CHEN Rui-dong,ZHANG Xiao-song,NIU Wei-na,LAN Hao-yue

DOI: https://doi.org/10.3969/j.issn.1001-0548.2019.06.011

2019-01-01

Abstract:Advanced persistent threat (APT) is a new kind of cyber-attack as a growth security events. This paper analysis more than 150 typical APT cases happened during last decade, and constructs the analytical model of APT attack, indicates 4 major problems of APT attack detection and countering: the fragile penetration protection problem, the low detection accuracy, the difficulty of determining the attack forensic, and the slow response to the unknown attack problem. In the meanwhile, this paper analyzes typical APT attacks in recent years, mines the association based on attacking tools. According to the experiments, there are similarity patterns between the tools used by the same organization. In summary, the integral APT defense scheme in this paper includes the latest achievements of four types of defense schemes, plays an academic supporting role in building a unified attack detection and traceability countermeasure platform.

Bibhu Dash,Meraj Farheen Ansari,Pawankumar Sharma,Azad Ali

DOI: https://doi.org/10.5121/ijsea.2022.13502

2022-09-30

International Journal of Software Engineering & Applications

Abstract:Internet usage has increased quickly, particularly in the previous decade. With the widespread use of the internet, cybercrime is growing at an alarming rate in our daily lives. However, with the growth of artificial intelligence (AI), businesses are concentrating more on preventing cybercrime. AI is becoming an essential component of every business, affecting individuals worldwide. Cybercrime is one of the most prominent domains where AI has begun demonstrating valuable inputs. As a result, AI is being deployed as the first line of defense in most firms' systems. Because AI can detect new assaults faster than humans, it is the best alternative for constructing better protection against cybercrime. AI technologies also offer more significant potential in the development of such technology. This paper discusses recent cyber intrusions and how the AI-enabled industry is preparing to defend itself in the long run.

Yue Li,Teng Zhang,Xue Li,Ting Li

DOI: https://doi.org/10.1007/978-981-13-6621-5_10

2019-01-01

Abstract:AbstractThe targets of Advanced Persistent Threat (APT) are mainly concentrate on national key information infrastructure, key research institutes, and large commercial companies, for the purpose of stealing sensitive information, trade secrets or destroying important infrastructure. Traditional protection system is difficult to detect the APT attack, due to the method of the APT attack is unknown and uncertain. And the persisted evolution ability destroyed the traditional protection methods based on feature detection. Therefore, this paper based on the theory of red-blue confrontation, to construct the game model of attack and defense. And then combined the APT offense and defense experience, presents a model based on cyber threat detection to deal with APT attacks.

BinHui Tang,JunFeng Wang,Zhongkun Yu,Bohan Chen,Wenhan Ge,Jian Yu,TingTing Lu

DOI: https://doi.org/10.1016/j.compeleceng.2022.108261

2022-10-01

Abstract:With the boom in Internet and information technology, cyber-attacks are becoming more frequent and sophisticated, especially Advanced Persistent Threat (APT) attacks. Unlike traditional attacks, APT attacks are more targeted, stealthy, and adversarial, rendering it challenging to manually analyze threat behaviors for APT detection, attribution, and response. Therefore, the research community has focused on intelligent defense methods. Intelligent threat profiling is dedicated to analyzing APT attacks and improving defense capability with Knowledge Graph and Deep Learning methods. With this insight, this paper provides the first systematic review of intelligent threat profiling techniques for APT attacks, covering three aspects: data, methods, and applications. The contents include data processing techniques, threat modeling, representation, reasoning methods, etc. Furthermore, this paper summarizes the latest research in applications, proposes the research framework and technical architecture, and provides insights into future research trends. This paper contributes to recognizing the advantages and challenges of intelligent threat profiling. It paves the way for integrating knowledge graphs and deep learning to achieve intelligent security.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Daojing He,Sammy Chan,Yan Zhang,Chunming Wu,Bing Wang

DOI: https://doi.org/10.1109/mis.2013.105

IF: 6.744

2014-01-01

IEEE Intelligent Systems

Abstract:Attack-defense models play an important role in the design of cybersecurity systems. Here, the authors review some traditional and prevailing attack-defense models along with their weaknesses. Then, they survey some recently proposed paradigm shifts to these models based on which more effective security strategies can be designed. Further, they provide some suggestions on how to adopt the new models, and present challenges that need to be addressed in this field.

Yuqing Li,Wenkuan Dai,Jie Bai,Xiaoying Gan,Jingchao Wang,Xinbing Wang

DOI: https://doi.org/10.1109/TIFS.2018.2847671

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Combined with many different attack forms, advanced persistent threats (APTs) are becoming a major threat to cyber security. Existing security protection works typically either focus on one-shot case, or separate detection from response decisions. Such practices lead to tractable analysis, but miss key inherent APTs persistence and risk heterogeneity. To this end, we propose a Lyapunov-based secur...

Jichao Bi,Shibo He,Fengji Luo,Wenchao Meng,Luyue Ji,Da-Wen Huang

DOI: https://doi.org/10.1109/TII.2022.3231406

IF: 12.3

2023-01-01

IEEE Transactions on Industrial Informatics

Abstract:Industrial Internet of Things (IIoT) is vulnerable to advanced persistent threat (APT). In this article, we study a scenario in which APT is launched to attack IIoT devices. Considering the APTs lateral movement, a node-level state evolution model is established to calculate the probability of every device in an IIoT system to be compromised by APT. Based on this, a Stackelberg game model is proposed for the APT attacker and defender, which can accurately describe the gaming process. An effective computational approach is developed to obtain the potential Stackelberg equilibrium strategy pair of the game. Extensive case studies and comparison studies are conducted to validate the effectiveness of the proposed method.

Chenquan Gan,Jiabin Lin,Da-Wen Huang,Qingyi Zhu,Liang Tian

DOI: https://doi.org/10.3390/math11143115

IF: 2.4

2023-07-15

Mathematics

Abstract:The industrial internet of things (IIoT) is a key pillar of the intelligent society, integrating traditional industry with modern information technology to improve production efficiency and quality. However, the IIoT also faces serious challenges from advanced persistent threats (APTs), a stealthy and persistent method of attack that can cause enormous losses and damages. In this paper, we give the definition and development of APTs. Furthermore, we examine the types of APT attacks that each layer of the four-layer IIoT reference architecture may face and review existing defense techniques. Next, we use several models to model and analyze APT activities in IIoT to identify their inherent characteristics and patterns. Finally, based on a thorough discussion of IIoT security issues, we propose some open research topics and directions.

mathematics

Jie Chen,Dandan Wu,Ruiyun Xie,Wu, Dandan

DOI: https://doi.org/10.1631/FITEE.2200314

2023-08-30

Abstract:Three technical problems should be solved urgently in cyberspace security: the timeliness and accuracy of network attack detection, the credibility assessment and prediction of the security situation, and the effectiveness of security defense strategy optimization. Artificial intelligence (AI) algorithms have become the core means to increase the chance of security and improve the network attack and defense ability in the application of cyberspace security. Recently, the breakthrough and application of AI technology have provided a series of advanced approaches for further enhancing network defense ability. This work presents a comprehensive review of AI technology articles for cyberspace security applications, mainly from 2017 to 2022. The papers are selected from a variety of journals and conferences: 52.68% are from Elsevier, Springer, and IEEE journals and 25% are from international conferences. With a specific focus on the latest approaches in machine learning (ML), deep learning (DL), and some popular optimization algorithms, the characteristics of the algorithmic models, performance results, datasets, potential benefits, and limitations are analyzed, and some of the existing challenges are highlighted. This work is intended to provide technical guidance for researchers who would like to obtain the potential of AI technical methods for cyberspace security and to provide tips for the later resolution of specific cyberspace security issues, and a mastery of the current development trends of technology and application and hot issues in the field of network security. It also indicates certain existing challenges and gives directions for addressing them effectively.

engineering, electrical & electronic,computer science, information systems, software engineering

Cheng Lei,Hong-Qi Zhang,Jing-Lei Tan,Yu-Chen Zhang,Xiao-Hu Liu

DOI: https://doi.org/10.1155/2018/3759626

IF: 1.968

2018-07-22

Security and Communication Networks

Abstract:As an active defense technique to change asymmetry in cyberattack-defense confrontation, moving target defense research has become one of the hot spots. In order to gain better understanding of moving target defense, background knowledge and inspiration are expounded at first. Based on it, the concept of moving target defense is analyzed. Secondly, literature analysis method is adopted to explain the design principles and system architecture of moving target defense. In addition, some relevant key techniques are introduced from the aspects of strategy generation, shuffling implementation, and performance evaluation. After that, the applications of moving target defense in different network architectures are illustrated. Finally, existing problems and future trend in this field are elaborated so as to provide a basis for further study.

computer science, information systems,telecommunications

Tiantian Zhu,Jinkai Yu,Tieming Chen,Jiayu Wang,Jie Ying,Ye Tian,Mingqi Lv,Yan Chen,Yuan Fan,Ting Wang

DOI: https://doi.org/10.48550/arXiv.2112.09008

2021-12-17

Abstract:Advanced Persistent Threat (APT) attack usually refers to the form of long-term, covert and sustained attack on specific targets, with an adversary using advanced attack techniques to destroy the key facilities of an organization. APT attacks have caused serious security threats and massive financial loss worldwide. Academics and industry thereby have proposed a series of solutions to detect APT attacks, such as dynamic/static code analysis, traffic detection, sandbox technology, endpoint detection and response (EDR), etc. However, existing defenses are failed to accurately and effectively defend against the current APT attacks that exhibit strong persistent, stealthy, diverse and dynamic characteristics due to the weak data source integrity, large data processing overhead and poor real-time performance in the process of real-world scenarios. To overcome these difficulties, in this paper we propose APTSHIELD, a stable, efficient and real-time APT detection system for Linux hosts. In the aspect of data collection, audit is selected to stably collect kernel data of the operating system so as to carry out a complete portrait of the attack based on comprehensive analysis and comparison of existing logging tools; In the aspect of data processing, redundant semantics skipping and non-viable node pruning are adopted to reduce the amount of data, so as to reduce the overhead of the detection system; In the aspect of attack detection, an APT attack detection framework based on ATT\&CK model is designed to carry out real-time attack response and alarm through the transfer and aggregation of labels. Experimental results on both laboratory and Darpa Engagement show that our system can effectively detect web vulnerability attacks, file-less attacks and remote access trojan attacks, and has a low false positive rate, which adds far more value than the existing frontier work.

Cryptography and Security

Yu Zheng,Zheng Li,Xiaolong Xu,Qingzhan Zhao

DOI: https://doi.org/10.1016/j.dcan.2021.07.006

IF: 6.348

2021-07-01

Digital Communications and Networks

Abstract:Driven by the rapid development of the Internet of Things, cloud computing and other emerging technologies, the connotation of cyber space is constantly expanding and becoming the fifth dimension of human activities. However, security problems in cyber space are becoming serious, and traditional defense measures (e.g., firewall, intrusion detection systems and security audit) often fall into a passive situation of being prone to attacks and difficult to take effect when responding to new types of network attacks with higher and higher degree of coordination and intelligence. By constructing and implementing the diverse strategy of dynamic transformation, the configuration characteristics of systems are constantly changing and the probability of vulnerability exposure is increasing. Therefore, the difficulty and cost of attack are increasing, which provides new ideas for reversing the asymmetric situation of defense and attack in cyber space. Nonetheless, there are few related works that systematically introduce dynamic defense mechanisms for cyber security. The related concepts and development strategies of dynamic defense are rarely analyzed and summarized. To bridge this gap, we conduct a comprehensive and concrete survey of recent research efforts on dynamic defense in cyber security. Specifically, we firstly introduce basic concepts and define dynamic defense in cyber security. Next, we review the architectures, enabling techniques and methods for moving target defense and mimic defense. This is followed with taxonomically summarizing the implementation and evaluation of dynamic defense. Finally, we discuss some open challenges and opportunities on dynamic defense in cyber security.

Thulfiqar Jabar,Manmeet Mahinderjit Singh

DOI: https://doi.org/10.3390/s22134662

2022-06-21

Abstract:During the last several years, the Internet of Things (IoT), fog computing, computer security, and cyber-attacks have all grown rapidly on a large scale. Examples of IoT include mobile devices such as tablets and smartphones. Attacks can take place that impact the confidentiality, integrity, and availability (CIA) of the information. One attack that occurs is Advanced Persistent Threat (APT). Attackers can manipulate a device's behavior, applications, and services. Such manipulations lead to signification of a deviation from a known behavioral baseline for smartphones. In this study, the authors present a Systematic Literature Review (SLR) to provide a survey of the existing literature on APT defense mechanisms, find research gaps, and recommend future directions. The scope of this SLR covers a detailed analysis of most cybersecurity defense mechanisms and cutting-edge solutions. In this research, 112 papers published from 2011 until 2022 were analyzed. This review has explored different approaches used in cybersecurity and their effectiveness in defending against APT attacks. In a conclusion, we recommended a Situational Awareness (SA) model known as Observe-Orient-Decide-Act (OODA) to provide a comprehensive solution to monitor the device's behavior for APT mitigation.

Zhiyan Chen,Jinxin Liu,Yu Shen,Murat Simsek,Burak Kantarci,Hussein T. Mouftah,Petar Djukic

DOI: https://doi.org/10.1145/3530812

2022-04-17

Abstract:Despite its technological benefits, Internet of Things (IoT) has cyber weaknesses due to the vulnerabilities in the wireless medium. Machine learning (ML)-based methods are widely used against cyber threats in IoT networks with promising performance. Advanced persistent threat (APT) is prominent for cybercriminals to compromise networks, and it is crucial to long-term and harmful characteristics. However, it is difficult to apply ML-based approaches to identify APT attacks to obtain a promising detection performance due to an extremely small percentage among normal traffic. There are limited surveys to fully investigate APT attacks in IoT networks due to the lack of public datasets with all types of APT attacks. It is worth to bridge the state-of-the-art in network attack detection with APT attack detection in a comprehensive review article. This survey article reviews the security challenges in IoT networks and presents the well-known attacks, APT attacks, and threat models in IoT systems. Meanwhile, signature-based, anomaly-based, and hybrid intrusion detection systems are summarized for IoT networks. The article highlights statistical insights regarding frequently applied ML-based methods against network intrusion alongside the number of attacks types detected. Finally, open issues and challenges for common network intrusion and APT attacks are presented for future research.

Cryptography and Security,Machine Learning,Networking and Internet Architecture

Yuchong Li,Qinghui Liu

DOI: https://doi.org/10.1016/j.egyr.2021.08.126

IF: 5.2

2021-11-01

Energy Reports

Abstract:At present, most of the economic, commercial, cultural, social and governmental activities and interactions of countries, at all levels, including individuals, non-governmental organizations and government and governmental institutions, are carried out in cyberspace. Recently, many private companies and government organizations around the world are facing the problem of cyber-attacks and the danger of wireless communication technologies. Today’s world is highly dependent on electronic technology, and protecting this data from cyber-attacks is a challenging issue. The purpose of cyber-attacks is to harm companies financially. In some other cases, cyber-attacks can have military or political purposes. Some of these damages are: PC viruses, knowledge breaks, data distribution service (DDS) and other assault vectors. To this end, various organizations use various solutions to prevent damage caused by cyber-attacks. Cyber security follows real-time information on the latest IT data. So far, various methods had been proposed by researchers around the world to prevent cyber-attacks or reduce the damage caused by them. Some of the methods are in the operational phase and others are in the study phase. The aim of this study is to survey and comprehensively review the standard advances presented in the field of cyber security and to investigate the challenges, weaknesses and strengths of the proposed methods. Different types of new descendant attacks are considered in details. Standard security frameworks are discussed with the history and early-generation cyber-security methods. In addition, emerging trends and recent developments of cyber security and security threats and challenges are presented. It is expected that the comprehensive review study presented for IT and cyber security researchers will be useful.

energy & fuels

Shilin Qiu,Qihe Liu,Shijie Zhou,Chunjiang Wu

DOI: https://doi.org/10.3390/app9050909

2019-03-04

Applied Sciences

Abstract:In recent years, artificial intelligence technologies have been widely used in computer vision, natural language processing, automatic driving, and other fields. However, artificial intelligence systems are vulnerable to adversarial attacks, which limit the applications of artificial intelligence (AI) technologies in key security fields. Therefore, improving the robustness of AI systems against adversarial attacks has played an increasingly important role in the further development of AI. This paper aims to comprehensively summarize the latest research progress on adversarial attack and defense technologies in deep learning. According to the target model’s different stages where the adversarial attack occurred, this paper expounds the adversarial attack methods in the training stage and testing stage respectively. Then, we sort out the applications of adversarial attack technologies in computer vision, natural language processing, cyberspace security, and the physical world. Finally, we describe the existing adversarial defense methods respectively in three main categories, i.e., modifying data, modifying models and using auxiliary tools.

English Else

Duraid Thamer Salim,Manmeet Mahinderjit Singh,Pantea Keikhosrokiani

DOI: https://doi.org/10.1016/j.heliyon.2023.e17156

IF: 3.776

2023-06-16

Heliyon

Abstract:Advancements in computing technology and the growing number of devices (e.g., computers, mobile) connected to networks have contributed to an increase in the amount of data transmitted between devices. These data are exposed to various types of cyberattacks, one of which is advanced persistent threats (APTs). APTs are stealthy and focus on sophisticated, specific targets. One reason for the detection failure of APTs is the nature of the attack pattern, which changes rapidly based on advancements in hacking. The need for future researchers to understand the gap in the literature regarding APT detection and to explore improved detection techniques has become crucial. Thus, this systematic literature review (SLR) examines the different approaches used to detect APT attacks directed at the network system in terms of approach and assessment metrics. The SLR includes papers on computer, mobile, and internet of things (IoT) technologies. We performed an SLR by searching six leading scientific databases to identify 75 studies that were published from 2012 to 2022. The findings from the SLR are discussed in terms of the literature's research gaps, and the study provides essential recommendations for designing a model for early APT detection. We propose a conceptual model known as the Effective Cyber Situational Awareness Model to Detect and Predict Mobile APTs (ECSA-tDP-MAPT), designed to effectively detect and predict APT attacks on mobile network traffic.

Lu-Xing Yang,Kaifan Huang,Xiaofan Yang,Yushu Zhang,Yong Xiang,Yuan Yan Tang

DOI: https://doi.org/10.1109/tnse.2020.3040247

IF: 6.6

2021-07-01

IEEE Transactions on Network Science and Engineering

Abstract:Advanced persistent threat (APT) as a generic highly sophisticated cyber attack poses a severe threat to organizational data security. Since the conventional detection and repair (DAR)-based APT defense mechanism has several conspicuous drawbacks, it is imperative to develop a more effective and efficient APT defense mechanism. Based on the data backup and recovery (DBAR) techniques developed in the field of disaster recovery, we propose a novel APT defense mechanism referred to as DBAR-based APT defense mechanism, which can overcome the main drawbacks of the DAR-based APT defense mechanism and is expected to be implementable efficiently in the software-defined networking (SDN) paradigm. Under the new mechanism, we study the problem of finding a cost-effective DBAR strategy. Based on a novel dynamic model characterizing the evolution of the expected security status of the organizational network, we reduce the problem to a differential game-theoretic problem, which is aimed to seek a cost-effective DBAR strategy in terms of the Nash equilibrium solution concept. Next, we derive the optimality system of the problem. Extensive comparative experiments show that the DBAR strategy obtained from the optimality system is cost-effective in the sense of Nash equilibrium solution concept.

engineering, multidisciplinary,mathematics, interdisciplinary applications

Xiang Cheng,Jiale Zhang,Bing Chen

DOI: https://doi.org/10.3390/s19184045

IF: 3.9

2019-01-01

Sensors

Abstract:With the emergence of the Advanced Persistent Threat (APT) attacks, many Internet of Things (IoT) systems have faced large numbers of potential threats with the characteristics of concealment, permeability, and pertinence. However, existing methods and technologies cannot provide comprehensive and prompt recognition of latent APT attack activities in the IoT systems. To address this problem, we propose an APT Alerts and Logs Correlation Method, named APTALCM and a framework of deploying APTALCM on the IoT system, where an edge computing architecture was used to achieve cyber situation comprehension without too much data transmission cost. Specifically, we firstly present a cyber situation ontology for modeling the concepts and properties to formalize APT attack activities in the IoT systems. Then, we introduce a cyber situation instance similarity measurement method based on the SimRank mechanism for APT alerts and logs Correlation. Combining with instance similarity, we further propose an APT alert instances correlation method to reconstruct APT attack scenarios and an APT log instances correlation method to detect log instance communities. Through the coalescence of these methods, APTALCM can accomplish the cyber situation comprehension effectively by recognizing the APT attack intentions in the IoT systems. The exhaustive experimental results demonstrate that the two kernel modules, i.e., Alert Instance Correlation Module (AICM) and Log Instance Correlation Module (LICM) in our APTALCM, can achieve both high true-positive rate and low false-positive rate.

Jiangxing Wu

DOI: https://doi.org/10.1007/978-3-030-29844-9_3

2020-01-01

Abstract:From the perspective of technology, the current cyberspace defense methods fall into three categories: the first category focuses on the protection of information by strengthening the system with such technologies as firewall, encryption and decryption, data authentication, and access control. They offer basic protection for normal network access, legitimate user identification and rights management, and the security of confidential data. The second category includes mainly intrusion detection and other technologies, such as vulnerability detection, data authentication, traffic analysis, and log auditing. They aim to perceive attacks in real time and initiate immediate defenses according to the known features of an attack. This category relies on dynamic monitoring and alarm system enabled by feature scanning, pattern matching, data comprehensive analysis, and other methods to block or eliminate threats. The third category is network spoofing, represented by honeypot and honeynet. Their basic approach is, before any attack is performed, to actively construct special preset monitoring and sensing environments, serving as “traps,” to lure potential attackers to enter for the purpose of carrying out analysis of possible attack moves and gathering information necessary for cracking down on, tracing back, or countering the attacks.