Journal articles
17 articles found
1. A Hybrid Feature Selection Method for Advanced Persistent Threat Detection
Authors: Adam Khalid, Anazida Zainal, Fuad A. Ghaleb, Bander Ali Saleh Al-rimy, Yussuf Ahmed. Computers, Materials & Continua, 2025, No. 9, pp. 5665-5691 (27 pages).
Advanced Persistent Threats (APTs) represent one of the most complex and dangerous categories of cyber-attacks, characterised by their stealthy behaviour, long-term persistence, and ability to bypass traditional detection systems. The complexity of real-world network data poses significant challenges in detection. Machine learning models have shown promise in detecting APTs; however, their performance often suffers when trained on large datasets with redundant or irrelevant features. This study presents a novel, hybrid feature selection method designed to improve APT detection by reducing dimensionality while preserving the informative characteristics of the data. It combines Mutual Information (MI), Symmetric Uncertainty (SU) and Minimum Redundancy Maximum Relevance (mRMR) to enhance feature selection. MI and SU assess feature relevance, while mRMR maximises relevance and minimises redundancy, ensuring that the most impactful features are prioritised. This method addresses redundancy among selected features, improving the overall efficiency and effectiveness of the detection model. Experiments on a real-world APT dataset were conducted to evaluate the proposed method. Multiple classifiers, including Random Forest, Support Vector Machine (SVM), Gradient Boosting, and Neural Networks, were used to assess classification performance. The results demonstrate that the proposed feature selection method significantly enhances detection accuracy compared to baseline models trained on the full feature set. The Random Forest algorithm achieved the highest performance, with near-perfect accuracy, precision, recall, and F1 scores (99.97%). The proposed adaptive thresholding algorithm within the selection method allows each classifier to benefit from a reduced and optimised feature space, resulting in improved training and predictive performance. This research offers a scalable and classifier-agnostic solution for dimensionality reduction in cybersecurity applications.
Keywords: advanced persistent threats; hybrid-based techniques; feature selection; data processing; symmetric uncertainty; mutual information; minimum redundancy; APT detection
2. A Comprehensive Survey on Advanced Persistent Threat (APT) Detection Techniques (Cited by: 1)
Authors: Singamaneni Krishnapriya, Sukhvinder Singh. Computers, Materials & Continua (SCIE, EI), 2024, No. 8, pp. 2675-2719 (45 pages).
The increase in the number of people using the Internet leads to increased cyberattack opportunities. Advanced Persistent Threats, or APTs, are among the most dangerous targeted cyberattacks. APT attacks utilize various advanced tools and techniques for attacking targets with specific goals. Even countries with advanced technologies, like the US, Russia, the UK, and India, are susceptible to this targeted attack. APT is a sophisticated attack that involves multiple stages and specific strategies. Besides, the TTPs (Tools, Techniques, and Procedures) involved in an APT attack are commonly new and developed by an attacker to evade the security system. However, APTs are generally implemented in multiple stages. If one of the stages is detected, we may apply a defense mechanism for subsequent stages, leading to the failure of the entire APT attack. Detection at the early stage of an APT and prediction of the next step in the APT kill chain are ongoing challenges. This survey paper will provide knowledge about APT attacks and their essential steps. This is followed by case studies of known APT attacks, which will give clear information about the APT attack process; later sections highlight the various detection methods defined by different researchers along with the limitations of the work. Data used in this article comes from the various annual reports published by security experts and blogs and information released by the enterprise networks targeted by the attack.
Keywords: advanced persistent threats; APT; cyber security; intrusion detection; cyber attacks
3. A Cyber Kill Chain Approach for Detecting Advanced Persistent Threats (Cited by: 5)
Authors: Yussuf Ahmed, A. Taufiq Asyhari, Md Arafatur Rahman. Computers, Materials & Continua (SCIE, EI), 2021, No. 5, pp. 2497-2513 (17 pages).
The number of cybersecurity incidents is on the rise despite significant investment in security measures. The existing conventional security approaches have demonstrated limited success against some of the more complex cyber-attacks. This is primarily due to the sophistication of the attacks and the availability of powerful tools. Interconnected devices such as the Internet of Things (IoT) are also increasing attack exposures due to the increase in vulnerabilities. Over the last few years, we have seen a trend moving towards embracing edge technologies to harness the power of IoT devices and 5G networks. Edge technology brings processing power closer to the network and brings many advantages, including reduced latency, while it can also introduce vulnerabilities that could be exploited. Smart cities are also dependent on technologies where everything is interconnected. This interconnectivity makes them highly vulnerable to cyber-attacks, especially by the Advanced Persistent Threat (APT), as these vulnerabilities are amplified by the need to integrate new technologies with legacy systems. Cybercriminals behind APT attacks have recently been targeting the IoT ecosystems prevalent in many of these cities. In this paper, we used a publicly available dataset on Advanced Persistent Threats (APT) and developed a data-driven approach for detecting APT stages using the Cyber Kill Chain. APTs are highly sophisticated and targeted forms of attacks that can evade intrusion detection systems, resulting in one of the greatest current challenges facing security professionals. In this experiment, we used multiple machine learning classifiers, such as Naïve Bayes, Bayes Net, KNN, Random Forest and Support Vector Machine (SVM). We used Weka performance metrics to show the numeric results. The best performance result of 91.1% was obtained with the Naïve Bayes classifier. We hope our proposed solution will help security professionals to deal with APTs in a timely and effective manner.
Keywords: advanced persistent threat; APT; Cyber Kill Chain; data breach; intrusion detection; cyber-attack; attack prediction; data-driven security and machine learning
4. Advanced Persistent Threat Detection and Mitigation Using Machine Learning Model
Authors: U. Sakthivelu, C. N. S. Vinoth Kumar. Intelligent Automation & Soft Computing (SCIE), 2023, No. 6, pp. 3691-3707 (17 pages).
The detection of cyber threats has recently been a crucial research domain as the internet and data drive people's livelihood. Several cyber-attacks lead to the compromise of data security. The proposed system offers complete data protection from Advanced Persistent Threat (APT) attacks with attack detection and defence mechanisms. The modified lateral movement detection algorithm detects the APT attacks, while the defence is achieved by the Dynamic Deception system that makes use of the belief update algorithm. Before termination, every cyber-attack undergoes multiple stages, with the most prominent stage being Lateral Movement (LM). The LM uses a Remote Desktop Protocol (RDP) technique to authenticate the unauthorised host, leaving footprints on the network and host logs. An anomaly-based approach leveraging the RDP event logs on Windows is used for detecting the evidence of LM. After extracting various feature sets from the logs, the RDP sessions are classified using machine-learning techniques with high recall and precision. It is found that the AdaBoost classifier offers better accuracy, precision, F1 score and recall, recording 99.9%, 99.9%, 0.99 and 0.98%. Further, a dynamic deception process is used as a defence mechanism to mitigate APT attacks. A hybrid encryption communication, dynamic Internet Protocol (IP) address generation, timing selection and policy allocation are established based on mathematical models. A belief update algorithm controls the defender's action. The performance of the proposed system is compared with the state-of-the-art models.
Keywords: advanced persistent threats; lateral movement detection; dynamic deception; remote desktop protocol; Internet Protocol; attack detection
5. Advanced persistent threat detection via mining long-term features in provenance graphs
Authors: Fan XU, Qinxin ZHAO, Xiaoxiao LIU, Nan WANG, Meiqi GAO, Xuezhi WEN, Dalin ZHANG. Frontiers of Computer Science, 2025, No. 10, pp. 111-121 (11 pages).
Advanced Persistent Threats (APTs) pose significant challenges to detection due to their "low-and-slow" attack patterns and frequent use of zero-day vulnerabilities. Within this task, the extraction of long-term features is often crucial. In this work, we propose a novel end-to-end APT detection framework named Long-Term Feature Association Provenance Graph Detector (LT-ProveGD). Specifically, LT-ProveGD encodes contextual information of the dynamic provenance graph while preserving the topological information with space efficiency. To combat "low-and-slow" attacks, LT-ProveGD develops an autoencoder with an integrated multi-head attention mechanism to extract long-term dependencies within the encoded representations. Furthermore, to facilitate the detection of previously unknown attacks, we leverage Jenks' natural breaks methodology, enabling detection without relying on specific attack information. By conducting extensive experiments on five widely used datasets with state-of-the-art attack detection methods, we demonstrate the superior effectiveness of LT-ProveGD.
Keywords: advanced persistent threats; provenance graph; long-term feature extraction
6. An Effective Threat Detection Framework for Advanced Persistent Cyberattacks (Cited by: 1)
Authors: So-Eun Jeon, Sun-Jin Lee, Eun-Young Lee, Yeon-Ji Lee, Jung-Hwa Ryu, Jung-Hyun Moon, Sun-Min Yi, Il-Gu Lee. Computers, Materials & Continua (SCIE, EI), 2023, No. 5, pp. 4231-4253 (23 pages).
Recently, with the normalization of non-face-to-face online environments in response to the COVID-19 pandemic, the possibility of cyberattacks through endpoints has increased. Numerous endpoint devices are managed meticulously to prevent cyberattacks and ensure timely responses to potential security threats. In particular, because telecommuting, telemedicine, and tele-education are implemented in uncontrolled environments, attackers typically target vulnerable endpoints to acquire administrator rights or steal authentication information, and reports of endpoint attacks have been increasing considerably. Advanced persistent threats (APTs) using various novel variant malicious codes are a form of sophisticated attack. However, conventional commercial antivirus and anti-malware systems that use signature-based attack detection methods cannot satisfactorily respond to such attacks. In this paper, we propose a method that expands the detection coverage in APT attack environments. In this model, an open-source threat detector and log collector are used synergistically to improve threat detection performance. Extending the scope of attack log collection through interworking between highly accessible open-source tools can efficiently increase the detection coverage of tactics and techniques used to deal with APT attacks, as defined by MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). We implemented an attack environment using an APT attack scenario emulator called Carbanak and analyzed the detection coverage of Google Rapid Response (GRR), an open-source threat detection tool, and Graylog, an open-source log collector. The proposed method expanded the detection coverage against MITRE ATT&CK by approximately 11% compared with that of conventional methods.
Keywords: advanced persistent threat; cybersecurity; endpoint security; MITRE ATT&CK; open-source threat detector; threat log collector
7. Beyond Defense: Proactive Approaches to Disaster Recovery and Threat Intelligence in Modern Enterprises (Cited by: 1)
Authors: Meysam Tahmasebi. Journal of Information Security, 2024, No. 2, pp. 106-133 (28 pages).
As cyber threats keep changing and business environments adapt, a comprehensive approach to disaster recovery involves more than just defensive measures. This research delves deep into the strategies required to respond to threats and to anticipate and mitigate them proactively. Beginning with understanding the critical need for a layered defense and the intricacies of the attacker's journey, the research offers insights into specialized defense techniques, emphasizing the importance of timely and strategic responses during incidents. Risk management is brought to the forefront, underscoring businesses' need to adopt mature risk assessment practices and understand the potential risk impact areas. Additionally, the value of threat intelligence is explored, shedding light on the importance of active engagement within sharing communities and the vigilant observation of adversary motivations. "Beyond Defense: Proactive Approaches to Disaster Recovery and Threat Intelligence in Modern Enterprises" is a comprehensive guide for organizations aiming to fortify their cybersecurity posture, marrying best practices in proactive and reactive measures in the ever-challenging digital realm.
Keywords: advanced persistent threats (APT); attack phases; attack surface; defense-in-depth; Disaster Recovery (DR); Incident Response Plan (IRP); Intrusion Detection Systems (IDS); Intrusion Prevention System (IPS); Key Risk Indicator (KRI); layered defense; Lockheed Martin Kill Chain; proactive defense; redundancy; risk management; threat intelligence
8. Insider threat detection approach for tobacco industry based on heterogeneous graph embedding
Authors: JI Qi (季琦), LI Wei, PAN Bailin, XUE Hongkai, QIU Xiang. High Technology Letters (EI, CAS), 2024, No. 2, pp. 199-210 (12 pages).
In the tobacco industry, insider employee attack is a thorny problem that is difficult to detect. To solve this issue, this paper proposes an insider threat detection method based on heterogeneous graph embedding. First, the interrelationships between logs are fully considered, and log entries are converted into heterogeneous graphs based on these relationships. Second, heterogeneous graph embedding is adopted and each log entry is represented as a low-dimensional feature vector. Then, normal logs and malicious logs are classified into different clusters by a clustering algorithm to identify malicious logs. Finally, the effectiveness and superiority of the method are verified through experiments on the CERT dataset. The experimental results show that this method has better performance compared to some baseline methods.
Keywords: insider threat detection; advanced persistent threats; graph construction; heterogeneous graph embedding
9. Enhanced Detection of APT Vector Lateral Movement in Organizational Networks Using Lightweight Machine Learning
Authors: Mathew Nicho, Oluwasegun Adelaiye, Christopher D. McDermott, Shini Girija. Computers, Materials & Continua, 2025, No. 4, pp. 281-308 (28 pages).
The successful penetration of government, corporate, and organizational IT systems by state and non-state actors deploying APT vectors continues at an alarming pace. Advanced Persistent Threat (APT) attacks continue to pose significant challenges for organizations despite technological advancements in artificial intelligence (AI)-based defense mechanisms. While AI has enhanced organizational capabilities for deterrence, detection, and mitigation of APTs, the global escalation in reported incidents, particularly those successfully penetrating critical government infrastructure, has heightened concerns among information technology (IT) security administrators and decision-makers. Literature review has identified the stealthy lateral movement (LM) of malware within the initially infected local area network (LAN) as a significant concern. However, current literature has yet to propose a viable approach for resource-efficient, real-time detection of APT malware lateral movement within the initially compromised LAN following perimeter breach. Researchers have suggested the nature of the dataset, optimal feature selection, and the choice of machine learning (ML) techniques as critical factors for detection. Hence, the objective of the research described here was to successfully demonstrate a simplified lightweight ML method for detecting the LM of APT vectors. While the nearest detection rate achieved in the LM domain within LAN was 99.89%, as reported in relevant studies, our approach surpassed it, with a detection rate of 99.95% for the modified random forest (RF) classifier for dataset 1. Additionally, our approach achieved a perfect 100% detection rate for the decision tree (DT) and RF classifiers with dataset 2, a milestone not previously reached in studies within this domain involving two distinct datasets. Using the ML life cycle methodology, we deployed K-nearest neighbor (KNN), support vector machine (SVM), DT, and RF on three relevant datasets to detect the LM of APTs at the affected LAN prior to data exfiltration/destruction. Feature engineering presented four critical APT LM intrusion detection (ID) indicators (features) across the three datasets, namely, the source port number, the destination port number, the packets, and the bytes. This study demonstrates the effectiveness of lightweight ML classifiers in detecting APT lateral movement after network perimeter breach. It contributes to the field by proposing a non-intrusive network detection method capable of identifying APT malware before data exfiltration, thus providing an additional layer of organizational defense.
Keywords: intrusion detection; lateral movement; machine learning; advanced persistent threats
10. Detecting APT-Exploited Processes through Semantic Fusion and Interaction Prediction
Authors: Bin Luo, Liangguo Chen, Shuhua Ruan, Yonggang Luo. Computers, Materials & Continua (SCIE, EI), 2024, No. 2, pp. 1731-1754 (24 pages).
Considering the stealthiness and persistence of Advanced Persistent Threats (APTs), system audit logs are leveraged in recent studies to construct system entity interaction provenance graphs to unveil threats in a host. Rule-based provenance graph APT detection approaches require elaborate rules and cannot detect unknown attacks, and existing learning-based approaches are limited by the lack of available APT attack samples or generally only perform graph-level anomaly detection, which requires lots of manual effort to locate attack entities. This paper proposes an APT-exploited process detection approach called ThreatSniffer, which constructs the benign provenance graph from attack-free audit logs, fits normal system entity interactions and then detects APT-exploited processes by predicting the rationality of entity interactions. Firstly, ThreatSniffer understands system entities in terms of their file paths, interaction sequences, and the number distribution of interaction types, and uses the multi-head self-attention mechanism to fuse these semantics. Then, based on the insight that APT-exploited processes interact with system entities they should not invoke, ThreatSniffer performs negative sampling on the benign provenance graph to generate non-existent edges, thus characterizing irrational entity interactions without requiring APT attack samples. At last, it employs a heterogeneous graph neural network as the interaction prediction model to aggregate the contextual information of entity interactions and locate processes exploited by attackers, thereby achieving fine-grained APT detection. Evaluation results demonstrate that anomaly-based detection enables ThreatSniffer to identify all attack activities. Compared to the node-level APT detection method APT-KGL, ThreatSniffer achieves a 6.1% precision improvement because of its comprehensive understanding of entity semantics.
Keywords: advanced persistent threat; provenance graph; multi-head self-attention; graph neural network
11. TIM: threat context-enhanced TTP intelligence mining on unstructured threat data (Cited by: 6)
Authors: Yizhe You, Jun Jiang, Zhengwei Jiang, Peian Yang, Baoxu Liu, Huamin Feng, Xuren Wang, Ning Li. Cybersecurity (EI, CSCD), 2022, No. 2, pp. 10-26 (17 pages).
TTPs (Tactics, Techniques, and Procedures), which represent an attacker's goals and methods, are the long-period and essential feature of the attacker. Defenders can use TTP intelligence to perform penetration tests and compensate for defense deficiencies. However, most TTP intelligence is described in unstructured threat data, such as APT analysis reports. Manually converting natural language TTP descriptions to standard TTP names, such as ATT&CK TTP names and IDs, is time-consuming and requires deep expertise. In this paper, we define the TTP classification task as a sentence classification task. We annotate a new sentence-level TTP dataset with 6 categories and 6061 TTP descriptions from 10761 security analysis reports. We construct a threat context-enhanced TTP intelligence mining (TIM) framework to mine TTP intelligence from unstructured threat data. The TIM framework uses TCENet (Threat Context Enhanced Network) to find and classify TTP descriptions, which we define as three continuous sentences, from textual data. Meanwhile, we use the element features of TTPs in the descriptions to enhance the TTP classification accuracy of TCENet. The evaluation result shows that the average classification accuracy of our proposed method on the 6 TTP categories reaches 0.941. The evaluation results also show that adding TTP element features can improve our classification accuracy compared to using only text features. TCENet also achieved the best results compared to the previous document-level TTP classification works and other popular text classification methods, even in the case of few-shot training samples. Finally, the TIM framework organizes TTP descriptions and TTP elements into STIX 2.1 format as final TTP intelligence for sharing the long-period and essential attack behavior characteristics of attackers. In addition, we transform TTP intelligence into Sigma detection rules for attack behavior detection. Such TTP intelligence and rules can help defenders deploy long-term effective threat detection and perform more realistic attack simulations to strengthen defense.
Keywords: TTPs; threat intelligence; Natural language processing (NLP); advanced persistent threat (APT)
12. A flexible approach for cyber threat hunting based on kernel audit records
Authors: Fengyu Yang, Yanni Han, Ying Ding, Qian Tan, Zhen Xu. Cybersecurity (EI, CSCD), 2022, No. 3, pp. 74-89 (16 pages).
Hunting the advanced threats hidden in enterprise networks has always been a complex and difficult task. Due to the variety of attacking means, it is difficult for traditional security systems to detect threats. Most existing methods analyze log records, but the amount of log records generated every day is very large. How to find the information related to attack events quickly and effectively from massive data streams is an important problem. Considering that the knowledge graph can be used for automatic relation calculation and complex relation analysis, and can get relatively fast feedback, our work proposes to construct the knowledge graph based on kernel audit records, which fully considers the global correlation among entities observed in audit logs. We design the construction and application process of the knowledge graph, which can be applied to actual threat hunting activities. Then we explore in detail different ways to use the constructed knowledge graph for hunting actual threats. Finally, we implement a LAN-wide hunting system which is convenient and flexible for security analysts. Evaluations based on the adversarial engagement designed by DARPA prove that our platform can effectively hunt sophisticated threats, quickly restore the attack path or assess the impact of an attack.
Keywords: advanced persistent threat; cyber threat hunting; kernel audit log; knowledge graph
13. A Survey on Intelligent Detection for APT Attacks
Authors: Yang Xiuzhang, Peng Guojun, Liu Side, Zhang Dongni, Li Chenguang, Liu Xinyi, Fu Jianming. China Communications, 2025, No. 11, pp. 103-131 (29 pages).
Advanced persistent threat (APT) can use malware, vulnerabilities, and obfuscation countermeasures to launch cyber attacks against specific targets, spy and steal core information, and penetrate and damage critical infrastructure and target systems. Also, the APT attack has caused a catastrophic impact on global network security. Traditional APT attack detection is achieved by constructing rules or manual reverse analysis using expert experience, with poor intelligence and robustness. However, current research lacks a comprehensive effort to sort out the intelligent methods of APT attack detection. To this end, we summarize and review the research on intelligent detection methods for APT attacks. Firstly, we propose two APT attack intelligent detection frameworks, for endpoint samples and malware, and for malware-generated audit logs. Secondly, this paper divides APT attack detection into four critical tasks: malicious attack detection, malicious family detection, malicious behavior identification, and malicious code location. In addition, we further analyze and summarize the strategies and characteristics of existing intelligent methods for each task. Finally, we look forward to the forefront of research and potential directions of APT attack detection, which can promote the development of intelligent defense against APT attacks.
Keywords: advanced persistent threat; artificial intelligence; attack detection; malware; network security
14. UGEA-LMD: A Continuous-Time Dynamic Graph Representation Enhancement Framework for Lateral Movement Detection
Authors: Jizhao Liu, Yuanyuan Shao, Shuqin Zhang, Fangfang Shan, Jun Li. Computers, Materials & Continua, 2026, No. 1, pp. 1924-1943 (20 pages).
Lateral movement represents the most covert and critical phase of Advanced Persistent Threats (APTs), and its detection still faces two primary challenges: sample scarcity and "cold start" of new entities. To address these challenges, we propose an Uncertainty-Driven Graph Embedding-Enhanced Lateral Movement Detection framework (UGEA-LMD). First, the framework employs event-level incremental encoding on a continuous-time graph to capture fine-grained behavioral evolution, enabling newly appearing nodes to retain temporal contextual awareness even in the absence of historical interactions and thereby fundamentally mitigating the cold-start problem. Second, in the embedding space, we model the dependency structure among feature dimensions using a Gaussian copula to quantify the uncertainty distribution, and generate augmented samples with consistent structural and semantic properties through adaptive sampling, thus expanding the representation space of sparse samples and enhancing the model's generalization under sparse-sample conditions. Unlike static graph methods that cannot model temporal dependencies or data augmentation techniques that depend on predefined structures, UGEA-LMD offers both superior temporal-dynamic modeling and structural generalization. Experimental results on the large-scale LANL log dataset demonstrate that, under the transductive setting, UGEA-LMD achieves an AUC of 0.9254; even when 10% of nodes or edges are withheld during training, UGEA-LMD significantly outperforms baseline methods on metrics such as recall and AUC, confirming its robustness and generalization capability in sparse-sample and cold-start scenarios.
Keywords: advanced persistent threats (APTs); lateral movement detection; continuous-time dynamic graph; data enhancement
15. A Scheduling Optimization Technique Based on Reuse in Spark to Defend Against APT Attack (Cited by: 1)
Authors: Jianchao Tang, Ming Xu, Shaojing Fu, Kai Huang. Tsinghua Science and Technology (SCIE, EI, CAS, CSCD), 2018, No. 5, pp. 550-560 (11 pages).
Advanced Persistent Threat (APT) attack, an attack option in recent years, poses serious threats to the security of governments' and enterprises' data due to its advanced and persistent attacking characteristics. To address this issue, a security policy of big data analysis has been proposed based on the analysis of log data of servers and terminals in Spark. However, in practical applications, Spark cannot suitably analyze very huge amounts of log data. To address this problem, we propose a scheduling optimization technique based on the reuse of datasets to improve Spark performance. In this technique, we define and formulate the reuse degree of Directed Acyclic Graphs (DAGs) in Spark based on Resilient Distributed Datasets (RDDs). Then, we define a global optimization function to obtain the optimal DAG sequence, that is, the sequence with the least execution time. To implement the global optimization function, we further propose a novel cost optimization algorithm based on the traditional Genetic Algorithm (GA). Our experiments demonstrate that this scheduling optimization technique in Spark can greatly decrease the time overhead of analyzing log data for detecting APT attacks.
Keywords: Spark; advanced persistent threat (APT); schedule; reuse; Resilient Distributed Dataset (RDD); Directed Acyclic Graph (DAG); Genetic Algorithm (GA)
16. Under false flag: using technical artifacts for cyber attack attribution
Authors: Florian Skopik, Timea Pahi. Cybersecurity (CSCD), 2020, No. 1, pp. 103-122 (20 pages).
The attribution of cyber attacks is often neglected. The consensus still is that little can be done to prosecute the perpetrators – and unfortunately, this might be right in many cases. What is, however, only of limited interest for private industry is at the center of interest for nation states. Investigating if an attack was carried out in the name of a nation state is a crucial task for secret services. Many methods, tools and processes exist for network and computer forensics that allow the collection of traces and evidence. They are the basis to associate adversarial actions to threat actors. However, a serious problem which has not yet got the appropriate attention from research is false flag campaigns: cyber attacks which apply covert tactics to deceive or misguide attribution attempts – either to hide traces or to blame others. In this paper we provide an overview of prominent attack techniques along the cyber kill chain. We investigate traces left by attack techniques and which questions in the course of the attribution process are answered by investigating these traces. Eventually, we assess how easily traces can be spoofed and rate their relevancy with respect to identifying false flag campaigns.
Keywords: actor attribution; advanced persistent threats; technical indicators; false flag campaigns
17. Under false flag: using technical artifacts for cyber attack attribution
Authors: Florian Skopik, Timea Pahi. Cybersecurity, 2018, No. 1, pp. 729-748 (20 pages).
The attribution of cyber attacks is often neglected. The consensus still is that little can be done to prosecute the perpetrators – and unfortunately, this might be right in many cases. What is, however, only of limited interest for private industry is at the center of interest for nation states. Investigating if an attack was carried out in the name of a nation state is a crucial task for secret services. Many methods, tools and processes exist for network and computer forensics that allow the collection of traces and evidence. They are the basis to associate adversarial actions to threat actors. However, a serious problem which has not yet got the appropriate attention from research is false flag campaigns: cyber attacks which apply covert tactics to deceive or misguide attribution attempts – either to hide traces or to blame others. In this paper we provide an overview of prominent attack techniques along the cyber kill chain. We investigate traces left by attack techniques and which questions in the course of the attribution process are answered by investigating these traces. Eventually, we assess how easily traces can be spoofed and rate their relevancy with respect to identifying false flag campaigns.
Keywords: actor attribution; advanced persistent threats; technical indicators; false flag campaigns