Abstract
At present, APT attack detection has become the focus of the network security protection field. APT attacks are one of the most difficult attacks in cyber attacks. The complexity and variability of APT attack behavior greatly increases the difficulty of attack detection. In order to cope with APT attack, some well-known network security companies at home and abroad have developed a commercial APT intrusion detection system. This highly targeted attack can not be identified by the traditional intrusion detection system. Therefore, in order to deal with this new type of cyber attack. The paper proposes a new method to detect APT attack from different organizations. Data mining algorithm is used to analyze every organization’s APT network attack behavior and obtain association rules, so as to customize the design of the Snort rules and apply them to intrusion detection system. Experiments have shown that the evaluation index of the intrusion detection system using the extended Snort rule is significantly better than the traditional Snort intrusion detection system when detecting the same test data. The precision of the extended Snort intrusion detection system is as high as 98.3%, and the false alarm rate is almost 0, which ultimately achieves the purpose of APT detection.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Li, M., Huang, W., Wang, Y., Fan, W., Li, J.: The study of APT attack stage model. In: IEEE/ACIS, International Conference on Computer and Information Science, pp. 1–5. IEEE (2016)
Li, H., Liu, G., Jiang, W., Dai, Y.: Designing snort rules to detect abnormal DNP3 network data. In: International Conference on Control, Automation and Information Sciences, pp. 343–348. IEEE (2015)
Kang, Y., Wei, Z.: Research on Apriori algorithm based on DNS visit records mining. Netinfo Security (2012)
Rossow, C., Dietrich, C.J., Bos, H., Cavallaro, L., et al.: Sandnet: network traffic analysis of malicious software. In: ACM Eurosys Badgers, pp. 78–88 (2011)
Ju, A., Guo, Y., Zhu, T.: Big data network security situation awareness and early warning architecture based on open source toolset. Comput. Sci. 44(5), 125–131 (2017)
Xu, W., Wang, Y., Xue, Z.: Attack indicator automatic generation for threat intelligence. Commun. Technol. 50(1), 116–123 (2017)
Zeng, Y., Yin, S., Liu, J., et al.: Research of improved FP-Growth algorithm in association rules mining. Sci. Program. 2015, 6 (2015)
Bilge, L., Kirda, E., Kruegel, C., Balduzzi, M.: EXPOSURE: finding malicious domains using passive DNS analysis. In: NDSS (2011)
Borgelt, C.: An implementation of the FP-growth algorithm, pp. 1–5 (2005)
Perdisci, R., Lee, W., Feamster, N.: Behavioral clustering of HTTP-based malware and signature generation using malicious network traces. In: Usenix Conference on Networked Systems Design and Implementation, p. 26. USENIX Association (2010)
Xu, Y., Zhang, A.: Network packet analysis software design based on PCAP format. Mod. Electron. Technol. 36(10), 49–51 (2013)
Dai, Z., Cheng, G.: APT attack detection method based on communication features. Comput. Eng. Appl. 53(18), 77–83 (2017)
Qin, L., Shi, Z.: Mining network traffic association rules mining based on iceberg query. Comput. Eng. 31(7), 354–368 (2005)
Li, M., Fan, M.: Research and implementation of unknown malicious code detection system based on network behavior analysis. University of Electronic Science and technology, Chengdu (2009)
Khamphakdee, N., Benjamas, N., Saiyod, S.: Improving intrusion detection system based on snort rules for network probe attacks detection with association rules technique of data mining. J. ICT Res. Appl. 8(3), 234–250 (2015)
Wang, J.J., Luo, K., Zhao, Z.X.: Snort network intrusion detection based on data mining techniques. Comput. Eng. Appl. 45(1), 121–123 (2009)
Zhou, Z., Zhongwen, C., Tiecheng, Z., Xiaohui, G.: The study on network intrusion detection system of Snort. In: 2010 2nd International Conference on Networking and Digital Society (ICNDS), vol. 2, pp. 194–196. IEEE (2010)
Kumar, V., Sangwan, O.P.: Signature based intrusion detection system using SNORT. Int. J. Comput. Appl. Inf. Technol. 1(3), 35–41 (2012)
Shah, S.N., Singh, M.P.: Signature-based network intrusion detection system using SNORT and WINPCAP. Int. J. Eng. Res. Technol. (IJERT) 1(10), 1–7 (2012)
Geng, X., Liu, B., Huang, X.: Investigation on security system for snort-based campus network. In: 2009 1st International Conference on Information Science and Engineering (ICISE), pp. 1756–1758. IEEE (2009)
Rani, S., Singh, V.: SNORT: an open source network security tool for intrusion detection in campus network environment. Int. J. Comput. Technol. Electron. Eng. 2(1), 137–142 (2012)
Huang, C., Xiong, J., Peng, Z.: Applied research on snort intrusion detection model in the campus network. In: 2012 IEEE Symposium on Robotics and Applications (ISRA), pp. 596–599. IEEE (2012)
Naiping, S., Genyuan, Z.: A study on intrusion detection based on data mining. In: 2010 International Conference of Information Science and Management Engineering (ISME), vol. 1, pp. 135–138. IEEE (2010)
Haixia, G.: Research of the intrusion detection system based on data mining. In: Proceeding of the International Conference on e-Education, Entertainment and e-Management, pp. 190–192. IEEE (2011)
Miao, C., Chen, W.: A study of intrusion detection system based on data mining. In: 2010 IEEE International Conference on Information Theory and Information Security (ICITIS), pp. 186–189. IEEE (2010)
Gongxing, W., Yimin, H.: Design of a new Intrusion detection system based on database. In: 2009 International Conference on Signal Processing Systems, pp. 814–817. IEEE (2009)
Uday, B.P., Visakh, R.: A dynamic system for intrusion detection accomplished with enhanced SVM through apt integration of data mining techniques with improved heuristic rules: performance evaluation with NSL KDD. In: Proceedings of the 2014 International Conference on Information and Communication Technology for Competitive Strategies, p. 46. ACM (2014)
Trabelsi, Z., Alketbi, L.: Using network packet generators and snort rules for teaching denial of service attacks. In: Proceedings of the 18th ACM Conference on Innovation and Technology in Computer Science Education, pp. 285–290. ACM (2013)
Acknowledgments
This work was supported in part by the National Key Research and Development Program of China under Grant 2016YFB0801304.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Cui, Y., Xue, J., Wang, Y., Liu, Z., Zhang, J. (2019). Research of Snort Rule Extension and APT Detection Based on APT Network Behavior Analysis. In: Zhang, H., Zhao, B., Yan, F. (eds) Trusted Computing and Information Security. CTCIS 2018. Communications in Computer and Information Science, vol 960. Springer, Singapore. https://doi.org/10.1007/978-981-13-5913-2_4
Download citation
DOI: https://doi.org/10.1007/978-981-13-5913-2_4
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-13-5912-5
Online ISBN: 978-981-13-5913-2
eBook Packages: Computer ScienceComputer Science (R0)