Host based Feature Description Method for Detecting APT Attack

  • Moon D
  • Lee H
  • Kim I

Abstract

As the social and financial damage caused by APT attacks such as the 3.20 cyber terror incident increases, a technical solution against APT attacks is required. It is, however, difficult to defend against APT attacks with existing security equipment, because the attacks persistently use zero-day malware. In this paper, we propose a host-based anomaly detection method to overcome the limitations of the conventional signature-based intrusion detection system. First, we defined 39 features to distinguish normal from abnormal behavior, and then collected a data set of 8.7 million feature records generated while running both malware and normal executable files. Further, each process is represented as an 83-dimensional vector that profiles the frequency of appearance of the features, reconstructed per process ID; the vector also includes the frequency of features generated in the child processes of each process. Therefore, it is possible to represent the whole behavior of the process while it is running. In experimental results applying the C4.5 decision tree algorithm, we confirmed false positive and false negative rates of 2.0% and 5.8%, respectively.

Keywords: Advanced Persistent Threat; APT; Anomaly Detection; HIDS
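The abstract describes the core feature-description step: per-process frequency counts of behavioral features, with the counts from child processes folded into the parent's vector. The following is an added illustration of that aggregation, not code from the paper. The five-feature set and the event records are constructed; the paper's 39 features and its mapping to an 83-dimensional vector are not given in the abstract, so the vector here is simply own counts concatenated with descendant counts. Whether "child processes" means direct children only or all descendants is also not stated; this example sums over all descendants and guards against malformed parent links.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed (hypothetical) feature set standing in for the paper's 39 features.
FEATURES = ["file_create", "file_delete", "registry_write", "net_connect", "process_create"]
FEATURE_INDEX = {name: i for i, name in enumerate(FEATURES)}

# Constructed sample events as (pid, ppid, feature); not real host telemetry.
# Process 100 spawns 200, which spawns 300; 400 is unrelated.
SAMPLE_EVENTS: List[Tuple[int, int, str]] = [
    (100, 1, "file_create"),
    (100, 1, "process_create"),
    (200, 100, "registry_write"),
    (200, 100, "net_connect"),
    (200, 100, "process_create"),
    (300, 200, "file_delete"),
    (300, 200, "net_connect"),
    (400, 1, "file_create"),
]


def vector_labels() -> List[str]:
    """Column names for the profile vector: own counts first, then descendant counts."""
    return [f"own:{f}" for f in FEATURES] + [f"child:{f}" for f in FEATURES]


def _descendant_counts(pid: int, children: Dict[int, set], own: Dict[int, List[int]]) -> List[int]:
    """Sum feature counts over every descendant of pid (iterative DFS, cycle-safe)."""
    total = [0] * len(FEATURES)
    seen = {pid}
    stack = list(children.get(pid, ()))
    while stack:
        child = stack.pop()
        if child in seen:          # defensive: skip repeated or cyclic parent links
            continue
        seen.add(child)
        for i, count in enumerate(own.get(child, [0] * len(FEATURES))):
            total[i] += count
        stack.extend(children.get(child, ()))
    return total


def build_profiles(events: Iterable[Tuple[int, int, str]]) -> Dict[int, List[int]]:
    """Return, for each process that generated events, a 2*len(FEATURES) vector:
    its own feature frequencies followed by the frequencies from its descendants."""
    own: Dict[int, List[int]] = defaultdict(lambda: [0] * len(FEATURES))
    children: Dict[int, set] = defaultdict(set)
    for pid, ppid, feature in events:
        if feature not in FEATURE_INDEX:
            raise ValueError(f"unknown feature: {feature}")
        own[pid][FEATURE_INDEX[feature]] += 1
        if ppid != pid:             # a process is never its own child
            children[ppid].add(pid)
    return {pid: own[pid] + _descendant_counts(pid, children, own) for pid in own}


if __name__ == "__main__":
    header = vector_labels()
    for pid, vec in sorted(build_profiles(SAMPLE_EVENTS).items()):
        print(pid, dict(zip(header, vec)))
```

Each row produced by `build_profiles` is the kind of record a classifier such as C4.5 would be trained on, with a malware/benign label attached from the sandbox run; the child-process columns are what lets a short-lived parent that delegates its activity to children still carry that activity in its own profile.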

Citation (APA)

Moon, D., Lee, H., & Kim, I. (2014). Host based Feature Description Method for Detecting APT Attack. Journal of the Korea Institute of Information Security and Cryptology, 24(5), 839–850. https://doi.org/10.13089/jkiisc.2014.24.5.839
