Identifying compromised hosts under APT using DNS request sequences
Journal of Parallel and Distributed Computing (IF 3.4), Pub Date: 2021-02-26, DOI: 10.1016/j.jpdc.2021.02.017
Ming Li, Qiang Li, Guangzhe Xuan, Dong Guo

Advanced persistent threats (APTs) have become a major cyber threat to large organizations. To steal confidential data from specific organizations, attackers adopt highly targeted intrusion schemes. Before stealing critical data, APT activities hide themselves among legitimate activities and continually escalate their privileges, which makes them very difficult to detect. Most existing detection methods rely on identifying malicious domains during Domain Name System (DNS) analysis. However, the limited number of available samples and the rapidly changing sets of malicious domain names reduce the efficacy of such approaches. By investigating numerous APT reports, we determined that DNS request activity in APT attacks exhibits clear temporal patterns that most existing schemes ignore. Therefore, the sequence of DNS requests issued by each host, together with its time-related features, can be analyzed to identify compromised hosts. This paper summarizes the patterns of host DNS requests and proposes several assumptions. We quantify these assumptions as feature vectors and use machine learning to identify compromised hosts. We deployed the proposed approach in large-scale network environments, and experimental evaluations demonstrated that our method detects hosts compromised by APTs efficiently, with a precision of 97.3% and a detection rate of 96.2%.
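The abstract's core idea is to group DNS requests by the host that issued them, keep each host's requests in time order, and turn time-related properties of that sequence into a feature vector for a classifier. The following Python is an added example written for this page, not code from the paper or its authors. The log format, the hosts and domains, and the working-hours window are constructed; the particular features computed (request count, distinct domains, mean and standard deviation of the inter-request gap, the coefficient of variation of the gaps as a regularity measure, and the share of requests outside working hours) are this example's own assumptions and are not claimed to be the paper's feature set.

```python
"""Per-host DNS request sequence features (added example, not the paper's code).

Groups DNS requests by client host, orders them in time, and derives
time-related features that a downstream classifier could consume.
The feature set below is an assumption of this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "<ISO timestamp> <client host> <queried domain>"
SAMPLE_LOG = """\
2021-02-01T09:00:00 10.0.0.5 intranet.example.local
2021-02-01T09:00:07 10.0.0.5 www.example.org
2021-02-01T09:03:12 10.0.0.5 cdn.example.net
2021-02-01T12:40:55 10.0.0.5 mail.example.org
2021-02-01T02:00:00 10.0.0.9 update.example-beacon.test
2021-02-01T03:00:00 10.0.0.9 update.example-beacon.test
2021-02-01T04:00:00 10.0.0.9 update.example-beacon.test
2021-02-01T05:00:00 10.0.0.9 update.example-beacon.test
"""

# Assumed local working hours: requests at hour h with WORK_START <= h < WORK_END
WORK_START, WORK_END = 8, 18


def parse_log(text):
    """Return {host: [(timestamp, domain), ...]} with each list sorted by time."""
    per_host = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, domain = line.split()
        per_host[host].append((datetime.fromisoformat(ts), domain))
    for seq in per_host.values():
        seq.sort(key=lambda entry: entry[0])
    return per_host


def host_features(seq):
    """Feature vector for one host's time-ordered DNS request sequence."""
    n = len(seq)
    # Seconds between consecutive requests from this host
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(seq, seq[1:])]
    mean_gap = mean(gaps) if gaps else 0.0
    std_gap = pstdev(gaps) if len(gaps) > 1 else 0.0
    # Coefficient of variation of the gaps: values near 0 mean metronomic timing,
    # large values mean bursty, human-like timing
    gap_cv = std_gap / mean_gap if mean_gap else 0.0
    off_hours = sum(1 for ts, _ in seq if not WORK_START <= ts.hour < WORK_END) / n
    return {
        "requests": n,
        "unique_domains": len({domain for _, domain in seq}),
        "mean_gap_s": mean_gap,
        "std_gap_s": std_gap,
        "gap_cv": gap_cv,
        "off_hours_frac": off_hours,
    }


def extract_features(text):
    """Map every host in the log to its feature vector."""
    return {host: host_features(seq) for host, seq in parse_log(text).items()}


if __name__ == "__main__":
    for host, feats in extract_features(SAMPLE_LOG).items():
        print(host, feats)
```

On the constructed input, the host that queries one domain exactly once an hour during the night gets a gap coefficient of variation of 0 and an off-hours fraction of 1, while the host with varied daytime browsing gets a high coefficient of variation and an off-hours fraction of 0. Those vectors are what a classifier would be trained on; the example stops at feature extraction and makes no claim about which values indicate compromise.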




Updated: 2021-03-09