Skip to main content
SpringerLink
Log in

Research of Snort Rule Extension and APT Detection Based on APT Network Behavior Analysis

  • Conference paper
  • First Online:
Trusted Computing and Information Security (CTCIS 2018)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 960))

Included in the following conference series:

  • 654 Accesses

Abstract

At present, APT attack detection has become the focus of the network security protection field. APT attacks are one of the most difficult attacks in cyber attacks. The complexity and variability of APT attack behavior greatly increases the difficulty of attack detection. In order to cope with APT attack, some well-known network security companies at home and abroad have developed a commercial APT intrusion detection system. This highly targeted attack can not be identified by the traditional intrusion detection system. Therefore, in order to deal with this new type of cyber attack. The paper proposes a new method to detect APT attack from different organizations. Data mining algorithm is used to analyze every organization’s APT network attack behavior and obtain association rules, so as to customize the design of the Snort rules and apply them to intrusion detection system. Experiments have shown that the evaluation index of the intrusion detection system using the extended Snort rule is significantly better than the traditional Snort intrusion detection system when detecting the same test data. The precision of the extended Snort intrusion detection system is as high as 98.3%, and the false alarm rate is almost 0, which ultimately achieves the purpose of APT detection.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Li, M., Huang, W., Wang, Y., Fan, W., Li, J.: The study of APT attack stage model. In: IEEE/ACIS, International Conference on Computer and Information Science, pp. 1–5. IEEE (2016)

    Google Scholar 

  2. Li, H., Liu, G., Jiang, W., Dai, Y.: Designing snort rules to detect abnormal DNP3 network data. In: International Conference on Control, Automation and Information Sciences, pp. 343–348. IEEE (2015)

    Google Scholar 

  3. Kang, Y., Wei, Z.: Research on Apriori algorithm based on DNS visit records mining. Netinfo Security (2012)

    Google Scholar 

  4. Rossow, C., Dietrich, C.J., Bos, H., Cavallaro, L., et al.: Sandnet: network traffic analysis of malicious software. In: ACM Eurosys Badgers, pp. 78–88 (2011)

    Google Scholar 

  5. Ju, A., Guo, Y., Zhu, T.: Big data network security situation awareness and early warning architecture based on open source toolset. Comput. Sci. 44(5), 125–131 (2017)

    Google Scholar 

  6. Xu, W., Wang, Y., Xue, Z.: Attack indicator automatic generation for threat intelligence. Commun. Technol. 50(1), 116–123 (2017)

    Google Scholar 

  7. Zeng, Y., Yin, S., Liu, J., et al.: Research of improved FP-Growth algorithm in association rules mining. Sci. Program. 2015, 6 (2015)

    Google Scholar 

  8. Bilge, L., Kirda, E., Kruegel, C., Balduzzi, M.: EXPOSURE: finding malicious domains using passive DNS analysis. In: NDSS (2011)

    Google Scholar 

  9. Borgelt, C.: An implementation of the FP-growth algorithm, pp. 1–5 (2005)

    Google Scholar 

  10. Perdisci, R., Lee, W., Feamster, N.: Behavioral clustering of HTTP-based malware and signature generation using malicious network traces. In: Usenix Conference on Networked Systems Design and Implementation, p. 26. USENIX Association (2010)

    Google Scholar 

  11. Xu, Y., Zhang, A.: Network packet analysis software design based on PCAP format. Mod. Electron. Technol. 36(10), 49–51 (2013)

    Google Scholar 

  12. Dai, Z., Cheng, G.: APT attack detection method based on communication features. Comput. Eng. Appl. 53(18), 77–83 (2017)

    Google Scholar 

  13. Qin, L., Shi, Z.: Mining network traffic association rules mining based on iceberg query. Comput. Eng. 31(7), 354–368 (2005)

    Google Scholar 

  14. Li, M., Fan, M.: Research and implementation of unknown malicious code detection system based on network behavior analysis. University of Electronic Science and technology, Chengdu (2009)

    Google Scholar 

  15. Khamphakdee, N., Benjamas, N., Saiyod, S.: Improving intrusion detection system based on snort rules for network probe attacks detection with association rules technique of data mining. J. ICT Res. Appl. 8(3), 234–250 (2015)

    Article  Google Scholar 

  16. Wang, J.J., Luo, K., Zhao, Z.X.: Snort network intrusion detection based on data mining techniques. Comput. Eng. Appl. 45(1), 121–123 (2009)

    Google Scholar 

  17. Zhou, Z., Zhongwen, C., Tiecheng, Z., Xiaohui, G.: The study on network intrusion detection system of Snort. In: 2010 2nd International Conference on Networking and Digital Society (ICNDS), vol. 2, pp. 194–196. IEEE (2010)

    Google Scholar 

  18. Kumar, V., Sangwan, O.P.: Signature based intrusion detection system using SNORT. Int. J. Comput. Appl. Inf. Technol. 1(3), 35–41 (2012)

    Google Scholar 

  19. Shah, S.N., Singh, M.P.: Signature-based network intrusion detection system using SNORT and WINPCAP. Int. J. Eng. Res. Technol. (IJERT) 1(10), 1–7 (2012)

    Google Scholar 

  20. Geng, X., Liu, B., Huang, X.: Investigation on security system for snort-based campus network. In: 2009 1st International Conference on Information Science and Engineering (ICISE), pp. 1756–1758. IEEE (2009)

    Google Scholar 

  21. Rani, S., Singh, V.: SNORT: an open source network security tool for intrusion detection in campus network environment. Int. J. Comput. Technol. Electron. Eng. 2(1), 137–142 (2012)

    Google Scholar 

  22. Huang, C., Xiong, J., Peng, Z.: Applied research on snort intrusion detection model in the campus network. In: 2012 IEEE Symposium on Robotics and Applications (ISRA), pp. 596–599. IEEE (2012)

    Google Scholar 

  23. Naiping, S., Genyuan, Z.: A study on intrusion detection based on data mining. In: 2010 International Conference of Information Science and Management Engineering (ISME), vol. 1, pp. 135–138. IEEE (2010)

    Google Scholar 

  24. Haixia, G.: Research of the intrusion detection system based on data mining. In: Proceeding of the International Conference on e-Education, Entertainment and e-Management, pp. 190–192. IEEE (2011)

    Google Scholar 

  25. Miao, C., Chen, W.: A study of intrusion detection system based on data mining. In: 2010 IEEE International Conference on Information Theory and Information Security (ICITIS), pp. 186–189. IEEE (2010)

    Google Scholar 

  26. Gongxing, W., Yimin, H.: Design of a new Intrusion detection system based on database. In: 2009 International Conference on Signal Processing Systems, pp. 814–817. IEEE (2009)

    Google Scholar 

  27. Uday, B.P., Visakh, R.: A dynamic system for intrusion detection accomplished with enhanced SVM through apt integration of data mining techniques with improved heuristic rules: performance evaluation with NSL KDD. In: Proceedings of the 2014 International Conference on Information and Communication Technology for Competitive Strategies, p. 46. ACM (2014)

    Google Scholar 

  28. Trabelsi, Z., Alketbi, L.: Using network packet generators and snort rules for teaching denial of service attacks. In: Proceedings of the 18th ACM Conference on Innovation and Technology in Computer Science Education, pp. 285–290. ACM (2013)

    Google Scholar 

Download references

Acknowledgments

This work was supported in part by the National Key Research and Development Program of China under Grant 2016YFB0801304.

Author information

Authors and Affiliations

  1. School of Computer Science and Technology, Beijing Institute of Technology, Beijing, China

    Yan Cui, Jingfeng Xue, Yong Wang, Zhenyan Liu & Ji Zhang

Authors
  1. Yan Cui
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Jingfeng Xue
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Yong Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Zhenyan Liu
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Ji Zhang
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Yan Cui .

Editor information

Editors and Affiliations

  1. School of Cyber Science and Engineering, Wuhan University, Wuhan, China

    Huanguo Zhang

  2. School of Cyber Science and Engineering, Wuhan University, Wuhan, China

    Bo Zhao

  3. School of Cyber Science and Engineering, Wuhan University, Wuhan, China

    Fei Yan

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Singapore Pte Ltd.

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Cui, Y., Xue, J., Wang, Y., Liu, Z., Zhang, J. (2019). Research of Snort Rule Extension and APT Detection Based on APT Network Behavior Analysis. In: Zhang, H., Zhao, B., Yan, F. (eds) Trusted Computing and Information Security. CTCIS 2018. Communications in Computer and Information Science, vol 960. Springer, Singapore. https://doi.org/10.1007/978-981-13-5913-2_4

Download citation

  • DOI: https://doi.org/10.1007/978-981-13-5913-2_4

  • Published:

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-13-5912-5

  • Online ISBN: 978-981-13-5913-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation