Research of snort rule extension and APT detection based on APT network behavior analysis

Yan Cui; Jingfeng Xue; Yong Wang; Zhenyan Liu; Ji Zhang

doi:10.1007/978-981-13-5913-2_4

Research of snort rule extension and APT detection based on APT network behavior analysis

Yan Cui^*, Jingfeng Xue, Yong Wang, Zhenyan Liu, Ji Zhang

^*此作品的通讯作者

计算机学院

Beijing Institute of Technology

科研成果: 书/报告/会议事项章节 › 会议稿件 › 同行评审

2 引用（Scopus）

摘要

At present, APT attack detection has become the focus of the network security protection field. APT attacks are one of the most difficult attacks in cyber attacks. The complexity and variability of APT attack behavior greatly increases the difficulty of attack detection. In order to cope with APT attack, some well-known network security companies at home and abroad have developed a commercial APT intrusion detection system. This highly targeted attack can not be identified by the traditional intrusion detection system. Therefore, in order to deal with this new type of cyber attack. The paper proposes a new method to detect APT attack from different organizations. Data mining algorithm is used to analyze every organization’s APT network attack behavior and obtain association rules, so as to customize the design of the Snort rules and apply them to intrusion detection system. Experiments have shown that the evaluation index of the intrusion detection system using the extended Snort rule is significantly better than the traditional Snort intrusion detection system when detecting the same test data. The precision of the extended Snort intrusion detection system is as high as 98.3%, and the false alarm rate is almost 0, which ultimately achieves the purpose of APT detection.

源语言	英语
主期刊名	Trusted Computing and Information Security - 12th Chinese Conference, CTCIS 2018, Revised Selected Papers
编辑	Huanguo Zhang, Bo Zhao, Fei Yan
出版商	Springer Verlag
页	51-64
页数	14
ISBN（印刷版）	9789811359125
DOI	https://doi.org/10.1007/978-981-13-5913-2_4
出版状态	已出版 - 2019
活动	12th Chinese Conference on Trusted Computing and Information Security, CTCIS 2018 - Wuhan, 中国期限: 18 10月 2018 → 18 10月 2018

出版系列

姓名	Communications in Computer and Information Science
卷	960
ISSN（印刷版）	1865-0929

会议

会议	12th Chinese Conference on Trusted Computing and Information Security, CTCIS 2018
国家/地区	中国
市	Wuhan
时期	18/10/18 → 18/10/18

访问文件

10.1007/978-981-13-5913-2_4

其它文件与链接

链接到 Scopus 的出版物

引用此

Cui, Y., Xue, J., Wang, Y., Liu, Z., & Zhang, J. (2019). Research of snort rule extension and APT detection based on APT network behavior analysis. 在 H. Zhang, B. Zhao, & F. Yan (编辑), Trusted Computing and Information Security - 12th Chinese Conference, CTCIS 2018, Revised Selected Papers (页码 51-64). (Communications in Computer and Information Science; 卷 960). Springer Verlag. https://doi.org/10.1007/978-981-13-5913-2_4

Cui, Yan ; Xue, Jingfeng ; Wang, Yong 等. / Research of snort rule extension and APT detection based on APT network behavior analysis. Trusted Computing and Information Security - 12th Chinese Conference, CTCIS 2018, Revised Selected Papers. 编辑 / Huanguo Zhang ; Bo Zhao ; Fei Yan. Springer Verlag, 2019. 页码 51-64 (Communications in Computer and Information Science).

@inproceedings{790ccc463ba14eef9afcb3a42b57de3e,

title = "Research of snort rule extension and APT detection based on APT network behavior analysis",

abstract = "At present, APT attack detection has become the focus of the network security protection field. APT attacks are one of the most difficult attacks in cyber attacks. The complexity and variability of APT attack behavior greatly increases the difficulty of attack detection. In order to cope with APT attack, some well-known network security companies at home and abroad have developed a commercial APT intrusion detection system. This highly targeted attack can not be identified by the traditional intrusion detection system. Therefore, in order to deal with this new type of cyber attack. The paper proposes a new method to detect APT attack from different organizations. Data mining algorithm is used to analyze every organization{\textquoteright}s APT network attack behavior and obtain association rules, so as to customize the design of the Snort rules and apply them to intrusion detection system. Experiments have shown that the evaluation index of the intrusion detection system using the extended Snort rule is significantly better than the traditional Snort intrusion detection system when detecting the same test data. The precision of the extended Snort intrusion detection system is as high as 98.3%, and the false alarm rate is almost 0, which ultimately achieves the purpose of APT detection.",

keywords = "APT, Data mining, Network behavior, Snort rule",

author = "Yan Cui and Jingfeng Xue and Yong Wang and Zhenyan Liu and Ji Zhang",

note = "Publisher Copyright: {\textcopyright} 2019, Springer Nature Singapore Pte Ltd.; 12th Chinese Conference on Trusted Computing and Information Security, CTCIS 2018 ; Conference date: 18-10-2018 Through 18-10-2018",

year = "2019",

doi = "10.1007/978-981-13-5913-2_4",

language = "English",

isbn = "9789811359125",

series = "Communications in Computer and Information Science",

publisher = "Springer Verlag",

pages = "51--64",

editor = "Huanguo Zhang and Bo Zhao and Fei Yan",

booktitle = "Trusted Computing and Information Security - 12th Chinese Conference, CTCIS 2018, Revised Selected Papers",

address = "Germany",

}

Cui, Y, Xue, J , Wang, Y , Liu, Z & Zhang, J 2019, Research of snort rule extension and APT detection based on APT network behavior analysis. 在 H Zhang, B Zhao & F Yan (编辑), Trusted Computing and Information Security - 12th Chinese Conference, CTCIS 2018, Revised Selected Papers. Communications in Computer and Information Science, 卷 960, Springer Verlag, 页码 51-64, 12th Chinese Conference on Trusted Computing and Information Security, CTCIS 2018, Wuhan, 中国, 18/10/18. https://doi.org/10.1007/978-981-13-5913-2_4

Research of snort rule extension and APT detection based on APT network behavior analysis. / Cui, Yan; Xue, Jingfeng ; Wang, Yong 等.
Trusted Computing and Information Security - 12th Chinese Conference, CTCIS 2018, Revised Selected Papers. 编辑 / Huanguo Zhang; Bo Zhao; Fei Yan. Springer Verlag, 2019. 页码 51-64 (Communications in Computer and Information Science; 卷 960).

科研成果: 书/报告/会议事项章节 › 会议稿件 › 同行评审

TY - GEN

T1 - Research of snort rule extension and APT detection based on APT network behavior analysis

AU - Cui, Yan

AU - Xue, Jingfeng

AU - Wang, Yong

AU - Liu, Zhenyan

AU - Zhang, Ji

PY - 2019

Y1 - 2019

N2 - At present, APT attack detection has become the focus of the network security protection field. APT attacks are one of the most difficult attacks in cyber attacks. The complexity and variability of APT attack behavior greatly increases the difficulty of attack detection. In order to cope with APT attack, some well-known network security companies at home and abroad have developed a commercial APT intrusion detection system. This highly targeted attack can not be identified by the traditional intrusion detection system. Therefore, in order to deal with this new type of cyber attack. The paper proposes a new method to detect APT attack from different organizations. Data mining algorithm is used to analyze every organization’s APT network attack behavior and obtain association rules, so as to customize the design of the Snort rules and apply them to intrusion detection system. Experiments have shown that the evaluation index of the intrusion detection system using the extended Snort rule is significantly better than the traditional Snort intrusion detection system when detecting the same test data. The precision of the extended Snort intrusion detection system is as high as 98.3%, and the false alarm rate is almost 0, which ultimately achieves the purpose of APT detection.

AB - At present, APT attack detection has become the focus of the network security protection field. APT attacks are one of the most difficult attacks in cyber attacks. The complexity and variability of APT attack behavior greatly increases the difficulty of attack detection. In order to cope with APT attack, some well-known network security companies at home and abroad have developed a commercial APT intrusion detection system. This highly targeted attack can not be identified by the traditional intrusion detection system. Therefore, in order to deal with this new type of cyber attack. The paper proposes a new method to detect APT attack from different organizations. Data mining algorithm is used to analyze every organization’s APT network attack behavior and obtain association rules, so as to customize the design of the Snort rules and apply them to intrusion detection system. Experiments have shown that the evaluation index of the intrusion detection system using the extended Snort rule is significantly better than the traditional Snort intrusion detection system when detecting the same test data. The precision of the extended Snort intrusion detection system is as high as 98.3%, and the false alarm rate is almost 0, which ultimately achieves the purpose of APT detection.

KW - APT

KW - Data mining

KW - Network behavior

KW - Snort rule

UR - http://www.scopus.com/inward/record.url?scp=85060236743&partnerID=8YFLogxK

U2 - 10.1007/978-981-13-5913-2_4

DO - 10.1007/978-981-13-5913-2_4

M3 - Conference contribution

AN - SCOPUS:85060236743

SN - 9789811359125

T3 - Communications in Computer and Information Science

SP - 51

EP - 64

BT - Trusted Computing and Information Security - 12th Chinese Conference, CTCIS 2018, Revised Selected Papers

A2 - Zhang, Huanguo

A2 - Zhao, Bo

A2 - Yan, Fei

PB - Springer Verlag

T2 - 12th Chinese Conference on Trusted Computing and Information Security, CTCIS 2018

Y2 - 18 October 2018 through 18 October 2018

ER -

Cui Y, Xue J , Wang Y , Liu Z , Zhang J. Research of snort rule extension and APT detection based on APT network behavior analysis. 在 Zhang H, Zhao B, Yan F, 编辑, Trusted Computing and Information Security - 12th Chinese Conference, CTCIS 2018, Revised Selected Papers. Springer Verlag. 2019. 页码 51-64. (Communications in Computer and Information Science). doi: 10.1007/978-981-13-5913-2_4

Research of snort rule extension and APT detection based on APT network behavior analysis

摘要

出版系列

会议

访问文件

其它文件与链接

指纹

引用此