Hao Yan,Qianzhen Zhang,Junjie Xie,Ziyue Lu,Sheng Chen,Deke Guo

DOI: https://doi.org/10.1109/ICPADS53394.2021.00062

2021-01-01

Abstract:The advanced persistent threat (APT) is a stealthy cyber attack perpetrated by a group that gains unauthorized access to a computer network and remains undiscovered to steal specific data and resources. Fast detection and defense of APT attacks are critical tasks in cyber security. Previous works use simple feature extraction and classification methods to distinguish APT information flow from the ...

Bo Zhang,Yansong Gao,Boyu Kuang,Changlong Yu,Anmin Fu,Willy Susilo

DOI: https://doi.org/10.1145/3700749

IF: 16.6

2024-01-01

ACM Computing Surveys

Abstract:In recent years, frequent Advanced Persistent Threat (APT) attacks have caused disastrous damage to critical facilities, leading to severe information leakages, economic losses, and even social disruptions. Via sophisticated, long-term, and stealthy network intrusions, APT attacks are often beyond the capabilities of traditional intrusion detection methods. Existing methods employ various techniques to enhance APT detection at different stages, but this makes it difficult to fairly and objectively evaluate the capability, value, and orthogonality of available techniques. Overly focusing on hardening specific APT detection stages cannot address some essential challenges from a global perspective, which would result in severe consequences. To holistically tackle this problem and explore effective solutions, we abstract a unified framework that covers the complete process of APT attack detection, with standardized summaries of state-of-the-art solutions and analysis of feasible techniques. Further, we provide an in-depth discussion of the challenges and countermeasures faced by each component of the detection framework. In addition, we comparatively analyze public datasets and outline the capability criteria to provide a reference for standardized evaluations. Finally, we discuss insights into potential areas for future research.

Yulu Qi,Rong Jiang,Aiping Li,Zhaoquan Gu,Yan Jia

DOI: https://doi.org/10.1007/978-3-030-71590-8_12

2021-01-01

Abstract:Information security is an important part of Internet security. As more and more industries rely on the Internet, it has become urgent to protect information security of these industries, spawned local area networks (LANs), intranets and so on. With the development of information sensor technology, the Internet of Things (IoT) that interconnects physical devices has emerged. As a unity of computing process and physical process, the Cyber-physical systems (CPS) is the next generation intelligent system which integrates computing, communication and controlling capabilities. CPS covers a wide range of applications and critical infrastructures, including intelligent transportation systems, telemedicine, smart grids, aerospace, and many other fields. The APT attacks are typically conducted directly against these critical infrastructures around the world, which would incur severe consequences. It is meaningful to protect these information by detecting the APT attacks timely and accurately, and effective defensive measures could be adopted. Although the APT attacks seem destructive, the attack process are complex and changeable. In essence, the attack process usually follows certain rules. In this chapter, we introduce a distributed framework for detecting the APT attacks. Cyber security knowledge graph stores existing knowledge and the attack rules, which plays an important role in analyzing the attacks. We first analyze potential attack events by the proposed distributed framework on Spark, then we mine the attack chains from massive data with the spatial and temporal characteristics. These steps could help identify complicated attacks. We also conduct extensive experiments, the results show that the analysis accuracy depends on the completeness of the cyber security knowledge graph and the precision of the detection results from security equipments. With the rational expectation about more exposure of attacks and faster upgrade of security equipments, it is sufficient and necessary to improve the cyber security knowledge graph constantly for better performance.KeywordsMDATAAPT attackCyberspace securityDistributed framework

Luoli Wang

DOI: https://doi.org/10.1088/1742-6596/2113/1/012037

2021-11-01

Journal of Physics: Conference Series

Abstract:Abstract Advanced Persistent Threats (APT) have caused severe damage to the core information infrastructure of many governments and organizations. APT attacks usually remain low and slow which makes them difficult to be detected. In this case, the way of correlatively analyzing massive logs generated by various security devices for effectively detecting the new type of cyber threat turns out to be more and more significant. In this paper, on the basis of analyzing the principles and characteristics of APT, we propose an intelligent threat detection method based on the expanded Cyber Attack Chain (CAC) model and the long short-term memory network (LSTM) autoencoder to extensively correlate malicious behaviors from spatial and temporal dimensions, which provides a brain new idea for the application and practice of complex network attack detection.

Yuqing Li,Wenkuan Dai,Jie Bai,Xiaoying Gan,Jingchao Wang,Xinbing Wang

DOI: https://doi.org/10.1109/TIFS.2018.2847671

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Combined with many different attack forms, advanced persistent threats (APTs) are becoming a major threat to cyber security. Existing security protection works typically either focus on one-shot case, or separate detection from response decisions. Such practices lead to tractable analysis, but miss key inherent APTs persistence and risk heterogeneity. To this end, we propose a Lyapunov-based secur...

BinHui Tang,JunFeng Wang,Zhongkun Yu,Bohan Chen,Wenhan Ge,Jian Yu,TingTing Lu

DOI: https://doi.org/10.1016/j.compeleceng.2022.108261

2022-10-01

Abstract:With the boom in Internet and information technology, cyber-attacks are becoming more frequent and sophisticated, especially Advanced Persistent Threat (APT) attacks. Unlike traditional attacks, APT attacks are more targeted, stealthy, and adversarial, rendering it challenging to manually analyze threat behaviors for APT detection, attribution, and response. Therefore, the research community has focused on intelligent defense methods. Intelligent threat profiling is dedicated to analyzing APT attacks and improving defense capability with Knowledge Graph and Deep Learning methods. With this insight, this paper provides the first systematic review of intelligent threat profiling techniques for APT attacks, covering three aspects: data, methods, and applications. The contents include data processing techniques, threat modeling, representation, reasoning methods, etc. Furthermore, this paper summarizes the latest research in applications, proposes the research framework and technical architecture, and provides insights into future research trends. This paper contributes to recognizing the advantages and challenges of intelligent threat profiling. It paves the way for integrating knowledge graphs and deep learning to achieve intelligent security.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Cho Do Xuan,Tung Thanh Nguyen

DOI: https://doi.org/10.1038/s41598-024-72957-0

IF: 4.6

2024-09-28

Scientific Reports

Abstract:To enhance the effectiveness of the Advanced Persistent Threat (APT) detection process, this research proposes a new approach to build and analyze the behavior profiles of APT attacks in network traffic. To achieve this goal, this study carries out two main objectives, including (i) building the behavior profile of APT IP in network traffic using a new intelligent computation method; (ii) analyzing and evaluating the behavior profile of APT IP based on a deep graph network. Specifically, to build the behavior profile of APT IP, this article describes using a combination of two different data mining methods: Bidirectional Long Short-Term Memory (Bi) and Attention (A). Based on the obtained behavior profile, the Dynamic Graph Convolutional Neural Network (DGCNN) is proposed to extract the characteristics of APT IP and classify them. With the flexible combination of different components in the model, the important information and behavior of APT attacks are demonstrated, not only enhancing the accuracy of detecting attack campaigns but also reducing false predictions. The experimental results in the paper show that the method proposed in this study has brought better results than other approaches on all measurements. In particular, the accuracy of APT attack prediction results (Precision) reached from 84 to 91%, higher than other studies of over 7%. These experimental results have proven that the proposed BiADG model for detecting APT attacks in this study is proper and reasonable. In addition, those experimental results have not only proven the effectiveness and superiority of the proposed method in detecting APT attacks but have also opened up a new approach for other cyber-attack detections such as distributed denial of service, botnets, malware, phishing, etc.

multidisciplinary sciences

CHEN Rui-dong,ZHANG Xiao-song,NIU Wei-na,LAN Hao-yue

DOI: https://doi.org/10.3969/j.issn.1001-0548.2019.06.011

2019-01-01

Abstract:Advanced persistent threat (APT) is a new kind of cyber-attack as a growth security events. This paper analysis more than 150 typical APT cases happened during last decade, and constructs the analytical model of APT attack, indicates 4 major problems of APT attack detection and countering: the fragile penetration protection problem, the low detection accuracy, the difficulty of determining the attack forensic, and the slow response to the unknown attack problem. In the meanwhile, this paper analyzes typical APT attacks in recent years, mines the association based on attacking tools. According to the experiments, there are similarity patterns between the tools used by the same organization. In summary, the integral APT defense scheme in this paper includes the latest achievements of four types of defense schemes, plays an academic supporting role in building a unified attack detection and traceability countermeasure platform.

Kai Xing,Aiping Li,Rong Jiang

DOI: https://doi.org/10.12783/dtetr/mcaee2020/35023

2020-01-01

DEStech Transactions on Engineering and Technology Research

Abstract:Cyberspace has been constantly threatened by attacks since its birth. With the development of high-tech and artificial intelligence, intelligent and efficient attack methods have emerged endlessly, and technological methods have been constantly renovated. In particular, Advanced Persistent Threat (APT) attacks are intensifying. How to effectively prevent this attack method has become the focus. With the advantages of machine learning, the thinking and technology of detection have made great progress. This article mainly discusses several innovative methods for detecting APT attacks based on machine learning, and looks forward to the future development direction.

Weixiang Chen,Xiaohan Helu,Chengjie Jin,Man Zhang,Hui Lu,Yanbin Sun,Zhihong Tian

DOI: https://doi.org/10.1002/ett.3884

IF: 3.6

2020-01-01

Transactions on Emerging Telecommunications Technologies

Abstract:Since the concept of IoT (Internet of Things) was proposed, it has digitized the real world and has a wide range of applications. However, with tremendous evolution in data acquisition and transfer, a new type of attack represented by advanced persistent threat (APT) has attracted wide attention. APT organization identification for malware is a method to detect APT attacks. However, most of malware is tailored to the goal, it is complex and changeable, or can be updated very quickly. The traditional analysis method is difficult to obtain the source information of APT organization from the malware in the IoT. To this end, we propose a software genes method to solve this problem. Software gene is binary fragment of specific function or information in the software body. In this paper, different from traditional data flow and instruction flow, a new gene model is proposed which combine with knowledge graph of malware behavior. We fill the processed malware information into the gene model to obtain the APT organization gene pool. Of course, the gene pool should be optimized to include the genetic characteristics of APT. In theory, there genetic characteristics can help us identify malware and APT accurately in the IoT. However, biological genetic similarity algorithms cannot be used directly. A genetic similarity algorithm for APT organization identification of malware will be designed instead. Simulations on real‐world dataset corroborate theoretical analysis and reveal the possibility of using genes for malware traceability.

Aaron Zimba,Hongsong Chen,Zhaoshun Wang,Mumbi Chishimba

DOI: https://doi.org/10.1016/j.future.2020.01.032

IF: 7.307

2020-01-01

Future Generation Computer Systems

Abstract:Advanced Persistent Threats (APT) present the most sophisticated types of attacks to modern networks which have proved to be very challenging to address. Using sophisticated attack techniques, attackers remotely control infected machines and exfiltrate sensitive information from organizations and governments. Security products deployed by enterprise networks based on traditional defenses often fail at detecting APT infections because of the dynamic nature of the APT attack process. To overcome the current limitations of attack network dynamics faced in APT studies, an innovative APT attack detection model based on a semi-supervised learning approach and complex networks characteristics is proposed in this paper. The entire targeted network is modeled as a small-world network and the evolving APT-Attack Network (APT-AN) as a scale-free network. Finite state machines are employed to model the state transitions of the nodes in the time domain in order to characterize the state changes during the APT attack process. The effectiveness of the model is demonstrated by applying it to real-world data from a large-scale enterprise network consisting of 17,684 hosts from the Los Alamos security lab. The proposed approach analyzes efficiently the large-scale dataset to reveal APT attack characteristics between the command and control center and the victim hosts. The final result is a ranked list of suspicious hosts participating in APT attack activities. The average detection precision of three APT stage is 90.5% in our proposed APT detection framework. The results show that the model can effectively detect the suspicious hosts at different stages of the APT attack process.

Weiyong Yang,Peng Gao,Hao Huang,Xingshen Wei,Haotian Zhang,Zhihao Qu

DOI: https://doi.org/10.1109/globecom48099.2022.10001486

2022-01-01

Abstract:Advanced persistent threat (APT) attacks have caused severe damage to many core information infrastructures. To tackle this issue, the graph-based methods have been proposed due to their ability for learning complex interaction patterns of network entities with discrete graph snapshots. However, such methods are challenged by the computer networking model characterized by a natural continuous-time dynamic heterogeneous graph. In this paper, we propose a heterogeneous graph neural network based APT detection method in smart grid clouds. Our model is an encoder-decoder structure. The encoder uses heterogeneous temporal memory and attention embedding modules to capture contextual information of interactions of network entities from the time and spatial dimensions respectively. We implement a prototype and conduct extensive experiments on real-world cyber-security datasets with more than 10 million records. Experimental results show that our method can achieve superior detection performance than state-of-the-art methods.

Yuntao Wang,Han Liu,Zhendong Li,Zhou Su,Jiliang Li

DOI: https://doi.org/10.1109/MNET.2024.3389734

2024-04-12

Abstract:The rise of advanced persistent threats (APTs) has marked a significant cybersecurity challenge, characterized by sophisticated orchestration, stealthy execution, extended persistence, and targeting valuable assets across diverse sectors. Provenance graph-based kernel-level auditing has emerged as a promising approach to enhance visibility and traceability within intricate network environments. However, it still faces challenges including reconstructing complex lateral attack chains, detecting dynamic evasion behaviors, and defending smart adversarial subgraphs. To bridge the research gap, this paper proposes an efficient and robust APT defense scheme leveraging provenance graphs, including a network-level distributed audit model for cost-effective lateral attack reconstruction, a trust-oriented APT evasion behavior detection strategy, and a hidden Markov model based adversarial subgraph defense approach. Through prototype implementation and extensive experiments, we validate the effectiveness of our system. Lastly, crucial open research directions are outlined in this emerging field.

Cryptography and Security

Zhen DAI,Guang CHENG

DOI: https://doi.org/10.3778/j.issn.1002-8331.1703-0552

2017-01-01

Abstract:Advanced Persistent Threat(APT)is a serious threat to the world, APT detection has become the key point of network security protection. Due to the complexity of APT, the traditional detection technology cannot perform well. An APT detection method is proposed by using APT communication features extracted from international security company reports. In order to improve the detection effect of this method, an algorithm for double feature matching is put forward. The initial feature matching method uses bloom filter to filter out some messages quickly, and then the exact matching method is set up to determine whether it is APT malicious traffic. The experimental results show that the method has higher detection rate and fewer false positives.

Wang Xiaoqi,Li Qiang,Yan Guanghua,Xuan Guangzhe,Guo Dong

DOI: https://doi.org/10.7544/issn1000-1239.2017.20170403

2017-01-01

Journal of Computer Research and Development

Abstract:In recent years ,advanced persistent threats (APT ) jeopardize the safety of enterprises , organizations and even countries ,leading to heavy economic losses .An important feature of APT is that it can persist in attacking and can lurk in the target network for a long time .Unfortunately ,we cannot detect APT effectively by current security measures . Recent researches have found that analyzing DNS request of the target network will help detect APT attacks .We add a time feature in the DNS traffic which is combined with change vector analysis (CVA ) and reputation score to detect covert and suspicious DNS behavior .In this paper ,we propose a new framework called APDD to detect covert and suspicious DNS behavior in long-term APT by analyzing a mass of DNS request data .We execute the data reduction algorithm on DNS request data and then extract their features .By using the CVA and the sliding time window method ,we analyze the similarity between the access records of the domains to be detected and those of the related domains of current APT .We build a reputation scoring system to grade the domain access records of high similarity . The APDD framework will output a list of suspicious domain access records so that security experts are able to analyze the top-k records in the list , which will surely improve the detection efficiency of APT attacks .Finally ,we use 1584225274 pieces of DNS request records which come from a large campus network and then simulate the attack data to verify the effectiveness and correctness of APDD . Experiments show that the APDD framework can effectively detect covert and suspicious DNS behavior in APT .

Yue Li,Teng Zhang,Xue Li,Ting Li

DOI: https://doi.org/10.1007/978-981-13-6621-5_10

2019-01-01

Abstract:AbstractThe targets of Advanced Persistent Threat (APT) are mainly concentrate on national key information infrastructure, key research institutes, and large commercial companies, for the purpose of stealing sensitive information, trade secrets or destroying important infrastructure. Traditional protection system is difficult to detect the APT attack, due to the method of the APT attack is unknown and uncertain. And the persisted evolution ability destroyed the traditional protection methods based on feature detection. Therefore, this paper based on the theory of red-blue confrontation, to construct the game model of attack and defense. And then combined the APT offense and defense experience, presents a model based on cyber threat detection to deal with APT attacks.

Jiazhong Lu,Kai Chen,Zhongliu Zhuo,XiaoSong Zhang

DOI: https://doi.org/10.1007/s10586-017-1256-y

2017-01-01

Cluster Computing

Abstract:Advanced persist threat (APT for short) is an emerging attack on the Internet. Such attack patterns leave their footprints spatio-temporally dispersed across many different type traffics in victim machines. However, existing traffic analysis systems typically target only a single type of traffic to discover evidence of an attack and therefore fail to exploit fundamental inter-traffic connections. The output of such single-traffic analysis can hardly detect the complete APT attack story for complex, multi-stage attacks. Additionally, some existing approaches require heavyweight system instrumentation, which makes them impractical to deploy in real production environments. To address these problems, we present an automated temporal correlation traffic detection system (ATCTDS). Inspired by anomaly traffic analytics research in big data network analysis, we model multi-type traffic analysis as a detection problem. Our evaluation with 36 well-known APT attack dataset demonstrates that our system can detect attack behaviors from a spectrum of cyber attacks that involve multiple types with high accuracy and low false positive rates.

Zitong Li,Xiang Cheng,Lixiao Sun,Ji Zhang,Bing Chen

DOI: https://doi.org/10.1155/2021/9961342

IF: 1.968

2021-05-04

Security and Communication Networks

Abstract:Advanced Persistent Threats (APTs) are the most sophisticated attacks for modern information systems. Currently, more and more researchers begin to focus on graph-based anomaly detection methods that leverage graph data to model normal behaviors and detect outliers for defending against APTs. However, previous studies of provenance graphs mainly concentrate on system calls, leading to difficulties in modeling network behaviors. Coarse-grained correlation graphs depend on handcrafted graph construction rules and, thus, cannot adequately explore log node attributes. Besides, the traditional Graph Neural Networks (GNNs) fail to consider meaningful edge features and are difficult to perform heterogeneous graphs embedding. To overcome the limitations of the existing approaches, we present a hierarchical approach for APT detection with novel attention-based GNNs. We propose a metapath aggregated GNN for provenance graph embedding and an edge enhanced GNN for host interactive graph embedding; thus, APT behaviors can be captured at both the system and network levels. A novel enhancement mechanism is also introduced to dynamically update the detection model in the hierarchical detection framework. Evaluations show that the proposed method outperforms the state-of-the-art baselines in APT detection.

computer science, information systems,telecommunications

陈剑锋,王强,伍淼

DOI: https://doi.org/10.3969/j.issn.1009-8054.2012.07.027

2012-01-01

Abstract:APT, as information security threat, aims at important enterprise and government assets and constitutes a serious challenge to information systems＇ usability and reliability. APT, being versatile, effective, and difficult to defend, gradually becomes the main evolution trend of network infiltration and system attack, thus receiving much attention from IA researchers. Current study on APT is done principally by security vendors, and these vendors focus on output of their security concept by threat assessment, while neglecting the thorough analysis on the constitution and developing background of APT. Starting from normal definition and feature of APT, the developing background and procedure of APT attack is described in detail, and some feasible measures for detecting, reacting on and preventing APT attack are also Riven.

Jiazhong Lu,Xiaosong Zhang,Wang Junfeng,Ying Lingyun

DOI: https://doi.org/10.1109/ICITBS.2016.87

2016-01-01

Abstract:APT(Advanced persist threat) is an emerging attack on the Internet. Attackers may combine phishing emails, malware, social engineering and botnets to create a series of attacks in one APT attack which makes it quite difficult for detection. In this way, attackers can remotely control the infected host, or steal sensitive information. In this paper, we proposed a time transform features approach for distinguishing APT attacks based on the observation that malicious payload must be transferred to the target hosts in an APT attack. By comparing the normal traffic with the traffic containing a malicious payload, we are able to catch the signal of malicious payload and further infer the existence of APT attacks. Then we use machine learning methods to detect APT attacks in big data. To verify this approach, we placed a device on the gateway of our university for catching the real Internet traffic of the university for one month. Then we mixed the APT traffic with these flows, and see whether our approach can identify the malicious payloads. We found our approach is not only accurate but also efficient for catching APT attacks.