A temporal correlation and traffic analysis approach for APT attacks detection

Advanced persistent threat (APT for short) is an emerging class of attack on the Internet. Such attacks leave footprints that are dispersed in space and time across many different types of traffic on victim machines. However, existing traffic analysis systems typically target only a single type of traffic to discover evidence of an attack and therefore fail to exploit the fundamental connections between traffic types. The output of such single-traffic analysis can hardly reconstruct the complete story of a complex, multi-stage APT attack. Additionally, some existing approaches require heavyweight system instrumentation, which makes them impractical to deploy in real production environments. To address these problems, we present an automated temporal correlation traffic detection system (ATCTDS). Inspired by anomalous traffic analytics research in big data network analysis, we model multi-type traffic analysis as a detection problem. Our evaluation with 36 well-known APT attack datasets demonstrates that our system can detect attack behaviors from a spectrum of cyber attacks that involve multiple traffic types with high accuracy and low false positive rates.
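The abstract does not publish the ATCTDS algorithm, so the following is an added illustration (not the paper's code) of the argument it makes: a per-type anomaly view versus a temporal correlation across traffic types on the same host. The events, hosts, window and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the paper): one anomalous observation
# per entry, as (ISO-8601 timestamp, host, traffic_type, analyst note).
EVENTS = [
    ("2024-01-10T09:00:05", "ws-17", "dns",  "first-seen domain"),
    ("2024-01-10T09:00:09", "ws-17", "http", "beacon to first-seen domain"),
    ("2024-01-10T09:03:40", "ws-17", "smb",  "admin share access to fs-02"),
    ("2024-01-10T09:04:10", "ws-17", "http", "second beacon"),
    ("2024-01-10T11:30:00", "ws-22", "dns",  "first-seen domain"),
    ("2024-01-10T15:00:00", "ws-22", "smb",  "admin share access to fs-02"),
    ("2024-01-10T12:00:00", "ws-09", "http", "large upload"),
]

def _ts(s):
    return datetime.fromisoformat(s)

def single_type_alerts(events, traffic_type, min_events):
    """Single-traffic view: alert a host only when it produced at least
    min_events anomalies of ONE traffic type. No cross-type context."""
    counts = defaultdict(int)
    for _, host, ttype, _ in events:
        if ttype == traffic_type:
            counts[host] += 1
    return sorted(h for h, n in counts.items() if n >= min_events)

def temporal_correlation_alerts(events, window, min_types):
    """Multi-type view: for each host, slide a time window over its events
    and alert when anomalies from at least min_types distinct traffic types
    fall inside one window. Returns {host: sorted list of types seen}."""
    per_host = defaultdict(list)
    for ts, host, ttype, _ in events:
        per_host[host].append((_ts(ts), ttype))
    alerts = {}
    for host, evs in per_host.items():
        evs.sort()  # chronological order, so each window starts at evs[i]
        for i, (start, _) in enumerate(evs):
            seen = {t for ts, t in evs[i:] if ts - start <= window}
            if len(seen) >= min_types:
                alerts[host] = sorted(seen)
                break
    return alerts

if __name__ == "__main__":
    print("dns-only view (>=2):", single_type_alerts(EVENTS, "dns", 2))
    print("smb-only view (>=1):", single_type_alerts(EVENTS, "smb", 1))
    print("correlated (10 min, >=3 types):",
          temporal_correlation_alerts(EVENTS, timedelta(minutes=10), 3))
```

The DNS-only view alerts on nothing and the SMB-only view cannot tell ws-17 from ws-22, while the 10-minute cross-type window singles out ws-17, whose DNS, HTTP and SMB anomalies form one chain.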
