Framework for Detecting APTs Based on Steps Analysis and Correlation

Eke, Hope Nkiruka; Petrovski, Andrei; Ahriz, Hatem; Al-Kadri, M. Omar

doi:10.1007/978-3-030-97166-3_6

Cited by 2 publications

(3 citation statements)

References 41 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The researchers in [14] used Naïve Bayes theorem to detect spam emails containing links that redirect the victim to malicious websites, which could help APT attacker establish backdoors inside the victim's system. The study [15] proposes an ensemble RNN-based model to detect different APT steps by analyzing network traffic data. Host-level system logs are analyzed in [16] to identify different APT phases.…”

Section: Related Workmentioning

confidence: 99%

Strategic Monitoring for Efficient Detection of Simultaneous APT Attacks with Limited Resources

Fan¹,

Liu²,

Perigo³

2023

IJACSA

View full text Add to dashboard Cite

Advanced Persistent Threats (APT) are a type of sophisticated multistage cyber attack, and the defense against APT is challenging. Existing studies apply signature-based or behavior-based methods to analyze monitoring data to detect APT, but little research has been dedicated to the important problem of addressing APT detection with limited resources. In order to maintain the primary functionality of a system, the resources allocated for security purposes, for example logging and examining the behavior of a system, are usually constrained. Therefore, when facing multiple simultaneous powerful cyber attacks like APT, the allocation of limited security resources becomes critical. The research in this paper focuses on the threat model where multiple simultaneous APT attacks exist in the defender's system, but the defender does not have sufficient monitoring resources to check every running process. To capture the footprint of multistage activities including APT attacks and benign activities, this work leverages the provenance graph which is constructed based on dependencies of processes. Furthermore, this work studies the monitoring strategy to efficiently detect APT attacks from incomplete information of paths on the provenance graph, by considering both the "exploitation" effect and the "exploration" effect. The contributions of this work are two-fold. First, it extends the classic UCB algorithm in the domain of the multi-armed bandit problem to solve cyber security problems, and proposes to use the malevolence value of a path, which is generated by a novel LSTM neural network as the exploitation term. Second, the consideration of "exploration" is innovative in the detection of APT attacks with limited monitoring resources. The experimental results show that the use of the LSTM neural network is beneficial to enforce the exploitation effect as it satisfies the same property as the exploitation term in the classic UCB algorithm and that by using the proposed monitoring strategy, multiple simultaneous APT attacks are detected more efficiently than using the random strategy and the greedy strategy, regarding the time needed to detect same number of APT attacks.

show abstract

Section: Related Workmentioning

confidence: 99%

Strategic Monitoring for Efficient Detection of Simultaneous APT Attacks with Limited Resources

Fan¹,

Liu²,

Perigo³

2023

IJACSA

View full text Add to dashboard Cite

show abstract

“…■ Threat -The threat actors also have the capability of gaining access to electronically stored sensitive information [5]. Other than the purpose of collecting of national secrets or political espionage, based on the functions discovered, it is believed that this threat can also apply to the cases in business or industrial espionage, spying acts or even un-ethical detective investigations [6]- [8].…”

Section: A Apts Traitsmentioning

confidence: 99%

“…The implemented approach achieved competitive attack detection capability with 0% FAR and TPR of 96.50%. This was investigated further in [6], where stacked ensemble-LSTM variants for APT DASAC framework were applied to optimize attack detection rate and achieved overall average mean detection accuracy of 85%. ■ Case Study Two: Application to KDDCup'99 Dataset:…”

Section: Application Domainsmentioning

confidence: 99%

Advanced Persistent Threats Detection based on Deep Learning Approach

Eke

Petrovski²

2023

2023 IEEE 6th International Conference on Industrial Cyber-Physical Systems (ICPS)

Self Cite

View full text Add to dashboard Cite

Advanced Persistent Threats (APTs) have been a major challenge in securing both Information Technology (IT) and Operational Technology (OT) systems. APT is a sophisticated attack that masquerade their actions to navigates around defenses, breach networks, often, over multiple network hosts and evades detection. It also uses "low-and-slow" approach over a long period of time. Resource availability, integrity, and confidentiality of the operational cyber-physical systems (CPS) state and control is highly impacted by the safety and security measures in place. A framework multi-stage detection approach termed "APTDASAC" to detect different tactics, techniques, and procedures (TTPs) used during various APT steps is proposed. Implementation was carried out in three stages: (i) Data input and probing layer -this involves data gathering and preprocessing, (ii) Data analysis layer; applies the core process of "APTDASAC" to learn the behaviour of attack steps from the sequence data, correlate and link the related output and, (iii) Decision layer; the ensemble probability approach is utilized to integrate the output and make attack prediction. The framework was validated with three different datasets and three case studies. The proposed approach achieved a significant attacks detection capability of 86.36% with loss as 0.32%, demonstrating that attack detection techniques applied that performed well in one domain may not yield the same good result in another domain. This suggests that robustness and resilience of operational systems state to withstand attack and maintain system performance are regulated by the safety and security measures in place, which is specific to the system in question.

show abstract

Framework for Detecting APTs Based on Steps Analysis and Correlation

Cited by 2 publications

References 41 publications

Strategic Monitoring for Efficient Detection of Simultaneous APT Attacks with Limited Resources

Strategic Monitoring for Efficient Detection of Simultaneous APT Attacks with Limited Resources

Advanced Persistent Threats Detection based on Deep Learning Approach

Contact Info

Product

Resources

About