Hao Yue,Tong Li,Di Wu,Runzi Zhang,Zhen Yang

DOI: https://doi.org/10.1016/j.cose.2024.103748

IF: 5.105

2024-05-01

Computers & Security

Abstract:Advanced persistent threats (APTs) are a significant threat to network security as they can disintegrate the security fortress of enterprises. Recent studies have focused on detecting APT attacks by matching typical tactics, techniques, and procedures (TTPs) associated with APT attacks. However, the lack of positive APT samples affects the performance of existing approaches. To address this challenge, we propose a novel attack intent-driven and sequence-based learning approach (AISL) for APT detection. AISL integrates heterogeneous audit data and creates corresponding security tags based on attack intent. Specifically, we investigate various data sources of attack detection and establish a dedicated network event ontology. Based on this ontology, we construct a provenance graph that integrates audit data from heterogeneous sources. During the construction of the provenance graph, we identify and tag potential attack behaviors based on attack intent to increase the number of positive samples in the dataset. Finally, we train a tag-sequence-based semantic model for APT detection. We evaluated AISL through ten realistic APT attacks and achieved an average precision of 93.05%, recall of 98.12%, and F1-score of 95.36%, outperforming state-of-the-art approaches.

computer science, information systems

Abdulellah Alsaheel,Yuhong Nan,Shiqing Ma,Le Yu,Gregory Walkup,Z. Berkay Celik,Xiangyu Zhang,Dongyan Xu

2021-01-01

Abstract:Advanced Persistent Threats (APT) involve multiple attack steps over a long period, and their investigation requires analysis of myriad logs to identify their attack steps, which are a set of activities undertaken to run an APT attack. However, on a daily basis in an enterprise, intrusion detection systems generate many threat alerts of suspicious events (attack symptoms). Cyber analysts must investigate such events to determine whether an event is a part of an attack. With many alerts to investigate, cyber analysts often end up with alert fatigue, causing them to ignore a large number of alerts and miss true attack events. In this paper, we present ATLAS, a framework that constructs an end-to-end attack story from off-the-shelf audit logs. Our key observation is that different attacks may share similar abstract attack strategies, regardless of the vulnerabilities exploited and payloads executed. ATLAS leverages a novel combination of causality analysis, natural language processing, and machine learning techniques to build a sequence-based model, which establishes key patterns of attack and non-attack behaviors from a causal graph. At inference time, given a threat alert event, an attack symptom node in a causal graph is identified. ATLAS then constructs a set of candidate sequences associated with the symptom node, uses the sequence-based model to identify nodes in a sequence that contribute to the attack, and unifies the identified attack nodes to construct an attack story. We evaluated ATLAS with ten real-world APT attacks executed in a realistic virtual environment. ATLAS recovers attack steps and construct attack stories with an average of 91.06% precision, 97.29% recall, and 93.76% F1-score. Through this effort, we provide security investigators with a new means of identifying the attack events that make up the attack story.

Wang Li,Li Zhi-tang,Fan Jun

DOI: https://doi.org/10.1109/icct.2006.341980

2006-01-01

Abstract:Since security audit data increased so dramatically, management and analysis of these security data become a challenge issue. In our system SATA (security alerts and threat analysis), we proposed a new method of learning multi-stage attack strategies through attack sequence mining method to recognize attacker's high-level strategies and predicting upcoming attack intentions. We first apply an attack sequence mining algorithm to mine attack behavior sequence patterns from alarm database. We then correlate the attack behaviors matched with certain attack sequence pattern to identify potential attack intentions. Our technique is easy to implement and it can be used to detect novel multi-stage attack strategies. The primary experiments show that our approach is effective and practical.

Abdullah Said AL-Aamri,Rawad Abdulghafor,Sherzod Turaev,Imad Al-Shaikhli,Akram Zeki,Shuhaili Talib

DOI: https://doi.org/10.3390/su151813820

IF: 3.9

2023-09-17

Sustainability

Abstract:Nowadays, countries face a multitude of electronic threats that have permeated almost all business sectors, be it private corporations or public institutions. Among these threats, advanced persistent threats (APTs) stand out as a well-known example. APTs are highly sophisticated and stealthy computer network attacks meticulously designed to gain unauthorized access and persist undetected threats within targeted networks for extended periods. They represent a formidable cybersecurity challenge for governments, corporations, and individuals alike. Recognizing the gravity of APTs as one of the most critical cybersecurity threats, this study aims to reach a deeper understanding of their nature and propose a multi-stage framework for automated APT detection leveraging time series data. Unlike previous models, the proposed approach has the capability to detect real-time attacks based on stored attack scenarios. This study conducts an extensive review of existing research, identifying its strengths, weaknesses, and opportunities for improvement. Furthermore, standardized techniques have been enhanced to enhance their effectiveness in detecting APT attacks. The learning process relies on datasets sourced from various channels, including journal logs, traceability audits, and systems monitoring statistics. Subsequently, an efficient APT detection and prevention system, known as the composition-based decision tree (CDT), has been developed to operate in complex environments. The obtained results demonstrate that the proposed approach consistently outperforms existing algorithms in terms of detection accuracy and effectiveess.

environmental sciences,environmental studies,green & sustainable science & technology

Ruozhou LIANG,Yue GAO,Xibin ZHAO

DOI: https://doi.org/10.1360/ssi-2021-0252

2021-01-01

Scientia Sinica Informationis

Abstract:Advanced persistent threat (APT) in real scenes, especially in industrial scenes, is complex and long term, but the current methods cannot effectively extract the long term relationship in the attack. An attack detection method with provenance graphs, called SeqNet, is proposed. SeqNet uses sequence feature extraction to detect APT attacks. In SeqNet, the provenance graph sequence describing the running state of the system is transformed into the feature sequence first, and then the gate recurrent unit (GRU) model is used to extract the feature of the system. The encoder-decoder model with the local attention mechanism is used to train the GRU model. Finally, the K-means clustering method is used to model the normal behavior of the system. In this study, experiments are carried out on five public datasets, such as StreamSpot, wget, shellshock, ClearScope, and CADETS, compared with the state-of-the-art methods. The method used here achieves similar or improved results on all five datasets. Experimental results show that the proposed method can detect real-life APT scenarios.

Zitong Li,Jiale Chen,Jiale Zhang,Xiang Cheng,Bing Chen

DOI: https://doi.org/10.1007/978-981-15-9129-7_36

2020-01-01

Abstract:Advanced Persistent Threat (APT) is one of the most menacing and stealthy multiple-steps attacks in the context of information systems and IoT-related applications. Recently, with increasing losses to organizations caused by APT, its detection has attracted more attention in both academia and industry. However, conventional attack detection methods cannot be used to defense APT ideally for the following reasons: 1) misuse-based mechanisms require too much expert knowledge of APT attacks; 2) anomaly-based strategies lead to many false positives; 3) machine learning-based solutions lack training dataset that describes APT patterns. Thus, we propose a novel detection system in edge computing systems based on federated learning, named FLAPT, to detect APT attacks. The federated model can learn various APT attack patterns by maintaining a global model across multiple clients. The experimental results demonstrate that our proposed system can detect various attacks including real-life APT campaigns with high detection accuracy and low false alarm rate.

Wang Li,Li Zhi-tang,Lei Jie

DOI: https://doi.org/10.1109/INM.2007.374834

2007-01-01

Abstract:Huge volume of security data from different security devices can overwhelm security managers and keep them from performing effective analysis and initiating timely response. Therefore, it is important to develop an advanced alert correlation system that can reduce alert redundancy, intelligently correlate security alerts and detect attack strategies. In this paper, we proposed a new method of mining multi-stage attack behaviors pattern in order to recognize attacker's high-level strategies and predict upcoming attack intentions. We apply a reformative Apriori algorithm to mine frequent attack sequence patterns from history alert data. We use correlativity between two contextual elements in the attack sequence to correlate attack behaviors and identify potential attack intentions. The idea is easy to implement and it can be used to detect novel multi-stage attack strategies compared with other techniques. Experiments show that our approach can effectively learn high level attack strategies and can accordingly predict next possible attack behavior.

Zian Jia,Xiaosu Wang,Yun Xiong,Yao Zhang,JinJing Zhao

DOI: https://doi.org/10.1109/dsc55868.2022.00056

2022-01-01

Abstract:Advanced Persistent Threats (APT) are difficult to detect and defend due to their high variability and concealment. Current APT detection and investigation approaches suffer from two major problems. First, most recent models heavily rely on heuristic rules derived from a large amount of expensive prior knowledge, which in turn prevents the models from generalizing to new types of APT attacks. Second, the development of existing fully supervised models is limited by the scarcity of APT attack data. In this paper, we first construct the provenance graph by introducing logical entities to reduce the dependency on prior knowledge. Then we propose a novel self-supervised representation-learning based model, AISLE, for the investigation of the APT attack, which consists of a graph structure encoder (GSE) and an entity interaction pattern encoder (IPE). The GSE employs a graph attention auto-encoder to effectively compress the structural information of the graph; and the IPE employs a LSTM auto-encoder to extract the interaction patterns of entities from their interaction history. The two entity embeddings calculated respectively by the two auto-encoders are concatenated to form the final representation of the entity, which is evaluated by the attack investigation module to identify attack entities. Our model is evaluated on ten real-world APT attacks in a realistic virtual environment. The results show that our model can achieve superior generalization ability and consistently outperform the latest state-of-the-art APT attack investigation approaches.

CHEN Rui-dong,ZHANG Xiao-song,NIU Wei-na,LAN Hao-yue

DOI: https://doi.org/10.3969/j.issn.1001-0548.2019.06.011

2019-01-01

Abstract:Advanced persistent threat (APT) is a new kind of cyber-attack as a growth security events. This paper analysis more than 150 typical APT cases happened during last decade, and constructs the analytical model of APT attack, indicates 4 major problems of APT attack detection and countering: the fragile penetration protection problem, the low detection accuracy, the difficulty of determining the attack forensic, and the slow response to the unknown attack problem. In the meanwhile, this paper analyzes typical APT attacks in recent years, mines the association based on attacking tools. According to the experiments, there are similarity patterns between the tools used by the same organization. In summary, the integral APT defense scheme in this paper includes the latest achievements of four types of defense schemes, plays an academic supporting role in building a unified attack detection and traceability countermeasure platform.

Wei Qiao,Yebo Feng,Teng Li,Zijian Zhang,Zhengzi Xu,Zhuo Ma,Yulong Shen,JianFeng Ma,Yang Liu

2024-10-23

Abstract:Advanced Persistent Threats (APTs) represent sophisticated cyberattacks characterized by their ability to remain undetected within the victim system for extended periods, aiming to exfiltrate sensitive data or disrupt operations. Existing detection approaches often struggle to effectively identify these complex threats, construct the attack chain for defense facilitation, or resist adversarial attacks. To overcome these challenges, we propose Slot, an advanced APT detection approach based on provenance graphs and graph reinforcement learning. Slot excels in uncovering multi-level hidden relationships, such as causal, contextual, and indirect connections, among system behaviors through provenance graph mining. By pioneering the integration of graph reinforcement learning, Slot dynamically adapts to new user activities and evolving attack strategies, enhancing its resilience against adversarial attacks. Additionally, Slot automatically constructs the attack chain according to detected attacks with clustering algorithms, providing precise identification of attack paths and facilitating the development of defense strategies. Evaluations with real-world datasets demonstrate Slot's outstanding accuracy, efficiency, adaptability, and robustness in APT detection, with most metrics surpassing state-of-the-art methods. Additionally, case studies conducted to assess Slot's effectiveness in supporting APT defense further establish it as a practical and reliable tool for cybersecurity protection.

Cryptography and Security

Neeraj Saini,Vivekananda Bhat Kasaragod,Krishna Prakasha,Ashok Kumar Das

DOI: https://doi.org/10.1002/cpe.7865

2023-07-19

Concurrency and Computation: Practice and Experience

Abstract:Summary A persistent, targeted cyber attack is called an advanced persistent threat (APT) attack. The attack is mainly launched to gain sensitive information, take over the system, and for financial gain, which creates nowadays more hurdles and challenges for the organization in preventing, detecting, and recovering from such attacks. Due to the nature of APT attacks, it is difficult to detect them quickly. Therefore machine learning techniques come into these research areas. This study uses deep and machine learning models such as random forest, decision tree, convolutional neural network, multilayer perceptron and so forth to categorize and effectively detect APT attacks by utilizing publicly accessible datasets. The datasets used in this study are CSE‐CIC‐IDS2018, CIC‐IDS2017, NSL‐KDD, and UNSW‐NB15. This study proposes the hybrid ensemble machine learning model, a mixed approach of random forest and XGBoost classifiers. It has obtained the maximum prediction accuracy of 98.92%, 99.91%, 99.24%, and 97.11% for datasets CSE‐CIC‐IDS2018, CIC‐IDS2017, NSL‐KDD, and UNSW‐NB15, with a false positive rate of 0.52%, 0.12%, 0.62%, and 5.29% respectively. These results are compared to other closely related recent studies in the literature. Our experiment's findings show that our model has performed significantly better for all datasets.

computer science, theory & methods, software engineering

Cho Do Xuan,Nguyen Hoa Cuong

DOI: https://doi.org/10.1371/journal.pone.0305618

IF: 3.7

2024-06-25

PLoS ONE

Abstract:Advanced Persistent Threat (APT) attacks are causing a lot of damage to critical organizations and institutions. Therefore, early detection and warning of APT attack campaigns are very necessary today. In this paper, we propose a new approach for APT attack detection based on the combination of Feature Intelligent Extraction (FIE) and Representation Learning (RL) techniques. In particular, the proposed FIE technique is a combination of the Bidirectional Long Short-Term Memory (BiLSTM) deep learning network and the Attention network. The FIE combined model has the function of aggregating and extracting unusual behaviors of APT IPs in network traffic. The RL method proposed in this study aims to optimize classifying APT IPs and normal IPs based on two main techniques: rebalancing data and contrastive learning. Specifically, the rebalancing data method supports the training process by rebalancing the experimental dataset. And the contrastive learning method learns APT IP's important features based on finding and pulling similar features together as well as pushing contrasting data points away. The combination of FIE and RL (abbreviated as the FIERL model) is a novel proposal and innovation and has not been proposed and published by any research. The experimental results in the paper have proved that the proposed method in the paper is correct and reasonable when it has shown superior efficiency compared to some other studies and approaches over 5% on all measurements.

multidisciplinary sciences

Xiaoxiao Liu,Fan Xu,Nan Wang,Qinxin Zhao,Dalin Zhang,Xibin Zhao,Jiqiang Liu

2024-04-04

Abstract:Advanced Persistent Threat (APT) is challenging to detect due to prolonged duration, infrequent occurrence, and adept concealment techniques. Existing approaches primarily concentrate on the observable traits of attack behaviors, neglecting the intricate relationships formed throughout the persistent attack lifecycle. Thus, we present an innovative APT detection framework named LTRDetector, implementing an end-to-end holistic operation. LTRDetector employs an innovative graph embedding technique to retain comprehensive contextual information, then derives long-term features from these embedded provenance graphs. During the process, we compress the data of the system provenance graph for effective feature learning. Furthermore, in order to detect attacks conducted by using zero-day exploits, we captured the system's regular behavior and detects abnormal activities without relying on predefined attack signatures. We also conducted extensive evaluations using five prominent datasets, the efficacy evaluation of which underscores the superiority of LTRDetector compared to existing state-of-the-art techniques.

Cryptography and Security

Kai Xing,Aiping Li,Rong Jiang

DOI: https://doi.org/10.12783/dtetr/mcaee2020/35023

2020-01-01

DEStech Transactions on Engineering and Technology Research

Abstract:Cyberspace has been constantly threatened by attacks since its birth. With the development of high-tech and artificial intelligence, intelligent and efficient attack methods have emerged endlessly, and technological methods have been constantly renovated. In particular, Advanced Persistent Threat (APT) attacks are intensifying. How to effectively prevent this attack method has become the focus. With the advantages of machine learning, the thinking and technology of detection have made great progress. This article mainly discusses several innovative methods for detecting APT attacks based on machine learning, and looks forward to the future development direction.

Luoli Wang

DOI: https://doi.org/10.1088/1742-6596/2113/1/012037

2021-11-01

Journal of Physics: Conference Series

Abstract:Abstract Advanced Persistent Threats (APT) have caused severe damage to the core information infrastructure of many governments and organizations. APT attacks usually remain low and slow which makes them difficult to be detected. In this case, the way of correlatively analyzing massive logs generated by various security devices for effectively detecting the new type of cyber threat turns out to be more and more significant. In this paper, on the basis of analyzing the principles and characteristics of APT, we propose an intelligent threat detection method based on the expanded Cyber Attack Chain (CAC) model and the long short-term memory network (LSTM) autoencoder to extensively correlate malicious behaviors from spatial and temporal dimensions, which provides a brain new idea for the application and practice of complex network attack detection.

Jiazhong Lu,Xiaosong Zhang,Wang Junfeng,Ying Lingyun

DOI: https://doi.org/10.1109/ICITBS.2016.87

2016-01-01

Abstract:APT(Advanced persist threat) is an emerging attack on the Internet. Attackers may combine phishing emails, malware, social engineering and botnets to create a series of attacks in one APT attack which makes it quite difficult for detection. In this way, attackers can remotely control the infected host, or steal sensitive information. In this paper, we proposed a time transform features approach for distinguishing APT attacks based on the observation that malicious payload must be transferred to the target hosts in an APT attack. By comparing the normal traffic with the traffic containing a malicious payload, we are able to catch the signal of malicious payload and further infer the existence of APT attacks. Then we use machine learning methods to detect APT attacks in big data. To verify this approach, we placed a device on the gateway of our university for catching the real Internet traffic of the university for one month. Then we mixed the APT traffic with these flows, and see whether our approach can identify the malicious payloads. We found our approach is not only accurate but also efficient for catching APT attacks.

Yulu Qi,Rong Jiang,Aiping Li,Zhaoquan Gu,Yan Jia

DOI: https://doi.org/10.1007/978-3-030-71590-8_12

2021-01-01

Abstract:Information security is an important part of Internet security. As more and more industries rely on the Internet, it has become urgent to protect information security of these industries, spawned local area networks (LANs), intranets and so on. With the development of information sensor technology, the Internet of Things (IoT) that interconnects physical devices has emerged. As a unity of computing process and physical process, the Cyber-physical systems (CPS) is the next generation intelligent system which integrates computing, communication and controlling capabilities. CPS covers a wide range of applications and critical infrastructures, including intelligent transportation systems, telemedicine, smart grids, aerospace, and many other fields. The APT attacks are typically conducted directly against these critical infrastructures around the world, which would incur severe consequences. It is meaningful to protect these information by detecting the APT attacks timely and accurately, and effective defensive measures could be adopted. Although the APT attacks seem destructive, the attack process are complex and changeable. In essence, the attack process usually follows certain rules. In this chapter, we introduce a distributed framework for detecting the APT attacks. Cyber security knowledge graph stores existing knowledge and the attack rules, which plays an important role in analyzing the attacks. We first analyze potential attack events by the proposed distributed framework on Spark, then we mine the attack chains from massive data with the spatial and temporal characteristics. These steps could help identify complicated attacks. We also conduct extensive experiments, the results show that the analysis accuracy depends on the completeness of the cyber security knowledge graph and the precision of the detection results from security equipments. With the rational expectation about more exposure of attacks and faster upgrade of security equipments, it is sufficient and necessary to improve the cyber security knowledge graph constantly for better performance.KeywordsMDATAAPT attackCyberspace securityDistributed framework

Tao Yi,Xingshu Chen,Qindong Li,Yi Zhu

DOI: https://doi.org/10.1016/j.cose.2024.103809

IF: 5.105

2024-03-29

Computers & Security

Abstract:APT attacks have the characteristics of low frequency, stealth, and persistence. Achieving attack objectives and preventing trace-back often involve diverse tactics, various tools, and changing processes and patterns. Additionally, the goals of APT attacks are diverse. Apart from service disruptions or network outages, the main goals include remotely penetrating target hosts through the network to steal information, unauthorized encryption, and destructive wiping. Existing methods for characterizing attack features lack sufficient research on the communication methods and data transmission patterns used in attacks. In particular, due to the non-associated addresses, low frequency, fragmentation, and silent requirements of attacks, the features exhibited in a single session are increasingly minimal. Traditional approaches are no longer sufficient to address these challenges that relying solely on single-sample statistical features and "packet-sniffing" windowed traffic grouping detection methods. To tackle these issues, we propose a innovative approach to characterize network attack traffic based on Spatial Pyramid Pooling (SPP) by analyzing the attack communication methods and data transmission patters in the network session traffic of APT attacks with the remote information theft. Specifically, it employs derived feature attributes that integrate mean, total, and concentration characteristics to longitudinally extract multi-level spatiotemporal correlated behavioral features from aggregated multi-session sets. These features are then fused with single-session characteristics, ensuring that each session sample possesses both current traffic features and correlated properties of contextual session traffic. Additionally, this approach meets the requirements of fixed-length input for heterogeneous data in deep learning. Extensive experiments have been conducted to demonstrate that this method enhances the effective detection of APT attacks by deep learning models. Experiments results show that this approach exhibits superior timeliness, precision, and specificity when compared to Principal Component Analysis (PCA) artificial feature engineering methods and other methods based on fixed-length deep learning for raw data.

computer science, information systems

Jiazhong Lu,Kai Chen,Zhongliu Zhuo,XiaoSong Zhang

DOI: https://doi.org/10.1007/s10586-017-1256-y

2017-01-01

Cluster Computing

Abstract:Advanced persist threat (APT for short) is an emerging attack on the Internet. Such attack patterns leave their footprints spatio-temporally dispersed across many different type traffics in victim machines. However, existing traffic analysis systems typically target only a single type of traffic to discover evidence of an attack and therefore fail to exploit fundamental inter-traffic connections. The output of such single-traffic analysis can hardly detect the complete APT attack story for complex, multi-stage attacks. Additionally, some existing approaches require heavyweight system instrumentation, which makes them impractical to deploy in real production environments. To address these problems, we present an automated temporal correlation traffic detection system (ATCTDS). Inspired by anomaly traffic analytics research in big data network analysis, we model multi-type traffic analysis as a detection problem. Our evaluation with 36 well-known APT attack dataset demonstrates that our system can detect attack behaviors from a spectrum of cyber attacks that involve multiple types with high accuracy and low false positive rates.

Fan Shen,Zhiyuan Liu,Levi Perigo

DOI: https://doi.org/10.14569/ijacsa.2023.0140303

IF: 0.9

2023-01-01

International Journal of Advanced Computer Science and Applications

Abstract:Advanced Persistent Threats (APT) are a type of sophisticated multistage cyber attack, and the defense against APT is challenging. Existing studies apply signature-based or behavior-based methods to analyze monitoring data to detect APT, but little research has been dedicated to the important problem of addressing APT detection with limited resources. In order to maintain the primary functionality of a system, the resources allocated for security purposes, for example logging and examining the behavior of a system, are usually constrained. Therefore, when facing multiple simultaneous powerful cyber attacks like APT, the allocation of limited security resources becomes critical. The research in this paper focuses on the threat model where multiple simultaneous APT attacks exist in the defender's system, but the defender does not have sufficient monitoring resources to check every running process. To capture the footprint of multistage activities including APT attacks and benign activities, this work leverages the provenance graph which is constructed based on dependencies of processes. Furthermore, this work studies the monitoring strategy to efficiently detect APT attacks from incomplete information of paths on the provenance graph, by considering both the "exploitation" effect and the "exploration" effect. The contributions of this work are two-fold. First, it extends the classic UCB algorithm in the domain of the multi-armed bandit problem to solve cyber security problems, and proposes to use the malevolence value of a path, which is generated by a novel LSTM neural network as the exploitation term. Second, the consideration of "exploration" is innovative in the detection of APT attacks with limited monitoring resources. The experimental results show that the use of the LSTM neural network is beneficial to enforce the exploitation effect as it satisfies the same property as the exploitation term in the classic UCB algorithm and that by using the proposed monitoring strategy, multiple simultaneous APT attacks are detected more efficiently than using the random strategy and the greedy strategy, regarding the time needed to detect same number of APT attacks.