Construction of Two Statistical Anomaly Features for Small-Sample APT Attack Traffic Classification

TL;DR

This paper introduces two novel statistical features derived from DNS and TCP traffic to improve the detection accuracy of APT attack traffic, demonstrating high classification performance with enhanced feature sets.

Contribution

The paper proposes two new statistical features, C2Load_fluct and Bad_rate, and a modified sampling method PADASYN, to enhance APT traffic classification accuracy.

Findings

F1-score exceeds 0.98 and 0.94 on two datasets

New features significantly improve detection accuracy

Proposed PADASYN effectively balances data with boundary samples

Abstract

Advanced Persistent Threat (APT) attack, also known as directed threat attack, refers to the continuous and effective attack activities carried out by an organization on a specific object. They are covert, persistent and targeted, which are difficult to capture by traditional intrusion detection system(IDS). The traffic generated by the APT organization, which is the organization that launch the APT attack, has a high similarity, especially in the Command and Control(C2) stage. The addition of features for APT organizations can effectively improve the accuracy of traffic detection for APT attacks. This paper analyzes the DNS and TCP traffic of the APT attack, and constructs two new features, C2Load_fluct (response packet load fluctuation) and Bad_rate (bad packet rate). The analysis showed APT attacks have obvious statistical laws in these two features. This article combines two new features with common features to classify APT attack traffic. Aiming at the problem of data loss and boundary samples, we improve the Adaptive Synthetic(ADASYN) Sampling Approach and propose the PADASYN algorithm to achieve data balance. A traffic classification scheme is designed based on the AdaBoost algorithm. Experiments show that the classification accuracy of APT attack traffic is improved after adding new features to the two datasets so that 10 DNS features, 11 TCP and HTTP/HTTPS features are used to construct a Features set. On the two datasets, F1-score can reach above 0.98 and 0.94 respectively, which proves that the two new features in this paper are effective for APT traffic detection.