Publication | Closed Access
APT Traffic Detection Based on Time Transform
Citations: 16
References: 13
Year: 2016
Venue: Unknown
Topics: Internet Traffic Analysis, Engineering, Information Security, Information Forensics, Software Analysis, APT Traffic, Targeted Attack, Data Science, Data Mining, Internet of Things, DDoS Detection, Intrusion Detection System, Threat Detection, Data Privacy, APT Attack, Computer Science, APT Traffic Detection, Traffic Monitoring, Signal Processing, Data Security, Cryptography, APT Attacks, Botnet Detection, Network Traffic Measurement
APT (Advanced Persistent Threat) is an emerging class of attack on the Internet. Attackers may combine phishing emails, malware, social engineering and botnets into a series of stages within a single APT attack, which makes detection quite difficult. In this way, attackers can remotely control the infected host or steal sensitive information. In this paper, we propose a time transform features approach for distinguishing APT attacks, based on the observation that a malicious payload must be transferred to the target hosts in an APT attack. By comparing normal traffic with traffic containing a malicious payload, we are able to catch the signal of the malicious payload and further infer the existence of an APT attack. We then use machine learning methods to detect APT attacks in big data. To verify this approach, we placed a device on the gateway of our university to capture the university's real Internet traffic for one month. We then mixed APT traffic into these flows to see whether our approach could identify the malicious payloads. We found our approach to be not only accurate but also efficient at catching APT attacks.