Modeling and detection of the multi-stages of Advanced Persistent Threats attacks based on semi-supervised learning and complex networks characteristics

Abstract Advanced Persistent Threats (APT) are the most sophisticated class of attacks against modern networks and have proved very challenging to address. Using sophisticated attack techniques, attackers remotely control infected machines and exfiltrate sensitive information from organizations and governments. Security products deployed in enterprise networks and based on traditional defenses often fail to detect APT infections because of the dynamic nature of the APT attack process. To overcome the limitations that current APT studies face in capturing attack-network dynamics, this paper proposes an APT attack detection model based on a semi-supervised learning approach and complex network characteristics. The entire targeted network is modeled as a small-world network and the evolving APT-Attack Network (APT-AN) as a scale-free network. Finite state machines model the state transitions of the nodes in the time domain in order to characterize the state changes during the APT attack process. The effectiveness of the model is demonstrated by applying it to real-world data from a large-scale enterprise network consisting of 17,684 hosts from the Los Alamos security lab. The proposed approach efficiently analyzes the large-scale dataset to reveal APT attack characteristics between the command and control center and the victim hosts. The final result is a ranked list of suspicious hosts participating in APT attack activities. The average detection precision over the three APT stages is 90.5% in the proposed APT detection framework. The results show that the model can effectively detect suspicious hosts at different stages of the APT attack process.
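As an added illustration (not the paper's code, and not reproduced from it), the following toy shows the shape of the idea in the abstract: each host carries a forward-only finite state machine driven by time-ordered events, attack-labelled events grow an evolving attack graph, and hosts are ranked by the stage they reached and their out-degree in that graph. The stage names, event labels, sample records and scoring rule are all assumptions made for this example.

```python
from collections import defaultdict

# Assumed three attack stages after "benign"; the abstract does not name the paper's own stages.
STAGES = ["benign", "compromised", "lateral", "exfiltration"]
# Assumed event labels (constructed) and the stage each one drives the source host to.
TRANSITIONS = {"c2_beacon": "compromised", "lateral_login": "lateral", "bulk_upload": "exfiltration"}

def advance(state, target):
    """Forward-only FSM step: a host never regresses to an earlier stage."""
    return target if STAGES.index(target) > STAGES.index(state) else state

def rank_hosts(events):
    """events: (timestamp, src, dst, event_type) tuples. Replays them in time order,
    updates each host's FSM, grows the attack graph, and returns (host, stage, out_degree)
    ranked by stage reached then by out-degree, most suspicious first."""
    state = defaultdict(lambda: "benign")
    attack_edges = defaultdict(set)          # evolving attack network: src -> {dst}
    seen = set()
    for _ts, src, dst, ev in sorted(events):
        seen.add(src)
        target = TRANSITIONS.get(ev)
        if target is None:
            continue                         # benign traffic never touches the attack graph
        state[src] = advance(state[src], target)
        attack_edges[src].add(dst)
        if ev == "lateral_login":            # the host logged into is now at least compromised
            state[dst] = advance(state[dst], "compromised")
            seen.add(dst)
    ranked = [(h, state[h], len(attack_edges[h])) for h in seen]
    ranked.sort(key=lambda r: (STAGES.index(r[1]), r[2], r[0]), reverse=True)
    return ranked

# Constructed sample: one intrusion spreading from h12 through h40 and h41, plus a benign host h07.
EVENTS = [
    (1, "h12", "c2.example", "c2_beacon"),
    (2, "h12", "h40", "lateral_login"),
    (3, "h12", "h41", "lateral_login"),
    (4, "h40", "c2.example", "c2_beacon"),
    (5, "h07", "fileserver", "normal_smb"),
    (6, "h41", "c2.example", "bulk_upload"),
]

if __name__ == "__main__":
    for host, stage, degree in rank_hosts(EVENTS):
        print(f"{host:5} {stage:13} out-degree={degree}")
```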
