension and APT detection based on APT network behavior analysis",

abstract = "At present, APT attack detection has become the focus of the network security protection field. APT attacks are one of the most difficult attacks in cyber attacks. The complexity and variability of APT attack behavior greatly increases the difficulty of attack detection. In order to cope with APT attack, some well-known network security companies at home and abroad have developed a commercial APT intrusion detection system. This highly targeted attack can not be identified by the traditional intrusion detection system. Therefore, in order to deal with this new type of cyber attack. The paper proposes a new method to detect APT attack from different organizations. Data mining algorithm is used to analyze every organization{\textquoteright}s APT network attack behavior and obtain association rules, so as to customize the design of the Snort rules and apply them to intrusion detection system. Experiments have shown that the evaluation index of the intrusion detection system using the extended Snort rule is significantly better than the traditional Snort intrusion detection system when detecting the same test data. The precision of the extended Snort intrusion detection system is as high as 98.3%, and the false alarm rate is almost 0, which ultimately achieves the purpose of APT detection.",

keywords = "APT, Data mining, Network behavior, Snort rule",

author = "Yan Cui and Jingfeng Xue and Yong Wang and Zhenyan Liu and Ji Zhang",

note = "Publisher Copyright: {\textcopyright} 2019, Springer Nature Singapore Pte Ltd.; 12th Chinese Conference on Trusted Computing and Information Security, CTCIS 2018 ; Conference date: 18-10-2018 Through 18-10-2018",

year = "2019",

doi = "10.1007/978-981-13-5913-2_4",

language = "English",

isbn = "9789811359125",

series = "Communications in Computer and Information Science",

publisher = "Springer Verlag",

pages = "51--64",

editor = "Huanguo Zhang and Bo Zhao and Fei Yan",

booktitle = "Trusted Computing and Information Security - 12th Chinese Conference, CTCIS 2018, Revised Selected Papers",

address = "Germany",

}

Cui, Y, Xue, J , Wang, Y , Liu, Z & Zhang, J 2019, Research of snort rule extension and APT detection based on APT network behavior analysis. in H Zhang, B Zhao & F Yan (eds), Trusted Computing and Information Security - 12th Chinese Conference, CTCIS 2018, Revised Selected Papers. Communications in Computer and Information Science, vol. 960, Springer Verlag, pp. 51-64, 12th Chinese Conference on Trusted Computing and Information Security, CTCIS 2018, Wuhan, China, 18/10/18. https://doi.org/10.1007/978-981-13-5913-2_4

Research of snort rule extension and APT detection based on APT network behavior analysis. / Cui, Yan; Xue, Jingfeng ; Wang, Yong et al.
Trusted Computing and Information Security - 12th Chinese Conference, CTCIS 2018, Revised Selected Papers. ed. / Huanguo Zhang; Bo Zhao; Fei Yan. Springer Verlag, 2019. p. 51-64 (Communications in Computer and Information Science; Vol. 960).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Research of snort rule extension and APT detection based on APT network behavior analysis

AU - Cui, Yan

AU - Xue, Jingfeng

AU - Wang, Yong

AU - Liu, Zhenyan

AU - Zhang, Ji

PY - 2019

Y1 - 2019

N2 - At present, APT attack detection has become the focus of the network security protection field. APT attacks are one of the most difficult attacks in cyber attacks. The complexity and variability of APT attack behavior greatly increases the difficulty of attack detection. In order to cope with APT attack, some well-known network security companies at home and abroad have developed a commercial APT intrusion detection system. This highly targeted attack can not be identified by the traditional intrusion detection system. Therefore, in order to deal with this new type of cyber attack. The paper proposes a new method to detect APT attack from different organizations. Data mining algorithm is used to analyze every organization’s APT network attack behavior and obtain association rules, so as to customize the design of the Snort rules and apply them to intrusion detection system. Experiments have shown that the evaluation index of the intrusion detection system using the extended Snort rule is significantly better than the traditional Snort intrusion detection system when detecting the same test data. The precision of the extended Snort intrusion detection system is as high as 98.3%, and the false alarm rate is almost 0, which ultimately achieves the purpose of APT detection.

AB - At present, APT attack detection has become the focus of the network security protection field. APT attacks are one of the most difficult attacks in cyber attacks. The complexity and variability of APT attack behavior greatly increases the difficulty of attack detection. In order to cope with APT attack, some well-known network security companies at home and abroad have developed a commercial APT intrusion detection system. This highly targeted attack can not be identified by the traditional intrusion detection system. Therefore, in order to deal with this new type of cyber attack. The paper proposes a new method to detect APT attack from different organizations. Data mining algorithm is used to analyze every organization’s APT network attack behavior and obtain association rules, so as to customize the design of the Snort rules and apply them to intrusion detection system. Experiments have shown that the evaluation index of the intrusion detection system using the extended Snort rule is significantly better than the traditional Snort intrusion detection system when detecting the same test data. The precision of the extended Snort intrusion detection system is as high as 98.3%, and the false alarm rate is almost 0, which ultimately achieves the purpose of APT detection.

KW - APT

KW - Data mining

KW - Network behavior

KW - Snort rule

UR - http://www.scopus.com/inward/record.url?scp=85060236743&partnerID=8YFLogxK

U2 - 10.1007/978-981-13-5913-2_4

DO - 10.1007/978-981-13-5913-2_4

M3 - Conference contribution

AN - SCOPUS:85060236743

SN - 9789811359125

T3 - Communications in Computer and Information Science

SP - 51

EP - 64

BT - Trusted Computing and Information Security - 12th Chinese Conference, CTCIS 2018, Revised Selected Papers

A2 - Zhang, Huanguo

A2 - Zhao, Bo

A2 - Yan, Fei

PB - Springer Verlag

T2 - 12th Chinese Conference on Trusted Computing and Information Security, CTCIS 2018

Y2 - 18 October 2018 through 18 October 2018

ER -

Cui Y, Xue J , Wang Y , Liu Z , Zhang J. Research of snort rule extension and APT detection based on APT network behavior analysis. In Zhang H, Zhao B, Yan F, editors, Trusted Computing and Information Security - 12th Chinese Conference, CTCIS 2018, Revised Selected Papers. Springer Verlag. 2019. p. 51-64. (Communications in Computer and Information Science). doi: 10.1007/978-981-13-5913-2_4

Research of snort rule extension and APT detection based on APT network behavior analysis

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this