A graph analytic metric for mitigating advanced persistent threat

Johnson, John R.; Hogan, Emilie

doi:10.1109/isi.2013.6578801

Cited by 25 publications

(6 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For example, Chapman et al [25] simulate pivoting-based attacks through a gametheoretic framework and propose some best practices based on their observations. Johnson et al [26] present an original graph metric that quantifies whether granting a certain privilege to an employee may increase chances of pivoting in Windows domains.…”

Section: Related Workmentioning

confidence: 99%

Detection and Threat Prioritization of Pivoting Attacks in Large Networks

Pierazzi

Colajanni

Marchetti

2020

IEEE Trans. Emerg. Topics Comput.

View full text Add to dashboard Cite

Several advanced cyber attacks adopt the technique of "pivoting" through which attackers create a command propagation tunnel through two or more hosts in order to reach their final target. Identifying such malicious activities is one of the most tough research problems because of several challenges: command propagation is a rare event that cannot be detected through signatures, the huge amount of internal communications facilitates attackers evasion, timely pivoting discovery is computationally demanding. This paper describes the first pivoting detection algorithm that is based on network flows analyses, does not rely on any a-priori assumption on protocols and hosts, and leverages an original problem formalization in terms of temporal graph analytics. We also introduce a prioritization algorithm that ranks the detected paths on the basis of a threat score thus letting security analysts investigate just the most suspicious pivoting tunnels. Feasibility and effectiveness of our proposal are assessed through a broad set of experiments that demonstrate its higher accuracy and performance against related algorithms

show abstract

Section: Related Workmentioning

confidence: 99%

Detection and Threat Prioritization of Pivoting Attacks in Large Networks

Pierazzi

Colajanni

Marchetti

2020

IEEE Trans. Emerg. Topics Comput.

View full text Add to dashboard Cite

show abstract

“…In the research of Johnson et al [18], the authors proposed a novel graph analytic metric that can be used to measure the potential vulnerability of a cyber network to specific types of attacks that use lateral movement and privilege escalation, such as the well-known Pass the Hash, (PTH). The metric can be calculated dynamically from the authorization and auditing layers during the network security authorization phase and will potentially enable predictive de terrence against attacks, such as PTH.…”

Section: Existing Apt Detection Methodsmentioning

confidence: 99%

Discovering Suspicious APT Behaviors by Analyzing DNS Activities

Yan

Guo

et al. 2020

Sensors

View full text Add to dashboard Cite

As sensors become more prevalent in our lives, security issues have become a major concern. In the Advanced Persistent Threat (APT) attack, the sensor has also become an important role as a transmission medium. As a relatively weak link in the network transmission process, sensor networks often become the target of attackers. Due to the characteristics of low traffic, long attack time, diverse attack methods, and real-time evolution, existing detection methods have not been able to detect them comprehensively. Current research suggests that a suspicious domain name can be obtained by analyzing the domain name resolution (DNS) request to the target network in an APT attack. In past work based on DNS log analyses, most of the work would simply calculate the characteristics of the request message or the characteristics of the response message or the feature set of the request message plus the response message, and the relationship between the response message and the request message was not considered. This may leave out the detection of some APT attacks in which the DNS resolution process is incomplete. This paper proposes a new feature that represents the relationship between a DNS request and the response message, based on a deep learning method used to analyze the DNS request records. The algorithm performs threat assessment on the DNS behavior to be detected based on the calculated suspicious value. This paper uses the data of 4, 907, 147, 146 DNS request records (376, 605, 606 records after DNS Data Pre-processing) collected in a large campus network and uses simulation attack data to verify the validity and correctness of the system. The results of the experiments show that our method achieves an average accuracy of 97.6% in detecting suspicious DNS behavior, with the orange false positive (FP) at 2.3% and the recall at 96.8%. The proposed system can effectively detect the hidden and suspicious DNS behavior in APT.

show abstract

“…In some cases, the introduced methods and tools are not complete, meaning that they may only be able to detect the vulnerability of the environment or network and not be able to detect the attack in the environment, as in [25] that Johnson and Hogan have proposed a method to investigate whether the network environment is vulnerable to an APT attack or not. This tool allows the network security administrators to check the vulnerability of the network environment after initial configuration and then make changes if necessary.…”

Section: Literature Reviewmentioning

confidence: 99%

Early Detection of the Advanced Persistent Threat Attack Using Performance Analysis of Deep Learning

et al. 2020

View full text Add to dashboard Cite

One of the most common and critical destructive attacks on the victim system is the advanced persistent threat (APT)-attack. An APT attacker can achieve its hostile goal through obtaining information and gaining financial benefits from the infrastructure of a network. One of the solutions to detect a unanimous APT attack is using network traffic. Due to the nature of the APT attack in terms of being on the network for a long time and the fact that the system may crash due to the high traffic, it is difficult to detect this type of attack. Hence, in this study, machine learning methods of C5.0 decision tree, Bayesian network, and deep learning are used for the timely detection and classification of APT-attacks on the NSL-KDD dataset. Moreover, a 10-fold cross-validation method is used to experiment with these models. As a result, the accuracy (ACC) of the C5.0 decision tree, Bayesian network, and 6-layer deep learning models is obtained as 95.64%, 88.37%, and 98.85%, respectively. Also, in terms of the critical criterion of the false positive rate (FPR), the FPR value for the C5.0 decision tree, Bayesian network, and 6-layer deep learning models is obtained as 2.56, 10.47, and 1.13, respectively. Other criterions such as sensitivity, specificity, accuracy, false-negative rate, and F-measure are also investigated for the models, and the experimental results show that the deep learning model with automatic multi-layered extraction of features has the best performance for timely detection of an APT-attack comparing to other classification models.

show abstract

A graph analytic metric for mitigating advanced persistent threat

Cited by 25 publications

References 11 publications

Detection and Threat Prioritization of Pivoting Attacks in Large Networks

Detection and Threat Prioritization of Pivoting Attacks in Large Networks

Discovering Suspicious APT Behaviors by Analyzing DNS Activities

Early Detection of the Advanced Persistent Threat Attack Using Performance Analysis of Deep Learning

Contact Info

Product

Resources

About