MCKC: a modified cyber kill chain model for cognitive APTs analysis within Enterprise multimedia network

The emerging cyber security threats pose many challenges to security analysts of enterprise multimedia environments when analysts attempting to analyze and reconstruct advanced persistent threats (APTs). APTs analysis activities are both time-consuming and labor-intensive. Attack modeling technology represented by kill chain can reduce the burden of manual provenience analysis. However, existing Cyber Kill Chain models represent attacks as several stages solidly, and they cannot reflect the characteristics of progressive penetration. It is difficult for security analysts to automate the correlation analysis of attack events in practical usage. In this paper, we first analyze current Cyber Kill Chain models and heterogeneous data sources for APTs detection. Then we propose MCKC (Modified Cyber Kill Chain model) that can be used for standardized correlation analysis. MCKC organizes sub-chains into a recursive structure, and different kill chain penetration processes in the same attack scenario are better connected The proposed MCKC model offers a novel approach for bi-directional attack analysis: forward analysis and backward reasoning which can facilitate threat detection effectively without relying too much on expert knowledge. The advantage of MCKC model is that it is more suitable for cognitive reasoning and APTs scenario reconstruction. Compared with existing models MCKC gives a feasible technological process for threat analysis. The result of case study shows that the modified kill chain model is effective in discovering security events and reconstructing APT attacks.