Florian Nelles,Abbas Yazdinejad,Ali Dehghantanha,Reza M. Parizi,Gautam Srivastava

2024-06-19

Abstract:Multi-stage threats like advanced persistent threats (APT) pose severe risks by stealing data and destroying infrastructure, with detection being challenging. APTs use novel attack vectors and evade signature-based detection by obfuscating their network presence, often going unnoticed due to their novelty. Although machine learning models offer high accuracy, they still struggle to identify true APT behavior, overwhelming analysts with excessive data. Effective detection requires training on multiple datasets from various clients, which introduces privacy issues under regulations like GDPR. To address these challenges, this paper proposes a novel 3-phase unsupervised federated learning (FL) framework to detect APTs. It identifies unique log event types, extracts suspicious patterns from related log events, and orders them by complexity and frequency. The framework ensures privacy through a federated approach and enhances security using Paillier's partial homomorphic encryption. Tested on the SoTM 34 dataset, our framework compares favorably against traditional methods, demonstrating efficient pattern extraction and analysis from log files, reducing analyst workload, and maintaining stringent data privacy. This approach addresses significant gaps in current methodologies, offering a robust solution to APT detection in compliance with privacy laws.

Cryptography and Security

Huynh Thai Thi,Ngo Duc Hoang Son,Phan The Duy,Nghi Hoang Khoa,Khoa Ngo-Khanh,Van-Hau Pham

DOI: https://doi.org/10.48550/arXiv.2309.08485

2023-09-15

Abstract:Advanced Persistent Threat (APT) attacks are highly sophisticated and employ a multitude of advanced methods and techniques to target organizations and steal sensitive and confidential information. APT attacks consist of multiple stages and have a defined strategy, utilizing new and innovative techniques and technologies developed by hackers to evade security software monitoring. To effectively protect against APTs, detecting and predicting APT indicators with an explanation from Machine Learning (ML) prediction is crucial to reveal the characteristics of attackers lurking in the network system. Meanwhile, Federated Learning (FL) has emerged as a promising approach for building intelligent applications without compromising privacy. This is particularly important in cybersecurity, where sensitive data and high-quality labeling play a critical role in constructing effective machine learning models for detecting cyber threats. Therefore, this work proposes XFedHunter, an explainable federated learning framework for APT detection in Software-Defined Networking (SDN) leveraging local cyber threat knowledge from many training collaborators. In XFedHunter, Graph Neural Network (GNN) and Deep Learning model are utilized to reveal the malicious events effectively in the large number of normal ones in the network system. The experimental results on NF-ToN-IoT and DARPA TCE3 datasets indicate that our framework can enhance the trust and accountability of ML-based systems utilized for cybersecurity purposes without privacy leakage.

Cryptography and Security,Artificial Intelligence

Xiang Cheng,Qian Luo,Ye Pan,Zitong Li,Jiale Zhang,Bing Chen

DOI: https://doi.org/10.1155/2021/8814068

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:Driven by the advancements in 5G-enabled Internet of Things (IoT) technologies, the IoT devices have shown an explosive growth trend with massive data generated at the edge of the network. However, IoT systems exhibit inherent vulnerability for diverse attacks, and Advanced Persistent Threat (APT) is one of the most powerful attack models that could lead to a significant privacy leakage of systems. Moreover, recent detection technologies can hardly meet the demands of effective security defense against APTs. To address the above problems, we propose an APT Prediction Method based on Differentially Private Federated Learning (APTPMFL) to predict the probability of subsequent APT attacks occurring in IoT systems. It is the first time to apply a federated learning mechanism for aggregating suspicious activities in the IoT systems, where the APT prediction phase does not need any correlation rules. Moreover, to achieve privacy-preserving property, we further adopt a differentially private data perturbation mechanism to add the Laplacian random noises to the IoT device training data features, so as to achieve the maximum protection of privacy data. We also present a 5G-enabled edge computing-based framework to train and deploy the model, which can alleviate the computing and communication overhead of the typical IoT systems. Our evaluation results show that APTPMFL can efficiently predict subsequent APT behaviors in the IoT system accurately and efficiently.

Yilun Hu,Jun Wu,Gaolei Li,Jianhua Li,Jinke Cheng

DOI: https://doi.org/10.1109/tnse.2023.3304556

IF: 6.6

2023-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Advanced Persistent Threats (APT) utilizes multiple zero-day vulnerabilities to threaten critical industrial infrastructure, having the characteristics of burst, unknown and cross-domain. To resist APT attacks, existing wisdom usually establish a security monitoring platform that remotely links to the cloud-based threat intelligence center. However, the real scenario where few victim users are willing to share raw attack samples considering privacy-preservation, such mentality is hysteretic and cannot identify APT attacks quickly without sacrificing additional incentives. To address this issue, a novel privacy-preserving few-shot traffic detection (PFTD) method based on federated meta learning (FML) is proposed. The PFTD treats the APT detection task as a model generalization optimization process, that transfers the learned knowledge to identify local unknown samples. Client-side models in FML achieve knowledge transferring by two-phase updating over both support dataset and query dataset, while the server-side model obtains global knowledge with model aggregation. These processes compile useful knowledge against APT attacks. With a novel wisdom, we obtained three advantages: 1) High accuracy with a few attack samples; 2) Low latency detection for removing rules matching process; 3) High personalizing to cross-domain APT attacks. Extensive experiments based on multiple benchmark datasets like CICIDS2017 and DAPT 2020 prove the superiority of proposed PFTD.

engineering, multidisciplinary,mathematics, interdisciplinary applications

Xiaoxiao Liu,Fan Xu,Nan Wang,Qinxin Zhao,Dalin Zhang,Xibin Zhao,Jiqiang Liu

2024-04-04

Abstract:Advanced Persistent Threat (APT) is challenging to detect due to prolonged duration, infrequent occurrence, and adept concealment techniques. Existing approaches primarily concentrate on the observable traits of attack behaviors, neglecting the intricate relationships formed throughout the persistent attack lifecycle. Thus, we present an innovative APT detection framework named LTRDetector, implementing an end-to-end holistic operation. LTRDetector employs an innovative graph embedding technique to retain comprehensive contextual information, then derives long-term features from these embedded provenance graphs. During the process, we compress the data of the system provenance graph for effective feature learning. Furthermore, in order to detect attacks conducted by using zero-day exploits, we captured the system's regular behavior and detects abnormal activities without relying on predefined attack signatures. We also conducted extensive evaluations using five prominent datasets, the efficacy evaluation of which underscores the superiority of LTRDetector compared to existing state-of-the-art techniques.

Cryptography and Security

Jiyuan Shen,Wenzhuo Yang,Zhaowei Chu,Jiani Fan,Dusit Niyato,Kwok-Yan Lam

2024-01-22

Abstract:With the rapid development of low-cost consumer electronics and cloud computing, Internet-of-Things (IoT) devices are widely adopted for supporting next-generation distributed systems such as smart cities and industrial control systems. IoT devices are often susceptible to cyber attacks due to their open deployment environment and limited computing capabilities for stringent security controls. Hence, Intrusion Detection Systems (IDS) have emerged as one of the effective ways of securing IoT networks by monitoring and detecting abnormal activities. However, existing IDS approaches rely on centralized servers to generate behaviour profiles and detect anomalies, causing high response time and large operational costs due to communication overhead. Besides, sharing of behaviour data in an open and distributed IoT network environment may violate on-device privacy requirements. Additionally, various IoT devices tend to capture heterogeneous data, which complicates the training of behaviour models. In this paper, we introduce Federated Learning (FL) to collaboratively train a decentralized shared model of IDS, without exposing training data to others. Furthermore, we propose an effective method called Federated Learning Ensemble Knowledge Distillation (FLEKD) to mitigate the heterogeneity problems across various clients. FLEKD enables a more flexible aggregation method than conventional model fusion techniques. Experiment results on the public dataset CICIDS2019 demonstrate that the proposed approach outperforms local training and traditional FL in terms of both speed and performance and significantly improves the system's ability to detect unknown attacks. Finally, we evaluate our proposed framework's performance in three potential real-world scenarios and show FLEKD has a clear advantage in experimental results.

Cryptography and Security

Jie Yang,Jun Zheng,Haochen Wang,Jiaxing Li,Haipeng Sun,Weifeng Han,Nan Jiang,Yu-An Tan

DOI: https://doi.org/10.3390/s23031052

2023-01-17

Abstract:Federated learning has a distributed collaborative training mode, widely used in IoT scenarios of edge computing intelligent services. However, federated learning is vulnerable to malicious attacks, mainly backdoor attacks. Once an edge node implements a backdoor attack, the embedded backdoor mode will rapidly expand to all relevant edge nodes, which poses a considerable challenge to security-sensitive edge computing intelligent services. In the traditional edge collaborative backdoor defense method, only the cloud server is trusted by default. However, edge computing intelligent services have limited bandwidth and unstable network connections, which make it impossible for edge devices to retrain their models or update the global model. Therefore, it is crucial to detect whether the data of edge nodes are polluted in time. This paper proposes a layered defense framework for edge-computing intelligent services. At the edge, we combine the gradient rising strategy and attention self-distillation mechanism to maximize the correlation between edge device data and edge object categories and train a clean model as much as possible. On the server side, we first implement a two-layer backdoor detection mechanism to eliminate backdoor updates and use the attention self-distillation mechanism to restore the model performance. Our results show that the two-stage defense mode is more suitable for the security protection of edge computing intelligent services. It can not only weaken the effectiveness of the backdoor at the edge end but also conduct this defense at the server end, making the model more secure. The precision of our model on the main task is almost the same as that of the clean model.

Xiedong Song,Qinmin Ma

DOI: https://doi.org/10.1007/s10723-023-09725-3

2024-01-21

Journal of Grid Computing

Abstract:Edge nodes, which are expected to grow into a multi-billion-dollar market, are essential for detection against a variety of cyber threats on Internet-of-Things endpoints. Adopting the current network intrusion detection system with deep learning models (DLM) based on FedACNN is constrained by the resource limitations of this network equipment layer. We solve this issue by creating a unique, lightweight, quick, and accurate edge detection model to identify DLM-based distributed denial service attacks on edge nodes. Our approach can generate real results at a relevant pace even with limited resources, such as low power, memory, and processing capabilities. The Federated Convolution Neural Network (FedACNN) deep learning method uses attention mechanisms to minimise communication delay. The developed model uses a recent cybersecurity dataset deployed on an edge node simulated by a Raspberry Pi (UNSW 2015). Our findings show that, compared to traditional DLM methodologies, our model retains a high accuracy rate of about 99%, even with decreased CPU and memory resource use. Also, it is about three times smaller in volume than the most advanced model while requiring a lot less testing time.

computer science, information systems, theory & methods

Weiyong Yang,Peng Gao,Hao Huang,Xingshen Wei,Haotian Zhang,Zhihao Qu

DOI: https://doi.org/10.1109/globecom48099.2022.10001486

2022-01-01

Abstract:Advanced persistent threat (APT) attacks have caused severe damage to many core information infrastructures. To tackle this issue, the graph-based methods have been proposed due to their ability for learning complex interaction patterns of network entities with discrete graph snapshots. However, such methods are challenged by the computer networking model characterized by a natural continuous-time dynamic heterogeneous graph. In this paper, we propose a heterogeneous graph neural network based APT detection method in smart grid clouds. Our model is an encoder-decoder structure. The encoder uses heterogeneous temporal memory and attention embedding modules to capture contextual information of interactions of network entities from the time and spatial dimensions respectively. We implement a prototype and conduct extensive experiments on real-world cyber-security datasets with more than 10 million records. Experimental results show that our method can achieve superior detection performance than state-of-the-art methods.

Cho Do Xuan,Nguyen Hoa Cuong

DOI: https://doi.org/10.1371/journal.pone.0305618

IF: 3.7

2024-06-25

PLoS ONE

Abstract:Advanced Persistent Threat (APT) attacks are causing a lot of damage to critical organizations and institutions. Therefore, early detection and warning of APT attack campaigns are very necessary today. In this paper, we propose a new approach for APT attack detection based on the combination of Feature Intelligent Extraction (FIE) and Representation Learning (RL) techniques. In particular, the proposed FIE technique is a combination of the Bidirectional Long Short-Term Memory (BiLSTM) deep learning network and the Attention network. The FIE combined model has the function of aggregating and extracting unusual behaviors of APT IPs in network traffic. The RL method proposed in this study aims to optimize classifying APT IPs and normal IPs based on two main techniques: rebalancing data and contrastive learning. Specifically, the rebalancing data method supports the training process by rebalancing the experimental dataset. And the contrastive learning method learns APT IP's important features based on finding and pulling similar features together as well as pushing contrasting data points away. The combination of FIE and RL (abbreviated as the FIERL model) is a novel proposal and innovation and has not been proposed and published by any research. The experimental results in the paper have proved that the proposed method in the paper is correct and reasonable when it has shown superior efficiency compared to some other studies and approaches over 5% on all measurements.

multidisciplinary sciences

Beibei Li,Yuhao Wu,Jiarui Song,Rongxing Lu,Tao Li,Liang Zhao

DOI: https://doi.org/10.1109/tii.2020.3023430

IF: 12.3

2021-08-01

IEEE Transactions on Industrial Informatics

Abstract:The rapid convergence of legacy industrial infrastructures with intelligent networking and computing technologies (e.g., 5G, software-defined networking, and artificial intelligence), have dramatically increased the attack surface of industrial cyber–physical systems (CPSs). However, withstanding cyber threats to such large-scale, complex, and heterogeneous industrial CPSs has been extremely challenging, due to the insufficiency of high-quality attack examples. In this article, we propose a novel federated deep learning scheme, named DeepFed, to detect cyber threats against industrial CPSs. Specifically, we first design a new deep learning-based intrusion detection model for industrial CPSs, by making use of a convolutional neural network and a gated recurrent unit. Second, we develop a federated learning framework, allowing multiple industrial CPSs to collectively build a comprehensive intrusion detection model in a privacy-preserving way. Further, a Paillier cryptosystem-based secure communication protocol is crafted to preserve the security and privacy of model parameters through the training process. Extensive experiments on a real industrial CPS dataset demonstrate the high effectiveness of the proposed DeepFed scheme in detecting various types of cyber threats to industrial CPSs and the superiorities over state-of-the-art schemes.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Syeda Aunanya Mahmud,Nazmul Islam,Zahidul Islam,Ziaur Rahman,Sk. Tanzir Mehedi

DOI: https://doi.org/10.3390/math12203194

IF: 2.4

2024-10-13

Mathematics

Abstract:The Internet of Things (IoT) has revolutionized various industries, but the increased dependence on all kinds of IoT devices and the sensitive nature of the data accumulated by them pose a formidable threat to privacy and security. While traditional IDSs have been effective in securing critical infrastructures, the centralized nature of these systems raises serious data privacy concerns as sensitive information is sent to a central server for analysis. This research paper introduces a Federated Learning (FL) approach designed for detecting intrusions in diverse IoT networks to address the issue of data privacy by ensuring that sensitive information is kept in the individual IoT devices during model training. Our framework utilizes the Federated Averaging (FedAvg) algorithm, which aggregates model weights from distributed devices to refine the global model iteratively. The proposed model manages to achieve above 90% accuracies across various metrics, including precision, recall, and F1 score, while maintaining low computational demands. The results show that the proposed system successfully identifies various types of cyberattacks, including Denial-of-Service (DoS), Distributed Denial-of-Service (DDoS), data injection, ransomware, and several others, showcasing its robustness. This research makes a great advancement to the IDSs by providing an efficient and reliable solution that is more scalable and privacy friendly than any of the existing models.

mathematics

Yue Li,Teng Zhang,Xue Li,Ting Li

DOI: https://doi.org/10.1007/978-981-13-6621-5_10

2019-01-01

Abstract:AbstractThe targets of Advanced Persistent Threat (APT) are mainly concentrate on national key information infrastructure, key research institutes, and large commercial companies, for the purpose of stealing sensitive information, trade secrets or destroying important infrastructure. Traditional protection system is difficult to detect the APT attack, due to the method of the APT attack is unknown and uncertain. And the persisted evolution ability destroyed the traditional protection methods based on feature detection. Therefore, this paper based on the theory of red-blue confrontation, to construct the game model of attack and defense. And then combined the APT offense and defense experience, presents a model based on cyber threat detection to deal with APT attacks.

Tran Duc Luong,Vuong Minh Tien,Nguyen Huu Quyen,Do Thi Thu Hien,Phan The Duy,Van-Hau Pham

2023-09-20

Abstract:The significant rise of security concerns in conventional centralized learning has promoted federated learning (FL) adoption in building intelligent applications without privacy breaches. In cybersecurity, the sensitive data along with the contextual information and high-quality labeling in each enterprise organization play an essential role in constructing high-performance machine learning (ML) models for detecting cyber threats. Nonetheless, the risks coming from poisoning internal adversaries against FL systems have raised discussions about designing robust anti-poisoning frameworks. Whereas defensive mechanisms in the past were based on outlier detection, recent approaches tend to be more concerned with latent space representation. In this paper, we investigate a novel robust aggregation method for FL, namely Fed-LSAE, which takes advantage of latent space representation via the penultimate layer and Autoencoder to exclude malicious clients from the training process. The experimental results on the CIC-ToN-IoT and N-BaIoT datasets confirm the feasibility of our defensive mechanism against cutting-edge poisoning attacks for developing a robust FL-based threat detector in the context of IoT. More specifically, the FL evaluation witnesses an upward trend of approximately 98% across all metrics when integrating with our Fed-LSAE defense.

Cryptography and Security

Tiantian Zhu,Jinkai Yu,Tieming Chen,Jiayu Wang,Jie Ying,Ye Tian,Mingqi Lv,Yan Chen,Yuan Fan,Ting Wang

DOI: https://doi.org/10.48550/arXiv.2112.09008

2021-12-17

Abstract:Advanced Persistent Threat (APT) attack usually refers to the form of long-term, covert and sustained attack on specific targets, with an adversary using advanced attack techniques to destroy the key facilities of an organization. APT attacks have caused serious security threats and massive financial loss worldwide. Academics and industry thereby have proposed a series of solutions to detect APT attacks, such as dynamic/static code analysis, traffic detection, sandbox technology, endpoint detection and response (EDR), etc. However, existing defenses are failed to accurately and effectively defend against the current APT attacks that exhibit strong persistent, stealthy, diverse and dynamic characteristics due to the weak data source integrity, large data processing overhead and poor real-time performance in the process of real-world scenarios. To overcome these difficulties, in this paper we propose APTSHIELD, a stable, efficient and real-time APT detection system for Linux hosts. In the aspect of data collection, audit is selected to stably collect kernel data of the operating system so as to carry out a complete portrait of the attack based on comprehensive analysis and comparison of existing logging tools; In the aspect of data processing, redundant semantics skipping and non-viable node pruning are adopted to reduce the amount of data, so as to reduce the overhead of the detection system; In the aspect of attack detection, an APT attack detection framework based on ATT\&CK model is designed to carry out real-time attack response and alarm through the transfer and aggregation of labels. Experimental results on both laboratory and Darpa Engagement show that our system can effectively detect web vulnerability attacks, file-less attacks and remote access trojan attacks, and has a low false positive rate, which adds far more value than the existing frontier work.

Cryptography and Security

Afnan A. Alharbi

DOI: https://doi.org/10.1007/s10207-023-00805-9

2024-01-10

International Journal of Information Security

Abstract:In the healthcare sector, cyberattack detection systems are crucial for ensuring the privacy of patient data and building trust in the increasingly connected world of medical devices and patient monitoring systems. In light of the increasing prevalence of Internet of Medical Things (IoMT) technologies, it is essential to establish an efficient intrusion detection system (IDS). IDSs are crucial for protecting patient data and ensuring medical device reliability. Federated learning (FL) has emerged as an effective technique for enhancing distributed cyberattack detection systems. By distributing the learning process across multiple IoMT gateways, FL-based IDS offers several benefits, such as improved detection accuracy, reduced network latency, and minimized data leakage. However, as client data may not exhibit a uniform independent and identically distributed (IID) pattern, the heterogeneity of data distribution poses a significant challenge in implementing FL-based IDS for IoMT applications. In this paper, we propose a collaborative learning framework for IDS in IoMT applications. Specifically, we introduce a Federated Transfer Learning (FTL) IDS that enables clients to obtain their personalized FL model while benefiting from the knowledge of other clients. Our methodology enables clients to obtain a personalized model that addresses the challenges posed by the heterogeneity of data distribution. The experimental results show that the proposed model achieves superior detection performance with 95–99% accuracy. Moreover, our model exhibits strong performance in identifying zero-day attacks.

computer science, information systems, theory & methods, software engineering

Feng Dong,Liu Wang,Xu Nie,Fei Shao,Haoyu Wang,Ding Li,Xiapu Luo,Xusheng Xiao

2023-01-01

Abstract:Building provenance graph that considers causal relationships among software behaviors can better provide contextual information of cyber attacks, especially for advanced attacks such as Advanced Persistent Threat (APT) attacks. Despite its promises in assisting attack investigation, existing approaches that use provenance graphs to perform attack detection suffer from two fundamental limitations. First, existing approaches adopt a centralized detection architecture that sends all system auditing logs to the server for processing, incurring intolerable costs of data transmission, data storage, and computation. Second, they adopt either rule-based techniques that cannot detect unknown threats, or anomaly-detection techniques that produce numerous false alarms, failing to achieve a balance of precision and recall in APT detection. To address these fundamental challenges, we propose DISTDET, a distributed detection system that detects APT attacks by (1) performing light weight detection based on the host model built in the client side, (2) filtering false alarms based on the semantics of the alarm proprieties, and (3) deriving global models to complement the local bias of the host models. Our experiments on a large-scale industrial environment (1,130 hosts, 14 days, similar to 1.6 billion events) and the DARPA TC dataset show that DISTDET is as effective as sate-of-the-art techniques in detecting attacks, while dramatically reducing network bandwidth from 11.28Mb/s to 17.08Kb/S (676.5x reduction), memory usages from 364MB to 5.523MB (66x reduction), and storage from 1.47GB to 130.34MB (11.6x reduction). By the time of this writing, DISTDET has been deployed to 50+ industry customers with 22,000+ hosts for more than 6 months, and identified over 900 real-world attacks.

Maryam Panahnejad,Meghdad Mirabi

DOI: https://doi.org/10.1007/s11227-021-04201-9

IF: 3.3

2022-01-12

The Journal of Supercomputing

Abstract:Advanced persistent threat attacks are considered as a serious risk to almost any infrastructure since attackers are constantly changing and evolving their advanced techniques and methods. It is difficult to use traditional defense for detecting the advanced persistent threat attacks and protect network information. The detection of advanced persistent threat attack is usually mixed with many other attacks. Therefore, it is necessary to have a solution that is safe from error and failure in detecting them. In this paper, an intelligent approach is proposed called “APT-Dt-KC” to analyze, identify, and prevent cyber-attacks using the cyber-kill chain model and matching its fuzzy characteristics with the advanced persistent threat attack. In APT-Dt-KC, Pearson correlation test is used to reduce the amount of processing data, and then, a hybrid intrusion detection method is proposed using Bayesian classification algorithm and fuzzy analytical hierarchy process. The experimental results show that APT-Dt-KC has a false positive rate and false negative rate 1.9% and 3.6% less than the existing approach, respectively. The accuracy and detection rate of APT-Dt-KC has reached 98% with an average improvement of 5% over the existing approach.

Yangyang Mei,Weihong Han,Shudong Li,Kaihan Lin,Zhihong Tian,Shumei Li

DOI: https://doi.org/10.1109/tits.2024.3360260

IF: 8.5

2024-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:The Internet now plays a pivotal role in the social and economic landspace, providing individuals and businesses with access to essential daily services and tasks. However, it has also become a breeding ground for conflicts. Advanced Persistent Threats (APTs) pose a formidable chanllenge when directed at organizations and governments, exposing the entire network to substantial security risks. Employing network fornesics for attributing cyber-attacks and acquiring timely, credible forensic results is a fundamental challenge in maintaining cyber security. This paper introduces a Deep Learning-based network forensics framework for digitally identifying and tracking network attacks, providing a comprehensive overview of the network forensics process. Specifically, we extract network traffic and employ encryption to ensure the integrity and security of data. Subsequently, we apply feature filtering techniques to retain essential traceability information, and Deep Learning model parameters are automatically optimized using hyperparameter optimization techniques. Lastly, we develop a Multi-Layer Perceptual Deep Neural Network (MLP DNN) model with perceptual capabilities for detecting anomalous events within the network. We evaluated the framework’s effectiveness using the UNSW-NB15 dataset. The experiments demonstrate that the proposed framework is applicable to APT attack forensics scenarios. In comparison to other AI methods, our framework excels in discovering and tracking network attack events with high performance.

engineering, electrical & electronic,transportation science & technology, civil

Huiling Li,Jun Wu,Hansong Xu,Gaolei Li,Mohsen Guizani

DOI: https://doi.org/10.1109/tdsc.2021.3130944

2021-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Advanced persistent threats (APT) have novel features such as long-term latency, precision strikes and uncertain strategies. APT poses severe threats to the resource-limited edge devices in advanced networks. Cyber threat intelligence (CTI) conducts data analysis on attack strategies by artificial intelligence (AI) and generates threat intelligence to optimize the detection model and guide defense strategies. However, AI lacks explanations for the decisions and thus reduces the transparency and performance of the detection model. Besides, the tradeoff between the detection accuracy and the computational resource limitation of edge devices needs an optimal and rapid dynamic resource allocation method, which edge game and AI can help. In this article, we propose an explainable intelligence-driven APT edge defense mechanism. The proposed mechanism provides guidelines and explanations for designing the defense strategy and resource allocation scheme of the edge defender to detect APT. The edge defense strategy model is based on edge Bayesian Stackelberg game and CTI. Meanwhile, we implement a DRL-based resource allocation scheme to meet rapid response requirements at the edges. We demonstrate that the proposed mechanism can improve the protection level of edges and defense capability against APT through extensive experiments.

computer science, information systems, software engineering, hardware & architecture