A Novel Search Engine to Uncover Potential Victims for APT Investigations

Advanced Persistent Threats (APT) are sophisticated, target-oriented cyber attacks which often leverage customized malware and bot control techniques to control the victims for remotely accessing valuable information. Because APT malware samples are specific and few, signature-based and learning-based approaches are weak at detecting them. In this paper, we take a more flexible strategy: developing a search engine for APT investigators to quickly uncover potential victims based on the attributes of a known APT victim. We test our approach in a real APT case that occurred in a large enterprise network consisting of several thousand computers which run a commercial antivirus system. In our best effort to verify, the search engine uncovered 33 other previously unknown victims infected by the APT malware. Finally, the search engine is implemented on the Hadoop platform. In the case of 440GB of data, it can answer queries in 2 seconds.
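As an added illustration (this is not the paper's implementation, whose algorithm the abstract does not describe), the following Python sketches the core idea of searching enterprise endpoint telemetry for hosts that share a known victim's attributes. The host records, attribute names and the rarity-weighted scoring are constructed assumptions; in particular, weighting shared attributes by how rare they are across the fleet is a common defensive heuristic, not something the abstract states.

```python
"""Attribute-based search for potential APT victims over host telemetry.

Added illustrative example, not the paper's implementation. The records,
attribute names and the rarity-weighted scoring are constructed assumptions.
"""
from collections import Counter
from math import log

# Constructed sample telemetry: one record per host, each with the attributes
# an endpoint antivirus agent might report (detection names, contacted domains,
# dropped-file hashes). All values are made up for this example.
HOST_RECORDS = {
    "ws-0101": {"det:Trojan.Generic", "dom:update-service.example", "hash:AAAA1111"},
    "ws-0102": {"det:PUA.Toolbar", "dom:cdn.example"},
    "ws-0103": {"det:Trojan.Generic", "dom:update-service.example",
                "hash:AAAA1111", "dom:mail.example"},
    "ws-0104": {"dom:cdn.example", "dom:mail.example"},
    "ws-0105": {"det:Trojan.Generic", "dom:cdn.example"},
    "ws-0106": {"dom:update-service.example", "hash:AAAA1111"},
    "srv-0201": {"dom:mail.example", "dom:cdn.example"},
    "srv-0202": {"det:PUA.Toolbar", "dom:mail.example"},
}


def attribute_weights(records):
    """Weight each attribute by how rare it is across the fleet (IDF-style).

    Attributes seen on most hosts (popular domains, noisy PUA detections)
    contribute little; attributes shared by only a handful of hosts dominate
    the score, which is what makes a targeted infection stand out.
    """
    n_hosts = len(records)
    freq = Counter(attr for attrs in records.values() for attr in attrs)
    return {attr: log(n_hosts / count) for attr, count in freq.items()}


def search_potential_victims(records, known_victim, min_score=0.0):
    """Rank every other host by the rarity-weighted attributes it shares with
    the known victim.

    Returns a list of (host, score, shared_attributes) sorted by descending
    score; hosts sharing nothing with the known victim are omitted.
    """
    weights = attribute_weights(records)
    query = records[known_victim]
    results = []
    for host, attrs in records.items():
        if host == known_victim:
            continue
        shared = attrs & query
        score = sum(weights[a] for a in shared)
        if shared and score > min_score:
            results.append((host, round(score, 3), sorted(shared)))
    results.sort(key=lambda r: (-r[1], r[0]))
    return results


if __name__ == "__main__":
    # Investigator starts from one confirmed victim and asks "who else looks like it?"
    for host, score, shared in search_potential_victims(HOST_RECORDS, "ws-0101"):
        print(f"{host:9s} score={score:6.3f} shared={shared}")
```

The ranking puts hosts sharing the victim's rare indicators (the same detection name, beacon domain and dropped-file hash) at the top, while a host that merely contacts a popular domain scores near zero; `min_score` lets an analyst cut the tail before triage.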
