CHEN Rui-dong,ZHANG Xiao-song,NIU Wei-na,LAN Hao-yue

DOI: https://doi.org/10.3969/j.issn.1001-0548.2019.06.011

2019-01-01

Abstract:Advanced persistent threat (APT) is a new kind of cyber-attack as a growth security events. This paper analysis more than 150 typical APT cases happened during last decade, and constructs the analytical model of APT attack, indicates 4 major problems of APT attack detection and countering: the fragile penetration protection problem, the low detection accuracy, the difficulty of determining the attack forensic, and the slow response to the unknown attack problem. In the meanwhile, this paper analyzes typical APT attacks in recent years, mines the association based on attacking tools. According to the experiments, there are similarity patterns between the tools used by the same organization. In summary, the integral APT defense scheme in this paper includes the latest achievements of four types of defense schemes, plays an academic supporting role in building a unified attack detection and traceability countermeasure platform.

Daojing He,Sammy Chan,Yan Zhang,Chunming Wu,Bing Wang

DOI: https://doi.org/10.1109/mis.2013.105

IF: 6.744

2014-01-01

IEEE Intelligent Systems

Abstract:Attack-defense models play an important role in the design of cybersecurity systems. Here, the authors review some traditional and prevailing attack-defense models along with their weaknesses. Then, they survey some recently proposed paradigm shifts to these models based on which more effective security strategies can be designed. Further, they provide some suggestions on how to adopt the new models, and present challenges that need to be addressed in this field.

Jichao Bi,Shibo He,Fengji Luo,Wenchao Meng,Luyue Ji,Da-Wen Huang

DOI: https://doi.org/10.1109/TII.2022.3231406

IF: 12.3

2023-01-01

IEEE Transactions on Industrial Informatics

Abstract:Industrial Internet of Things (IIoT) is vulnerable to advanced persistent threat (APT). In this article, we study a scenario in which APT is launched to attack IIoT devices. Considering the APTs lateral movement, a node-level state evolution model is established to calculate the probability of every device in an IIoT system to be compromised by APT. Based on this, a Stackelberg game model is proposed for the APT attacker and defender, which can accurately describe the gaming process. An effective computational approach is developed to obtain the potential Stackelberg equilibrium strategy pair of the game. Extensive case studies and comparison studies are conducted to validate the effectiveness of the proposed method.

Pengdeng Li,Xiaofan Yang,Qingyu Xiong,Junhao Wen,Yuan Yan Tang

DOI: https://doi.org/10.1155/2018/2975376

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:The new cyberattack pattern of advanced persistent threat (APT) has posed a serious threat to modern society. This paper addresses the APT defense problem, that is, the problem of how to effectively defend against an APT campaign. Based on a novel APT attack-defense model, the effectiveness of an APT defense strategy is quantified. Thereby, the APT defense problem is modeled as an optimal control problem, in which an optimal control stands for a most effective APT defense strategy. The existence of an optimal control is proved, and an optimality system is derived. Consequently, an optimal control can be figured out by solving the optimality system. Some examples of the optimal control are given. Finally, the influence of some factors on the effectiveness of an optimal control is examined through computer experiments. These findings help organizations to work out policies of defending against APTs.

Kai Xing,Aiping Li,Rong Jiang,Yan Jia

DOI: https://doi.org/10.1109/dsc50466.2020.00018

2020-01-01

Abstract:Cyberspace has been threatened by attacks ever since its birth. With the development of the Internet and artificial intelligence, forms of cyberattacks are emerging in endlessly, and technical means are constantly being renovated. In particular, advanced persistent threats are intensifying. How to effectively prevent this type of attack has become the focus, and attack detection and defense technology has made great progress. This article mainly discusses the research progress of APT attack detection and defense strategies at home and abroad, and focuses on the practice of using machine learning to perform attack detection while elaborating on traditional attack detection methods. Defense strategy is about how to use game theory to find the best defense strategy in limited resources, dynamic information flow tracking and cloud platform.

Xiang Zhong,Lu-Xing Yang,Xiaofan Yang,Qingyu Xiong,Junhao Wen,Yuan Yan Tang

DOI: https://doi.org/10.1109/tdsc.2018.2858786

2020-01-01

Abstract:The advanced persistent threat (APT) as a new kind of cyber attack has posed a severe threat to modern organizations. When the APT has been detected, the organization has to deal with the APT response problem, i.e., to allocate the available response resources to fix her insecure hosts so as to mitigate her potential loss. This paper addresses the APT response problem by using the risk management approach. First, we introduce a model characterizing the evolution of the organization's expected state. By analyzing this model, we find the organization's expected state approaches a common limit expected state. Then, we use the organization's expected loss per unit time to measure her potential loss, and we find this measure is determined by the organization's limit expected state. On this basis, we model the APT response problem as a game-theoretic problem (the APT response game) in which the organization seeks a Nash equilibrium. We present a greedy algorithm for solving the game. Comparative experiments show that the algorithm is effective. Therefore, we recommend the response strategy generated by performing the algorithm. These findings contribute to defending against the APT. To our knowledge, this is the first time the APT response problem is addressed.

Bin Dong,Wentao Zhao,Jianglong Song

DOI: https://doi.org/10.2991/meita-15.2015.12

2015-01-01

Abstract:This paper reveals the inherent features of advanced persistent threat (APT), and summarizes its general attacking processes, attacking means and methods. The attacking steps model of APT which is based on UML effectively describes the application principles of APT and its behavior features, mode features and target features. Therefore, a series of methods to defend APT are proposed.

陈剑锋,王强,伍淼

DOI: https://doi.org/10.3969/j.issn.1009-8054.2012.07.027

2012-01-01

Abstract:APT, as information security threat, aims at important enterprise and government assets and constitutes a serious challenge to information systems＇ usability and reliability. APT, being versatile, effective, and difficult to defend, gradually becomes the main evolution trend of network infiltration and system attack, thus receiving much attention from IA researchers. Current study on APT is done principally by security vendors, and these vendors focus on output of their security concept by threat assessment, while neglecting the thorough analysis on the constitution and developing background of APT. Starting from normal definition and feature of APT, the developing background and procedure of APT attack is described in detail, and some feasible measures for detecting, reacting on and preventing APT attack are also Riven.

Hao Yan,Qianzhen Zhang,Junjie Xie,Ziyue Lu,Sheng Chen,Deke Guo

DOI: https://doi.org/10.1109/ICPADS53394.2021.00062

2021-01-01

Abstract:The advanced persistent threat (APT) is a stealthy cyber attack perpetrated by a group that gains unauthorized access to a computer network and remains undiscovered to steal specific data and resources. Fast detection and defense of APT attacks are critical tasks in cyber security. Previous works use simple feature extraction and classification methods to distinguish APT information flow from the ...

Bo Zhang,Yansong Gao,Boyu Kuang,Changlong Yu,Anmin Fu,Willy Susilo

DOI: https://doi.org/10.1145/3700749

IF: 16.6

2024-01-01

ACM Computing Surveys

Abstract:In recent years, frequent Advanced Persistent Threat (APT) attacks have caused disastrous damage to critical facilities, leading to severe information leakages, economic losses, and even social disruptions. Via sophisticated, long-term, and stealthy network intrusions, APT attacks are often beyond the capabilities of traditional intrusion detection methods. Existing methods employ various techniques to enhance APT detection at different stages, but this makes it difficult to fairly and objectively evaluate the capability, value, and orthogonality of available techniques. Overly focusing on hardening specific APT detection stages cannot address some essential challenges from a global perspective, which would result in severe consequences. To holistically tackle this problem and explore effective solutions, we abstract a unified framework that covers the complete process of APT attack detection, with standardized summaries of state-of-the-art solutions and analysis of feasible techniques. Further, we provide an in-depth discussion of the challenges and countermeasures faced by each component of the detection framework. In addition, we comparatively analyze public datasets and outline the capability criteria to provide a reference for standardized evaluations. Finally, we discuss insights into potential areas for future research.

Yuqing Li,Wenkuan Dai,Jie Bai,Xiaoying Gan,Jingchao Wang,Xinbing Wang

DOI: https://doi.org/10.1109/TIFS.2018.2847671

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Combined with many different attack forms, advanced persistent threats (APTs) are becoming a major threat to cyber security. Existing security protection works typically either focus on one-shot case, or separate detection from response decisions. Such practices lead to tractable analysis, but miss key inherent APTs persistence and risk heterogeneity. To this end, we propose a Lyapunov-based secur...

WANG Zhiwei,HE Xijie,YI Xin,LI Ziyang,CAO Xudong,YIN Tao,LI Shuhao,FU Anmin,ZHANG Yuqing

DOI: https://doi.org/10.11959/j.issn.1000-436x.2024128

2024-01-01

Abstract:The advanced persistent threat (APT) attack was explored from two perspectives: attack methods and detection methods. First, the definitions and characteristics of APT attacks were reviewed and the development of related attack models was summarized. Based on this, a more general APT full lifecycle model was proposed, which was divided into four stages: information gathering, intrusion execution, internal network penetration, and data exfiltration. For each stage, recent research papers from the past five years were thoroughly reviewed, and the attack and detection techniques for each stage were analyzed. Finally, in light of the dynamic landscape of APT attack and defense technologies, the paper underscores the formidable challenges confronting both offense and defense and offers guidance for future research in this domain.

Kai Xing,Aiping Li,Rong Jiang

DOI: https://doi.org/10.12783/dtetr/mcaee2020/35023

2020-01-01

DEStech Transactions on Engineering and Technology Research

Abstract:Cyberspace has been constantly threatened by attacks since its birth. With the development of high-tech and artificial intelligence, intelligent and efficient attack methods have emerged endlessly, and technological methods have been constantly renovated. In particular, Advanced Persistent Threat (APT) attacks are intensifying. How to effectively prevent this attack method has become the focus. With the advantages of machine learning, the thinking and technology of detection have made great progress. This article mainly discusses several innovative methods for detecting APT attacks based on machine learning, and looks forward to the future development direction.

Linan Huang,Quanyan Zhu

DOI: https://doi.org/10.48550/arXiv.1809.02227

2018-09-07

Abstract:Advanced Persistent Threats (APTs) have created new security challenges for critical infrastructures due to their stealthy, dynamic, and adaptive natures. In this work, we aim to lay a game-theoretic foundation by establishing a multi-stage Bayesian game framework to capture incomplete information of deceptive APTs and their multi-stage multi-phase movement. The analysis of the perfect Bayesian Nash equilibrium (PBNE) enables a prediction of attacker's behaviors and a design of defensive strategies that can deter the adversaries and mitigate the security risks. A conjugate-prior method allows online computation of the belief and reduces Bayesian update into an iterative parameter update. The forwardly updated parameters are assimilated into the backward dynamic programming computation to characterize a computationally tractable and time-consistent equilibrium solution based on the expanded state space. The Tennessee Eastman (TE) process control problem is used as a case study to demonstrate the dynamic game under the information asymmetry and show that APTs tend to be stealthy and deceptive during their transitions in the cyber layer and behave aggressively when reaching the targeted physical plant. The online update of the belief allows the defender to learn the behavior of the attacker and choose strategic defensive actions that can thwart adversarial behaviors and mitigate APTs. Numerical results illustrate the defender's tradeoff between the immediate reward and the future expectation as well as the attacker's goal to reach an advantageous system state while making the defender form a positive belief.

Computer Science and Game Theory

ZHANG Xiao-song,NIU Wei-na,YANG Guo-wu,ZHUO Zhong-liu,L Feng-mao

DOI: https://doi.org/10.3969/j.issn.1001-0548.2016.04.011

2016-01-01

Abstract:In recent years, advanced persistent threat (APT) has become one of the most important factors threatening cyber security. However, due to the complicated attacking method and strong conceal ability of APT, it is very hard to predict APT using the common boundary protection technique based on feature matching. To solve the problem of APT attack detection and defense, we propose an APT attacks prediction method based on tree structure. An APT exfiltration model of an attack target combing the kill chain model with stage characteristics is first constructed. And then the correlation analysis of massive logs is conducted to formulate attack events context, and the credibility ratio and DS evidence theory are introduced to determine true attack events. Finally, all possible attack paths are calculated. Experimental results show that our proposed method can predict APT attacks, and it can obtain good scalability and practicability.

ZHANG Yu,PAN Xiaoming,LIU Qingzhong,CAO Junkuo,LUO Ziqiang

DOI: https://doi.org/10.16511/j.cnki.qhdxxb.2017.21.024

2017-01-01

Abstract:Advanced persistent threats (APT) have gradually evolved into a complex of social engineering attacks and zero day exploits as some of the most serious cyberspace security threats.APT attacks often attack infrastructure and steal sensitive information with strong national strategic interests,so that cyberspace security threats evolve from random attacks to purposeful,organized,premeditated attacks.In recent years,APT attacks and defenses have rapidly developed in the cyberspace security community.The origin and development of APTs are reviewed here with analyses of the mechanism and life cycle of APTs.Then,APT defenses and detection methods are described with problems and further research directions identified.

Xiaofan Yang,Tianrui Zhang,Lu-Xing Yang,Luosheng Wen,Yuan Yan Tang

DOI: https://doi.org/10.48550/arxiv.1707.02437

2017-01-01

Abstract:As a new type of cyber attacks, advanced persistent threats (APTs) pose a severe threat to modern society. This paper focuses on the assessment of the risk of APTs. Based on a dynamic model characterizing the time evolution of the state of an organization, the organization's risk is defined as its maximum possible expected loss, and the risk assessment problem is modeled as a constrained optimization problem. The influence of different factors on an organization's risk is uncovered through theoretical analysis. Based on extensive experiments, we speculate that the attack strategy obtained by applying the hill-climbing method to the proposed optimization problem, which we call the HC strategy, always leads to the maximum possible expected loss. We then present a set of five heuristic attack strategies and, through comparative experiments, show that the HC strategy causes a higher risk than all these heuristic strategies do, which supports our conjecture. Finally, the impact of two factors on the attacker's HC cost profit is determined through computer simulations. These findings help understand the risk of APTs in a quantitative manner.

Lu-Xing Yang,Pengdeng Li,Yushu Zhang,Xiaofan Yang,Yong Xiang,Wanlei Zhou

DOI: https://doi.org/10.1109/tifs.2018.2885251

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Advanced persistent threat (APT) is a new kind of cyberattack that poses a serious threat to modern society. When an APT campaign on an organization has been identified, the available repair resources must be reasonably allocated to the potentially insecure hosts to mitigate the potential loss of the organization. We refer to the feasible repair resource allocation strategies as repair strategies. This paper focuses on the APT repair problem, i.e., the problem of developing effective repair strategies for organizations. First, for an organization with time-varying communication relationship, we establish an evolution model of the organization’s expected state, in which the impact of lateral movement of APT is accommodated. On this basis, we model the APT repair problem as a differential Nash game problem (the APT repair game) in which the attacker attempts to maximize his potential benefit, and the organization manages to minimize its potential loss. Second, we derive a system (the potential system) for calculating a potential Nash equilibrium of an APT repair game, and we examine the structure of the potential attack and repair strategies in a potential Nash equilibrium. Next, we solve some potential systems to get the corresponding potential Nash equilibria. Finally, by comparison with a large number of randomly generated attack and repair strategies, we conclude that the potential Nash equilibrium of each APT repair game is a Nash equilibrium of the game. Therefore, we recommend to organizations their respective potential repair strategies. Our findings help to better understand and effectively defend against APT.

Stefan Rass,Sandra König,Stefan Schauer

DOI: https://doi.org/10.1371/journal.pone.0168675

2022-05-02

Abstract:Advanced persistent threats (APT) combine a variety of different attack forms ranging from social engineering to technical exploits. The diversity and usual stealthiness of APT turns them into a central problem of contemporary practical system security, since information on attacks, the current system status or the attacker's incentives is often vague, uncertain and in many cases even unavailable. Game theory is a natural approach to model the conflict between the attacker and the defender, and this work investigates a generalized class of matrix games as a risk mitigation tool for an APT defense. Unlike standard game and decision theory, our model is tailored to capture and handle the full uncertainty that is immanent to APT, such as disagreement among qualitative expert risk assessments, unknown adversarial incentives and uncertainty about the current system state (in terms of how deeply the attacker may have penetrated into the system's protective shells already). Practically, game-theoretic APT models can be derived straightforwardly from topological vulnerability analysis, together with risk assessments as they are done in common risk management standards like the ISO 31000 family. Theoretically, these models come with different properties than classical game theoretic models, whose technical solution presented in this work may be of independent interest.

Cryptography and Security,Computer Science and Game Theory

Yulu Qi,Rong Jiang,Yan Jia,Aiping Li

DOI: https://doi.org/10.1109/dsc50466.2020.00017

2020-01-01

Abstract:The essence of Internet security is information security, as more and more industries rely on the Internet, in order to protect the information security of these industries, spawned local area networks (LANs), intranets and so on. With the development of information sensor technology, the Internet of Things (IoT) that interconnects physical devices has emerged. As a unity of computing process and physical process, the Cyberphysical systems (CPS) is the next generation intelligent system which integrates computing, communication and control. CyberPhysical systems cover a wide range of applications, including intelligent transportation systems, telemedicine, smart grids, aerospace, and many other fields, many of which involve critical infrastructure. The APT attacks are typically directed against these critical infrastructures around the world. So, timely and accurate detection APT attacks and take effective defensive measures, it is meaningful to protect the national information security. Although APT attacks seem destructive, their attack process are complex and changeable, in essence, they usually follow certain rules. This paper proposes an APT attack analysis framework based on the APT attack rules and current mainstream detection technologies. The framework iteratively matches the collected data with the cyber security knowledge graph, and implements constraints relies on the cyber security knowledge graph and self-defined attack rules, thereby realizing the current security status of the network in real time.