Discovering Suspicious APT Families Through a Large-Scale Domain Graph in Information-Centric IoT

Abstract

In recent years, a type of cyberattack known as the advanced persistent threat (APT) has caused very serious losses to organizations such as governments and enterprises. APTs are characterized by long duration, complex attack methods, and a strong ability to conceal themselves, which makes them difficult to detect. Due to the lack of proper means to protect the Information-centric IoT (ICIoT), ICIoT devices are extremely vulnerable to APT attacks. Moreover, most existing APT detection methods extract the features of individual APT attacks, and most of the extracted features are local, so the related methods scale poorly, which reduces their accuracy. Furthermore, attackers can easily evade detection by changing these local features. In this paper, we observe that during an APT attack the infected host will inevitably communicate with the command and control server (C&C server), and that the C&C domain names are the bridge connecting the internal infection with the C&C server. Moreover, the attacks of one attack family, i.e., the collection of the same APT attacks, tend to map their C&C domain names to the same IP subnet. Under the assumption that APT attackers have limited attack resources, this relationship between the C&C domain names of an APT and an IP subnet is unavoidable if the attackers are to achieve higher attack efficiency, and it enables effective tracking of APT attack behavior. Therefore, we construct a detection method based on the graph structure of the domain names. This method can improve detection efficiency in the information-centric Internet, especially for IoT devices. At the same time, we employ an appropriate pruning strategy and a preprocessing method to reduce the size of the data to be processed and improve computational efficiency. The method can also narrow the detection range, increase detection accuracy, and improve the robustness and scalability of the detection system. In the actual experiment, we process 257535071 DNS requests and 73136 domain names. The experiment shows that C&C domain names can be effectively detected even with a small-scale set of seed domain names.

Bibliographic Details
Main Authors: Zhen Ma, Qiang Li (https://orcid.org/0000-0001-7510-4718), Xiangyu Meng
Affiliation: College of Computer Science and Technology, Jilin University, Changchun, China
Format: Article
Language: English
Published: IEEE, 2019-01-01
Series: IEEE Access, vol. 7, pp. 13917-13926 (ISSN 2169-3536)
DOI: 10.1109/ACCESS.2019.2894509
Subjects: APT; malicious domain; graph; ICIoT; C&C server
Online Access: https://ieeexplore.ieee.org/document/8624251/