Recently, malware infection has become one of the most serious threats to information security, and the analysis and detection of malware are regarded as an important issue by researchers, government units, and enterprises. In recent years, the APT (Advanced Persistent Threat) attack has been seen as a notorious form of attack by hackers, and many well-known enterprises and organizations have become its victims. APT adopts a targeted attack model that focuses on specific targets within an organization. Hackers design exclusive malware to invade specific targets through e-mails that carry embedded software exploits. Once a weakness exists in the targeted application, the exploit is triggered and automatically installs delicately customized malware. Because the malware is programmed for a specific victim, anti-virus software has no corresponding signature and cannot detect it. Once a host has been compromised, the hacker can use the infected host to conduct malicious activities, whose primary intention is to steal confidential information from some (key) user's computer. Before the compromised hosts can receive any commands, they must obtain the IP address of the C&C (Command and Control) server, and therefore much of the behavior and information of APT malware is left behind in DNS traffic. Considering this situation, we attempt to utilize some time features of the malware to analyze whether hosts have been infected by malware or backdoor programs. The method we design can not only detect APT malware but also efficiently recognize its variants.
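As an added illustration of the DNS-based idea above (example code, not from the paper, whose own time features are not described here), the following check looks for regular check-in timing in constructed DNS query log lines: a compromised host that resolves its C&C name on a fixed schedule shows a low coefficient of variation in its inter-query gaps, whereas ordinary browsing does not. The log format, the domain names, and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic): "<ISO timestamp> <client IP> <queried name>".
SAMPLE_DNS_LOG = """\
2024-03-01T09:00:00 10.0.0.5 beacon.constructed-c2.test
2024-03-01T09:00:03 10.0.0.7 www.constructed-news.test
2024-03-01T09:05:01 10.0.0.5 beacon.constructed-c2.test
2024-03-01T09:07:40 10.0.0.7 www.constructed-news.test
2024-03-01T09:09:59 10.0.0.5 beacon.constructed-c2.test
2024-03-01T09:12:00 10.0.0.5 www.constructed-news.test
2024-03-01T09:15:02 10.0.0.5 beacon.constructed-c2.test
2024-03-01T09:16:10 10.0.0.7 www.constructed-news.test
2024-03-01T09:19:58 10.0.0.5 beacon.constructed-c2.test
2024-03-01T09:25:00 10.0.0.5 beacon.constructed-c2.test
2024-03-01T09:33:20 10.0.0.7 www.constructed-news.test
2024-03-01T09:40:00 10.0.0.7 www.constructed-news.test
"""

def parse_dns_log(text):
    """Group query timestamps by (client, queried name); log format is assumed."""
    groups = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, client, qname = parts
        groups[(client, qname.lower().rstrip("."))].append(datetime.fromisoformat(ts))
    return groups

def interval_stats(times):
    """Mean and coefficient of variation of gaps between successive queries."""
    ordered = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg > 0 else float("inf"))

def find_beacons(text, min_queries=5, max_cv=0.1):
    """Flag (client, name) pairs with suspiciously regular query timing.
    Thresholds are assumed: min_queries avoids judging on too few samples,
    max_cv bounds the relative jitter tolerated for a fixed schedule."""
    hits = {}
    for key, times in parse_dns_log(text).items():
        if len(times) < min_queries:
            continue
        avg, cv = interval_stats(times)
        if cv <= max_cv:
            hits[key] = {"count": len(times), "mean_interval": avg, "cv": cv}
    return hits
```

On the constructed log, only the 10.0.0.5 queries for the C&C name are flagged (six queries about 300 s apart); the irregular news-site lookups and the single stray query are not.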