A Novel Method for Detecting APT Attacks by Using OODA Loop and Black Swan Theory

Bodström, Tero; Hämäläinen, Timo

doi:10.1007/978-3-030-04648-4_42

Cited by 12 publications

(14 citation statements)

References 21 publications

(50 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Bodström and Hämäläinen have utilized Observe-Orient-Decide-Act (OODA) loop and Black Swan Theory for detection and identification of APT attacks [33]. In this paper, without manipulating and reducing the features, the network data stream is transferred to the detection process.…”

Section: Literature Reviewmentioning

confidence: 99%

Early Detection of the Advanced Persistent Threat Attack Using Performance Analysis of Deep Learning

et al. 2020

View full text Add to dashboard Cite

One of the most common and critical destructive attacks on the victim system is the advanced persistent threat (APT)-attack. An APT attacker can achieve its hostile goal through obtaining information and gaining financial benefits from the infrastructure of a network. One of the solutions to detect a unanimous APT attack is using network traffic. Due to the nature of the APT attack in terms of being on the network for a long time and the fact that the system may crash due to the high traffic, it is difficult to detect this type of attack. Hence, in this study, machine learning methods of C5.0 decision tree, Bayesian network, and deep learning are used for the timely detection and classification of APT-attacks on the NSL-KDD dataset. Moreover, a 10-fold cross-validation method is used to experiment with these models. As a result, the accuracy (ACC) of the C5.0 decision tree, Bayesian network, and 6-layer deep learning models is obtained as 95.64%, 88.37%, and 98.85%, respectively. Also, in terms of the critical criterion of the false positive rate (FPR), the FPR value for the C5.0 decision tree, Bayesian network, and 6-layer deep learning models is obtained as 2.56, 10.47, and 1.13, respectively. Other criterions such as sensitivity, specificity, accuracy, false-negative rate, and F-measure are also investigated for the models, and the experimental results show that the deep learning model with automatic multi-layered extraction of features has the best performance for timely detection of an APT-attack comparing to other classification models.

show abstract

Section: Literature Reviewmentioning

confidence: 99%

Early Detection of the Advanced Persistent Threat Attack Using Performance Analysis of Deep Learning

et al. 2020

View full text Add to dashboard Cite

show abstract

“…In our previous paper [1], we proposed a novel method for detecting (APT) attacks by using OODA loop and Black Swan theory. The purpose of the method is to take into account current detection problems and improve detection rate for earlier unknown attacks, which is currently quite low.…”

Section: Current Detection Problemsmentioning

confidence: 99%

“…For example, TCP/IP packet header and data fields have a maximum length of 1500 bytes in Ethernet network and spread over 27 dimensions. As was stated in our earlier paper [1], we implemented the DL stack in a way that it takes the data input in binary form. Dimensionality is high, as 1500 bytes represent 12,000 dimensions in binary, however each dimension has the value of 0 or 1, thus data standardisation is not needed in input layer.…”

Section: Data Dimensionsmentioning

confidence: 99%

“…Previously unknown attacks are a common problem for traditional detectors, such as intrusion detection systems (IDS), which are based on attack signatures [11]. In the case of an APT, the problem is even worse, as the attack uses sophisticated stealth methods and mimics normal traffic and thus can hide undetected for a long periods of time [1,9].…”

Section: Previously Unknown Attacksmentioning

confidence: 99%

“…It has multiple functionalities, which are developed to avoid detection for as long as possible. Some of those functionalities include multiple simultaneous attack vectors with different phases, masquerading as communication data, random changes in execution time intervals, horizontal and vertical connections and mimicking legitimate traffic [1]. A common way to execute APT is via spear-fishing email spoofing attack but, if there exists an insider threat, it can be executed even inside the target network [2,3].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

A Novel Deep Learning Stack for APT Detection

Bodström

Hämäläinen

2019

Applied Sciences

Self Cite

View full text Add to dashboard Cite

We present a novel Deep Learning (DL) stack for detecting Advanced Persistent threat (APT) attacks. This model is based on a theoretical approach where an APT is observed as a multi-vector multi-stage attack with a continuous strategic campaign. To capture these attacks, the entire network flow and particularly raw data must be used as an input for the detection process. By combining different types of tailored DL-methods, it is possible to capture certain types of anomalies and behaviour. Our method essentially breaks down a bigger problem into smaller tasks, tries to solve these sequentially and finally returns a conclusive result. This concept paper outlines, for example, the problems and possible solutions for the tasks. Additionally, we describe how we will be developing, implementing and testing the method in the near future.

show abstract

Detection and Defense Methods of Cyber Attacks

Xing

Jiang

et al. 2021

MDATA: A New Knowledge Representation Model

View full text Add to dashboard Cite

A Novel Method for Detecting APT Attacks by Using OODA Loop and Black Swan Theory

Cited by 12 publications

References 21 publications

Early Detection of the Advanced Persistent Threat Attack Using Performance Analysis of Deep Learning

Early Detection of the Advanced Persistent Threat Attack Using Performance Analysis of Deep Learning

A Novel Deep Learning Stack for APT Detection

Detection and Defense Methods of Cyber Attacks

Contact Info

Product

Resources

About