WEI Wei,DONG Ya-bo,LU Dong-ming,JIN Guang

DOI: https://doi.org/10.3785/j.issn.1008-973x.2008.05.007

2008-01-01

Abstract:Low rate TCP-targeted denial of service(DoS) attack makes use of time-out and retransmission mechanism in transmission control protocol(TCP) and could severely decrease the throughput of legitimate TCP traffic.With its attacking traffic pattern,obvious difference was found between the power spectrum density(PSD) of legitimate and attack traffic samples.The statistical characteristic of this difference in history data was analyzed,and a detection method using the summation of low frequency was proposed.Meanwhile,based on the methods of leak bucket and the increasing of routing buffer,a response method was provided,which uses leak bucket periodically for smoothing the flow and uses buffer for holding extra traffic to send in next period,and its reasonable resource requirement was proved.Simulations show that for more general attack scenarios than the existing methods,the detection method has very low positive and negative false ratio,and the response method can depress attack flows more effectively than the previous methods and maintain the legitimate throughput in a normal level while the previous methods failed.

GUO Shize,ZHANG Fan,SONG Zhuoxue,ZHAO Ziming,ZHAO Xinjie,WANG Xiaojuan,LUO Xiangyang

DOI: https://doi.org/10.11959/j.issn.2096−109x.2022004

2022-01-01

Abstract:Network attack detection plays a vital role in network security. Existing detection approaches focus on typical attack behaviors, such as Botnets and SQL injection. The widespread use of the SSL/TLS encryption protocol arises some emerging attack strategies against the SSL/TLS protocol. With the network traffic collection environment that built upon the implements of popular SSL/TLS attacks, a network traffic dataset including four SSL/TLS attacks, as well as benign flows was controlled. Considering the problems that limited observability of existing detection and limited separation of the original-flow spatiotemporal domains, a flow spectrum theory was proposed to map the threat behavior in the cyberspace from the original spatiotemporal domain to the transformed domain through the process of “potential change” and obtain the “potential variation spectrum”. The flow spectrum theory is based on a set of separable and observable feature representations to achieve efficient analysis of network flows. The key to the application of flow spectrum theory in actual cyberspace threat behavior detection is to find the potential basis matrix for a specific threat network flow under the condition of a given transformation operator. Since the SSL/TLS protocol has a strong timing relationship and state transition process in the handshake phase, and there are similarities between some SSL/TLS attacks, the detection of SSL/TLS attacks not only needs to consider timing context information, but also needs to consider the high-separation representation of TLS network flows. Based on the flow spectrum theory, the threat template idea was used to extract the potential basis matrix, and the potential basis mapping based on the long-short-term memory unit was used to map the SSL/TLS attack network flow to the flow spectrum domain space. On the self-built SSL/TLS attack network flow data set, the validity of the flow spectrum theory is verified by means of classification performance comparison, potential variation spectrum dimensionality reduction visualization, threat behavior feature weight evaluation, threat behavior spectrum division assessment, and potential variation base matrix heatmap visualization.

Yong Fang,Kai Li,Rongfeng Zheng,Shan Liao,Yue Wang

DOI: https://doi.org/10.1016/j.comnet.2021.108297

IF: 5.493

2021-01-01

Computer Networks

Abstract:We present a novel method for detecting malicious TLS traffic based on communication channels that can detect deeply camouflaged malicious traffic. Moreover, we designed and extracted three types of channel features, namely, distribution features, consistency features of the Transport Layer Security (TLS) handshake field, and statistical features. Simultaneously, an efficacy feature selection method comprising a genetic algorithm is presented to obtain a global optimal feature subset, which reduces feature dimensions by 64% and increases accuracy by 1.5%. Comparison experiment results show that the proposed method possesses a more stable detection efficacy on different datasets with an accuracy of 97.65% and a much higher F1-score compared with other state-of-the-art classification methods.

Yong Fang,Yijia Xu,Cheng Huang,Liang Liu,Lei Zhang

DOI: https://doi.org/10.1007/978-981-32-9343-4_10

2020-01-01

Abstract:It has become a significant research direction to resist cyberattacks through traffic identification technology. Traditional traffic identification technology is often based on network port or feature matching, which has become inefficient in the increasingly complex network environment. Nowadays, the malicious cyberattacks usually encrypt their traffic to escape the traditional traffic identification, and the most common encryption method is the SSL/TLS encryption. In response to this phenomenon, this paper proposes an encrypted malicious traffic identification method based on the random forest, which uses features based on packet information, time, TCP Flags field, and application layer payload information. We designed the technology and application framework to ensure the success of the experiment and collected a large amount of SSL/TLS encrypted traffic as datasets. Benefit from model optimization by parameter adjusting, the experimental results showed that final model had highly accurate and predictive ability.

Shuang Wu,Shengli Liu,Wei Lin,Xing Zhao,Shi Chen

DOI: https://doi.org/10.1109/ancs.2017.27

2017-01-01

Abstract:The Remote Access Trojan (RAT), whose exposure often lags far behind its widespread infection, plays a part in the growing number of cyber-attacks. In terms of intrusion detection, signature-based methods still occupy the dominant position together with anomaly-based methods that are deployed to be complementary. The anomaly-based methods are efficient and resource saving, however, anomaly-based RAT detection mainly utilizes machine learning on collective features without considering packet sequences. In addition, imbalanced data has a negative impact on machine learning classification. Accordingly, we analyzed packet sequences from various applications and found a general correlation between the packet direction sequences and the external control behaviors of RATs. This research presents a novel framework for tracking external control at the borders of area networks. We extract packet payload-size sequences, inter-arrival time sequences and packet direction sequences of IP flows. Then, RAT network behavior is exposed in the packet direction sequences of flow slices, which are generated by the inter-arrival time sequences. Naïve Bayes is utilized for classification, and a frequent sequence mining algorithm is implemented to eliminate noise. After deploying the device, we detected all the RAT sample sessions. Our method achieves a false positive rate of less than 0.6% on real-world campus network data, which demonstrates its efficacy.

Rongfeng Zheng,Jiayong Liu,Kai Li,Shan Liao,Liang Liu

DOI: https://doi.org/10.1109/ICICN51133.2020.9205087

2020-01-01

Abstract:For highly camouflaged Command and Control (C&C) communications, especially those using the Transport Security Layer (TLS) protocol, traditional classifiers which only based on statistical features or TLS handshake features gradually fail to detect such behavior. In this context, exploring features of other dimensions to build a more targeted recognition model is one of the ways to alleviate this problem. This paper proposed a new method of detecting malicious TLS traffic by using the communication channel as the detection unit, and a new set of modeling features for the communication channel was designed, including distribution features, the consistency features and statistical features of TLS communication channel. Experiments show that compared with other two types of features, the consistency features contribute most, and combining these three types of features together can train a better classifier which the precision reaches 92.57%. Comparative experiments show that the proposed method is more advantageous when faced with highly camouflaged TLS flows because the proposed method also achieved highest F1 score, and the accuracy is about 2% higher than the classifier based on the TLS handshake features, and 12% higher than the clustering model based on the statistical features of flow.

Shicong Li,Xiaochun Yun,Yongzheng Zhang,Jun Xiao,Yipeng Wang

DOI: https://doi.org/10.1109/NAS.2012.10

2012-01-01

Abstract:Because of the widespread Trojan, Internet users become more and more vulnerable to the threat of information leakage. Traditional techniques of Trojan detection were classified into two main categories: host-based and network-based. Unfortunately, existing techniques are insufficient and limited, because of the following reasons: (1)only uncover the known Trojan while inefficiently detecting novel samples, (2) should be adjusted in a timely fashion even a trivial change is applied, and (3)become computationally more expensive. In our work, we focus on a network behavior based method to address the limitations of previous network-based approaches. We analyze the profile of network behavior at two levels: (i)flow-level, (ii)IP-level. Our approach present two main advantages: (1)capture more detailed information to describe the network behavior profile, (2)consume lower computational overhead. We proposed a system, Manto, which detects Trojan communication with high accuracy using clustering technique. We implement Manto on real-world traces. The evaluation results exhibit that Manto is suitable for detecting Trojan communication amongst the vast amount of network traffic, with over 91% accuracy and less than 3.2% false positive ratio. We confidently regard our approach as a complementary way to the existing network-based techniques for we could address their main shortcomings.

Jiazhong Lu,Xiaosong Zhang,Wang Junfeng,Ying Lingyun

DOI: https://doi.org/10.1109/ICITBS.2016.87

2016-01-01

Abstract:APT(Advanced persist threat) is an emerging attack on the Internet. Attackers may combine phishing emails, malware, social engineering and botnets to create a series of attacks in one APT attack which makes it quite difficult for detection. In this way, attackers can remotely control the infected host, or steal sensitive information. In this paper, we proposed a time transform features approach for distinguishing APT attacks based on the observation that malicious payload must be transferred to the target hosts in an APT attack. By comparing the normal traffic with the traffic containing a malicious payload, we are able to catch the signal of malicious payload and further infer the existence of APT attacks. Then we use machine learning methods to detect APT attacks in big data. To verify this approach, we placed a device on the gateway of our university for catching the real Internet traffic of the university for one month. Then we mixed the APT traffic with these flows, and see whether our approach can identify the malicious payloads. We found our approach is not only accurate but also efficient for catching APT attacks.

Arun Raghuramu,Parth H. Pathak,Hui Zang,Jinyoung Han,Chang Liu,Chen-Nee Chuah

DOI: https://doi.org/10.1016/j.comcom.2016.04.011

IF: 5.047

2016-01-01

Computer Communications

Abstract:This paper presents a measurement study that analyzes large-scale traffic data gathered from two different wireless scenarios: cellular and Wi-Fi networks. We first analyze packet traces and security event logs generated by over 2 million devices in a major US-based cellular network, and show that 0.17% of mobile devices are affected by security threats. We then analyze the aggregate network footprint of malicious and benign traffic in the cellular network, and demonstrate that statistical network features (e.g., uplink data transfer volume, IP entropy) can be effectively used to distinguish such malicious and benign traffic. We next investigate over 2.4 TB of Wi-Fi traffic data, which are generated by 27 K distinct users, in a university campus network. Based on the lessons learned from a comprehensive exploration of a large feature space consisting of over 500 statistical attributes derived from network traffic to/from malicious and benign domains, we propose a novel, in-house traffic screening method, which has the capability of effectively identifying potential malicious domains. Our method achieves over 90% accuracy with only using a small set of simple statistical network features, without using any additional specialized datasets (e.g., geo-location database) or resource-intensive solutions (e.g., DPI boxes to collect HTTP traffic.). (C) 2016 Elsevier B.V. All rights reserved.

Zeyu Li,Meiqi Wang,Xuebin Wang,Jinqiao Shi,Kexin Zou,Majing Su

DOI: https://doi.org/10.1109/DSC53577.2021.00020

2021-01-01

Abstract:Nowadays, as networks grow in size, the scope of malware and malicious traffic is also increasing quickly. For example, some attacks turn a group of Internet-connected hacked devices into botnets, and a command-and-control(C2) tunnel is built to herd bots for illicit purposes such as massive DDoS. In order to evade Internet malware detection, a variety of techniques are used to obfuscate the C2 communications, of which Tor domain-fronting is one of the most sophisticated techniques. In this paper, a method based on deep learning for domain-fronting traffic identification is proposed. CNN model is adopted which integrates feature learning into the training process so that it can classify traffic based only on packet sequences. We identify the meek-azure traffic and meek-fastly traffic mixed with different types of traffic including tor traffic and non-tor traffic, and the method can achieve rather high precision and accuracy of 99.69%. Furthermore, we identify the domain fronting traffic mixed with the non-domain-fronting traffic with the same Server Name Indication (SNI), and the result shows that our method achieves the accuracy of 97.35% by identifying the domain fronting traffic from the mixed dataset. The results of this work provide a new approach to detect obfuscated C2 communications of the botnet.

Muhai Li,Ming Li

2008-01-01

Abstract:Distribution denial-of-service (DDoS) constitutes one of the major threats and among the hardest security problems in today's Internet. However, DDoS detection techniques, such as signature-based detection, anomaly-based detection, and wavelet-based signal analysis, face the considerable challenge of determining network-based flooding attacks from sudden increases in legitimate activity or flash events. In this paper, we study the basic characteristic of network traffic, and propose a method for meeting the challenge. By taking full advantage of known traffic in normal state, we design a detection algorithm for dealing with DDoS attacks. We have carried out experiments with actual data to evaluate the algorithm. The results show that it can recognize DDoS attacks.

Tao Yi,Xingshu Chen,Qindong Li,Yi Zhu

DOI: https://doi.org/10.1016/j.cose.2024.103809

IF: 5.105

2024-03-29

Computers & Security

Abstract:APT attacks have the characteristics of low frequency, stealth, and persistence. Achieving attack objectives and preventing trace-back often involve diverse tactics, various tools, and changing processes and patterns. Additionally, the goals of APT attacks are diverse. Apart from service disruptions or network outages, the main goals include remotely penetrating target hosts through the network to steal information, unauthorized encryption, and destructive wiping. Existing methods for characterizing attack features lack sufficient research on the communication methods and data transmission patterns used in attacks. In particular, due to the non-associated addresses, low frequency, fragmentation, and silent requirements of attacks, the features exhibited in a single session are increasingly minimal. Traditional approaches are no longer sufficient to address these challenges that relying solely on single-sample statistical features and "packet-sniffing" windowed traffic grouping detection methods. To tackle these issues, we propose a innovative approach to characterize network attack traffic based on Spatial Pyramid Pooling (SPP) by analyzing the attack communication methods and data transmission patters in the network session traffic of APT attacks with the remote information theft. Specifically, it employs derived feature attributes that integrate mean, total, and concentration characteristics to longitudinally extract multi-level spatiotemporal correlated behavioral features from aggregated multi-session sets. These features are then fused with single-session characteristics, ensuring that each session sample possesses both current traffic features and correlated properties of contextual session traffic. Additionally, this approach meets the requirements of fixed-length input for heterogeneous data in deep learning. Extensive experiments have been conducted to demonstrate that this method enhances the effective detection of APT attacks by deep learning models. Experiments results show that this approach exhibits superior timeliness, precision, and specificity when compared to Principal Component Analysis (PCA) artificial feature engineering methods and other methods based on fixed-length deep learning for raw data.

computer science, information systems

Weina Niu,Zhongliu Zhuo,Xiaosong Zhang,Xiaojiang Du,Guowu Yang,Mohsen Guizani

DOI: https://doi.org/10.1109/tvt.2019.2894290

IF: 6.8

2019-01-01

IEEE Transactions on Vehicular Technology

Abstract:In recent years, malware with strong concealment uses encrypted protocol to evade detection. Thus, encrypted traffic identification can help security analysts to be more effective in narrowing down those encrypted network traffic. Existing methods are protocol independent, such as statistical-based and machine-learning- based approaches. Statistical-based approaches, however, are confined to payload length and machine-learning-based approaches have a low recognition rate for encrypted traffic using undisclosed protocols. In this paper, we proposed a heuristic statistical testing (HST) approach that combines both statistics and machine learning and has been proved to alleviate their respective deficiencies. We manually selected four randomness tests to extract small payload features for machine learning to improve real-time performances. We also proposed a simple handshake skipping method called HST-R to increase the classification accuracy. We compared our approach with other identification approaches on a testing dataset consisting of traffic that uses two known, two undisclosed, and one custom cryptographic protocols. Experimental results showed that HST-R performs better than other traditional coding-based, entropy-based, and ML-based approaches. We also showed that our handshake skipping method could generalize better for unknown cryptographic protocols. Finally, we also conducted experimental comparisons among different classification algorithms. The results showed that C4.5, with our method, has the highest identification accuracy for secure sockets layer and secure shell traffic.

Xiaodong Zang,Tongliang Wang,Xinchang Zhang,Jian Gong,Peng Gao,Guowei Zhang

DOI: https://doi.org/10.1016/j.comnet.2024.110598

IF: 5.493

2024-01-01

Computer Networks

Abstract:The focus on privacy protection has brought much-encrypted network traffic. However, attackers always abuse traffic encryption to conceal malicious behaviors. Although researchers have proposed several enlightening detection methods, they must enhance the generalization ability or improve detection performance. Our inspiration is that the packet header fields, as do the underlying grammatical rules for constructing sentences, have a strict order. We consider the original packet as text and devise a robust approach with natural language processing and a deep learning model to improve the generalization ability and detection performance. We capture the critical keywords as characteristic representations of the traffic and design an adaptive domain generalization algorithm with a new loss function. It is robust against various datasets by generating more malicious samples to augment the minority of malicious samples. Simultaneously, we design an efficient feature selection algorithm, which obtains an optimal feature subset and reduces feature dimensions by 75.3%. To evaluate our work, we conducted extensive experiments with open-source datasets (CICIDS 2017, CICDDoS 2019, and USTC-TFC 2016), the synthetic dataset from IoT-23, and Internet backbone traffic (CERNET). Experimental results demonstrate that our proposal improves detection accuracy by up to 22.8% compared to others not using domain generalization algorithms and achieves an average detection latency of 0.67 s in the backbone. Besides, our work applies to the Industrial Internet of Things (IIoT) environment. It can be deployed at edge nodes to provide network security support for IIoT devices.

Rui Gao,Hui Lu,Houlin Zhou,Chengcong Zheng,Zhihong Tian,Xiaojiang Du

DOI: https://doi.org/10.1109/wimob61911.2024.10770521

2024-01-01

Abstract:The encryption of traffic data offers a means of protecting the security of data and the private information of the public. However, this same technology also presents a potential avenue for attackers to conceal malicious activities. Attackers hide malicious behaviour in encrypted traffic data to bypass detection by firewalls or early intrusion detection systems (IDS). In order to cope with malicious encrypted traffic, traffic attack detection is classified into active and passive detection depending on the way it is handled. Active detection is mainly based on searchable traffic detection and traffic plaintext data parsing. Measures such as analysing controllable transmission protocols and trusted execution environments are used to ensure both attack detection efficiency and privacy security. Passive detection focuses on feature construction of encrypted traffic. The characterisation of traffic data from multiple perspectives, including channel and context, is achieved through the utilisation of machine learning or deep learning models, thereby facilitating the generation of accurate prediction outcomes. This paper offers an overview of existing detection methods from two distinct vantage points: active attack detection and passive attack detection. Finally, the paper presents a summary of the strengths and weaknesses of existing methods and suggests potential avenues for future research.

Weisha Zhang,Jiajia Liu,Jimin Peng,Qiang Liu,Kun Yu

DOI: https://doi.org/10.3389/fphy.2024.1350117

IF: 3.718

2024-04-23

Frontiers in Physics

Abstract:In recent years, a surge in malicious network incidents and instances of network information theft has taken place, with malware identified as the primary culprit. The primary objective of malware is to disrupt the normal functioning of computers and networks, all the while surreptitiously gathering users' private and sensitive information. The formidable concealment and latency capabilities of malware pose significant challenges to its detection. In light of the operational characteristics of malware, this paper conducts an initial analysis of prevailing malware detection schemes. Subsequently, it extracts fuzzy features based on the distinct characteristics of malware traffic. The approach then integrates traffic detection techniques with Type II fuzzy recognition theory to effectively monitor malware-related traffic. Finally, the paper classifies the identified malware instances according to fuzzy association rules. Experimental results showcase that the proposed method achieves a detection accuracy exceeding 90%, with a remarkably low false alarm rate of approximately 5%. This method adeptly addresses the challenges associated with malware detection, thereby making a meaningful contribution to enhancing our country's cybersecurity.

physics, multidisciplinary

Linxiao Yu,Jun Tao,Yifan Xu,Weice Sun,Zuyan Wang

DOI: https://doi.org/10.1016/j.comnet.2024.110475

IF: 5.493

2024-05-08

Computer Networks

Abstract:Recently, more and more applications have adopted security protocols like Transport Layer Security (TLS) for data encryption. However, these privacy-enhancing approaches have also been abused by the attackers to deliver malicious payloads. Many existing encrypted network classification methods suffer from the imbalanced volume of normal and malicious traffic, which leads to bad model robustness. In this paper, we propose a novel TLS fingerprinting approach to capture the characteristics of encrypted network traffic. The fingerprints are attributed graphs obtained from TLS sessions, which can simultaneously take into consideration the sequential and statistical features of these sessions. As the communication patterns of different applications differ considerably, the graphs representing TLS connections could be used to characterize the network with the help of the graph kernel method, which results in a model with high accuracy in malicious TLS session detection and application discrimination. Moreover, we adopt Locality-Sensitive Hashing (LSH) and filtering techniques to reduce the time cost of our model. Model evaluation on real-world datasets shows that our model is more robust than existing methods presented in this work when the malicious traffic takes up an extremely small portion of the whole traffic.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Weina Niu,Jian'an Xiao,Xiyue Zhang,Xiaosong Zhang,Xiaojiang Du,Xiaoming Huang,Mohsen Guizani

DOI: https://doi.org/10.1109/jiot.2020.3029970

IF: 10.6

2020-01-01

IEEE Internet of Things Journal

Abstract:Advanced persistent threat (APT), with intense penetration, long duration, and high customization, has become one of the most grievous threats to cybersecurity. Furthermore, the design and development of Internet-of-Things (IoT) devices often do not focus on security, leading APT to extend to IoT, such as the Internet of emerging unmanned aerial vehicles (UAVs). Whether malware with attack payload can be successfully implanted into UAVs or not is the key to APT on the Internet of UAVs. APT malware on UAVs establishes communication with the command and control (C&C) server to achieve remote control for UAVs-aware information stealing. Existing effective methods detect malware by analyzing malicious behaviors generated during C&C communication. However, APT malware usually adopts a low-traffic attack mode, a large amount of normal traffic is mixed in each attack step, to avoid virus checking and killing. Therefore, it is difficult for traditional malware detection methods to discover APT malware on UAVs that carry weak abnormal signals. Fortunately, we found that most APT attacks use domain name system (DNS) to locate C&C server of malware for information transmission periodically. This behavior will leave some records in the network flow and DNS logs, which provides us with an opportunity to identify infected internal UAVs and external malicious domain names. This article proposes an APT malware on the Internet of UAVs detection method combining string matching and Fourier transformation based on DNS traffic, which is able to handle encrypted and obfuscated traffic due to packet payloads independence. We preprocessed the collected network traffic by converting DNS timestamps of DNS request to strings and used the trained random forest model to discover APT malware domain names based on features extracted through string-matching-based periodicity detection and Fourier transformation-based periodicity detection. The proposed method has been evaluated on the data set, including part of normal domains from the normal traffic and malicious domains marked by security experts from APT malware traffic. Experimental results have shown that our proposed detection method can achieve the accuracy of 94%, which is better than the periodicity detection algorithm alone. Moreover, the proposed method does not need to set the confidence to filter the periodicity with high confidence.

Michael Siracusano,Stavros Shiaeles,Bogdan Ghita

DOI: https://doi.org/10.1109/GIIS.2018.8635701

2019-03-13

Abstract:Low-rate application layer distributed denial of service (LDDoS) attacks are both powerful and stealthy. They force vulnerable webservers to open all available connections to the adversary, denying resources to real users. Mitigation advice focuses on solutions that potentially degrade quality of service for legitimate connections. Furthermore, without accurate detection mechanisms, distributed attacks can bypass these defences. A methodology for detection of LDDoS attacks, based on characteristics of malicious TCP flows, is proposed within this paper. Research will be conducted using combinations of two datasets: one generated from a simulated network, the other from the publically available CIC DoS dataset. Both contain the attacks slowread, slowheaders and slowbody, alongside legitimate web browsing. TCP flow features are extracted from all connections. Experimentation was carried out using six supervised AI algorithms to categorise attack from legitimate flows. Decision trees and k-NN accurately classified up to 99.99% of flows, with exceptionally low false positive and false negative rates, demonstrating the potential of AI in LDDoS detection.

Networking and Internet Architecture,Machine Learning

Longkang Shang,Dong Guo,Yuede Ji,Qiang Li

DOI: https://doi.org/10.1016/j.comnet.2021.107937

IF: 5.493

2021-01-01

Computer Networks

Abstract:Command and control channel(C&C) is used in some cyber attacks to remotely control infected hosts to steal data or conduct espionage. An effective type of C&C detection methods is network flow based. The insight is that network flow is evitable because the hidden malware in the target system has to communicate with the external C&C server to either receive commands or send data. However, existing network flow-based methods face two challenges to efficiently detect C&C of APT(Advanced persistent threat) attacks, i.e., stealth and flexible attack techniques. To combat these two challenges, we design a new network flow-based C&C detection method. Our work is inspired from two observations that different APT attacks share the same intrusion tools and services, and the unknown malware evolves from existing one. Therefore, the malwares of different groups have some shared attributes that are not easy to find, which leads to some hidden shared features in the network flows between the malware and the C&C server in different attacks. Based on this, we propose a method to detect the hidden C&C channel of unknown APT attacks. First, we use deep learning techniques to mine the shared network flow features from the known multi-class attack flows. Later, we use an appropriate classifier to detect the C&C network flow . Finally, we test our method on public available dataset. The experimental results show that our method can achieve up to F1 score of 0.968 when dealing with unknown malicious network flows. This will help discover unknown APT attacks.