16 results
Search Results
2. A technical characterization of APTs by leveraging public resources.
- Author
- González-Manzano, Lorena, de Fuentes, José M., Lombardi, Flavio, and Ramos, Cristina
- Subjects
- MALWARE
- Abstract
Advanced persistent threats (APTs) have rocketed over the last years. Unfortunately, their technical characterization is incomplete—it is still unclear if they are advanced usages of regular malware or a different form of malware. This is key to develop an effective cyberdefense. To address this issue, in this paper we analyze the techniques and tactics at stake for both regular and APT-linked malware. To enable reproducibility, our approach leverages only publicly available datasets and analysis tools. Our study involves 11,651 regular malware and 4686 APT-linked ones. Results show that both sets are not only statistically different, but can be automatically classified with F1 > 0.8 in most cases. Indeed, 8 tactics reach F1 > 0.9. Beyond the differences in techniques and tactics, our analysis shows that actors behind APTs exhibit higher technical competence than those from non-APT malware. [ABSTRACT FROM AUTHOR]
- Published
- 2023
3. Advanced Persistent Threats and Their Defense Methods in Industrial Internet of Things: A Survey.
- Author
- Gan, Chenquan, Lin, Jiabin, Huang, Da-Wen, Zhu, Qingyi, and Tian, Liang
- Subjects
- INTERNET of things; INTERNET surveys
- Abstract
The industrial internet of things (IIoT) is a key pillar of the intelligent society, integrating traditional industry with modern information technology to improve production efficiency and quality. However, the IIoT also faces serious challenges from advanced persistent threats (APTs), a stealthy and persistent method of attack that can cause enormous losses and damages. In this paper, we give the definition and development of APTs. Furthermore, we examine the types of APT attacks that each layer of the four-layer IIoT reference architecture may face and review existing defense techniques. Next, we use several models to model and analyze APT activities in IIoT to identify their inherent characteristics and patterns. Finally, based on a thorough discussion of IIoT security issues, we propose some open research topics and directions. [ABSTRACT FROM AUTHOR]
- Published
- 2023
4. A multi-layer approach for advanced persistent threat detection using machine learning based on network traffic.
- Author
- Xuan, Cho Do, Duong, Duc, and Dau, Hoang Xuan
- Subjects
- MACHINE learning; BEHAVIORAL assessment; INFORMATION technology security; SECURITY systems; GOAL (Psychology)
- Abstract
Advanced Persistent Threat (APT) is a dangerous network attack method that is widely used by attackers nowadays. During the APT attack process, attackers often use advanced techniques and tools, thus causing many difficulties for information security systems. In fact, to detect APT attacks, intrusion detection systems cannot rely on one technique or method but often combine multiple techniques and methods. In addition, the approach for APT attack detection using behavior analysis and evaluation techniques is facing many difficulties due to the lack of characteristic data of attack campaigns. For the above reasons, in this paper, we propose a method for APT attack detection based on a multi-layer analysis. The multi-layer analysis technique in our proposal computes and analyzes various events in Network Traffic to detect and synthesize abnormal signs and behaviors in order to make conclusions about the existence of APT in the system. Specifically, in our proposal, we will use 3 serial main layers for the APT attack detection process including i) Detecting APT attacks based on analyzing abnormal connections; ii) Detecting APT attacks based on analyzing and evaluating Suricata logs; iii) Detecting APT attacks based on analyzing behavior profiles that are compiled from layers (i) and (ii). To achieve these goals, the multi-layer analysis technique for APT attack detection will perform 2 main tasks: i) Analyzing and evaluating components of Network Traffic based on abnormal signs and behaviors; ii) Building and classifying behavior profiles based on each component of network traffic. In the experimental section, we will compare and evaluate the effectiveness of the APT attack detection process of each layer in the multi-layer analysis model using machine learning. Experimental results have shown that the APT attack detection method based on analyzing behavior profiles has yielded better results than individual detection methods on all metrics. The research results shown in the paper not only demonstrate the effectiveness of the multi-layer analysis model for APT attack detection but also provide a novel approach for detecting several other cyber-attack techniques. [ABSTRACT FROM AUTHOR]
- Published
- 2021
5. Memory Visualization-Based Malware Detection Technique.
- Author
- Shah, Syed Shakir Hameed, Jamil, Norziana, and Khan, Atta ur Rehman
- Subjects
- MEMORY; MACHINE learning; IMAGE denoising; COMPUTER vision; IMAGE compression; MALWARE
- Abstract
Advanced Persistent Threat is an attack campaign in which an intruder or team of intruders establishes a long-term presence on a network to mine sensitive data, which becomes more dangerous when combined with polymorphic malware. This type of malware is not only undetectable, but it also generates multiple variants of the same type of malware in the network and remains in the system's main memory to avoid detection. Few researchers employ a visualization approach based on a computer's memory to detect and classify various classes of malware. However, a preprocessing step of denoising the malware images was not considered, which results in an overfitting problem and prevents us from perfectly generalizing a model. In this paper, we introduce a new data engineering approach comprising two main stages: Denoising and Re-Dimensioning. The first aims at reducing or ideally removing the noise in the malware's memory-based dump files' transformed images. The latter further processes the cleaned images by compressing them to reduce their dimensionality. This is to avoid the overfitting issue and lower the variance, computing cost, and memory utilization. We then built our machine learning model that implements the new data engineering approach, and the result shows that performance metrics of 97.82% for accuracy, 97.66% for precision, 97.25% for recall, and 97.57% for f1-score are obtained. Our new data engineering approach and machine learning model outperform existing solutions by 0.83% accuracy, 0.30% precision, 1.67% recall, and 1.25% f1-score. In addition to that, the computational time and memory usage have also been reduced significantly. [ABSTRACT FROM AUTHOR]
- Published
- 2022
6. APT-Dt-KC: advanced persistent threat detection based on kill-chain model.
- Author
- Panahnejad, Maryam and Mirabi, Meghdad
- Subjects
- ANALYTIC hierarchy process; PEARSON correlation (Statistics); CLASSIFICATION algorithms; FUZZY algorithms; INTEREST rates; BALLISTIC missile defenses
- Abstract
Advanced persistent threat attacks are considered a serious risk to almost any infrastructure since attackers are constantly changing and evolving their advanced techniques and methods. It is difficult to use traditional defense for detecting advanced persistent threat attacks and protecting network information. The detection of advanced persistent threat attacks is usually mixed with many other attacks. Therefore, it is necessary to have a solution that is safe from error and failure in detecting them. In this paper, an intelligent approach called "APT-Dt-KC" is proposed to analyze, identify, and prevent cyber-attacks using the cyber kill chain model and matching its fuzzy characteristics with the advanced persistent threat attack. In APT-Dt-KC, the Pearson correlation test is used to reduce the amount of processing data, and then a hybrid intrusion detection method is proposed using a Bayesian classification algorithm and the fuzzy analytical hierarchy process. The experimental results show that APT-Dt-KC has a false positive rate and false negative rate 1.9% and 3.6% less than the existing approach, respectively. The accuracy and detection rate of APT-Dt-KC have reached 98% with an average improvement of 5% over the existing approach. [ABSTRACT FROM AUTHOR]
- Published
- 2022
7. Machine Learning for Detecting Data Exfiltration: A Review.
- Author
- Sabir, Bushra, Ullah, Faheem, Babar, M. Ali, and Gaire, Raj
- Subjects
- MACHINE learning; SOFTWARE engineers; KEY performance indicators (Management); SOFTWARE engineering
- Abstract
Context: Research at the intersection of cybersecurity, Machine Learning (ML), and Software Engineering (SE) has recently taken significant steps in proposing countermeasures for detecting sophisticated data exfiltration attacks. It is important to systematically review and synthesize the ML-based data exfiltration countermeasures for building a body of knowledge on this important topic. Objective: This article aims at systematically reviewing ML-based data exfiltration countermeasures to identify and classify ML approaches, feature engineering techniques, evaluation datasets, and performance metrics used for these countermeasures. This review also aims at identifying gaps in research on ML-based data exfiltration countermeasures. Method: We used the Systematic Literature Review (SLR) method to select and review 92 papers. Results: The review has enabled us to: (a) classify the ML approaches used in the countermeasures into data-driven and behavior-driven approaches; (b) categorize features into six types: behavioral, content-based, statistical, syntactical, spatial, and temporal; (c) classify the evaluation datasets into simulated, synthesized, and real datasets; and (d) identify 11 performance measures used by these studies. Conclusion: We conclude that: (i) The integration of data-driven and behavior-driven approaches should be explored; (ii) There is a need for developing high-quality and large-size evaluation datasets; (iii) Incremental ML model training should be incorporated in countermeasures; (iv) Resilience to adversarial learning should be considered and explored during the development of countermeasures to avoid poisoning attacks; and (v) The use of automated feature engineering should be encouraged for efficiently detecting data exfiltration attacks. [ABSTRACT FROM AUTHOR]
- Published
- 2022
8. Equipment classification based differential game method for advanced persistent threats in Industrial Internet of Things.
- Author
- Gan, Chenquan, Lin, Jiabin, Huang, Da-Wen, Zhu, Qingyi, Tian, Liang, and Jain, Deepak Kumar
- Subjects
- DIFFERENTIAL games; INTERNET of things; NASH equilibrium; CLASSIFICATION; EVOLUTIONARY models; FEMTOCELLS
- Abstract
This paper is dedicated to solving the problem of Advanced Persistent Threat (APT) attack and defense in the Industrial Internet of Things (IIoT). Due to the diversity of IIoT equipment and the inconsistency of protection capabilities, it is difficult for the existing uniform defense strategy and the random defense strategy to achieve ideal results. Considering that both attackers and defenders aim to achieve maximum benefits by paying the minimum cost, as well as the differences between devices, this paper proposes an equipment classification based differential game method for APT in IIoT. Firstly, all equipment is divided into two categories according to their protective capabilities. Secondly, the APT attack and defense process is mathematically described, and the corresponding differential game problem is formulated and analyzed theoretically. Finally, the theoretical results of this method are verified by various experiments, including the comparisons with the uniform defense strategy, the random defense strategy, and the latest model.
- A new equipment-based evolutionary dynamics model is proposed.
- A necessity system is established to narrow the scope of searching for Nash equilibrium.
- An algorithm is designed to generate the Nash equilibrium.
[ABSTRACT FROM AUTHOR]
- Published
- 2024
9. A novel approach for APT attack detection based on combined deep learning model.
- Author
- Do Xuan, Cho and Dao, Mai Hoang
- Subjects
- DEEP learning; CONVOLUTIONAL neural networks; MACHINE learning; BEHAVIORAL assessment; INTERNET protocol address; IP networks
- Abstract
Advanced persistent threat (APT) attack is a malicious attack type which has intentional and clear targets. This attack technique has become a challenge for information security systems of organizations, governments, and businesses. The approaches of using machine learning or deep learning algorithms to analyze signs and abnormal behaviors of network traffic for detecting and preventing APT attacks have become popular in recent years. However, the APT attack detection approach that uses behavior analysis and evaluation techniques is facing many difficulties due to the lack of typical data of attack campaigns. To handle this situation, recent studies have selected and extracted APT attack behaviors which are based on datasets built from experimental tools. Consequently, these properties are few and difficult to obtain in practical monitoring systems. Therefore, although the experimental results show good detection, it does not bring high efficiency in practice. For the above reasons, in this paper, a new method based on network traffic analysis using a combined deep learning model to detect APT attacks will be proposed. Specifically, individual deep learning networks such as multilayer perceptron (MLP), convolutional neural network (CNN), and long short-term memory (LSTM) will also be sought, built and linked into combined deep learning networks to analyze and detect signs of APT attacks in network traffic. To detect APT attack signals, the combined deep learning models are performed in two main stages including (i) extracting IP features based on flow: In this phase, we will analyze network traffic into networking flows by IP address and then use the combined deep learning models to extract IP features by network flow; (ii) classifying APT attack IPs: Based on the IP features extracted in task (i), the APT attack IPs and normal IPs will be identified and classified. The proposal of a combined deep learning model to detect APT attacks based on network traffic is a new approach, and there is no research proposed and applied yet. In the experimental section, combined deep learning models proved their superior abilities to ensure accuracy on all measurements from 93 to 98%. This is a very good result for APT attack detection based on network traffic. [ABSTRACT FROM AUTHOR]
- Published
- 2021
10. APT attack detection based on flow network analysis techniques using deep learning.
- Author
- Do Xuan, Cho, Dao, Mai Hoang, and Nguyen, Hoa Dinh
- Subjects
- INTERNET traffic; MACHINE learning; SHORT-term memory; DEEP learning; LONG-term memory; TRAFFIC flow
- Abstract
Advanced Persistent Threat (APT) attacks are a form of malicious, intentionally and clearly targeted attack. This attack technique is growing in both the number of recorded attacks and the extent of its dangers to organizations, businesses and governments. Therefore, the task of detecting and warning of APT attacks in the real system is very necessary today. One of the most effective approaches to APT attack detection is to apply machine learning or deep learning to analyze network traffic. There have been a number of studies and recommendations to analyze network traffic into network flows and then combine with some classification or clustering methods to look for signs of APT attacks. In particular, recent studies often apply machine learning algorithms to spot the presence of APT attacks based on network flow. In this paper, a new method based on deep learning to detect APT attacks using network flow is proposed. Accordingly, in our research, network traffic is analyzed into IP-based network flows, then the IP information is reconstructed from flow, and finally deep learning models are used to extract features for detecting APT attack IPs from other IPs. Additionally, a combined deep learning model using Bidirectional Long Short-Term Memory (BiLSTM) and Graph Convolutional Networks (GCN) is introduced. The new detection model is evaluated and compared with some traditional machine learning models, i.e. Multi-layer perceptron (MLP) and single GCN models, in the experiments. Experimental results show that the BiLSTM-GCN model has the best performance in all evaluation scores. This not only shows that deep learning application on flow network analysis to detect APT attacks is a good decision but also suggests a new direction for network intrusion detection techniques based on deep learning. [ABSTRACT FROM AUTHOR]
- Published
- 2020
11. A Method for Feature Selection of APT Samples Based on Entropy.
- Author
- Zhenyu Du, Yihong Li, and Jinsong Hu
- Subjects
- FEATURE selection; MALWARE; ENTROPY (Information theory); ALGORITHMS; LOGIC
- Abstract
By studying the known APT attack events deeply, this paper proposes a feature selection method for APT samples and a logic expression generation algorithm, IOCG (Indicator of Compromise Generate). The algorithm can automatically generate machine-readable IOCs (Indicators of Compromise), to solve the limitations of existing IOCs, whose logical relationships are fixed, whose number of logical items is unchanged, which are large in scale, and which cannot generate an expression for a sample. At the same time, it can reduce the time consumed processing redundant and useless APT samples, improve the sharing rate of information analysis, and actively respond to the complex and volatile APT attack situation. The samples were divided into an experimental set and a training set, and then the algorithm was used to generate the logical expression of the training set with the IOC_Aware plug-in. The contrast expression itself was different from the detection result. The experimental results show that the algorithm is effective and can improve the detection effect. [ABSTRACT FROM AUTHOR]
- Published
- 2018
12. Tracking APTs in industrial ecosystems: A proof of concept.
- Author
- Rubio, Juan E., Roman, Rodrigo, Alcaraz, Cristina, and Zhang, Yan
- Subjects
- INDUSTRIAL ecology; PROOF of concept
- Abstract
In recent years, Advanced Persistent Threats (APTs) have become a major issue for critical infrastructures that are increasingly integrating modern IT technologies. This requires the development of advanced cyber-security services that can holistically detect and trace these attacks, beyond traditional solutions. In this sense, Opinion Dynamics has been proven as an effective solution, as it can locate the most affected areas within the industrial network. With this information, it is possible to put in place accurate response techniques to limit the impact of attacks on the infrastructure. In this paper, we analyze the applicability of Opinion Dynamics to trace an APT throughout its entire life cycle, by correlating different anomalies over time and accounting for the persistence of threats and the criticality of resources. Moreover, we run various experiments with this novel technique over a testbed that models a real control system, thereby assessing its effectiveness in an actual industrial scenario. [ABSTRACT FROM AUTHOR]
- Published
- 2019
13. Dynamic defense strategy against advanced persistent threat under heterogeneous networks.
- Author
- Lv, Kun, Chen, Yun, and Hu, Changzhen
- Subjects
- DATA fusion (Statistics); GAME theory; WIRELESS sensor networks; NASH equilibrium
- Highlights
- A mixed strategy game-based malicious nodes detection is proposed.
- A data fusion method NetF is proposed to fuse data obtained from different networks.
- An excellent performance is shown by NetF in experiments.
- Our algorithm can plan the best defense strategy to nodes at different times.
- Abstract
Advanced persistent threats (APTs) pose a grave threat in cyberspace because of their long latency and concealment. In this paper, we propose a hybrid strategy game-based dynamic defense model to optimally allocate constrained secure resources for the target network. In addition, values of profits of players in this game are computed by a novel data-fusion method called NetF. Based on network protocols and log documents, the NetF deciphers data packets collected from different networks to natural language to make them comparable. Using this algorithm, data observed from the Internet and wireless sensor networks (WSNs) can be fused to calculate the comprehensive payoff of every node precisely. The Nash equilibrium can be computed using the value to detect the possibility of a node being a malicious node. Using this method, the dynamic optimal defense strategy can be allocated to every node at different times, which enhances the security of the target network obviously. In experiments, we illustrate the obtained results via case studies of a cluster of heterogeneous networks. The results guide planning of optimal defense strategies for different kinds of nodes at different times. [ABSTRACT FROM AUTHOR]
- Published
- 2019
14. Advanced Persistent Threat intelligent profiling technique: A survey.
- Author
- Tang, BinHui, Wang, JunFeng, Yu, Zhongkun, Chen, Bohan, Ge, Wenhan, Yu, Jian, and Lu, TingTing
- Subjects
- KNOWLEDGE graphs; ELECTRONIC data processing; INFORMATION technology; SCIENTIFIC community; DEEP learning
- Abstract
With the boom in Internet and information technology, cyber-attacks are becoming more frequent and sophisticated, especially Advanced Persistent Threat (APT) attacks. Unlike traditional attacks, APT attacks are more targeted, stealthy, and adversarial, rendering it challenging to manually analyze threat behaviors for APT detection, attribution, and response. Therefore, the research community has focused on intelligent defense methods. Intelligent threat profiling is dedicated to analyzing APT attacks and improving defense capability with Knowledge Graph and Deep Learning methods. With this insight, this paper provides the first systematic review of intelligent threat profiling techniques for APT attacks, covering three aspects: data, methods, and applications. The contents include data processing techniques, threat modeling, representation, reasoning methods, etc. Furthermore, this paper summarizes the latest research in applications, proposes the research framework and technical architecture, and provides insights into future research trends. This paper contributes to recognizing the advantages and challenges of intelligent threat profiling. It paves the way for integrating knowledge graphs and deep learning to achieve intelligent security.
- The first review paper on intelligent threat profiling of Advanced Persistent Threat.
- Summarizes the research findings on three aspects: data, methods and applications.
- Proposes the research framework and technical architecture of intelligent threat profiling.
- Analyzes the challenges and provides insights into future research trends.
[ABSTRACT FROM AUTHOR]
- Published
- 2022
15. A Flow Based Approach to Detect Advanced Persistent Threats in Communication Systems.
- Author
- BAHTİYAR, Şerif
- Abstract
The expansive usage of the Internet has set the stage for advanced persistent threats that have increased costs considerably in cyber space. Most of the time, entities exchange information and they are controlled remotely via many communication systems with rich connectivity options on the Internet. Intruders accomplish advanced persistent threats by using such rich connectivity options. These threats are extremely complex and they have unique features. Detecting such threats and the corresponding attacks is therefore very difficult, a circumstance that makes it impossible for classical intrusion detection systems to deal with them. In this paper, a flow-based approach to detect advanced persistent threats is presented with a new model, namely FD-APT. The approach considers advanced persistent threat based attacks that are carried out with advanced malware. Moreover, the FD-APT model distinguishes properties of malware types. The new approach is also analyzed with two case studies to highlight capabilities of FD-APT. The analysis results show that FD-APT helps to detect advanced persistent threats that are based on advanced malware. [ABSTRACT FROM AUTHOR]
- Published
- 2018
16. Flow-Data Gathering Using NetFlow Sensors for Fitting Malicious-Traffic Detection Models.
- Author
- Campazas-Vega, Adrián, Crespo-Martínez, Ignacio Samuel, Guerrero-Higueras, Ángel Manuel, and Fernández-Llamas, Camino
- Subjects
- DETECTORS; MACHINE learning; GOVERNMENT report writing; MACHINE tools; GOVERNMENT corporations; INTERNET traffic; WIRELESS sensor networks
- Abstract
Advanced persistent threats (APTs) are a growing concern in cybersecurity. Many companies and governments have reported incidents related to these threats. Throughout the life cycle of an APT, one of the most commonly used techniques for gaining access is network attacks. Tools based on machine learning are effective in detecting these attacks. However, researchers usually have problems with finding suitable datasets for fitting their models. The problem is even harder when flow data are required. In this paper, we describe a framework to gather flow datasets using a NetFlow sensor. We also present the Docker-based framework for gathering netflow data (DOROTHEA), a Docker-based solution implementing the above framework. This tool aims to easily generate taggable network traffic to build suitable datasets for fitting classification models. In order to demonstrate that datasets gathered with DOROTHEA can be used for fitting classification models for malicious-traffic detection, several models were built using the model evaluator (MoEv), a general-purpose tool for training machine-learning algorithms. After carrying out the experiments, four models obtained detection rates higher than 93%, thus demonstrating the validity of the datasets gathered with the tool. [ABSTRACT FROM AUTHOR]
- Published
- 2020
Discovery Service for Jio Institute Digital Library