
Detecting mobile advanced persistent threats based on large-scale DNS logs



Abstract

Advanced persistent threats (APTs) are complex, sophisticated threats that attempt to steal sensitive information from, or destroy, a target network by performing continuous activities over an extended period. APTs originally targeted personal computers (PCs); however, experts have recently identified APTs that attack mobile devices, i.e., mobile advanced persistent threats (MAPTs). MAPTs differ significantly from APTs that target PC platforms, and they can act jointly with them in a multiplatform APT attack that delivers payloads to both PCs and mobile devices. Multiplatform attacks make it difficult to detect APTs from domain name system (DNS) logs: because mobile devices and PCs behave differently, previous detection methods do not handle multiplatform APT attacks well. This paper analyzes several cases of MAPTs and multiplatform APT attacks and identifies significant changes compared with individual MAPTs or APT attacks on PCs. Based on these changes, a method that uses DNS logs to detect multiplatform APTs is proposed. First, the method determines whether each DNS request record comes from a mobile device or a PC. Then, according to the observed changes in MAPT behaviour, different features are extracted from the two separated parts of the data, and detection performance is evaluated using several machine learning algorithms. The experiments demonstrate that separating the DNS logs of PCs and mobile devices increases the detection rate of multiplatform APTs by over 15%.
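The pipeline the abstract describes (split DNS request logs by client platform, extract features separately for each part, then score) can be illustrated on a small constructed log. The block below is an added example written for this page; it is not the paper's code, and the paper does not disclose its feature set or its platform classifier. Everything specific here is an assumption: the log format (`epoch client_ip qname rcode`), the platform heuristic (a client is labelled mobile or PC from the OS connectivity-check and push domains it resolves), the single feature used for scoring (the coefficient of variation of inter-query intervals for each client/domain pair, low values meaning regular beacon-like C&C resolution), and the per-platform allowlists of domains that are legitimately periodic. The `split_by_platform=False` path shows why the separation matters: without it, a mobile push keepalive looks exactly like a beacon.

```python
"""Added example: platform-split DNS log analysis for beacon-like C&C resolution.

Not the paper's code. Log format, platform heuristic, feature and thresholds
are all illustrative assumptions; the sample log is constructed, not real.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (not real traffic): "epoch client_ip qname rcode".
# 10.0.0.5 looks like a phone, 10.0.0.9 like a Windows PC, 10.0.0.7 is unknown.
# Both the phone and the PC resolve the same hypothetical C&C name on a fixed period.
SAMPLE_LOG = """\
1600000000 10.0.0.5 connectivitycheck.gstatic.com NOERROR
1600000005 10.0.0.5 mtalk.google.com NOERROR
1600000012 10.0.0.5 upd.example-cc.net NOERROR
1600000305 10.0.0.5 mtalk.google.com NOERROR
1600000312 10.0.0.5 upd.example-cc.net NOERROR
1600000605 10.0.0.5 mtalk.google.com NOERROR
1600000612 10.0.0.5 upd.example-cc.net NOERROR
1600000905 10.0.0.5 mtalk.google.com NOERROR
1600000912 10.0.0.5 upd.example-cc.net NOERROR
1600000001 10.0.0.9 www.msftconnecttest.com NOERROR
1600000020 10.0.0.9 news.example.org NOERROR
1600000057 10.0.0.9 news.example.org NOERROR
1600000100 10.0.0.9 upd.example-cc.net NOERROR
1600000700 10.0.0.9 upd.example-cc.net NOERROR
1600001300 10.0.0.9 upd.example-cc.net NOERROR
1600001900 10.0.0.9 upd.example-cc.net NOERROR
1600000920 10.0.0.9 news.example.org NOERROR
1600000400 10.0.0.9 ctldl.windowsupdate.com NOERROR
1600000123 10.0.0.7 blog.example.net NXDOMAIN
"""

# Hypothetical platform fingerprints: OS connectivity-check and push domains.
MOBILE_HINTS = ("connectivitycheck.gstatic.com", "captive.apple.com", "mtalk.google.com")
PC_HINTS = ("msftconnecttest.com", "windowsupdate.com")

# Hypothetical per-platform allowlists of names that are legitimately periodic
# (push keepalives on mobile, update/connectivity checks on PCs).
PERIODIC_OK = {
    "mobile": ("mtalk.google.com", "push.apple.com"),
    "pc": ("windowsupdate.com", "msftconnecttest.com"),
    "unknown": (),
}


def _matches(qname, suffixes):
    return any(qname == s or qname.endswith("." + s) for s in suffixes)


def parse_log(text):
    """Parse the constructed log format into (epoch, client_ip, qname, rcode) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, ip, qname, rcode = line.split()
        records.append((int(ts), ip, qname.lower().rstrip("."), rcode))
    return records


def classify_platform(records):
    """Step 1: label each client as mobile, pc or unknown by majority of hint domains seen."""
    votes = defaultdict(lambda: {"mobile": 0, "pc": 0})
    for _, ip, qname, _ in records:
        if _matches(qname, MOBILE_HINTS):
            votes[ip]["mobile"] += 1
        elif _matches(qname, PC_HINTS):
            votes[ip]["pc"] += 1
    platform = {}
    for _, ip, _, _ in records:
        v = votes[ip]
        if v["mobile"] == v["pc"]:
            platform[ip] = "unknown"
        else:
            platform[ip] = "mobile" if v["mobile"] > v["pc"] else "pc"
    return platform


def extract_features(records, platform):
    """Step 2: per (client, qname) pair, count queries and compute the coefficient of
    variation of inter-query gaps; the platform decides which periodic names are benign."""
    times = defaultdict(list)
    for ts, ip, qname, _ in records:
        times[(ip, qname)].append(ts)
    features = {}
    for (ip, qname), ts_list in times.items():
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
        plat = platform[ip]
        features[(ip, qname)] = {
            "platform": plat,
            "count": len(ts_list),
            "interval_cv": cv,
            "known_periodic": _matches(qname, PERIODIC_OK[plat]),
        }
    return features


def detect(text, split_by_platform=True, min_queries=3, max_cv=0.2):
    """Step 3: return sorted (platform, client_ip, qname) triples whose resolution pattern
    is beacon-like and not explained by that platform's own background traffic."""
    records = parse_log(text)
    if split_by_platform:
        platform = classify_platform(records)
    else:  # treat everything as one undifferentiated stream
        platform = {ip: "unknown" for _, ip, _, _ in records}
    hits = []
    for (ip, qname), f in extract_features(records, platform).items():
        if f["known_periodic"] or f["count"] < min_queries or f["interval_cv"] is None:
            continue
        if f["interval_cv"] <= max_cv:
            hits.append((f["platform"], ip, qname))
    return sorted(hits)


if __name__ == "__main__":
    print("split:  ", detect(SAMPLE_LOG))
    print("unsplit:", detect(SAMPLE_LOG, split_by_platform=False))
```

With the platform split, only `upd.example-cc.net` is flagged, once for the phone and once for the PC, which is the multiplatform pattern the abstract describes; in the unsplit run, `mtalk.google.com` is flagged as well, a false positive caused by mobile keepalive traffic that a PC-only allowlist never sees. Real DNS logs rarely carry a device indicator, so a deployable classifier would need richer evidence than a handful of hint domains (DHCP fingerprints, NetFlow, or the paper's own method).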

Bibliographic record

  • Source
    Computers & Security | 2020, Issue 9 | 101933.1-101933.12 | 12 pages
  • Author affiliations

    College of Computer Science and Technology Jilin University Changchun 130012 China;

    Key Laboratory of Symbolic Computation and Knowledge Engineering of Ministry of Education Jilin University Changchun China;

    College of Computer Science and Technology Jilin University Changchun 130012 China;

  • Indexed in: Science Citation Index (SCI); Engineering Index (EI)
  • Format: PDF
  • Language: English
  • Keywords

    Multiplatform attack; Mobile advanced persistent threats (MAPTs); C&C communication; DNS logs;

