APIVADS: A Novel Privacy-Preserving Pivot Attack Detection Scheme Based on Statistical Pattern Recognition

Marques, Rafael Salema; Al-Khateeb, Haider; Epiphaniou, Gregory; Maple, Carsten

doi:10.1109/tifs.2022.3146076

Cited by 7 publications

(5 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Although no clear malicious event was detected, our analysis yielded valuable insights into the network traffic landscape, revealing a significant number of false positives and benign pivoting-like events. The scope of the experiment exceeds previous works [15] and complements results achieved in laboratory settings [7] and host-based methods [18].…”

Section: Discussionmentioning

confidence: 57%

“…Recent approaches to lateral movement detection do not rely solely on system logs but combine multiple data sources, including monitoring network traffic. APIVADS [18] is a privacy-preserving approach to pivoting detection that can be used in complex networks. The proposed approach relies on Net-Flow data collected on the pivot and, thus, it is a de-facto host-based method, even though network-based data are used.…”

Section: Related Work On Pivoting Detectionmentioning

confidence: 99%

“…Although pivoting or lateral movement detection, in general, has gained much attention in recent years [22], the state-of-the-art in the field is limited by several factors. First, the existing pivoting detection methods (e.g., [5,7,18]) are mostly host-based, meaning they can only detect the pivoting on (or with access to the data from) the machine that acts as a pivot. While such methods achieve high accuracy, their scope is limited to machines that have the necessary software equipment or those that can forward their logs elsewhere, which is often infeasible in large and heterogeneous networks.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Unraveling Network-Based Pivoting Maneuvers: Empirical Insights and Challenges

Husák,

Yang,

Khoury

et al. 2024

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

Pivoting is a sophisticated strategy employed by modern malware and Advanced Persistent Threats (APT) to complicate attack tracing and attribution. Detecting pivoting activities is of utmost importance in order to counter these threats effectively. In this study, we examined the detection of pivoting by analyzing network traffic data collected over a period of 10 days in a campus network. Through NetFlow monitoring, we initially identified potential pivoting candidates, which are traces in the network traffic that match known patterns. Subsequently, we conducted an in-depth analysis of these candidates and uncovered a significant number of false positives and benign pivoting-like patterns. To enhance investigation and understanding, we introduced a novel graph representation called a pivoting graph, which provides comprehensive visualization capabilities. Unfortunately, investigating pivoting candidates is highly dependent on the specific context and necessitates a strong understanding of the local environment. To address this challenge, we applied principal component analysis and clustering techniques to a diverse range of features. This allowed us to identify the most meaningful features for automated pivoting detection, eliminating the need for prior knowledge of the local environment.

show abstract

Section: Discussionmentioning

confidence: 57%

Section: Related Work On Pivoting Detectionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Unraveling Network-Based Pivoting Maneuvers: Empirical Insights and Challenges

Husák,

Yang,

Khoury

et al. 2024

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

show abstract

“…Tang et al [21] and others extracted three decision features from the traffic data, namely the coefficient of variation of TCP traffic, the wavelet packet energy entropy of TCP (Transmission Control Protocol) traffic , and the Pearson correlation coefficient between TCP and total traffic, to distinguish normal traffic from traffic under LDoS attacks. Marques et al [22] converted the original traffic data into grayscale images used CNN to extract the spatial features of traffic from grayscale images. Meanwhile he used recurrent neural network (RNN) to extract the temporal features of traffic.…”

Section: Feature Extraction and Representation On Trafficmentioning

confidence: 99%

NFHP-RN: A Method of Few-Shot Network Attack Detection Based on the Network Flow Holographic Picture-ResNet

Yi,

Chen,

Yang

et al. 2024

CMES

View full text Add to dashboard Cite

Due to the rapid evolution of Advanced Persistent Threats (APTs) attacks, the emergence of new and rare attack samples, and even those never seen before, make it challenging for traditional rule-based detection methods to extract universal rules for effective detection. With the progress in techniques such as transfer learning and meta-learning, few-shot network attack detection has progressed. However, challenges in few-shot network attack detection arise from the inability of time sequence flow features to adapt to the fixed length input requirement of deep learning, difficulties in capturing rich information from original flow in the case of insufficient samples, and the challenge of high-level abstract representation. To address these challenges, a few-shot network attack detection based on NFHP (Network Flow Holographic Picture)-RN (ResNet) is proposed. Specifically, leveraging inherent properties of images such as translation invariance, rotation invariance, scale invariance, and illumination invariance, network attack traffic features and contextual relationships are intuitively represented in NFHP. In addition, an improved RN network model is employed for high-level abstract feature extraction, ensuring that the extracted high-level abstract features maintain the detailed characteristics of the original traffic behavior, regardless of changes in background traffic. Finally, a meta-learning model based on the self-attention mechanism is constructed, achieving the detection of novel APT few-shot network attacks through the empirical generalization of high-level abstract feature representations of known-class network attack behaviors. Experimental results demonstrate that the proposed method can learn high-level abstract features of network attacks across different traffic detail granularities. Compared with state-of-the-art methods, it achieves favorable accuracy, precision, recall, and F1 scores for the identification of unknown-class network attacks through cross-validation on multiple datasets.

show abstract

“…Other delivery methods include exploit kits, which take advantage of unpatched vulnerabilities in operating systems and browsers to spread malware or pivot through the network to hide the origin of the attack [14], and malvertising-when attackers create adverts containing malicious code, then serve from a legitimate ad network. Microsoft Office Macros-Visual Basic for Applications (VBA) is a comprehensive language containing commands that can be used maliciously or to download and execute other malware.…”

Section: Introductionmentioning

confidence: 99%

Reducing False Negatives in Ransomware Detection: A Critical Evaluation of Machine Learning Algorithms

2022

Self Cite

View full text Add to dashboard Cite

Technological achievement and cybercriminal methodology are two parallel growing paths; protocols such as Tor and i2p (designed to offer confidentiality and anonymity) are being utilised to run ransomware companies operating under a Ransomware as a Service (RaaS) model. RaaS enables criminals with a limited technical ability to launch ransomware attacks. Several recent high-profile cases, such as the Colonial Pipeline attack and JBS Foods, involved forcing companies to pay enormous amounts of ransom money, indicating the difficulty for organisations of recovering from these attacks using traditional means, such as restoring backup systems. Hence, this is the benefit of intelligent early ransomware detection and eradication. This study offers a critical review of the literature on how we can use state-of-the-art machine learning (ML) models to detect ransomware. However, the results uncovered a tendency of previous works to report precision while overlooking the importance of other values in the confusion matrices, such as false negatives. Therefore, we also contribute a critical evaluation of ML models using a dataset of 730 malware and 735 benign samples to evaluate their suitability to mitigate ransomware at different stages of a detection system architecture and what that means in terms of cost. For example, the results have shown that an Artificial Neural Network (ANN) model will be the most suitable as it achieves the highest precision of 98.65%, a Youden’s index of 0.94, and a net benefit of 76.27%, however, the Random Forest model (lower precision of 92.73%) offered the benefit of having the lowest false-negative rate (0.00%). The risk of a false negative in this type of system is comparable to the unpredictable but typically large cost of ransomware infection, in comparison with the more predictable cost of the resources needed to filter false positives.

show abstract

APIVADS: A Novel Privacy-Preserving Pivot Attack Detection Scheme Based on Statistical Pattern Recognition

Abstract: How to cite:Please refer to published version for the most recent bibliographic citation information.

Cited by 7 publications

References 30 publications

Unraveling Network-Based Pivoting Maneuvers: Empirical Insights and Challenges

Unraveling Network-Based Pivoting Maneuvers: Empirical Insights and Challenges

NFHP-RN: A Method of Few-Shot Network Attack Detection Based on the Network Flow Holographic Picture-ResNet

Reducing False Negatives in Ransomware Detection: A Critical Evaluation of Machine Learning Algorithms

Contact Info

Product

Resources

About