Abstract: With the rapid development of information technology and its applications, network information systems of all kinds face a large number of information security risks and hidden dangers, and network security incidents occur frequently. Advanced Persistent Threats (APTs) have stolen confidential data from, and destroyed critical information systems of, government, civil aviation and other organizations. This not only creates significant security risks in information systems and hinders the normal operation of industry and business, but also seriously affects public security and even national security. To address the problem that zero-day attacks are hard to identify, we propose the APTIZDM method, which consists of three key parts. The first part, CSPOC (Situation Awareness Ontology Construction), describes the attributes and characteristics of IoT activities. The second part, MCCDRM (Malicious C&C DNS Response Mining), identifies malicious C&C communication in APT attacks and bounds the scope and start time of the activity. The third part, ZDAARA (Zero-Day Attack Recognition in APT), uses Bayesian networks and security risk propagation to identify zero-day attacks that would otherwise be missed. Exhaustive experimental results demonstrate that the two kernel modules of APTIZDM, MCCDRM and ZDAARA, achieve both a higher accuracy rate and a lower false positive rate, effectively identifying APT attack activities.
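The abstract names DNS response mining as the module that identifies C&C communication and bounds the start time and scope of an APT campaign, but does not state the features it uses. The following is an added, illustrative example and is not the paper's MCCDRM implementation: it scores constructed DNS response records with three generic indicators practitioners associate with C&C infrastructure (fast-flux answers with many short-TTL addresses, near-constant beaconing intervals from one client, and DGA-style NXDOMAIN bursts) and then reports, for each flagged domain, the first and last observation and the clients involved. All thresholds, domain names, addresses and timestamps are assumptions chosen for the sample.

```python
"""Illustrative DNS-response mining heuristics for C&C detection (added example)."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Set, Tuple


class DnsResponse(NamedTuple):
    ts: int        # seconds since capture start
    client: str    # address of the host that issued the query
    qname: str     # queried domain
    rcode: str     # "NOERROR" or "NXDOMAIN"
    answer: str    # A record returned; "" for NXDOMAIN
    ttl: int       # TTL of the answer; 0 for NXDOMAIN


# Assumed thresholds, tuned for the constructed sample (not taken from the paper)
FLUX_MIN_DISTINCT_IPS = 4    # distinct A records before a domain looks fast-flux
FLUX_MAX_MEAN_TTL = 300      # ...provided the answers are short-lived
BEACON_MIN_QUERIES = 4       # queries from one client before timing is assessed
BEACON_MAX_CV = 0.1          # coefficient of variation of inter-query gaps
DGA_MIN_NXDOMAIN = 5         # NXDOMAIN answers a client must collect
DGA_MIN_NX_RATIO = 0.5       # ...and the share of its answers that are NXDOMAIN


def domain_indicators(responses: List[DnsResponse]) -> Dict[str, Set[str]]:
    """Flag domains that look fast-flux and/or are queried on a fixed beacon interval."""
    by_domain: Dict[str, List[DnsResponse]] = defaultdict(list)
    for r in responses:
        by_domain[r.qname].append(r)
    flagged: Dict[str, Set[str]] = {}
    for qname, rs in by_domain.items():
        flags: Set[str] = set()
        answered = [r for r in rs if r.rcode == "NOERROR"]
        ips = {r.answer for r in answered}
        # fast-flux: the same name resolves to many addresses, each short-lived
        if len(ips) >= FLUX_MIN_DISTINCT_IPS and mean([r.ttl for r in answered]) <= FLUX_MAX_MEAN_TTL:
            flags.add("fast_flux")
        # beaconing: one client asks for the name at an almost constant period
        per_client: Dict[str, List[int]] = defaultdict(list)
        for r in rs:
            per_client[r.client].append(r.ts)
        for stamps in per_client.values():
            if len(stamps) >= BEACON_MIN_QUERIES:
                stamps.sort()
                gaps = [b - a for a, b in zip(stamps, stamps[1:])]
                if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= BEACON_MAX_CV:
                    flags.add("beacon")
        if flags:
            flagged[qname] = flags
    return flagged


def client_indicators(responses: List[DnsResponse]) -> Dict[str, Set[str]]:
    """Flag clients whose answers are dominated by NXDOMAIN, as a DGA would produce."""
    by_client: Dict[str, List[DnsResponse]] = defaultdict(list)
    for r in responses:
        by_client[r.client].append(r)
    flagged: Dict[str, Set[str]] = {}
    for client, rs in by_client.items():
        nx = [r for r in rs if r.rcode == "NXDOMAIN"]
        if len(nx) >= DGA_MIN_NXDOMAIN and len(nx) / len(rs) >= DGA_MIN_NX_RATIO:
            flagged[client] = {"dga_probing"}
    return flagged


def activity_scope(responses: List[DnsResponse], domains) -> Dict[str, Tuple[int, int, List[str]]]:
    """For each flagged domain return (first_seen, last_seen, sorted clients that resolved it)."""
    scope = {}
    for qname in domains:
        rs = [r for r in responses if r.qname == qname]
        scope[qname] = (min(r.ts for r in rs), max(r.ts for r in rs), sorted({r.client for r in rs}))
    return scope


# Constructed sample traffic (not captured data)
SAMPLE: List[DnsResponse] = [
    # C&C domain: 10.0.0.5 resolves it every 60 s, gets a fresh address with TTL 30 each time
    *[DnsResponse(60 * i, "10.0.0.5", "sync.cdn-update.example", "NOERROR", f"198.51.100.{10 + i}", 30)
      for i in range(6)],
    # benign domain: stable address, long TTL, irregular timing
    DnsResponse(5, "10.0.0.5", "www.example.com", "NOERROR", "93.184.216.34", 3600),
    DnsResponse(410, "10.0.0.6", "www.example.com", "NOERROR", "93.184.216.34", 3600),
    DnsResponse(905, "10.0.0.5", "www.example.com", "NOERROR", "93.184.216.34", 3600),
    # DGA-style probing: 10.0.0.7 walks through random-looking names that do not exist
    *[DnsResponse(100 + 7 * i, "10.0.0.7", f"{name}.example", "NXDOMAIN", "", 0)
      for i, name in enumerate(["xk3qz9", "p0wvm2", "ql8tzr", "vb4nn1", "zz9wqa", "hh7lmc"])],
    DnsResponse(150, "10.0.0.7", "mail.example.org", "NOERROR", "203.0.113.25", 600),
]


if __name__ == "__main__":
    domains = domain_indicators(SAMPLE)
    for qname, (first, last, clients) in activity_scope(SAMPLE, domains).items():
        print(f"{qname}: {sorted(domains[qname])} first={first}s last={last}s clients={clients}")
    for client, flags in client_indicators(SAMPLE).items():
        print(f"{client}: {sorted(flags)}")
```

On the sample, `sync.cdn-update.example` is reported with both `fast_flux` and `beacon`, first seen at 0 s and last at 300 s from client 10.0.0.5, while `www.example.com` stays clean and 10.0.0.7 is reported for DGA-style probing. In production each indicator on its own is noisy (CDNs rotate short-TTL addresses; monitoring agents poll on fixed intervals), so a practitioner would combine them with the ontology attributes and risk propagation the abstract describes rather than alert on any single flag.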