Kai Xing,Aiping Li,Rong Jiang,Yan Jia

DOI: https://doi.org/10.1109/dsc50466.2020.00018

2020-01-01

Abstract:Cyberspace has been threatened by attacks ever since its birth. With the development of the Internet and artificial intelligence, forms of cyberattacks are emerging in endlessly, and technical means are constantly being renovated. In particular, advanced persistent threats are intensifying. How to effectively prevent this type of attack has become the focus, and attack detection and defense technology has made great progress. This article mainly discusses the research progress of APT attack detection and defense strategies at home and abroad, and focuses on the practice of using machine learning to perform attack detection while elaborating on traditional attack detection methods. Defense strategy is about how to use game theory to find the best defense strategy in limited resources, dynamic information flow tracking and cloud platform.

Bo Zhang,Yansong Gao,Boyu Kuang,Changlong Yu,Anmin Fu,Willy Susilo

DOI: https://doi.org/10.1145/3700749

IF: 16.6

2024-01-01

ACM Computing Surveys

Abstract:In recent years, frequent Advanced Persistent Threat (APT) attacks have caused disastrous damage to critical facilities, leading to severe information leakages, economic losses, and even social disruptions. Via sophisticated, long-term, and stealthy network intrusions, APT attacks are often beyond the capabilities of traditional intrusion detection methods. Existing methods employ various techniques to enhance APT detection at different stages, but this makes it difficult to fairly and objectively evaluate the capability, value, and orthogonality of available techniques. Overly focusing on hardening specific APT detection stages cannot address some essential challenges from a global perspective, which would result in severe consequences. To holistically tackle this problem and explore effective solutions, we abstract a unified framework that covers the complete process of APT attack detection, with standardized summaries of state-of-the-art solutions and analysis of feasible techniques. Further, we provide an in-depth discussion of the challenges and countermeasures faced by each component of the detection framework. In addition, we comparatively analyze public datasets and outline the capability criteria to provide a reference for standardized evaluations. Finally, we discuss insights into potential areas for future research.

Luoli Wang

DOI: https://doi.org/10.1088/1742-6596/2113/1/012037

2021-11-01

Journal of Physics: Conference Series

Abstract:Abstract Advanced Persistent Threats (APT) have caused severe damage to the core information infrastructure of many governments and organizations. APT attacks usually remain low and slow which makes them difficult to be detected. In this case, the way of correlatively analyzing massive logs generated by various security devices for effectively detecting the new type of cyber threat turns out to be more and more significant. In this paper, on the basis of analyzing the principles and characteristics of APT, we propose an intelligent threat detection method based on the expanded Cyber Attack Chain (CAC) model and the long short-term memory network (LSTM) autoencoder to extensively correlate malicious behaviors from spatial and temporal dimensions, which provides a brain new idea for the application and practice of complex network attack detection.

Wen-Lin Chu,Chih-Jer Lin,Ke-Neng Chang

DOI: https://doi.org/10.3390/app9214579

2019-10-28

Applied Sciences

Abstract:Traditional network attack and hacking models are constantly evolving to keep pace with the rapid development of network technology. Advanced persistent threat (APT), usually organized by a hacker group, is a complex and targeted attack method. A long period of strategic planning and information search usually precedes an attack on a specific goal. Focus is on a targeted object and customized specific methods are used to launch the attack and obtain confidential information. This study offers an attack detection system that enables early discovery of the APT attack. The system uses the NSL-KDD database for attack detection and verification. The main method uses principal component analysis (PCA) for feature sampling and the enhancement of detection efficiency. The advantages and disadvantages of using the classifiers are then compared to detect the dataset, the classifier supports the vector machine, naive Bayes classification, the decision tree and neural networks. Results of the experiments show the support vector machine (SVM) to have the highest recognition rate, reaching 97.22% (for the trained subdata A). The purpose of this study was to establish an APT early warning model mechanism, that could be used to reduce the impact and influence of APT attacks.

BinHui Tang,JunFeng Wang,Zhongkun Yu,Bohan Chen,Wenhan Ge,Jian Yu,TingTing Lu

DOI: https://doi.org/10.1016/j.compeleceng.2022.108261

2022-10-01

Abstract:With the boom in Internet and information technology, cyber-attacks are becoming more frequent and sophisticated, especially Advanced Persistent Threat (APT) attacks. Unlike traditional attacks, APT attacks are more targeted, stealthy, and adversarial, rendering it challenging to manually analyze threat behaviors for APT detection, attribution, and response. Therefore, the research community has focused on intelligent defense methods. Intelligent threat profiling is dedicated to analyzing APT attacks and improving defense capability with Knowledge Graph and Deep Learning methods. With this insight, this paper provides the first systematic review of intelligent threat profiling techniques for APT attacks, covering three aspects: data, methods, and applications. The contents include data processing techniques, threat modeling, representation, reasoning methods, etc. Furthermore, this paper summarizes the latest research in applications, proposes the research framework and technical architecture, and provides insights into future research trends. This paper contributes to recognizing the advantages and challenges of intelligent threat profiling. It paves the way for integrating knowledge graphs and deep learning to achieve intelligent security.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Yuqing Li,Wenkuan Dai,Jie Bai,Xiaoying Gan,Jingchao Wang,Xinbing Wang

DOI: https://doi.org/10.1109/TIFS.2018.2847671

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Combined with many different attack forms, advanced persistent threats (APTs) are becoming a major threat to cyber security. Existing security protection works typically either focus on one-shot case, or separate detection from response decisions. Such practices lead to tractable analysis, but miss key inherent APTs persistence and risk heterogeneity. To this end, we propose a Lyapunov-based secur...

Zitong Li,Jiale Chen,Jiale Zhang,Xiang Cheng,Bing Chen

DOI: https://doi.org/10.1007/978-981-15-9129-7_36

2020-01-01

Abstract:Advanced Persistent Threat (APT) is one of the most menacing and stealthy multiple-steps attacks in the context of information systems and IoT-related applications. Recently, with increasing losses to organizations caused by APT, its detection has attracted more attention in both academia and industry. However, conventional attack detection methods cannot be used to defense APT ideally for the following reasons: 1) misuse-based mechanisms require too much expert knowledge of APT attacks; 2) anomaly-based strategies lead to many false positives; 3) machine learning-based solutions lack training dataset that describes APT patterns. Thus, we propose a novel detection system in edge computing systems based on federated learning, named FLAPT, to detect APT attacks. The federated model can learn various APT attack patterns by maintaining a global model across multiple clients. The experimental results demonstrate that our proposed system can detect various attacks including real-life APT campaigns with high detection accuracy and low false alarm rate.

Abdullah Said AL-Aamri,Rawad Abdulghafor,Sherzod Turaev,Imad Al-Shaikhli,Akram Zeki,Shuhaili Talib

DOI: https://doi.org/10.3390/su151813820

IF: 3.9

2023-09-17

Sustainability

Abstract:Nowadays, countries face a multitude of electronic threats that have permeated almost all business sectors, be it private corporations or public institutions. Among these threats, advanced persistent threats (APTs) stand out as a well-known example. APTs are highly sophisticated and stealthy computer network attacks meticulously designed to gain unauthorized access and persist undetected threats within targeted networks for extended periods. They represent a formidable cybersecurity challenge for governments, corporations, and individuals alike. Recognizing the gravity of APTs as one of the most critical cybersecurity threats, this study aims to reach a deeper understanding of their nature and propose a multi-stage framework for automated APT detection leveraging time series data. Unlike previous models, the proposed approach has the capability to detect real-time attacks based on stored attack scenarios. This study conducts an extensive review of existing research, identifying its strengths, weaknesses, and opportunities for improvement. Furthermore, standardized techniques have been enhanced to enhance their effectiveness in detecting APT attacks. The learning process relies on datasets sourced from various channels, including journal logs, traceability audits, and systems monitoring statistics. Subsequently, an efficient APT detection and prevention system, known as the composition-based decision tree (CDT), has been developed to operate in complex environments. The obtained results demonstrate that the proposed approach consistently outperforms existing algorithms in terms of detection accuracy and effectiveess.

environmental sciences,environmental studies,green & sustainable science & technology

Hao Yan,Qianzhen Zhang,Junjie Xie,Ziyue Lu,Sheng Chen,Deke Guo

DOI: https://doi.org/10.1109/ICPADS53394.2021.00062

2021-01-01

Abstract:The advanced persistent threat (APT) is a stealthy cyber attack perpetrated by a group that gains unauthorized access to a computer network and remains undiscovered to steal specific data and resources. Fast detection and defense of APT attacks are critical tasks in cyber security. Previous works use simple feature extraction and classification methods to distinguish APT information flow from the ...

CHEN Rui-dong,ZHANG Xiao-song,NIU Wei-na,LAN Hao-yue

DOI: https://doi.org/10.3969/j.issn.1001-0548.2019.06.011

2019-01-01

Abstract:Advanced persistent threat (APT) is a new kind of cyber-attack as a growth security events. This paper analysis more than 150 typical APT cases happened during last decade, and constructs the analytical model of APT attack, indicates 4 major problems of APT attack detection and countering: the fragile penetration protection problem, the low detection accuracy, the difficulty of determining the attack forensic, and the slow response to the unknown attack problem. In the meanwhile, this paper analyzes typical APT attacks in recent years, mines the association based on attacking tools. According to the experiments, there are similarity patterns between the tools used by the same organization. In summary, the integral APT defense scheme in this paper includes the latest achievements of four types of defense schemes, plays an academic supporting role in building a unified attack detection and traceability countermeasure platform.

Yue Li,Teng Zhang,Xue Li,Ting Li

DOI: https://doi.org/10.1007/978-981-13-6621-5_10

2019-01-01

Abstract:AbstractThe targets of Advanced Persistent Threat (APT) are mainly concentrate on national key information infrastructure, key research institutes, and large commercial companies, for the purpose of stealing sensitive information, trade secrets or destroying important infrastructure. Traditional protection system is difficult to detect the APT attack, due to the method of the APT attack is unknown and uncertain. And the persisted evolution ability destroyed the traditional protection methods based on feature detection. Therefore, this paper based on the theory of red-blue confrontation, to construct the game model of attack and defense. And then combined the APT offense and defense experience, presents a model based on cyber threat detection to deal with APT attacks.

Wang Neng,Zhang Ya

DOI: https://doi.org/10.1007/978-981-19-3998-3_95

2022-01-01

Abstract:An advanced persistent threat (APT) is a stealthy cyber attack which can have the ability to illegally enter a system and remain undiscovered for a long time. Dynamic information flow tracking is one of the leading methods to detecting advanced persistent threats, which can taint suspicious information flows and generate security analysis for abnormal and questionable use of the information flow. In this paper, we develop a novel model to detect APTs. We build a zero-sum, two-player, asymmetric information Markov game. Because the DIFT cannot distinguish between normal and malicious information flow, the defender has less state information than the attacker. We analyzed the existence of the Nash equilibrium of our game. Finally, we used Neural Fictitious Self-play (NFSP), the leading algorithm for zero-sum games in Deep Reinforcement Learning, to solve the Nash equilibrium for this game.

WANG Zhiwei,HE Xijie,YI Xin,LI Ziyang,CAO Xudong,YIN Tao,LI Shuhao,FU Anmin,ZHANG Yuqing

DOI: https://doi.org/10.11959/j.issn.1000-436x.2024128

2024-01-01

Abstract:The advanced persistent threat (APT) attack was explored from two perspectives: attack methods and detection methods. First, the definitions and characteristics of APT attacks were reviewed and the development of related attack models was summarized. Based on this, a more general APT full lifecycle model was proposed, which was divided into four stages: information gathering, intrusion execution, internal network penetration, and data exfiltration. For each stage, recent research papers from the past five years were thoroughly reviewed, and the attack and detection techniques for each stage were analyzed. Finally, in light of the dynamic landscape of APT attack and defense technologies, the paper underscores the formidable challenges confronting both offense and defense and offers guidance for future research in this domain.

Zhiyan Chen,Jinxin Liu,Yu Shen,Murat Simsek,Burak Kantarci,Hussein T. Mouftah,Petar Djukic

DOI: https://doi.org/10.1145/3530812

2022-04-17

Abstract:Despite its technological benefits, Internet of Things (IoT) has cyber weaknesses due to the vulnerabilities in the wireless medium. Machine learning (ML)-based methods are widely used against cyber threats in IoT networks with promising performance. Advanced persistent threat (APT) is prominent for cybercriminals to compromise networks, and it is crucial to long-term and harmful characteristics. However, it is difficult to apply ML-based approaches to identify APT attacks to obtain a promising detection performance due to an extremely small percentage among normal traffic. There are limited surveys to fully investigate APT attacks in IoT networks due to the lack of public datasets with all types of APT attacks. It is worth to bridge the state-of-the-art in network attack detection with APT attack detection in a comprehensive review article. This survey article reviews the security challenges in IoT networks and presents the well-known attacks, APT attacks, and threat models in IoT systems. Meanwhile, signature-based, anomaly-based, and hybrid intrusion detection systems are summarized for IoT networks. The article highlights statistical insights regarding frequently applied ML-based methods against network intrusion alongside the number of attacks types detected. Finally, open issues and challenges for common network intrusion and APT attacks are presented for future research.

Cryptography and Security,Machine Learning,Networking and Internet Architecture

Qi Wu,Qiang Li,Dong Guo,Xiangyu Meng

DOI: https://doi.org/10.1177/15501329221080417

IF: 1.938

2022-01-01

International Journal of Distributed Sensor Networks

Abstract:In recent years, the Internet of Things has been widely used in modern life. Advanced persistent threats are long-term network attacks on specific targets with attackers using advanced attack methods. The Internet of Things targets have also been threatened by advanced persistent threats with the widespread application of Internet of Things. The Internet of Things device such as sensors is weaker than host in security. In the field of advanced persistent threat detection, most works used machine learning methods whether host-based detection or network-based detection. However, models using machine learning methods lack robustness because it can be attacked easily by adversarial examples. In this article, we summarize the characteristics of advanced persistent threats traffic and propose the algorithm to make adversarial examples for the advanced persistent threat detection model. We first train advanced persistent threat detection models using different machine learning methods, among which the highest F1-score is 0.9791. Then, we use the algorithm proposed to grey-box attack one of models and the detection success rate of the model drop from 98.52% to 1.47%. We prove that advanced persistent threats adversarial examples are transitive and we successfully black-box attack other models according to this. The detection success rate of the attacked model with the best attacked effect dropped from 98.66% to 0.13%.

Zhen DAI,Guang CHENG

DOI: https://doi.org/10.3778/j.issn.1002-8331.1703-0552

2017-01-01

Abstract:Advanced Persistent Threat(APT)is a serious threat to the world, APT detection has become the key point of network security protection. Due to the complexity of APT, the traditional detection technology cannot perform well. An APT detection method is proposed by using APT communication features extracted from international security company reports. In order to improve the detection effect of this method, an algorithm for double feature matching is put forward. The initial feature matching method uses bloom filter to filter out some messages quickly, and then the exact matching method is set up to determine whether it is APT malicious traffic. The experimental results show that the method has higher detection rate and fewer false positives.

Yuan Wang,Yongjun Wang,Jing Liu,Zhijian Huang

DOI: https://doi.org/10.1109/3PGCIC.2014.41

2014-01-01

Abstract:Advanced Persistent Threat (APT) poses a serious threat to cyber security, and its unique high unpredictability, deep concealment and grave harmfulness make the traditional network monitoring technology facing unprecedented challenges in the background of massive and complicated network traffic. This paper aimed for the urgent demand of APT network monitoring. Relying on the rapid development of big data analysis and cloud computing technology, to draw lessons from biology gene concept, we put forward a new connotation of the network gene to depict the semantic-rich behavior characteristics pattern of network applications. Through the organic combination of network protocol reverse analysis and the network data stream processing technology, we established a set of basic theories and technical architecture of network gene construction and calculation, forming a new detection framework for APTs to support the construction of intrusion-tolerant network ecological environment.

Aaron Zimba,Hongsong Chen,Zhaoshun Wang,Mumbi Chishimba

DOI: https://doi.org/10.1016/j.future.2020.01.032

IF: 7.307

2020-01-01

Future Generation Computer Systems

Abstract:Advanced Persistent Threats (APT) present the most sophisticated types of attacks to modern networks which have proved to be very challenging to address. Using sophisticated attack techniques, attackers remotely control infected machines and exfiltrate sensitive information from organizations and governments. Security products deployed by enterprise networks based on traditional defenses often fail at detecting APT infections because of the dynamic nature of the APT attack process. To overcome the current limitations of attack network dynamics faced in APT studies, an innovative APT attack detection model based on a semi-supervised learning approach and complex networks characteristics is proposed in this paper. The entire targeted network is modeled as a small-world network and the evolving APT-Attack Network (APT-AN) as a scale-free network. Finite state machines are employed to model the state transitions of the nodes in the time domain in order to characterize the state changes during the APT attack process. The effectiveness of the model is demonstrated by applying it to real-world data from a large-scale enterprise network consisting of 17,684 hosts from the Los Alamos security lab. The proposed approach analyzes efficiently the large-scale dataset to reveal APT attack characteristics between the command and control center and the victim hosts. The final result is a ranked list of suspicious hosts participating in APT attack activities. The average detection precision of three APT stage is 90.5% in our proposed APT detection framework. The results show that the model can effectively detect the suspicious hosts at different stages of the APT attack process.

Pengdeng Li,Xiaofan Yang,Qingyu Xiong,Junhao Wen,Yuan Yan Tang

DOI: https://doi.org/10.1155/2018/2975376

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:The new cyberattack pattern of advanced persistent threat (APT) has posed a serious threat to modern society. This paper addresses the APT defense problem, that is, the problem of how to effectively defend against an APT campaign. Based on a novel APT attack-defense model, the effectiveness of an APT defense strategy is quantified. Thereby, the APT defense problem is modeled as an optimal control problem, in which an optimal control stands for a most effective APT defense strategy. The existence of an optimal control is proved, and an optimality system is derived. Consequently, an optimal control can be figured out by solving the optimality system. Some examples of the optimal control are given. Finally, the influence of some factors on the effectiveness of an optimal control is examined through computer experiments. These findings help organizations to work out policies of defending against APTs.

Zitong Li,Xiang Cheng,Jiale Zhang,Bing Chen

DOI: https://doi.org/10.1007/978-3-030-68851-6_5

2020-01-01

Abstract:With the Internet of Things (IoT) experiencing an accelerating evolution, the IoT devices are widely implemented both in the industrial system and daily life. The IoT system has characteristics of lack of update, longer lifetimes, and delayed patching, making it suffer from diverse attacks especially the Advanced Persistent Threats (APTs). Various detection technologies that emerged, however, are far from satisfied the need for effective security defense for IoT systems against APT campaigns. Therefore, we propose an APT Prediction Method based on Federated Learning (APTPMFL) deployed on the edge computing infrastructure to predict the probability of subsequent APT attacks that occur in IoT scenarios. It is the first approach to apply a federated learning mechanism for aggregating suspicious activities in the IoT systems to train the APT prediction model without correlation rules. We present an edge computing-based framework to train and deploy the model which can alleviate the computing and communication overhead of the typical IoT systems. The sophisticated evolution processes of APT can be modeled by federated learning meanwhile the private data will not leakage to other organizations. Our evaluation results show that APTPMFL is capable of predicting subsequent APT behaviors in the IoT system accurately and efficiently.