Research of Snort Rule Extension and APT Detection Based on APT Network Behavior Analysis

  • Yan Cui
  • Jingfeng Xue
  • Yong Wang
  • Zhenyan Liu
  • Ji Zhang
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 960)


At present, APT attack detection has become the focus of the network security protection field. APT attacks are one of the most difficult attacks in cyber attacks. The complexity and variability of APT attack behavior greatly increases the difficulty of attack detection. In order to cope with APT attack, some well-known network security companies at home and abroad have developed a commercial APT intrusion detection system. This highly targeted attack can not be identified by the traditional intrusion detection system. Therefore, in order to deal with this new type of cyber attack. The paper proposes a new method to detect APT attack from different organizations. Data mining algorithm is used to analyze every organization’s APT network attack behavior and obtain association rules, so as to customize the design of the Snort rules and apply them to intrusion detection system. Experiments have shown that the evaluation index of the intrusion detection system using the extended Snort rule is significantly better than the traditional Snort intrusion detection system when detecting the same test data. The precision of the extended Snort intrusion detection system is as high as 98.3%, and the false alarm rate is almost 0, which ultimately achieves the purpose of APT detection.


APT Snort rule Network behavior Data mining 



This work was supported in part by the National Key Research and Development Program of China under Grant 2016YFB0801304.


  1. 1.
    Li, M., Huang, W., Wang, Y., Fan, W., Li, J.: The study of APT attack stage model. In: IEEE/ACIS, International Conference on Computer and Information Science, pp. 1–5. IEEE (2016)Google Scholar
  2. 2.
    Li, H., Liu, G., Jiang, W., Dai, Y.: Designing snort rules to detect abnormal DNP3 network data. In: International Conference on Control, Automation and Information Sciences, pp. 343–348. IEEE (2015)Google Scholar
  3. 3.
    Kang, Y., Wei, Z.: Research on Apriori algorithm based on DNS visit records mining. Netinfo Security (2012)Google Scholar
  4. 4.
    Rossow, C., Dietrich, C.J., Bos, H., Cavallaro, L., et al.: Sandnet: network traffic analysis of malicious software. In: ACM Eurosys Badgers, pp. 78–88 (2011)Google Scholar
  5. 5.
    Ju, A., Guo, Y., Zhu, T.: Big data network security situation awareness and early warning architecture based on open source toolset. Comput. Sci. 44(5), 125–131 (2017)Google Scholar
  6. 6.
    Xu, W., Wang, Y., Xue, Z.: Attack indicator automatic generation for threat intelligence. Commun. Technol. 50(1), 116–123 (2017)Google Scholar
  7. 7.
    Zeng, Y., Yin, S., Liu, J., et al.: Research of improved FP-Growth algorithm in association rules mining. Sci. Program. 2015, 6 (2015)Google Scholar
  8. 8.
    Bilge, L., Kirda, E., Kruegel, C., Balduzzi, M.: EXPOSURE: finding malicious domains using passive DNS analysis. In: NDSS (2011)Google Scholar
  9. 9.
    Borgelt, C.: An implementation of the FP-growth algorithm, pp. 1–5 (2005)Google Scholar
  10. 10.
    Perdisci, R., Lee, W., Feamster, N.: Behavioral clustering of HTTP-based malware and signature generation using malicious network traces. In: Usenix Conference on Networked Systems Design and Implementation, p. 26. USENIX Association (2010)Google Scholar
  11. 11.
    Xu, Y., Zhang, A.: Network packet analysis software design based on PCAP format. Mod. Electron. Technol. 36(10), 49–51 (2013)Google Scholar
  12. 12.
    Dai, Z., Cheng, G.: APT attack detection method based on communication features. Comput. Eng. Appl. 53(18), 77–83 (2017)Google Scholar
  13. 13.
    Qin, L., Shi, Z.: Mining network traffic association rules mining based on iceberg query. Comput. Eng. 31(7), 354–368 (2005)Google Scholar
  14. 14.
    Li, M., Fan, M.: Research and implementation of unknown malicious code detection system based on network behavior analysis. University of Electronic Science and technology, Chengdu (2009)Google Scholar
  15. 15.
    Khamphakdee, N., Benjamas, N., Saiyod, S.: Improving intrusion detection system based on snort rules for network probe attacks detection with association rules technique of data mining. J. ICT Res. Appl. 8(3), 234–250 (2015)CrossRefGoogle Scholar
  16. 16.
    Wang, J.J., Luo, K., Zhao, Z.X.: Snort network intrusion detection based on data mining techniques. Comput. Eng. Appl. 45(1), 121–123 (2009)Google Scholar
  17. 17.
    Zhou, Z., Zhongwen, C., Tiecheng, Z., Xiaohui, G.: The study on network intrusion detection system of Snort. In: 2010 2nd International Conference on Networking and Digital Society (ICNDS), vol. 2, pp. 194–196. IEEE (2010)Google Scholar
  18. 18.
    Kumar, V., Sangwan, O.P.: Signature based intrusion detection system using SNORT. Int. J. Comput. Appl. Inf. Technol. 1(3), 35–41 (2012)Google Scholar
  19. 19.
    Shah, S.N., Singh, M.P.: Signature-based network intrusion detection system using SNORT and WINPCAP. Int. J. Eng. Res. Technol. (IJERT) 1(10), 1–7 (2012)Google Scholar
  20. 20.
    Geng, X., Liu, B., Huang, X.: Investigation on security system for snort-based campus network. In: 2009 1st International Conference on Information Science and Engineering (ICISE), pp. 1756–1758. IEEE (2009)Google Scholar
  21. 21.
    Rani, S., Singh, V.: SNORT: an open source network security tool for intrusion detection in campus network environment. Int. J. Comput. Technol. Electron. Eng. 2(1), 137–142 (2012)Google Scholar
  22. 22.
    Huang, C., Xiong, J., Peng, Z.: Applied research on snort intrusion detection model in the campus network. In: 2012 IEEE Symposium on Robotics and Applications (ISRA), pp. 596–599. IEEE (2012)Google Scholar
  23. 23.
    Naiping, S., Genyuan, Z.: A study on intrusion detection based on data mining. In: 2010 International Conference of Information Science and Management Engineering (ISME), vol. 1, pp. 135–138. IEEE (2010)Google Scholar
  24. 24.
    Haixia, G.: Research of the intrusion detection system based on data mining. In: Proceeding of the International Conference on e-Education, Entertainment and e-Management, pp. 190–192. IEEE (2011)Google Scholar
  25. 25.
    Miao, C., Chen, W.: A study of intrusion detection system based on data mining. In: 2010 IEEE International Conference on Information Theory and Information Security (ICITIS), pp. 186–189. IEEE (2010)Google Scholar
  26. 26.
    Gongxing, W., Yimin, H.: Design of a new Intrusion detection system based on database. In: 2009 International Conference on Signal Processing Systems, pp. 814–817. IEEE (2009)Google Scholar
  27. 27.
    Uday, B.P., Visakh, R.: A dynamic system for intrusion detection accomplished with enhanced SVM through apt integration of data mining techniques with improved heuristic rules: performance evaluation with NSL KDD. In: Proceedings of the 2014 International Conference on Information and Communication Technology for Competitive Strategies, p. 46. ACM (2014)Google Scholar
  28. 28.
    Trabelsi, Z., Alketbi, L.: Using network packet generators and snort rules for teaching denial of service attacks. In: Proceedings of the 18th ACM Conference on Innovation and Technology in Computer Science Education, pp. 285–290. ACM (2013)Google Scholar

Copyright information

© Springer Nature Singapore Pte Ltd. 2019

Authors and Affiliations

  • Yan Cui
    • 1
  • Jingfeng Xue
    • 1
  • Yong Wang
    • 1
  • Zhenyan Liu
    • 1
  • Ji Zhang
    • 1
  1. 1.School of Computer Science and TechnologyBeijing Institute of TechnologyBeijingChina

Personalised recommendations