Detection of command and control in advanced persistent threat based on independent access

Publication Type:
Conference Proceeding
2016 IEEE International Conference on Communications, ICC 2016, 2016, pp. 1-6
Issue Date:
Full metadata record
© 2016 IEEE. Advanced Persistent Threat (APT) imposes increasing threats on cyber security with the developing network attack technologies. APT is a highly interactive, specifically targeted and extremely harmful network-centric attack, which employs various technologies to evade detection during attacks leading to the result that victims will not be aware of attacks until they suffer from tremendous losses. Since command and control (C&C) is an essential component during the lifetime of APT, the detection of it is a practical measure to defend against the APT. In this paper, we analyze the features of C&C in APT and find that the HTTP-based C&C is widely used. Based on the analysis results, we propose a new feature of C&C, i.e., independent access, to characterize the difference between C&C communications and normal HTTP requests. Applying the independent access feature into DNS records, we implement a novel C&C detection method and validate it on public dataset. As a new feature of C&C, its advantages and drawbacks are also analyzed.
Please use this identifier to cite or link to this item: