Zhijie Liu,Chongjun Wang,Shifu Chen

DOI: https://doi.org/10.1109/ISA.2008.11

2008-01-01

Abstract:Most cyber-attacks are not single attack actions. They are multi-step attacks composed by a set of attack actions. Although techniques used by attackers can be diverse, attack patterns are generally finite. So we need to find attack steps that are correlated in an attack scenario. By studying the patterns of multi-step cyber attacks, an algorithm is presented for correlating multi-step cyber attacks and constructing attack scenario system based on modeling multi-step cyber attacks. When alerts appear, the algorithm turns them into corresponding attack models based on the knowledge base and correlates them, whether alert or not is based on the weighted cost in the attack path graph and the attack degree of the corresponding host. And attack scenarios can be constructed by correlating the attack path graphs. Moreover, the model can detect intrusion alerts in real time and revise the attack scenarios. Experiments on the DARPA IDS test dataset show the validity of the algorithm.

Abdulellah Alsaheel,Yuhong Nan,Shiqing Ma,Le Yu,Gregory Walkup,Z. Berkay Celik,Xiangyu Zhang,Dongyan Xu

2021-01-01

Abstract:Advanced Persistent Threats (APT) involve multiple attack steps over a long period, and their investigation requires analysis of myriad logs to identify their attack steps, which are a set of activities undertaken to run an APT attack. However, on a daily basis in an enterprise, intrusion detection systems generate many threat alerts of suspicious events (attack symptoms). Cyber analysts must investigate such events to determine whether an event is a part of an attack. With many alerts to investigate, cyber analysts often end up with alert fatigue, causing them to ignore a large number of alerts and miss true attack events. In this paper, we present ATLAS, a framework that constructs an end-to-end attack story from off-the-shelf audit logs. Our key observation is that different attacks may share similar abstract attack strategies, regardless of the vulnerabilities exploited and payloads executed. ATLAS leverages a novel combination of causality analysis, natural language processing, and machine learning techniques to build a sequence-based model, which establishes key patterns of attack and non-attack behaviors from a causal graph. At inference time, given a threat alert event, an attack symptom node in a causal graph is identified. ATLAS then constructs a set of candidate sequences associated with the symptom node, uses the sequence-based model to identify nodes in a sequence that contribute to the attack, and unifies the identified attack nodes to construct an attack story. We evaluated ATLAS with ten real-world APT attacks executed in a realistic virtual environment. ATLAS recovers attack steps and construct attack stories with an average of 91.06% precision, 97.29% recall, and 93.76% F1-score. Through this effort, we provide security investigators with a new means of identifying the attack events that make up the attack story.

Hao Yue,Tong Li,Di Wu,Runzi Zhang,Zhen Yang

DOI: https://doi.org/10.1016/j.cose.2024.103748

IF: 5.105

2024-05-01

Computers & Security

Abstract:Advanced persistent threats (APTs) are a significant threat to network security as they can disintegrate the security fortress of enterprises. Recent studies have focused on detecting APT attacks by matching typical tactics, techniques, and procedures (TTPs) associated with APT attacks. However, the lack of positive APT samples affects the performance of existing approaches. To address this challenge, we propose a novel attack intent-driven and sequence-based learning approach (AISL) for APT detection. AISL integrates heterogeneous audit data and creates corresponding security tags based on attack intent. Specifically, we investigate various data sources of attack detection and establish a dedicated network event ontology. Based on this ontology, we construct a provenance graph that integrates audit data from heterogeneous sources. During the construction of the provenance graph, we identify and tag potential attack behaviors based on attack intent to increase the number of positive samples in the dataset. Finally, we train a tag-sequence-based semantic model for APT detection. We evaluated AISL through ten realistic APT attacks and achieved an average precision of 93.05%, recall of 98.12%, and F1-score of 95.36%, outperforming state-of-the-art approaches.

computer science, information systems

Yue Li,Teng Zhang,Xue Li,Ting Li

DOI: https://doi.org/10.1007/978-981-13-6621-5_10

2019-01-01

Abstract:AbstractThe targets of Advanced Persistent Threat (APT) are mainly concentrate on national key information infrastructure, key research institutes, and large commercial companies, for the purpose of stealing sensitive information, trade secrets or destroying important infrastructure. Traditional protection system is difficult to detect the APT attack, due to the method of the APT attack is unknown and uncertain. And the persisted evolution ability destroyed the traditional protection methods based on feature detection. Therefore, this paper based on the theory of red-blue confrontation, to construct the game model of attack and defense. And then combined the APT offense and defense experience, presents a model based on cyber threat detection to deal with APT attacks.

LI Hui,ZHENG Qing-hua,HAN Chong-zhao,GUAN Xiao-hong

DOI: https://doi.org/10.3321/j.issn:1000-436x.2005.04.013

2005-01-01

Abstract:A fuzzy multiple hypothesis intrusion scenarios building algorithm was proposed based on multiple hypothesis tracking(MHT)theory which originated from information fusion. The algorithm could automatically analyze and organize alarms produced by intrusion detection systems to form credible attack segments and finally generate intrusion scenarios. The whole process can be divided into three steps, which were hypothesis generation, fuzzy hypothesis assessment and hypothesis management. Experiments on the DARPA2000 IDS test dataset show that the algorithm is effective and efficient.

Yi-Ting Huang,Ying-Ren Guo,Guo-Wei Wong,Meng Chang Chen

2024-10-30

Abstract:As Advanced Persistent Threats (APTs) grow increasingly sophisticated, the demand for effective detection methods has intensified. This study addresses the challenge of identifying APT campaign attacks through system event logs. A cascading approach, name SFM, combines Technique hunting and APT campaign attribution. Our approach assumes that real-world system event logs contain a vast majority of normal events interspersed with few suspiciously malicious ones and that these logs are annotated with Techniques of MITRE ATT&CK framework for attack pattern recognition. Then, we attribute APT campaign attacks by aligning detected Techniques with known attack sequences to determine the most likely APT campaign. Evaluations on five real-world APT campaigns indicate that the proposed approach demonstrates reliable performance.

Cryptography and Security

Ruozhou LIANG,Yue GAO,Xibin ZHAO

DOI: https://doi.org/10.1360/ssi-2021-0252

2021-01-01

Scientia Sinica Informationis

Abstract:Advanced persistent threat (APT) in real scenes, especially in industrial scenes, is complex and long term, but the current methods cannot effectively extract the long term relationship in the attack. An attack detection method with provenance graphs, called SeqNet, is proposed. SeqNet uses sequence feature extraction to detect APT attacks. In SeqNet, the provenance graph sequence describing the running state of the system is transformed into the feature sequence first, and then the gate recurrent unit (GRU) model is used to extract the feature of the system. The encoder-decoder model with the local attention mechanism is used to train the GRU model. Finally, the K-means clustering method is used to model the normal behavior of the system. In this study, experiments are carried out on five public datasets, such as StreamSpot, wget, shellshock, ClearScope, and CADETS, compared with the state-of-the-art methods. The method used here achieves similar or improved results on all five datasets. Experimental results show that the proposed method can detect real-life APT scenarios.

Cho Do Xuan,Tung Thanh Nguyen

DOI: https://doi.org/10.1038/s41598-024-72957-0

IF: 4.6

2024-09-28

Scientific Reports

Abstract:To enhance the effectiveness of the Advanced Persistent Threat (APT) detection process, this research proposes a new approach to build and analyze the behavior profiles of APT attacks in network traffic. To achieve this goal, this study carries out two main objectives, including (i) building the behavior profile of APT IP in network traffic using a new intelligent computation method; (ii) analyzing and evaluating the behavior profile of APT IP based on a deep graph network. Specifically, to build the behavior profile of APT IP, this article describes using a combination of two different data mining methods: Bidirectional Long Short-Term Memory (Bi) and Attention (A). Based on the obtained behavior profile, the Dynamic Graph Convolutional Neural Network (DGCNN) is proposed to extract the characteristics of APT IP and classify them. With the flexible combination of different components in the model, the important information and behavior of APT attacks are demonstrated, not only enhancing the accuracy of detecting attack campaigns but also reducing false predictions. The experimental results in the paper show that the method proposed in this study has brought better results than other approaches on all measurements. In particular, the accuracy of APT attack prediction results (Precision) reached from 84 to 91%, higher than other studies of over 7%. These experimental results have proven that the proposed BiADG model for detecting APT attacks in this study is proper and reasonable. In addition, those experimental results have not only proven the effectiveness and superiority of the proposed method in detecting APT attacks but have also opened up a new approach for other cyber-attack detections such as distributed denial of service, botnets, malware, phishing, etc.

multidisciplinary sciences

Bin Luo,Liangguo Chen,Shuhua Ruan,Yonggang Luo

DOI: https://doi.org/10.32604/cmc.2023.045739

2024-01-01

Abstract:Considering the stealthiness and persistence of Advanced Persistent Threats (APTs), system audit logs are leveraged in recent studies to construct system entity interaction provenance graphs to unveil threats in a host. Rule-based provenance graph APT detection approaches require elaborate rules and cannot detect unknown attacks, and existing learning-based approaches are limited by the lack of available APT attack samples or generally only perform graph-level anomaly detection, which requires lots of manual efforts to locate attack entities. This paper proposes an APT-exploited process detection approach called ThreatSniffer, which constructs the benign provenance graph from attack-free audit logs, fits normal system entity interactions and then detects APT-exploited processes by predicting the rationality of entity interactions. Firstly, ThreatSniffer understands system entities in terms of their file paths, interaction sequences, and the number distribution of interaction types and uses the multi-head self-attention mechanism to fuse these semantics. Then, based on the insight that APT-exploited processes interact with system entities they should not invoke, ThreatSniffer performs negative sampling on the benign provenance graph to generate non-existent edges, thus characterizing irrational entity interactions without requiring APT attack samples. At last, it employs a heterogeneous graph neural network as the interaction prediction model to aggregate the contextual information of entity interactions, and locate processes exploited by attackers, thereby achieving fine-grained APT detection. Evaluation results demonstrate that anomaly-based detection enables ThreatSniffer to identify all attack activities. Compared to the node-level APT detection method APT-KGL, ThreatSniffer achieves a 6.1% precision improvement because of its comprehensive understanding of entity semantics.

computer science, information systems,materials science, multidisciplinary

Jingwen Li,Jianyi Liu,Ru Zhang

DOI: https://doi.org/10.3390/electronics13061106

IF: 2.9

2024-03-18

Electronics

Abstract:In recent years, advanced persistent threat (APT) attacks have become a significant network security threat due to their concealment and persistence. Correlation analysis of APT groups is vital for understanding the global network security landscape and accurately attributing threats. Current studies on threat attribution rely on experts or advanced technology to identify evidence linking attack incidents to known APT groups. However, there is a lack of research focused on automatically discovering potential correlations between APT groups. This paper proposes a method using attack behavior patterns and rough set theory to quantify APT group relevance. It extracts two types of features from threat intelligence: APT attack objects and behavior features. To address the issues of inconsistency and limitations in threat intelligence, this method uses rough set theory to model APT group behavior and designs a link prediction method to infer correlations among APT groups. Experimental results on publicly available APT analysis reports show a correlation precision of 90.90%. The similarity coefficient accurately reflects the correlation strength, validating the method's efficacy and accuracy.

engineering, electrical & electronic,computer science, information systems,physics, applied

Maryam Panahnejad,Meghdad Mirabi

DOI: https://doi.org/10.1007/s11227-021-04201-9

IF: 3.3

2022-01-12

The Journal of Supercomputing

Abstract:Advanced persistent threat attacks are considered as a serious risk to almost any infrastructure since attackers are constantly changing and evolving their advanced techniques and methods. It is difficult to use traditional defense for detecting the advanced persistent threat attacks and protect network information. The detection of advanced persistent threat attack is usually mixed with many other attacks. Therefore, it is necessary to have a solution that is safe from error and failure in detecting them. In this paper, an intelligent approach is proposed called “APT-Dt-KC” to analyze, identify, and prevent cyber-attacks using the cyber-kill chain model and matching its fuzzy characteristics with the advanced persistent threat attack. In APT-Dt-KC, Pearson correlation test is used to reduce the amount of processing data, and then, a hybrid intrusion detection method is proposed using Bayesian classification algorithm and fuzzy analytical hierarchy process. The experimental results show that APT-Dt-KC has a false positive rate and false negative rate 1.9% and 3.6% less than the existing approach, respectively. The accuracy and detection rate of APT-Dt-KC has reached 98% with an average improvement of 5% over the existing approach.

Xiang Cheng,Jiale Zhang,Bing Chen

DOI: https://doi.org/10.3390/s19184045

IF: 3.9

2019-01-01

Sensors

Abstract:With the emergence of the Advanced Persistent Threat (APT) attacks, many Internet of Things (IoT) systems have faced large numbers of potential threats with the characteristics of concealment, permeability, and pertinence. However, existing methods and technologies cannot provide comprehensive and prompt recognition of latent APT attack activities in the IoT systems. To address this problem, we propose an APT Alerts and Logs Correlation Method, named APTALCM and a framework of deploying APTALCM on the IoT system, where an edge computing architecture was used to achieve cyber situation comprehension without too much data transmission cost. Specifically, we firstly present a cyber situation ontology for modeling the concepts and properties to formalize APT attack activities in the IoT systems. Then, we introduce a cyber situation instance similarity measurement method based on the SimRank mechanism for APT alerts and logs Correlation. Combining with instance similarity, we further propose an APT alert instances correlation method to reconstruct APT attack scenarios and an APT log instances correlation method to detect log instance communities. Through the coalescence of these methods, APTALCM can accomplish the cyber situation comprehension effectively by recognizing the APT attack intentions in the IoT systems. The exhaustive experimental results demonstrate that the two kernel modules, i.e., Alert Instance Correlation Module (AICM) and Log Instance Correlation Module (LICM) in our APTALCM, can achieve both high true-positive rate and low false-positive rate.

Jichao Bi,Shibo He,Fengji Luo,Wenchao Meng,Luyue Ji,Da-Wen Huang

DOI: https://doi.org/10.1109/TII.2022.3231406

IF: 12.3

2023-01-01

IEEE Transactions on Industrial Informatics

Abstract:Industrial Internet of Things (IIoT) is vulnerable to advanced persistent threat (APT). In this article, we study a scenario in which APT is launched to attack IIoT devices. Considering the APTs lateral movement, a node-level state evolution model is established to calculate the probability of every device in an IIoT system to be compromised by APT. Based on this, a Stackelberg game model is proposed for the APT attacker and defender, which can accurately describe the gaming process. An effective computational approach is developed to obtain the potential Stackelberg equilibrium strategy pair of the game. Extensive case studies and comparison studies are conducted to validate the effectiveness of the proposed method.

Jian Yang,Qi Zhang,Xiaofeng Jiang,Shuangwu Chen,Feng Yang

DOI: https://doi.org/10.1109/TDSC.2021.3101649

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:The volatile, covert and slow multistage attack patterns of Advanced Persistent Threat (APT) present a tricky challenge of APT detection, which are vital for organisations to protect their critical assets. In this article, we aim to develop system that aggregates and uses existing systems’ alerts to detect APTs. In order to achieve this, we propose a causal correlation aided semantic analysis system, called <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Poirot</small> , for detecting the multi-stage threats over a long-time span from existing systems’ alerts. <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Poirot</small> is capable of autonomously mining causality between anomalous events, which instructs us in reorganizing the original alerts and in constructing alert-chains. The system further exploits the Latent Dirichlet Allocation (LDA) to model the semantic context of the alert-chains. This LDA model facilitates us to carry out the semantic analysis for capturing the latent attack intent as well as for reconstructing the APT scenario. We use an alert dataset provided by a cyber security company to verify the proposed <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Poirot</small> in terms of the detection accuracy and the capability of attack scenario reconstruction. The experiment results are presented to show the achievable performance of the proposed semantic analysis based APT detection.

Yuntao Wang,Han Liu,Zhendong Li,Zhou Su,Jiliang Li

DOI: https://doi.org/10.1109/MNET.2024.3389734

2024-04-12

Abstract:The rise of advanced persistent threats (APTs) has marked a significant cybersecurity challenge, characterized by sophisticated orchestration, stealthy execution, extended persistence, and targeting valuable assets across diverse sectors. Provenance graph-based kernel-level auditing has emerged as a promising approach to enhance visibility and traceability within intricate network environments. However, it still faces challenges including reconstructing complex lateral attack chains, detecting dynamic evasion behaviors, and defending smart adversarial subgraphs. To bridge the research gap, this paper proposes an efficient and robust APT defense scheme leveraging provenance graphs, including a network-level distributed audit model for cost-effective lateral attack reconstruction, a trust-oriented APT evasion behavior detection strategy, and a hidden Markov model based adversarial subgraph defense approach. Through prototype implementation and extensive experiments, we validate the effectiveness of our system. Lastly, crucial open research directions are outlined in this emerging field.

Cryptography and Security

Lixiao Sun,Zitong Li,Lei Xie,Mai Ye,Bing Chen

DOI: https://doi.org/10.1109/dsit55514.2022.9943933

2022-01-01

Abstract:Advanced persistent threats (APTs) pose a serious threat to the security of cyberspace. Recently, more and more security organizations and vendors have been focusing on cyber threat intelligence (CTI) to tackle APTs. Particularly, some researchers have introduced knowledge graphs to aggregate CTIs and explore the potential intelligence value. This paper presents APTKG, a framework for automatically extracting CTI triples from open-source APT reports and constructing APT group- focused knowledge graphs. Specially, first, we model the STIX- based ontology, APTOnt, which aggregates malicious information from hierarchical levels and can be applied to threat hunting, group profiling, APT tracing and other tasks. Then, we propose a Multi-Feature based CTI recognition method to improve the accuracy of various CTIs extraction. Finally, we apply a BiGRU based Inter-Sentence method to extract document-level CTI relationships. The experimental results confirm that the proposed CTI entity recognition model and relationship extraction method exhibit excellent performance, and the joint model of the two is also effective for CTI triples extraction. In addition, APTKG has stimulated exploration and research on CTI-based APT attack defense and analysis.

Tao Yi,Xingshu Chen,Qindong Li,Yi Zhu

DOI: https://doi.org/10.1016/j.cose.2024.103809

IF: 5.105

2024-03-29

Computers & Security

Abstract:APT attacks have the characteristics of low frequency, stealth, and persistence. Achieving attack objectives and preventing trace-back often involve diverse tactics, various tools, and changing processes and patterns. Additionally, the goals of APT attacks are diverse. Apart from service disruptions or network outages, the main goals include remotely penetrating target hosts through the network to steal information, unauthorized encryption, and destructive wiping. Existing methods for characterizing attack features lack sufficient research on the communication methods and data transmission patterns used in attacks. In particular, due to the non-associated addresses, low frequency, fragmentation, and silent requirements of attacks, the features exhibited in a single session are increasingly minimal. Traditional approaches are no longer sufficient to address these challenges that relying solely on single-sample statistical features and "packet-sniffing" windowed traffic grouping detection methods. To tackle these issues, we propose a innovative approach to characterize network attack traffic based on Spatial Pyramid Pooling (SPP) by analyzing the attack communication methods and data transmission patters in the network session traffic of APT attacks with the remote information theft. Specifically, it employs derived feature attributes that integrate mean, total, and concentration characteristics to longitudinally extract multi-level spatiotemporal correlated behavioral features from aggregated multi-session sets. These features are then fused with single-session characteristics, ensuring that each session sample possesses both current traffic features and correlated properties of contextual session traffic. Additionally, this approach meets the requirements of fixed-length input for heterogeneous data in deep learning. Extensive experiments have been conducted to demonstrate that this method enhances the effective detection of APT attacks by deep learning models. Experiments results show that this approach exhibits superior timeliness, precision, and specificity when compared to Principal Component Analysis (PCA) artificial feature engineering methods and other methods based on fixed-length deep learning for raw data.

computer science, information systems

Jingci Zhang,Jun Zheng,Zheng Zhang,Tian Chen,Yu-an Tan,Quanxin Zhang,Yuanzhang Li,Yuan Tan

DOI: https://doi.org/10.1016/j.comnet.2024.110376

IF: 5.493

2024-03-01

Computer Networks

Abstract:In recent years, the growing frequency and intensity of Advanced Persistent Threats (APTs) have significantly undermined the legitimacy and financial stability of government agencies, enterprises, and other entities. Moreover, these attacks have shown the inherent vulnerabilities in conventional border defense strategies. The emergence of the zero trust network architecture can be attributed to the increasing complexity of the cyber threat landscape. With the application of risk assessment, this paper effectively tackles the challenges posed by conventional network defense limitations and enhances the efficiency of the access control decision-making process. Nevertheless, the existing risk assessment approaches primarily focus on conventional security assessment objectives, which exhibits a deficiency in the ability to dynamically assess APT attacks. The Adversarial Tactics, Techniques, and Common Knowledge (ATT&amp;CK) Framework introduced in this paper is a novel approach to mitigating APT attacks. This paper aims to mine and analyze the frequent item set and correlation of cyber threat penetration attack techniques. The paper also intends to construct an attack technique relationship diagram and develop a tactical prediction model for cyber threat penetration attacks using the Markov chain model. Finally, our study aims to establish a risk propagation model for APT threats based on the aforementioned model. The approach presented in this paper significantly enhances the capacity of zero trust networks in addressing sophisticated cyber threats.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Lixin Wang,Jianhua Yang,Xiaohua Xu,Peng-Jun Wan

DOI: https://doi.org/10.1155/2021/6632671

2021-03-03

Wireless Communications and Mobile Computing

Abstract:Intruders on the Internet usually launch network attacks through compromised hosts, called stepping stones, in order to reduce the chance of being detected. With stepping-stone intrusions, an attacker uses tools such as SSH to log in several compromised hosts remotely and create an interactive connection chain and then sends attacking packets to a target system. An effective method to detect such an intrusion is to estimate the length of a connection chain. In this paper, we develop an efficient algorithm to detect stepping-stone intrusion by mining network traffic using the k -means clustering. Existing approaches for connection-chain-based stepping-stone intrusion detection either are not effective or require a large number of TCP packets to be captured and processed and, thus, are not efficient. Our proposed detection algorithm can accurately determine the length of a connection chain without requiring a large number of TCP packets being captured and processed, so it is more efficient. Our proposed detection algorithm is also easier to implement than all existing approaches for stepping-stone intrusion detection. The effectiveness, correctness, and efficiency of our proposed detection algorithm are verified through well-designed network experiments.

computer science, information systems,telecommunications,engineering, electrical & electronic

Tieming Chen,Chengyu Dong,Mingqi Lv,Qijie Song,Haiwen Liu,Tiantian Zhu,Kang Xu,Ling Chen,Shouling Ji,Yuan Fan

DOI: https://doi.org/10.1109/tdsc.2022.3229472

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:APTs (Advanced Persistent Threats) have caused serious security threats worldwide. Most existing APT detection systems are implemented based on sophisticated forensic analysis rules. However, the design of these rules requires in-depth domain knowledge and the rules lack generalization ability. On the other hand, deep learning technique could automatically create detection model from training samples with little domain knowledge. However, due to the persistence, stealth, and diversity of APT attacks, deep learning technique suffers from a series of problems including difficulties of capturing contextual information, low scalability, dynamic evolving of training samples, and scarcity of training samples. Aiming at these problems, this paper proposes APT-KGL, an intelligent APT detection system based on provenance data and graph neural networks. First, APT-KGL models the system entities and their contextual information in the provenance data by a HPG (Heterogeneous Provenance Graph), and learns a semantic vector representation for each system entity in the HPG in an offline way. Then, APT-KGL performs online APT detection by sampling a small local graph from the HPG and classifying the key system entities as malicious or benign. In addition, to conquer the difficulty of collecting training samples of APT attacks, APT-KGL creates virtual APT training samples from open threat knowledge in a semi-automatic way. We conducted a series of experiments on two provenance datasets with simulated APT attacks. The experiment results show that APT-KGL outperforms other current deep learning based models, and has competitive performance against state-of-the-art rule-based APT detection systems.