Advanced Persistent Threat Detection: A Survey

Adam, Khalid; Zainal, Anazida; Maarof, Mohd Aizaini; Ghaleb, Fuad A.

doi:10.1109/crc50527.2021.9392626

Cited by 18 publications

(8 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…When considering attackers, understanding the approach of common Advanced Persistent Threats (APTs) is highly beneficial to security [32]. The authors of [33] determined that each APT has a defined target and the campaigns are typically launched by an established organization. They emphasized that security professionals need to understand how these intrusion methods are executed and how to detect them [33].…”

Section: Surveys On Threat Managementmentioning

confidence: 99%

“…The authors of [33] determined that each APT has a defined target and the campaigns are typically launched by an established organization. They emphasized that security professionals need to understand how these intrusion methods are executed and how to detect them [33]. These sophisticated threats require more than normal IDSs as the attackers are highly knowledgeable [33].…”

Section: Surveys On Threat Managementmentioning

confidence: 99%

“…They emphasized that security professionals need to understand how these intrusion methods are executed and how to detect them [33]. These sophisticated threats require more than normal IDSs as the attackers are highly knowledgeable [33]. The authors concluded that organizations need to understand the stages and aspects of APT to prepare for the attack and ensure that they can identify the threat in the early stages [33].…”

Section: Surveys On Threat Managementmentioning

confidence: 99%

See 2 more Smart Citations

Turning the Hunted into the Hunter via Threat Hunting: Life Cycle, Ecosystem, Challenges and the Great Promise of AI

Hillier¹,

Karroubi²

2022

Preprint

View full text Add to dashboard Cite

The threat hunting lifecycle is a complex atmosphere that requires special attention from professionals to maintain security. This paper is a collection of recent work that gives a holistic view of the threat hunting ecosystem, identifies challenges, and discusses the future with the integration of artificial intelligence (AI). We specifically establish a life cycle and ecosystem for privacy-threat hunting in addition to identifying the related challenges. We also discovered how critical the use of AI is in threat hunting. This work paves the way for future work in this area as it provides the foundational knowledge to make meaningful advancements for threat hunting.

show abstract

Section: Surveys On Threat Managementmentioning

confidence: 99%

Section: Surveys On Threat Managementmentioning

confidence: 99%

Section: Surveys On Threat Managementmentioning

confidence: 99%

See 1 more Smart Citation

Turning the Hunted into the Hunter via Threat Hunting: Life Cycle, Ecosystem, Challenges and the Great Promise of AI

Hillier¹,

Karroubi²

2022

Preprint

View full text Add to dashboard Cite

show abstract

“…When compared to signature-based detection, anomaly-based detection could be proposed to detect any divergent patterns from normal events in the network (a baseline profile). However, attackers often circumvent the detector by treating network events and system calls as temporal sequences, resulting in underperforming APT detection [6].…”

Section: Introductionmentioning

confidence: 99%

Advanced Persistent Threat Detection and Mitigation Using Machine Learning Model

Sakthivelu¹,

Kumar²

2023

Intelligent Automation &Amp; Soft Computing

View full text Add to dashboard Cite

The detection of cyber threats has recently been a crucial research domain as the internet and data drive people's livelihood. Several cyberattacks lead to the compromise of data security. The proposed system offers complete data protection from Advanced Persistent Threat (APT) attacks with attack detection and defence mechanisms. The modified lateral movement detection algorithm detects the APT attacks, while the defence is achieved by the Dynamic Deception system that makes use of the belief update algorithm. Before termination, every cyber-attack undergoes multiple stages, with the most prominent stage being Lateral Movement (LM). The LM uses a Remote Desktop protocol (RDP) technique to authenticate the unauthorised host leaving footprints on the network and host logs. An anomaly-based approach leveraging the RDP event logs on Windows is used for detecting the evidence of LM. After extracting various feature sets from the logs, the RDP sessions are classified using machine-learning techniques with high recall and precision. It is found that the AdaBoost classifier offers better accuracy, precision, F1 score and recall recording 99.9%, 99.9%, 0.99 and 0.98%. Further, a dynamic deception process is used as a defence mechanism to mitigate APT attacks. A hybrid encryption communication, dynamic (Internet Protocol) IP address generation, timing selection and policy allocation are established based on mathematical models. A belief update algorithm controls the defender's action. The performance of the proposed system is compared with the state-of-the-art models.

show abstract

“…According to Croom [30], to defend against Advanced Persistent Threats (APTs), defenders first need to understand how attackers operate. APTs have been classified as sophisticated and targeted attacks [71]. APTs emerged as one of the most dangerous attack types and targeted various organisations from the domains of IT, corporate and government organisations [61].…”

Section: Perception Layer Security Challengesmentioning

confidence: 99%

Deception-Based Security Framework for IoT: An Empirical Study

Haseeb¹

View full text Add to dashboard Cite

A large number of Internet of Things (IoT) devices in use has provided a vast attack surface. The security in IoT devices is a significant challenge considering constrained resources, designed with poor security measures and their associated configuration and maintenance flaws. Vulnerable IoT devices are used to perform different attacks such as Distributed Denial of Service (DDoS) caused by malware infection and propagation. In the literature, attacks on IoT devices have been captured and analysed using deception systems such as honeypots to discover patterns of target selection, login credentials used, commands executed by the attackers in the attack process and study behaviours of IoT malware and botnets. However, previous studies are limited in presenting an in-depth analysis of complete attack structures, grouping attacks without the subjective bias of experts' domain knowledge and proposing empirically-proven methods to detect human attackers. These studies also do not use the existing knowledge of attacks to design or improve deception-based defences. The overall goal of this thesis is understanding IoT attacks, threat actors and their behaviours and uses probabilistic modelling and prior knowledge to propose a deception-based security framework. A key feature of this thesis is the experimental data collection and empirical analysis using categorisation and clustering techniques. To achieve the overall goal, this research conducts an experimental study in which a honeypot is deployed to capture IoT attacks. Using the Cyber Kill Chain (CKC) model, more than 30,000 captured attacks are empirically analysed and an IoT Kill Chain (IoTKC) model is designed. The IoTKC model presents attack process followed for the exploitation of IoT devices and each phase is an abstraction of attackers' activities, tools, techniques and tactics used. The knowledge gained about IoT attacks is used to propose a deception-based security framework. A pre-planning phase is introduced on top of other traditional phases, i.e., creating deception-based defence, performing defence, evaluating, monitoring and updating defence. The knowledge of prior attacks helps predict attack actions based on the probabilities of following a sequence and subsequently choosing defensive measures. The framework also discusses attackers' behaviour in the process and various quantification measures for evaluating the performance of attack and defence actions. This research also proposes a feature set extracted from captured IoT attacks based on manually mapping commands with IoTKC steps, behaviour of attackers and utilisation of resources. Various clustering algorithms are applied to the data set prepared by identified features and random tree models are designed to highlight the distribution of attacks and classification features. Further extending the analysis, this thesis proposes a new approach comprised of feature construction using Autoencoder (AE) and clustering IoT attacks to understand the attacks distribution based on changes in commands and the links between captured attacks. The proposed approach also handles domain knowledge and subjective bias limitations by removing the process of manually correlating commands. Overall the findings related to understanding and clustering IoT attacks show that most of the attacks captured are automated and active attack campaigns on the Internet. A larger experimental study is therefore required to acquire larger data set and further study other types of attacks and attackers behind them. Before conducting the new experiment, this research performs a risk assessment study using Failure Modes and Effects Analysis (FMEA) for a honeypot-based cyber security experiment. The analysis identifies the factors affecting a cyber security experiment regarding deceptive capabilities, increasing exposure, avoiding detection, deploying and monitoring honeypots. Moreover, for the relevant configurations, components and deceptive capabilities in the experiment; the analysis provides details on possible failure modes, their effects on experimental results, the possible causes of failures and available controls to detect and mitigate potential failures. This research then conducts a large experimental study by deploying 15 server honeypots in various geographical locations around the world and collecting attack data for a period of two months. A representative feature set is proposed to identify the behavioural characteristics of human attackers when interacting with the target system. Our analysis also discusses various case studies of human attackers and reports observations on their interaction behaviours with the target systems and intentions to perform attacks. We also discuss the advantages of increasing deception by comparing attacks received on honeypots with various deceptive capabilities. Changing configurations and increasing deception at various levels help make the honeypot more appealing to lure IoT-specific attacks and convince attackers to maintain longer engagements.

show abstract

Advanced Persistent Threat Detection: A Survey

Cited by 18 publications

References 20 publications

Turning the Hunted into the Hunter via Threat Hunting: Life Cycle, Ecosystem, Challenges and the Great Promise of AI

Turning the Hunted into the Hunter via Threat Hunting: Life Cycle, Ecosystem, Challenges and the Great Promise of AI

Advanced Persistent Threat Detection and Mitigation Using Machine Learning Model

Deception-Based Security Framework for IoT: An Empirical Study

Contact Info

Product

Resources

About