DAPT 2020 - Constructing a Benchmark Dataset for Advanced Persistent Threats

Myneni, Sowmya; Chowdhary, Ankur; Sabur, Abdulhakim; Sengupta, Sailik; Agrawal, Garima; Huang, Dijiang; Kang, Min Woo

doi:10.1007/978-3-030-59621-7_8

Cited by 43 publications

(19 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…However, APT attacks occur in internal networks as well. In addition, due to their artificial nature, the generic datasets do not exactly reflect a real-world environment [20]. In general, it is very difficult to distinguish between the behaviour of a benign user and an attacker.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

APT-Attack Detection Based on Multi-Stage Autoencoders

et al. 2022

View full text Add to dashboard Cite

In the face of emerging technological achievements, cyber security remains a significant issue. Despite the new possibilities that arise with such development, these do not come without a drawback. Attackers make use of the new possibilities to take advantage of possible security defects in new systems. Advanced-persistent-threat (APT) attacks represent sophisticated attacks that are executed in multiple steps. In particular, network systems represent a common target for APT attacks where known or yet undiscovered vulnerabilities are exploited. For this reason, intrusion detection systems (IDS) are applied to identify malicious behavioural patterns in existing network datasets. In recent times, machine-learning (ML) algorithms are used to distinguish between benign and anomalous activity in such datasets. The application of such methods, especially autoencoders, has received attention for achieving good detection results for APT attacks. This paper builds on this fact and applies several autoencoder-based methods for the detection of such attack patterns in two datasets created by combining two publicly available benchmark datasets. In addition to that, statistical analysis is used to determine features to supplement the anomaly detection process. An anomaly detector is implemented and evaluated on a combination of both datasets, including two experiment instances–APT-attack detection in an independent test dataset and in a zero-day-attack test dataset. The conducted experiments provide promising results on the plausibility of features and the performance of applied algorithms. Finally, a discussion is provided with suggestions of improvements in the anomaly detector.

show abstract

Section: Related Workmentioning

confidence: 99%

“…This method represents a multi-stage approach that relies on the observed network traffic. In addition, the authors of [20] propose a new dataset and benchmark existing anomalydetection models on that dataset. According to the performance, they claim that the reliable detection of APT attacks proved to be very difficult.…”

Section: Related Workmentioning

confidence: 99%

APT-Attack Detection Based on Multi-Stage Autoencoders

et al. 2022

View full text Add to dashboard Cite

show abstract

“…In [20], Myneni et al proposed a dataset to study APT and for the development of machine learning technologies suitable for APT attack detection. During the period of the logs' capture, an internal Red Team has been engaged.…”

Section: Apt-like Actors Observation On Dedicated Platformmentioning

confidence: 99%

PWNJUTSU: A Dataset and a Semantics-Driven Approach to Retrace Attack Campaigns

Berady

Jaume²,

Tông

et al. 2022

IEEE Trans. Netw. Serv. Manage.

View full text Add to dashboard Cite

Identifying patterns in the modus operandi of attackers is an essential requirement in the study of Advanced Persistent Threats. Previous studies have been hampered by the lack of accurate, relevant, and representative datasets of current threats. System logs and network traffic captured during attacks on real companies' information systems are the best data sources to build such datasets. Unfortunately, for apparent reasons of companies' reputation, privacy, and security, such data is seldom available. This article proposes an alternative approach to such issues involved with collecting data. It first presents a formal model of an attacker's tactical progression during their network propagation phase. Such a progression is expressed according to the attacker's state, called muSE, which specifies their propagation area, collected secrets, and knowledge of the environment. The new model wields the operational semantics of attack techniques proposed in this article. The semantics formally define a transition relation between attackers' states. Hence, it can be used to describe an entire attack scenario. This formalization allows the ability to describe the PWNJUTSU experiment unequivocally. In this experiment, 22 Red Teamers attacked the vulnerable infrastructure to compromise machines and steal secret flags. Each Red Teamer operated on a dedicated instance. Sensors captured system logs and network traffic on each of these instances. This article's second contribution is the public release of the PWNJUTSU dataset.

show abstract

“…(3) Superiority of the attention mechanism: we compare the detection performance of our attention mechanism for the different low-order correlations with the directly spliced method for the correlations [32] and the wired network intrusion datasets of NSL-KDD [33], UNSW-NB15 [34], CICIDS 2017 [35], CICIDS 2018 [36], and DAPT 2020 for APT [37] to evaluate the model.…”

Section: Model Evaluationmentioning

confidence: 99%

LCHI: Low‐Order Correlation and High‐Order Interaction Integrated Model Oriented to Network Intrusion Detection

Lei

Xia

Wang

2021

Wireless Communications and Mobile Computing

View full text Add to dashboard Cite

Network intrusion poses a severe threat to the Internet of Things (IoT). Thus, it is essential to study information security protection technology in IoT. Learning sophisticated feature interactions is critical in improving detection accuracy for network intrusion. Despite significant progress, existing methods seem to have a strong bias towards single low- or high-order feature interaction. Moreover, they always extract all possible low-order interactions indiscriminately, introducing too much noise. To address the above problems, we propose a low-order correlation and high-order interaction (LCHI) integrated feature extraction model. First, we selectively extract the beneficial low-order correlation between the same-type features by the multivariate correlation analysis (MCA) model and attention mechanism. Second, we extract the complicated high-order feature interaction by the deep neural network (DNN) model. Finally, we emphasize both the low- and high-order feature interactions and incorporate them. Our LCHI model seamlessly combines the linearity of MCA in modeling lower-order feature correlation and the nonlinearity of DNN in modeling higher-order feature interaction. Conceptually, our LCHI is more expressive than the previous models. We carry on a series of experiments on the public wireless and wired network intrusion detection datasets. The experimental results show that LCHI improves 1.06%, 2.46%, 3.74%, 0.25%, 1.17%, and 0.64% on the AWID, NSL-KDD, UNSW-NB15, CICIDS 2017, CICIDS 2018, and DAPT 2020 datasets, respectively.

show abstract

DAPT 2020 - Constructing a Benchmark Dataset for Advanced Persistent Threats

Cited by 43 publications

References 30 publications

APT-Attack Detection Based on Multi-Stage Autoencoders

APT-Attack Detection Based on Multi-Stage Autoencoders

PWNJUTSU: A Dataset and a Semantics-Driven Approach to Retrace Attack Campaigns

LCHI: Low‐Order Correlation and High‐Order Interaction Integrated Model Oriented to Network Intrusion Detection

Contact Info

Product

Resources

About