Countering Advanced Persistent Threats through security intelligence and big data analytics

Marchetti, Mirco; Guido, Alessandro; Pierazzi, Fabio; Colajanni, Michele

doi:10.1109/cycon.2016.7529438

Cited by 35 publications

(25 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Mirco Marchetti [13] designed and evaluated a novel framework that is tailored to support security analysts in detecting APTs. The proposed framework uses multifactor approaches where big data analytics methods are applied to internal and external information to support human specialists so that those specialists can focus their security and intelligence analyses on the subset of hosts that are most likely to have been compromised.…”

Section: (Ii)mentioning

confidence: 99%

HeteMSD: A Big Data Analytics Framework for Targeted Cyber-Attacks Detection Using Heterogeneous Multisource Data

Guo

et al. 2019

Security and Communication Networks

View full text Add to dashboard Cite

In the current enterprise network environment, multistep targeted cyber-attacks with concealment and advanced characteristics have become the main threat. Multisource security data are the prerequisite of targeted cyber-attacks detection. However, these data have characters of heterogeneity and semantic diversity, and existing attack detection methods do not take comprehensive data sources into account. Identifying and predicting attack intention from heterogeneous noisy data can be meaningful work. In this paper, we first review different data fusion mechanisms of correlating heterogeneous multisource data. On this basis, we propose a big data analytics framework for targeted cyber-attacks detection and give the basic idea of correlation analysis. Our approach will offer the ability to correlate multisource heterogeneous security data and analyze attack intention effectively.

show abstract

Section: (Ii)mentioning

confidence: 99%

HeteMSD: A Big Data Analytics Framework for Targeted Cyber-Attacks Detection Using Heterogeneous Multisource Data

Guo

et al. 2019

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…The literature also contains papers on desktop banking trojans. The methods used in these papers do not necessarily apply to Android trojans as the the Android OS presents very different characteristics and environment for which new tools are required [38], [26]. Criscione et al present Zarathustra [12], a tool to detect web-inject based trojans that leverages the fact that web pages are rendered differently on clean machines and on infected machines.…”

Section: Literature On Desktop Banking Trojansmentioning

confidence: 99%

DBank: Predictive Behavioral Analysis of Recent Android Banking Trojans

Bai

Han

Mezzour

et al. 2019

IEEE Trans. Dependable and Secure Comput.

Self Cite

View full text Add to dashboard Cite

Using a novel dataset of Android banking trojans (ABTs), other Android malware, and goodware, we develop the DBank system to predict whether a given Android APK is a banking trojan or not. We introduce the novel concept of a Triadic Suspicion Graph (TSG for short) which contains three kinds of nodes: goodware, banking trojans, and API packages. We develop a novel feature space based on two classes of scores derived from TSGs: suspicion scores (SUS) and suspicion ranks (SR)-the latter yields a family of features that generalize PageRank. While TSG features (based on SUS/SR scores) provide very high predictive accuracy on their own in predicting recent (2016-2017) ABTs, we show that the combination of TSG features with previously studied lightweight static and dynamic features in the literature yields the highest accuracy in distinguishing ABTs from goodware, while preserving the same accuracy of prior feature combinations in distinguishing ABTs from other Android malware. In particular, DBank's overall accuracy in predicting whether an APK is a banking trojan or not is up to 99.9% AUC with 0.3% false positive rate. Moreover, we have already reported two unlabeled APKs from VirusTotal (which DBank has detected as ABTs) to the Google Android Security Team-in one case, we discovered it before any of the 63 anti-virus products on VirusTotal did, and in the other case, we beat 62 of 63 anti-viruses on VirusTotal. This suggests that DBank is capable of making new discoveries in the wild before other established vendors. We also show that our novel TSG features have some interesting defensive properties as they are robust to knowledge of the training set by an adversary: even if the adversary uses 90% of our training set and uses the exact TSG features that we use, it is difficult for him to infer DBank's predictions on APKs. We additionally identify the features that best separate and characterize ABTs from goodware as well as from other Android malware. Finally, we develop a detailed data-driven analysis of five major recent ABT families: FakeToken, Svpeng, Asacub, BankBot, and Marcher, and identify the features that best separate them from goodware and other malware.

show abstract

“…Network traffic and client data analysis, form multiple network locations, using both signature and anomaly detection methods derived from the intelligent data analysis field, has been proposed by De Vries et al (2012). An intrusion detection system with the ability to detect the possibility of initial intrusions, as well as using security intelligence and big data analytics was proposed by (Marchetti et al, 2016). An automatic training system that generates simulated training emails using an email client has been proposed by (Iwata et al, 2017).…”

Section: Research On Apt Countermeasuresmentioning

confidence: 99%

“…As a highly sophisticated, well-resourced threats aimed primarily towards the government sector (Thakar and Parekh, 2016), the goal of an APT attack is not to just gather a target entity's data, but to accomplish it undetected (Alshamrani et al, 2019). While the majority of cyber-attacks rely on automated scanning and exploitation of known vulnerabilities over large sets of targets (Marchetti et al, 2016), APT attacks are highly targeted attacks, with a clear goal typically targeting governments or business targets with substantial intellectual property value (Chen et al, 2014, Vert et al, 2014. Reports of APT attacks targeting high-profile organizations, ranging from large-scale enterprises and financial institutions to government sectors continue to occur unabated (Yang et al, 2018).…”

Section: Introductionmentioning

confidence: 99%

Modelling Technical Countermeasures of Advanced Persistent Threats

Nicho¹,

McDermott²

2019

Proceedings of the 16th International Conference on Applied Computing 2019

View full text Add to dashboard Cite

An advanced persistent threat (APT) is a highly targeted and sophisticated attack directed at the internetworked computer user at the workplace. They typically employ zero-day malware, stealth, and multiple advanced techniques to gain entry and maintain presence undetected inside the network. As a result, preventing their ingress at the network perimeter and detection once infiltration occurs, continues to be a challenge. In this respect, the major objective of this research is to propose a classification schema for the APT technical countermeasures. We interviewed senior managers working in government and private organizations in the United Arab Emirates over a period of four years (2014 to 2017) to gain their perspective of the threat and elicit technical countermeasures. We anticipate the proposed methods and practices can assist organizations, not only in the UAE but also in the wider global context, to implement an appropriate mix of countermeasures for APT threats from a multi-dimensional perspective.

show abstract

Countering Advanced Persistent Threats through security intelligence and big data analytics

Cited by 35 publications

References 25 publications

HeteMSD: A Big Data Analytics Framework for Targeted Cyber-Attacks Detection Using Heterogeneous Multisource Data

HeteMSD: A Big Data Analytics Framework for Targeted Cyber-Attacks Detection Using Heterogeneous Multisource Data

DBank: Predictive Behavioral Analysis of Recent Android Banking Trojans

Modelling Technical Countermeasures of Advanced Persistent Threats

Contact Info

Product

Resources

About