Combating advanced persistent threats: From network event correlation to incident detection

An advanced persistent threat (APT) is a deliberately slow-moving cyberattack that quietly compromises interconnected information systems without revealing itself. APTs typically combine several attack methods to gain initial unauthorized access and then spread gradually through the network. In contrast to traditional attacks, their goal is usually not to interrupt services but to steal intellectual property, sensitive internal business and legal documents and other data. Once an attack on a system has succeeded, timely detection is of paramount importance to limit its impact and to prevent the APT from spreading further. However, recent security incidents such as Operation Shady RAT, Operation Red October or the discovery of MiniDuke, to name just a few, have demonstrated that current security mechanisms are largely insufficient against targeted and customized attacks. This paper therefore proposes a novel anomaly detection approach as a basis for modern intrusion detection systems. Common approaches follow a black-list principle: they only consider actions and behaviour that match well-known attack patterns or the signatures of malware traces. Our system instead follows a white-list principle. The anomaly detection technique keeps track of system events, their dependencies and their occurrences, learns the normal system behaviour over time, and reports every action that deviates from the resulting system model. In this work we describe the system in theory and present evaluation results from a pilot study under real-world conditions.
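To make the white-list principle concrete, the following is an added example written for this page; it is not the paper's implementation and the paper does not publish its model in this form. It learns three things from constructed, syslog-style training lines (the log format, the event-class templating and the three checks are all assumptions of this example): the set of event classes that occur, the dependencies between them (which event class follows which on a host), and the maximum number of occurrences of each class per time window. Detection then reports any event that is unknown, arrives after an unseen predecessor, or exceeds its learned occurrence rate.

```python
"""
Added example: a minimal white-list anomaly detector over log events.

Not the paper's code. It only illustrates the idea from the abstract: learn
the normal event classes, their dependencies (which class follows which) and
their occurrence rates from a training set, then report every event that
deviates from that model. Log format, templating and checks are assumptions.
"""
import re
from collections import Counter, defaultdict

# Assumed syslog-like format: "<unix_ts> <host> <process>: <message>"
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+): (.*)$")


def event_class(process, message):
    """Reduce a raw message to a template so the white-list is learned over
    event classes rather than literal strings (IPs, user names, numbers)."""
    template = re.sub(r"\b\d+(\.\d+){3}\b", "<ip>", message)
    template = re.sub(r"user \S+", "user <name>", template)
    template = re.sub(r"\d+", "<n>", template)
    return f"{process}:{template}"


def parse(lines):
    """Return (timestamp, host, event_class) for every well-formed line."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts, host, proc, msg = m.groups()
            events.append((int(ts), host, event_class(proc, msg)))
    return events


class WhiteListModel:
    def __init__(self, window=60):
        self.window = window             # seconds per occurrence window
        self.classes = set()             # known event classes
        self.transitions = set()         # known (host, previous_class, class)
        self.max_per_window = Counter()  # highest count seen per class/window

    def learn(self, events):
        last = {}
        counts = defaultdict(Counter)    # window index -> class -> count
        for ts, host, cls in events:
            self.classes.add(cls)
            if host in last:
                self.transitions.add((host, last[host], cls))
            last[host] = cls
            counts[ts // self.window][cls] += 1
        for per_window in counts.values():
            for cls, n in per_window.items():
                self.max_per_window[cls] = max(self.max_per_window[cls], n)

    def detect(self, events):
        """Return (timestamp, host, class, reason) for each deviation."""
        alerts, last, counts = [], {}, defaultdict(Counter)
        for ts, host, cls in events:
            counts[ts // self.window][cls] += 1
            if cls not in self.classes:
                alerts.append((ts, host, cls, "unknown event class"))
            elif host in last and (host, last[host], cls) not in self.transitions:
                alerts.append((ts, host, cls, f"unexpected after {last[host]}"))
            elif counts[ts // self.window][cls] > self.max_per_window[cls]:
                alerts.append((ts, host, cls, "occurrence rate above learned maximum"))
            last[host] = cls
        return alerts


# Constructed training data: two routine admin sessions and a cron job.
TRAINING = [
    "1000 web1 sshd: Accepted publickey for user alice from 10.0.0.5",
    "1001 web1 sudo: user alice ran command /usr/bin/systemctl restart nginx",
    "1002 web1 nginx: reload signal received",
    "1060 web1 sshd: Accepted publickey for user bob from 10.0.0.6",
    "1061 web1 sudo: user bob ran command /usr/bin/systemctl restart nginx",
    "1062 web1 nginx: reload signal received",
    "1120 web1 cron: job backup started",
    "1121 web1 cron: job backup finished",
]

# Constructed detection data: one normal session, then a password login from
# an outside address, a sudo after it, and a second nginx reload in one window.
DETECT = [
    "2000 web1 sshd: Accepted publickey for user alice from 10.0.0.5",
    "2001 web1 sudo: user alice ran command /usr/bin/systemctl restart nginx",
    "2002 web1 nginx: reload signal received",
    "2003 web1 sshd: Accepted password for user mallory from 203.0.113.9",
    "2004 web1 sudo: user mallory ran command /usr/bin/systemctl restart nginx",
    "2005 web1 nginx: reload signal received",
]


def build_model():
    model = WhiteListModel(window=60)
    model.learn(parse(TRAINING))
    return model


def run_example():
    return build_model().detect(parse(DETECT))


if __name__ == "__main__":
    for ts, host, cls, reason in run_example():
        print(f"{ts} {host} {cls!r}: {reason}")
```

Running the block yields three alerts: the password login is an unknown event class, the sudo call that follows it violates the learned dependency, and the second reload within the same minute exceeds the learned maximum of one per window. The last alert also shows the main caveat of a white-list model: with a strict threshold learned from a small training set, ordinary variation is reported as well, so a deployment needs a longer learning phase and a tolerance on the occurrence check before its alert volume is workable.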