WANG Zhiwei,HE Xijie,YI Xin,LI Ziyang,CAO Xudong,YIN Tao,LI Shuhao,FU Anmin,ZHANG Yuqing

DOI: https://doi.org/10.11959/j.issn.1000-436x.2024128

2024-01-01

Abstract:The advanced persistent threat (APT) attack was explored from two perspectives: attack methods and detection methods. First, the definitions and characteristics of APT attacks were reviewed and the development of related attack models was summarized. Based on this, a more general APT full lifecycle model was proposed, which was divided into four stages: information gathering, intrusion execution, internal network penetration, and data exfiltration. For each stage, recent research papers from the past five years were thoroughly reviewed, and the attack and detection techniques for each stage were analyzed. Finally, in light of the dynamic landscape of APT attack and defense technologies, the paper underscores the formidable challenges confronting both offense and defense and offers guidance for future research in this domain.

CHEN Rui-dong,ZHANG Xiao-song,NIU Wei-na,LAN Hao-yue

DOI: https://doi.org/10.3969/j.issn.1001-0548.2019.06.011

2019-01-01

Abstract:Advanced persistent threat (APT) is a new kind of cyber-attack as a growth security events. This paper analysis more than 150 typical APT cases happened during last decade, and constructs the analytical model of APT attack, indicates 4 major problems of APT attack detection and countering: the fragile penetration protection problem, the low detection accuracy, the difficulty of determining the attack forensic, and the slow response to the unknown attack problem. In the meanwhile, this paper analyzes typical APT attacks in recent years, mines the association based on attacking tools. According to the experiments, there are similarity patterns between the tools used by the same organization. In summary, the integral APT defense scheme in this paper includes the latest achievements of four types of defense schemes, plays an academic supporting role in building a unified attack detection and traceability countermeasure platform.

Hao Yan,Qianzhen Zhang,Junjie Xie,Ziyue Lu,Sheng Chen,Deke Guo

DOI: https://doi.org/10.1109/ICPADS53394.2021.00062

2021-01-01

Abstract:The advanced persistent threat (APT) is a stealthy cyber attack perpetrated by a group that gains unauthorized access to a computer network and remains undiscovered to steal specific data and resources. Fast detection and defense of APT attacks are critical tasks in cyber security. Previous works use simple feature extraction and classification methods to distinguish APT information flow from the ...

Yuqing Li,Wenkuan Dai,Jie Bai,Xiaoying Gan,Jingchao Wang,Xinbing Wang

DOI: https://doi.org/10.1109/TIFS.2018.2847671

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Combined with many different attack forms, advanced persistent threats (APTs) are becoming a major threat to cyber security. Existing security protection works typically either focus on one-shot case, or separate detection from response decisions. Such practices lead to tractable analysis, but miss key inherent APTs persistence and risk heterogeneity. To this end, we propose a Lyapunov-based secur...

BinHui Tang,JunFeng Wang,Zhongkun Yu,Bohan Chen,Wenhan Ge,Jian Yu,TingTing Lu

DOI: https://doi.org/10.1016/j.compeleceng.2022.108261

2022-10-01

Abstract:With the boom in Internet and information technology, cyber-attacks are becoming more frequent and sophisticated, especially Advanced Persistent Threat (APT) attacks. Unlike traditional attacks, APT attacks are more targeted, stealthy, and adversarial, rendering it challenging to manually analyze threat behaviors for APT detection, attribution, and response. Therefore, the research community has focused on intelligent defense methods. Intelligent threat profiling is dedicated to analyzing APT attacks and improving defense capability with Knowledge Graph and Deep Learning methods. With this insight, this paper provides the first systematic review of intelligent threat profiling techniques for APT attacks, covering three aspects: data, methods, and applications. The contents include data processing techniques, threat modeling, representation, reasoning methods, etc. Furthermore, this paper summarizes the latest research in applications, proposes the research framework and technical architecture, and provides insights into future research trends. This paper contributes to recognizing the advantages and challenges of intelligent threat profiling. It paves the way for integrating knowledge graphs and deep learning to achieve intelligent security.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Tiantian Zhu,Jinkai Yu,Tieming Chen,Jiayu Wang,Jie Ying,Ye Tian,Mingqi Lv,Yan Chen,Yuan Fan,Ting Wang

DOI: https://doi.org/10.48550/arXiv.2112.09008

2021-12-17

Abstract:Advanced Persistent Threat (APT) attack usually refers to the form of long-term, covert and sustained attack on specific targets, with an adversary using advanced attack techniques to destroy the key facilities of an organization. APT attacks have caused serious security threats and massive financial loss worldwide. Academics and industry thereby have proposed a series of solutions to detect APT attacks, such as dynamic/static code analysis, traffic detection, sandbox technology, endpoint detection and response (EDR), etc. However, existing defenses are failed to accurately and effectively defend against the current APT attacks that exhibit strong persistent, stealthy, diverse and dynamic characteristics due to the weak data source integrity, large data processing overhead and poor real-time performance in the process of real-world scenarios. To overcome these difficulties, in this paper we propose APTSHIELD, a stable, efficient and real-time APT detection system for Linux hosts. In the aspect of data collection, audit is selected to stably collect kernel data of the operating system so as to carry out a complete portrait of the attack based on comprehensive analysis and comparison of existing logging tools; In the aspect of data processing, redundant semantics skipping and non-viable node pruning are adopted to reduce the amount of data, so as to reduce the overhead of the detection system; In the aspect of attack detection, an APT attack detection framework based on ATT\&CK model is designed to carry out real-time attack response and alarm through the transfer and aggregation of labels. Experimental results on both laboratory and Darpa Engagement show that our system can effectively detect web vulnerability attacks, file-less attacks and remote access trojan attacks, and has a low false positive rate, which adds far more value than the existing frontier work.

Cryptography and Security

Yuan Wang,Yongjun Wang,Jing Liu,Zhijian Huang

DOI: https://doi.org/10.1109/3PGCIC.2014.41

2014-01-01

Abstract:Advanced Persistent Threat (APT) poses a serious threat to cyber security, and its unique high unpredictability, deep concealment and grave harmfulness make the traditional network monitoring technology facing unprecedented challenges in the background of massive and complicated network traffic. This paper aimed for the urgent demand of APT network monitoring. Relying on the rapid development of big data analysis and cloud computing technology, to draw lessons from biology gene concept, we put forward a new connotation of the network gene to depict the semantic-rich behavior characteristics pattern of network applications. Through the organic combination of network protocol reverse analysis and the network data stream processing technology, we established a set of basic theories and technical architecture of network gene construction and calculation, forming a new detection framework for APTs to support the construction of intrusion-tolerant network ecological environment.

Kai Xing,Aiping Li,Rong Jiang

DOI: https://doi.org/10.12783/dtetr/mcaee2020/35023

2020-01-01

DEStech Transactions on Engineering and Technology Research

Abstract:Cyberspace has been constantly threatened by attacks since its birth. With the development of high-tech and artificial intelligence, intelligent and efficient attack methods have emerged endlessly, and technological methods have been constantly renovated. In particular, Advanced Persistent Threat (APT) attacks are intensifying. How to effectively prevent this attack method has become the focus. With the advantages of machine learning, the thinking and technology of detection have made great progress. This article mainly discusses several innovative methods for detecting APT attacks based on machine learning, and looks forward to the future development direction.

Yuntao Wang,Han Liu,Zhendong Li,Zhou Su,Jiliang Li

DOI: https://doi.org/10.1109/MNET.2024.3389734

2024-04-12

Abstract:The rise of advanced persistent threats (APTs) has marked a significant cybersecurity challenge, characterized by sophisticated orchestration, stealthy execution, extended persistence, and targeting valuable assets across diverse sectors. Provenance graph-based kernel-level auditing has emerged as a promising approach to enhance visibility and traceability within intricate network environments. However, it still faces challenges including reconstructing complex lateral attack chains, detecting dynamic evasion behaviors, and defending smart adversarial subgraphs. To bridge the research gap, this paper proposes an efficient and robust APT defense scheme leveraging provenance graphs, including a network-level distributed audit model for cost-effective lateral attack reconstruction, a trust-oriented APT evasion behavior detection strategy, and a hidden Markov model based adversarial subgraph defense approach. Through prototype implementation and extensive experiments, we validate the effectiveness of our system. Lastly, crucial open research directions are outlined in this emerging field.

Cryptography and Security

Nur Ilzam Che Mat,Norziana Jamil,Yunus Yusoff,Laiha Mat Kiah,Nur Ilzam Che Mat,Miss Laiha Mat Kiah

DOI: https://doi.org/10.1093/cybsec/tyad023

2024-01-01

Journal of Cyber Security

Abstract:Abstract Advanced persistent threats (APTs) pose significant security-related challenges to organizations owing to their sophisticated and persistent nature, and are inimical to the confidentiality, integrity, and availability of organizational information and services. This study systematically reviews the literature on methods of detecting APTs by comprehensively surveying research in the area, identifying gaps in the relevant studies, and proposing directions for future work. The authors provide a detailed analysis of current methods of APT detection that are based on multi-stage attack-related behaviors. We adhered to the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) guidelines and conducted an extensive search of a variety of databases. A total of 45 studies, encompassing sources from both academia and the industry, were considered in the final analysis. The findings reveal that APTs have the capability to laterally propagate and achieve their objectives by identifying and exploiting existing systemic vulnerabilities. By identifying shortcomings in prevalent methods of APT detection, we propose integrating the multi-stage attack-related behaviors of APTs with the assessment of the presence of vulnerabilities in the network and their susceptibility to being exploited in order to improve the accuracy of their identification. Such an improved approach uses vulnerability scores and probability metrics to determine the probable sequence of targeted nodes, and visualizes the path of APT attacks. This technique of advanced detection enables the early identification of the most likely targets, which, in turn, allows for the implementation of proactive measures to prevent the network from being further compromised. The research here contributes to the literature by highlighting the importance of integrating multi-stage attack-related behaviors, vulnerability assessment, and techniques of visualization for APT detection to enhance the overall security of organizations.

Kai Xing,Aiping Li,Rong Jiang,Yan Jia

DOI: https://doi.org/10.1109/dsc50466.2020.00018

2020-01-01

Abstract:Cyberspace has been threatened by attacks ever since its birth. With the development of the Internet and artificial intelligence, forms of cyberattacks are emerging in endlessly, and technical means are constantly being renovated. In particular, advanced persistent threats are intensifying. How to effectively prevent this type of attack has become the focus, and attack detection and defense technology has made great progress. This article mainly discusses the research progress of APT attack detection and defense strategies at home and abroad, and focuses on the practice of using machine learning to perform attack detection while elaborating on traditional attack detection methods. Defense strategy is about how to use game theory to find the best defense strategy in limited resources, dynamic information flow tracking and cloud platform.

Pengdeng Li,Xiaofan Yang,Qingyu Xiong,Junhao Wen,Yuan Yan Tang

DOI: https://doi.org/10.1155/2018/2975376

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:The new cyberattack pattern of advanced persistent threat (APT) has posed a serious threat to modern society. This paper addresses the APT defense problem, that is, the problem of how to effectively defend against an APT campaign. Based on a novel APT attack-defense model, the effectiveness of an APT defense strategy is quantified. Thereby, the APT defense problem is modeled as an optimal control problem, in which an optimal control stands for a most effective APT defense strategy. The existence of an optimal control is proved, and an optimality system is derived. Consequently, an optimal control can be figured out by solving the optimality system. Some examples of the optimal control are given. Finally, the influence of some factors on the effectiveness of an optimal control is examined through computer experiments. These findings help organizations to work out policies of defending against APTs.

Aaron Zimba,Hongsong Chen,Zhaoshun Wang,Mumbi Chishimba

DOI: https://doi.org/10.1016/j.future.2020.01.032

IF: 7.307

2020-01-01

Future Generation Computer Systems

Abstract:Advanced Persistent Threats (APT) present the most sophisticated types of attacks to modern networks which have proved to be very challenging to address. Using sophisticated attack techniques, attackers remotely control infected machines and exfiltrate sensitive information from organizations and governments. Security products deployed by enterprise networks based on traditional defenses often fail at detecting APT infections because of the dynamic nature of the APT attack process. To overcome the current limitations of attack network dynamics faced in APT studies, an innovative APT attack detection model based on a semi-supervised learning approach and complex networks characteristics is proposed in this paper. The entire targeted network is modeled as a small-world network and the evolving APT-Attack Network (APT-AN) as a scale-free network. Finite state machines are employed to model the state transitions of the nodes in the time domain in order to characterize the state changes during the APT attack process. The effectiveness of the model is demonstrated by applying it to real-world data from a large-scale enterprise network consisting of 17,684 hosts from the Los Alamos security lab. The proposed approach analyzes efficiently the large-scale dataset to reveal APT attack characteristics between the command and control center and the victim hosts. The final result is a ranked list of suspicious hosts participating in APT attack activities. The average detection precision of three APT stage is 90.5% in our proposed APT detection framework. The results show that the model can effectively detect the suspicious hosts at different stages of the APT attack process.

Yulu Qi,Rong Jiang,Aiping Li,Zhaoquan Gu,Yan Jia

DOI: https://doi.org/10.1007/978-3-030-71590-8_12

2021-01-01

Abstract:Information security is an important part of Internet security. As more and more industries rely on the Internet, it has become urgent to protect information security of these industries, spawned local area networks (LANs), intranets and so on. With the development of information sensor technology, the Internet of Things (IoT) that interconnects physical devices has emerged. As a unity of computing process and physical process, the Cyber-physical systems (CPS) is the next generation intelligent system which integrates computing, communication and controlling capabilities. CPS covers a wide range of applications and critical infrastructures, including intelligent transportation systems, telemedicine, smart grids, aerospace, and many other fields. The APT attacks are typically conducted directly against these critical infrastructures around the world, which would incur severe consequences. It is meaningful to protect these information by detecting the APT attacks timely and accurately, and effective defensive measures could be adopted. Although the APT attacks seem destructive, the attack process are complex and changeable. In essence, the attack process usually follows certain rules. In this chapter, we introduce a distributed framework for detecting the APT attacks. Cyber security knowledge graph stores existing knowledge and the attack rules, which plays an important role in analyzing the attacks. We first analyze potential attack events by the proposed distributed framework on Spark, then we mine the attack chains from massive data with the spatial and temporal characteristics. These steps could help identify complicated attacks. We also conduct extensive experiments, the results show that the analysis accuracy depends on the completeness of the cyber security knowledge graph and the precision of the detection results from security equipments. With the rational expectation about more exposure of attacks and faster upgrade of security equipments, it is sufficient and necessary to improve the cyber security knowledge graph constantly for better performance.KeywordsMDATAAPT attackCyberspace securityDistributed framework

陈剑锋,王强,伍淼

DOI: https://doi.org/10.3969/j.issn.1009-8054.2012.07.027

2012-01-01

Abstract:APT, as information security threat, aims at important enterprise and government assets and constitutes a serious challenge to information systems＇ usability and reliability. APT, being versatile, effective, and difficult to defend, gradually becomes the main evolution trend of network infiltration and system attack, thus receiving much attention from IA researchers. Current study on APT is done principally by security vendors, and these vendors focus on output of their security concept by threat assessment, while neglecting the thorough analysis on the constitution and developing background of APT. Starting from normal definition and feature of APT, the developing background and procedure of APT attack is described in detail, and some feasible measures for detecting, reacting on and preventing APT attack are also Riven.

Wang Xiaoqi,Li Qiang,Yan Guanghua,Xuan Guangzhe,Guo Dong

DOI: https://doi.org/10.7544/issn1000-1239.2017.20170403

2017-01-01

Journal of Computer Research and Development

Abstract:In recent years ,advanced persistent threats (APT ) jeopardize the safety of enterprises , organizations and even countries ,leading to heavy economic losses .An important feature of APT is that it can persist in attacking and can lurk in the target network for a long time .Unfortunately ,we cannot detect APT effectively by current security measures . Recent researches have found that analyzing DNS request of the target network will help detect APT attacks .We add a time feature in the DNS traffic which is combined with change vector analysis (CVA ) and reputation score to detect covert and suspicious DNS behavior .In this paper ,we propose a new framework called APDD to detect covert and suspicious DNS behavior in long-term APT by analyzing a mass of DNS request data .We execute the data reduction algorithm on DNS request data and then extract their features .By using the CVA and the sliding time window method ,we analyze the similarity between the access records of the domains to be detected and those of the related domains of current APT .We build a reputation scoring system to grade the domain access records of high similarity . The APDD framework will output a list of suspicious domain access records so that security experts are able to analyze the top-k records in the list , which will surely improve the detection efficiency of APT attacks .Finally ,we use 1584225274 pieces of DNS request records which come from a large campus network and then simulate the attack data to verify the effectiveness and correctness of APDD . Experiments show that the APDD framework can effectively detect covert and suspicious DNS behavior in APT .

Lei Chen,Rong Jiang,Changjian Lin,Aiping Li

DOI: https://doi.org/10.1109/dsc55868.2022.00053

2022-01-01

Abstract:Advanced Persistent Threats (APT) have the characteristics of concealment, low frequency and high technology integration. Threat hunting techniques can help the security analyst trace the attack path and locate the attacker. The use case of APT attacks and threat hunting is given to introduce the the process of network attack and defense. Artificial intelligence technology is widely used to trace the source of attacks. Based on typical use cases of APT attacks and their threat hunting procedure, this paper provides a comprehensive analysis of the existing threat hunting techniques classified by industry and academia, and focuses on unsupervised learning-based and supervised learning-based analysis techniques. Challenges and research directions for threat hunting are given finally.

Chenquan Gan,Jiabin Lin,Da-Wen Huang,Qingyi Zhu,Liang Tian

DOI: https://doi.org/10.3390/math11143115

IF: 2.4

2023-07-15

Mathematics

Abstract:The industrial internet of things (IIoT) is a key pillar of the intelligent society, integrating traditional industry with modern information technology to improve production efficiency and quality. However, the IIoT also faces serious challenges from advanced persistent threats (APTs), a stealthy and persistent method of attack that can cause enormous losses and damages. In this paper, we give the definition and development of APTs. Furthermore, we examine the types of APT attacks that each layer of the four-layer IIoT reference architecture may face and review existing defense techniques. Next, we use several models to model and analyze APT activities in IIoT to identify their inherent characteristics and patterns. Finally, based on a thorough discussion of IIoT security issues, we propose some open research topics and directions.

mathematics

ZHANG Yu,PAN Xiaoming,LIU Qingzhong,CAO Junkuo,LUO Ziqiang

DOI: https://doi.org/10.16511/j.cnki.qhdxxb.2017.21.024

2017-01-01

Abstract:Advanced persistent threats (APT) have gradually evolved into a complex of social engineering attacks and zero day exploits as some of the most serious cyberspace security threats.APT attacks often attack infrastructure and steal sensitive information with strong national strategic interests,so that cyberspace security threats evolve from random attacks to purposeful,organized,premeditated attacks.In recent years,APT attacks and defenses have rapidly developed in the cyberspace security community.The origin and development of APTs are reviewed here with analyses of the mechanism and life cycle of APTs.Then,APT defenses and detection methods are described with problems and further research directions identified.

Yue Li,Teng Zhang,Xue Li,Ting Li

DOI: https://doi.org/10.1007/978-981-13-6621-5_10

2019-01-01

Abstract:AbstractThe targets of Advanced Persistent Threat (APT) are mainly concentrate on national key information infrastructure, key research institutes, and large commercial companies, for the purpose of stealing sensitive information, trade secrets or destroying important infrastructure. Traditional protection system is difficult to detect the APT attack, due to the method of the APT attack is unknown and uncertain. And the persisted evolution ability destroyed the traditional protection methods based on feature detection. Therefore, this paper based on the theory of red-blue confrontation, to construct the game model of attack and defense. And then combined the APT offense and defense experience, presents a model based on cyber threat detection to deal with APT attacks.