Detection of advanced persistent threat using machine-learning correlation analysis

As one of the most serious types of cyber attack, Advanced Persistent Threats (APT) have caused major concerns on a global scale. APT refers to a persistent, multi-stage attack with the intention to compromise the system and gain information from the targeted system, which has the potential to cause significant damage and substantial financial loss. The accurate detection and prediction of APT is an ongoing challenge. This work proposes a novel machine learning-based system entitled MLAPT, which can accurately and rapidly detect and predict APT attacks in a systematic way. The MLAPT runs through three main phases: (1) Threat detection, in which eight methods have been developed to detect different techniques used during the various APT steps. The implementation and validation of these methods with real traffic is a significant contribution to the current body of research; (2) Alert correlation, in which a correlation framework is designed to link the outputs of the detection methods, aims to identify alerts that could be related and belong to a single APT scenario; and (3) Attack prediction, in which a machine learning-based prediction module is proposed based on the correlation framework output, to be used by the network security team to determine the probability of the early alerts to develop a complete APT attack. MLAPT is experimentally evaluated and the presented sy

Handling minority class problem in threats detection based on heterogeneous ensemble learning approach.

Multiclass problem, such as detecting multi-steps behaviour of Advanced Persistent Threats (APTs) have been a major global challenge, due to their capability to navigates around defenses and to evade detection for a prolonged period of time. Targeted APT attacks present an increasing concern for both cyber security and business continuity. Detecting the rare attack is a classification problem with data imbalance. This paper explores the applications of data resampling techniques, together with heterogeneous ensemble approach for dealing with data imbalance caused by unevenly distributed data elements among classes with our focus on capturing the rare attack. It has been shown that the suggested algorithms provide not only detection capability, but can also classify malicious data traffic corresponding to rare APT attacks

Intelligent Phishing Detection Scheme Using Deep Learning Algorithms

Purpose: Phishing attacks have evolved in recent years due to high-tech-enabled economic growth worldwide. The rise in all types of fraud loss in 2019 has been attributed to the increase in deception scams and impersonation, as well as to sophisticated online attacks such as phishing. The global impact of phishing attacks will continue to intensify, and thus, a more efficient phishing detection method is required to protect online user activities. To address this need, this study focussed on the design and development of a deep learning-based phishing detection solution that leveraged the universal resource locator and website content such as images, text and frames. Design/methodology/approach: Deep learning techniques are efficient for natural language and image classification. In this study, the convolutional neural network (CNN) and the long short-term memory (LSTM) algorithm were used to build a hybrid classification model named the intelligent phishing detection system (IPDS). To build the proposed model, the CNN and LSTM classifier were trained by using 1m universal resource locators and over 10,000 images. Then, the sensitivity of the proposed model was determined by considering various factors such as the type of feature, number of misclassifications and split issues. Findings: An extensive experimental analysis was conducted to evaluate and compare the effectiveness of the IPDS in detecting phishing web pages and phishing attacks when applied to large data sets. The results showed that the model achieved an accuracy rate of 93.28% and an average detection time of 25 s. Originality/value: The hybrid approach using deep learning algorithm of both the CNN and LSTM methods was used in this research work. On the one hand, the combination of both CNN and LSTM was used to resolve the problem of a large data set and higher classifier prediction performance. Hence, combining the two methods leads to a better result with less training time for LSTM and CNN architecture, while using the image, frame and text features as a hybrid for our model detection. The hybrid features and IPDS classifier for phishing detection were the novelty of this study to the best of the authors' knowledge

Advanced persistent threat detection: a survey

Advanced Persistent Threat is a very sophisticated targeted attack aimed at organizations. Several approaches have been proposed to detect APT. This paper defines an APT as an attack that has certain objectives to be achieved, and are performed by well-funded organizations, and is long term campaign. In this paper we have identified APT as a threat that follows a kill chain process. Intrusion detection and intrusion detection methods are summarized in this paper. Detection of an APT is a challenge. In this paper various detection methods used by researchers and the challenges in detecting APT is highlighted

Optimal Repair Strategy Against Advanced Persistent Threats Under Time-Varying Networks

Advanced persistent threat (APT) is a kind of stealthy, sophisticated, and long-term cyberattack that has brought severe financial losses and critical infrastructure damages. Existing works mainly focus on APT defense under stable network topologies, while the problem under time-varying dynamic networks (e.g., vehicular networks) remains unexplored, which motivates our work. Besides, the spatiotemporal dynamics in defense resources, complex attackers' lateral movement behaviors, and lack of timely defense make APT defense a challenging issue under time-varying networks. In this paper, we propose a novel game-theoretical APT defense approach to promote real-time and optimal defense strategy-making under both periodic time-varying and general time-varying environments. Specifically, we first model the interactions between attackers and defenders in an APT process as a dynamic APT repair game, and then formulate the APT damage minimization problem as the precise prevention and control (PPAC) problem. To derive the optimal defense strategy under both latency and defense resource constraints, we further devise an online optimal control-based mechanism integrated with two backtracking-forward algorithms to fastly derive the near-optimal solution of the PPAC problem in real time. Extensive experiments are carried out, and the results demonstrate that our proposed scheme can efficiently obtain optimal defense strategy in 54481 ms under seven attack-defense interactions with 9.64$\%$ resource occupancy in stimulated periodic time-varying and general time-varying networks. Besides, even under static networks, our proposed scheme still outperforms existing representative APT defense approaches in terms of service stability and defense resource utilization

Advanced Persistent Threats in Cybersecurity – Cyber Warfare

This book aims to provide a comprehensive analysis of Advanced Persistent Threats (APTs), including their characteristics, origins, methods, consequences, and defense strategies, with a focus on detecting these threats. It explores the concept of advanced persistent threats in the context of cyber security and cyber warfare. APTs represent one of the most insidious and challenging forms of cyber threats, characterized by their sophistication, persistence, and targeted nature. The paper examines the origins, characteristics and methods used by APT actors. It also explores the complexities associated with APT detection, analyzing the evolving tactics used by threat actors and the corresponding advances in detection methodologies. It highlights the importance of a multi-faceted approach that integrates technological innovations with proactive defense strategies to effectively identify and mitigate APT

Amenințările persistente avansate în securitatea cibernetică – Războiul cibernetic

O analiză cuprinzătoare a Amenințărilor Persistente Avansate (Advanced Persistent Threats, APT), inclusiv caracteristicile, originile, metodele, consecințele și strategiile de apărare ale acestora, cu accent pe detectarea acestor amenințări. Se explorează conceptul de amenințări persistente avansate în contextul securității cibernetice și al războiului cibernetic. APT reprezintă una dintre cele mai insidioase și provocatoare forme de amenințări cibernetice, caracterizate prin sofisticarea, persistența și natura lor țintită. Această carte analizează originile, caracteristicile și metodele folosite de actorii APT. De asemenea, explorează complexitățile asociate cu detectarea APT, analizând tacticile evolutive folosite de actorii amenințărilor și a progreselor corespunzătoare în metodologiile de detectare. Cartea subliniază importanța abordării cu mai multe fațete, care integrează inovații tehnologice cu strategii proactive de apărare pentru a identifica în mod eficient și atenua APT

Les menaces persistantes avancées en cybersécurité – La guerre cybernétique

Ce livre vise à fournir une analyse complète des menaces persistantes avancées, y compris leurs caractéristiques, origines, méthodes, conséquences et stratégies de défense, en mettant l'accent sur la détection de ces menaces. Il explore le concept de menaces persistantes avancées dans le contexte de la cybersécurité et de la cyberguerre. Les menaces persistantes avancées représentent l’une des formes de cybermenaces les plus insidieuses et les plus complexes, caractérisée par leur sophistication, leur persistance et leur nature ciblée. Le livre examine les origines, les caractéristiques et les méthodes utilisées par les acteurs des menaces persistantes avancées. Il explore également les complexités associées à la détection des menaces persistantes avancées, en analysant l'évolution des tactiques utilisées par les acteurs de la menace et les avancées correspondantes dans les méthodologies de détection. Il souligne l’importance d’une approche multidimensionnelle intégrant les innovations technologiques à des stratégies de défense proactives pour identifier et atténuer efficacement les menaces persistantes avancées

A Machine Learning Approach for RDP-based Lateral Movement Detection

Detecting cyber threats has been an on-going research endeavor. In this era, advanced persistent threats (APTs) can incur significant costs for organizations and businesses. The ultimate goal of cybersecurity is to thwart attackers from achieving their malicious intent, whether it is credential stealing, infrastructure takeover, or program sabotage. Every cyberattack goes through several stages before its termination. Lateral movement (LM) is one of those stages that is of particular importance. Remote Desktop Protocol (RDP) is a method used in LM to successfully authenticate to an unauthorized host that leaves footprints on both host and network logs. In this thesis, we propose to detect evidence of LM using an anomaly-based approach that leverages Windows RDP event logs. We explore different feature sets extracted from these logs and evaluate various supervised and unsupervised machine learning (ML) techniques for classifying RDP sessions with high precision and recall. We also compare the performance of our proposed approach to a state-of-the-art approach and demonstrate that our ML model outperforms in classifying RDP sessions in Windows event logs. In addition, we demonstrate that our model is robust against certain types of adversarial attacks