A Novel Framework for APT Attack Detection Based on Network Traffic

  • Vu Ngoc Son (Information Assurance dept. FPT University)
  • Received : 2024.01.05
  • Published : 2024.01.30

Abstract

An APT (Advanced Persistent Threat) attack is a dangerous, targeted form of attack with clearly defined objectives, and APT attack campaigns have severe consequences. Researching and developing APT attack detection solutions is therefore an urgent and necessary problem today. On the other hand, no matter how advanced an APT attack is, it follows a clear process and lifecycle. Taking advantage of this point, security experts recommend developing APT attack detection solutions for each stage of that lifecycle and process. In APT attacks, hackers often use phishing techniques to carry out the attack and steal data. If this attack and phishing phase is detected, the entire APT attack campaign collapses. It is therefore necessary to research and deploy technologies and solutions that can detect an APT attack early, while it is still in the stages of attacking and stealing data. This paper proposes an APT attack detection framework based on network traffic analysis using open-source tools and deep learning models. The research focuses on analyzing network traffic into different components, then finding ways to extract abnormal behaviors from those components, and finally using deep learning algorithms to classify network traffic based on the extracted abnormal behaviors. The abnormal behavior analysis process is presented in detail in section III.A of the paper. The APT attack detection method based on network traffic is presented in section III.B. Finally, the experimental evaluation of the proposal is presented in section IV.
