Identifying compromised hosts under APT using DNS request sequences
2021
Abstract

Advanced persistent threats (APTs) have become a major cyber threat to large organizations. To steal confidential data from specific organizations, attackers adopt highly targeted intrusion schemes. Before stealing critical data, APT activity hides itself among legitimate activity and steadily elevates its privileges, which makes it very difficult to detect. Most existing detection methods rely on identifying malicious domains during domain name system (DNS) analysis. However, the limited number of available samples and the rapidly changing sets of malicious domain names reduce the efficacy of such approaches. By investigating numerous APT reports, we determined that the DNS request activity of APT attacks exhibits clear temporal patterns that most existing schemes ignore. We can therefore analyze the sequence of DNS requests issued by each host, together with their time-related features, to identify compromised hosts. This paper summarizes the patterns of host DNS requests and proposes several assumptions about them. We use machine learning to identify compromised hosts by quantifying these assumptions as feature vectors. We deployed the proposed approach in large-scale network environments, and experimental evaluations demonstrated that our method detects hosts compromised by APTs efficiently, with a precision of 97.3% and a detection rate of 96.2%.
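To make the per-host sequence idea concrete, here is an added example (not code from the paper) that groups DNS log lines by source host and turns each host's ordered request sequence into a feature vector built from time-related and diversity features; the log lines are constructed, and the chosen features (inter-request gap regularity, repeat ratio, unique-name ratio) are illustrative assumptions rather than the paper's actual feature set.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (timestamp, source host, queried name); not from the paper.
SAMPLE_LOG = """\
2021-03-01T09:00:00 10.0.0.5 www.example.com
2021-03-01T09:00:05 10.0.0.5 cdn.example.net
2021-03-01T09:03:12 10.0.0.5 mail.example.org
2021-03-01T09:00:00 10.0.0.9 update.internal.test
2021-03-01T09:10:00 10.0.0.9 update.internal.test
2021-03-01T09:20:00 10.0.0.9 update.internal.test
2021-03-01T09:30:00 10.0.0.9 update.internal.test
"""


def parse_log(text):
    """Group (timestamp, qname) pairs into one time-ordered sequence per host."""
    seqs = defaultdict(list)
    for line in text.splitlines():
        ts, host, qname = line.split()
        seqs[host].append((datetime.fromisoformat(ts), qname))
    for host in seqs:
        seqs[host].sort()
    return seqs


def host_features(seq):
    """Quantify one host's DNS sequence as a feature vector (illustrative features)."""
    times = [t for t, _ in seq]
    names = [q for _, q in seq]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean_gap = statistics.fmean(gaps) if gaps else 0.0
    # Coefficient of variation of the gaps: near 0 means very regular, beacon-like timing.
    gap_cv = statistics.pstdev(gaps) / mean_gap if len(gaps) > 1 and mean_gap > 0 else 0.0
    most_common = max(names.count(q) for q in set(names))
    return {
        "n_requests": len(seq),
        "n_unique": len(set(names)),
        "unique_ratio": len(set(names)) / len(seq),
        "mean_gap": mean_gap,
        "gap_cv": gap_cv,
        "max_repeat_ratio": most_common / len(seq),
    }


def extract_all(text):
    """Feature vector per host, ready to feed a classifier."""
    return {host: host_features(seq) for host, seq in parse_log(text).items()}
```

In the sample, host 10.0.0.9 yields a gap coefficient of variation of 0 and a repeat ratio of 1.0, the kind of regular, low-diversity pattern a classifier trained on such vectors could separate from the browsing-like sequence of 10.0.0.5.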
References: 22; Citations: 0