RAT-based malicious activities detection on enterprise internal networks

Authors: Satoru Torii, Masahiko Takenaka, Masahiro Yamada, Masanobu Morinaga, Yuki Unno
Year of publication: 2015
Subject:
Source: ICITST
DOI: 10.1109/icitst.2015.7412113
Description: The detection of APT has recently become an urgent problem needing to be resolved. Attackers use Remote Access Trojans/Remote Administration Tools (RATs), which often bypass general security measures, and the traditional detection techniques don't consider reconnaissance activities after RAT infections. We analyzed the behavior of the reconnaissance for this paper so that RAT-based malicious activities on internal networks can be divided from the operations of normal users. Based on the features of their behaviors, we propose a detection technique that monitors the communications on internal networks and extracts the communication sequences of the reconnaissance. The result from our evaluation showed that the proposed technique can detect 99.26% of the experimental reconnaissance communications by using 34 real RATs (29 families) and 4 SMB-based remote management methods, and also works without false positives on an actual organization's internal network.
Database: OpenAIRE