APT attack detection algorithm based on spatio-temporal association analysis in industrial network

Wang, Xiaoying; Liu, Qingjie; Pan, Zhian; Pang, Guoli

doi:10.1007/s12652-020-01840-3

Cited by 16 publications

(24 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This means that there is a lack of contribution to defending against mobile APTs. This study identified 60 primary studies of which 40 primary studies focused on APT detection [1,3,[5][6][7]28,76,86,97,98,100,106,111,115,[124][125][126][127][128][129]134,[136][137][138][139]142,172,173,176], six primary studies focused on APT protection [4,91,92,118,121,125], four primary studies focused on APT mitigation [142][143][144][145], three primary studies focused on APT identification [98,107,146], and [116] focused on the detection and response to APTs as shown in Table 5.…”

Section: Rq2: What Are the Proposed Defensive Mechanisms Available To...mentioning

confidence: 99%

Exploration of Mobile Device Behavior for Mitigating Advanced Persistent Threats (APT): A Systematic Literature Review and Conceptual Framework

Jabar

Singh

2022

Sensors

View full text Add to dashboard Cite

During the last several years, the Internet of Things (IoT), fog computing, computer security, and cyber-attacks have all grown rapidly on a large scale. Examples of IoT include mobile devices such as tablets and smartphones. Attacks can take place that impact the confidentiality, integrity, and availability (CIA) of the information. One attack that occurs is Advanced Persistent Threat (APT). Attackers can manipulate a device’s behavior, applications, and services. Such manipulations lead to signification of a deviation from a known behavioral baseline for smartphones. In this study, the authors present a Systematic Literature Review (SLR) to provide a survey of the existing literature on APT defense mechanisms, find research gaps, and recommend future directions. The scope of this SLR covers a detailed analysis of most cybersecurity defense mechanisms and cutting-edge solutions. In this research, 112 papers published from 2011 until 2022 were analyzed. This review has explored different approaches used in cybersecurity and their effectiveness in defending against APT attacks. In a conclusion, we recommended a Situational Awareness (SA) model known as Observe–Orient–Decide–Act (OODA) to provide a comprehensive solution to monitor the device’s behavior for APT mitigation.

show abstract

Section: Rq2: What Are the Proposed Defensive Mechanisms Available To...mentioning

confidence: 99%

Exploration of Mobile Device Behavior for Mitigating Advanced Persistent Threats (APT): A Systematic Literature Review and Conceptual Framework

Jabar

Singh

2022

Sensors

View full text Add to dashboard Cite

show abstract

“…Another detection method in an ICS, [26], used a spatiotemporal association analysis method to detect intrusions in industrial networks. It focused on feature mining and retrieval methods of historical attacks between the features of APT attacks.…”

Section: Related Workmentioning

confidence: 99%

Design and Development of Automated Threat Hunting in Industrial Control Systems

Arafune¹,

Sidharth²,

Luigi³

et al. 2022

Preprint

View full text Add to dashboard Cite

Traditional industrial systems, e.g., power plants, water treatment plants, etc., were built to operate highly isolated and controlled capacity. Recently, Industrial Control Systems (ICSs) have been exposed to the Internet for ease of access and adaptation to advanced technologies. However, it creates security vulnerabilities. Attackers often exploit these vulnerabilities to launch an attack on ICSs. Towards this, threat hunting is performed to proactively monitor the security of ICS networks and protect them against threats that could make the systems malfunction. A threat hunter manually identifies threats and provides a hypothesis based on the available threat intelligence. In this paper, we motivate the gap in lacking research in the automation of threat hunting in ICS networks. We propose an automated extraction of threat intelligence and the generation and validation of a hypothesis. We present an automated threat hunting framework based on threat intelligence provided by the ICS MITRE ATT&CK framework to automate the tasks. Unlike the existing hunting solutions which are cloud-based, costly and prone to human errors, our solution is a central and opensource implemented using different open-source technologies, e.g., Elasticsearch, Conpot, Metasploit, Web Single Page Application (SPA), and a machine learning analyser. Our results demonstrate that the proposed threat hunting solution can identify the network's attacks and alert a threat hunter with a hypothesis generated based on the techniques, tactics, and procedures (TTPs) from ICS MITRE ATT&CK. Then, a machine learning classifier automatically predicts the future actions of the attack.

show abstract

“…The ability of SBI model to detect APT attacks at the first potential victim is evaluated using accuracy detection measurements which are typically used in the other studies to clarify experiments [45]. This measurement depends on a true positive (TP, the number of malicious behaviour correctly classified as malicious), true negative (TN, the number of normal behaviour correctly classified as normal), false positive (FP, the number of normal behaviour wrongly classified as a malicious), false negative (FN, the number of malicious behaviour wrongly classified as a normal.…”

Section: Evaluation Metricsmentioning

confidence: 99%

SBI Model for the Detection of Advanced Persistent Threat Based on Strange Behavior of Using Credential Dumping Technique

Mohamed

Belaton

2021

IEEE Access

View full text Add to dashboard Cite

This study investigated the shift from the manual approach of processing data to the digitized method making organizational data prone to attack by cybercriminals. The latest threat Advanced Persistent Threats (APT) was originated by the United States Air Force in 2006 by Colonel Greg Rattray. APT is constantly ravaging industries and governments, which causes severe damages including data loss, espionage, sabotage, leak, or forceful pay of ransom money to the attackers. This study introduces a new model built on Adversarial Tactics Techniques and Common Knowledge (ATT&CK) matrix for detecting APT attack. This is to identify the APT on the first potential victim when the attackers use credential dumping technique. Strange Behavior Inspection Model incorporating several models investigates and monitors APT behavioral features in the CPU, RAM, windows registry, and file systems proposed to detect APT Attack at the first potential victim machine. The Strange Behavior Inspection (SBI) Model proposed in this paper is designed to detect the attack before being developed to more advanced phases. The results of this study are presented at four levels:1-random access memory, 2-central processing unit, 3-windows registry, and 4-file systems. This study proposes a unique model as evidence to detect APT attacks before any other techniques are used. The proposed model reduces the detection time from nine-months to 2.7 minutes.

show abstract

APT attack detection algorithm based on spatio-temporal association analysis in industrial network

Cited by 16 publications

References 26 publications

Exploration of Mobile Device Behavior for Mitigating Advanced Persistent Threats (APT): A Systematic Literature Review and Conceptual Framework

Exploration of Mobile Device Behavior for Mitigating Advanced Persistent Threats (APT): A Systematic Literature Review and Conceptual Framework

Design and Development of Automated Threat Hunting in Industrial Control Systems

SBI Model for the Detection of Advanced Persistent Threat Based on Strange Behavior of Using Credential Dumping Technique

Contact Info

Product

Resources

About