
Detection of command and control in advanced persistent threat based on independent access
Xu Wang, Kangfeng Zheng, Xinxin Niu, Bin Wu, Chunhua Wu
2016 IEEE International Conference on Communications (ICC)
Advanced Persistent Threat (APT) poses a growing threat to cyber security as network attack techniques develop. An APT is a highly interactive, specifically targeted and extremely harmful network-centric attack that employs a range of techniques to evade detection, so that victims often remain unaware of the attack until they have already suffered substantial losses. Since command and control (C&C) is an essential component throughout the lifetime of an APT, detecting it is a practical measure for defending against APTs. In this paper, we analyze the features of C&C in APT and find that HTTP-based C&C is widely used. Based on the analysis results, we propose a new feature of C&C, independent access, to characterize the difference between C&C communications and normal HTTP requests. Applying the independent access feature to DNS records, we implement a novel C&C detection method and validate it on a public dataset. As a new feature of C&C, its advantages and drawbacks are also analyzed.
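The abstract does not define independent access beyond the intuition that a C&C request, unlike a normal HTTP request, is not triggered by other activity (a page load fans out into many related requests and DNS lookups, while an implant's beacon resolves its C&C name on its own). The following Python is an added example, not the paper's code and not its exact definition: it scores a DNS query log under one assumed operationalisation, where a lookup counts as independent when the same client resolves no other name within a two-second window around it, and a name whose lookups are mostly independent is reported as a C&C candidate. The log lines, client address, domain names, window size and thresholds are all constructed for illustration.

```python
"""Independent-access scoring over DNS query logs (added example).

Assumed operationalisation, NOT the paper's definition: a DNS lookup is
"independent" when the same client resolves no other name within WINDOW
seconds of it.  Browser page loads burst into many lookups at once; a
beaconing implant resolves its C&C name alone.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=2)  # assumed neighbourhood for "alone"

# Constructed sample log, one "timestamp client qname" per line.
# update.lookalike-corp.example beacons every five minutes; one beacon
# (10:30:00) coincides with a page load and is therefore not independent.
SAMPLE_LOG = """\
2016-05-23T10:00:00 10.0.0.5 www.news-site.example
2016-05-23T10:00:00 10.0.0.5 cdn.news-site.example
2016-05-23T10:00:01 10.0.0.5 analytics.tracker.example
2016-05-23T10:00:01 10.0.0.5 fonts.static.example
2016-05-23T10:05:00 10.0.0.5 update.lookalike-corp.example
2016-05-23T10:10:00 10.0.0.5 update.lookalike-corp.example
2016-05-23T10:12:30 10.0.0.5 www.news-site.example
2016-05-23T10:12:30 10.0.0.5 cdn.news-site.example
2016-05-23T10:12:31 10.0.0.5 analytics.tracker.example
2016-05-23T10:15:00 10.0.0.5 update.lookalike-corp.example
2016-05-23T10:20:00 10.0.0.5 update.lookalike-corp.example
2016-05-23T10:25:00 10.0.0.5 update.lookalike-corp.example
2016-05-23T10:30:00 10.0.0.5 update.lookalike-corp.example
2016-05-23T10:30:00 10.0.0.5 www.news-site.example
2016-05-23T10:30:00 10.0.0.5 cdn.news-site.example
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, qname)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        records.append((datetime.fromisoformat(ts), client, qname.lower()))
    return records


def independent_lookups(records, window=WINDOW):
    """Yield (qname, is_independent) for every lookup in the log."""
    by_client = defaultdict(list)
    for ts, client, qname in records:
        by_client[client].append((ts, qname))
    for queries in by_client.values():
        queries.sort()  # sorted by time, so neighbour scans can stop early
        for i, (ts, qname) in enumerate(queries):
            alone = True
            for j in range(i - 1, -1, -1):  # earlier lookups inside the window
                ts2, q2 = queries[j]
                if ts - ts2 > window:
                    break
                if q2 != qname:
                    alone = False
                    break
            if alone:
                for j in range(i + 1, len(queries)):  # later lookups inside the window
                    ts2, q2 = queries[j]
                    if ts2 - ts > window:
                        break
                    if q2 != qname:
                        alone = False
                        break
            yield qname, alone


def independence_ratio(records, window=WINDOW):
    """Fraction of each name's lookups that were independent."""
    total, indep = Counter(), Counter()
    for qname, alone in independent_lookups(records, window):
        total[qname] += 1
        indep[qname] += alone
    return {q: indep[q] / total[q] for q in total}


def flag_candidates(records, min_lookups=3, threshold=0.8, window=WINDOW):
    """Names seen at least min_lookups times with independence >= threshold."""
    counts = Counter(q for _, _, q in records)
    ratios = independence_ratio(records, window)
    return sorted(q for q, r in ratios.items()
                  if counts[q] >= min_lookups and r >= threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for name, ratio in sorted(independence_ratio(recs).items()):
        print(f"{name:32s} independence={ratio:.2f}")
    print("C&C candidates:", flag_candidates(recs))
```

On the constructed log the beacon name scores 5/6 and the page-load names score 0, so only the beacon is reported. Two caveats a practitioner would check before relying on this: a beacon that happens to coincide with browsing is masked (the 10:30:00 line), and any client that legitimately polls a single name on its own, such as an update or NTP checker, scores just as high, so a whitelist or a second feature is needed. Stub-resolver caching also shapes what the recursive server logs, so a long TTL on the C&C name reduces the lookup count below `min_lookups`.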