A Comprehensive Survey on Advanced Persistent Threat (APT) Detection Techniques

The increase in number of people using the Internet leads to increased cyberattack opportunities.Advanced Persistent Threats,or APTs,are among the most dangerous targeted cyberattacks.APT attacks utilize various advanced tools and techniques for attacking targets with specific goals.Even countries with advanced technologies,like the US,Russia,the UK,and India,are susceptible to this targeted attack.APT is a sophisticated attack that involves multiple stages and specific strategies.Besides,TTP(Tools,Techniques,and Procedures)involved in the APT attack are commonly new and developed by an attacker to evade the security system.However,APTs are generally implemented in multiple stages.If one of the stages is detected,we may apply a defense mechanism for subsequent stages,leading to the entire APT attack failure.The detection at the early stage of APT and the prediction of the next step in the APT kill chain are ongoing challenges.This survey paper will provide knowledge about APT attacks and their essential steps.This follows the case study of known APT attacks,which will give clear information about the APT attack process—in later sections,highlighting the various detection methods defined by different researchers along with the limitations of the work.Data used in this article comes from the various annual reports published by security experts and blogs and information released by the enterprise networks targeted by the attack.

基于超图Transformer的APT攻击威胁狩猎网络模型

针对物联网环境中高级持续性威胁(APT)具有隐蔽性强、持续时间长、更新迭代快等特点,传统被动检测模型难以对其进行有效搜寻的问题,提出了一种基于超图Transformer的APT攻击威胁狩猎(HTTN)模型,能够在时间跨度长、信息隐蔽复杂的物联网系统中快速定位和发现APT攻击痕迹。该模型首先将输入的网络威胁情报(CTI)日志图和物联网系统内核审计日志图编码为超图,经超图神经网络(HGNN)层计算日志图的全局信息和节点特征;然后由Transformer编码器提取超边位置特征;最后对超边进行匹配计算相似度分数,从而实现物联网系统网络环境下APT攻击的威胁狩猎。在物联网仿真环境下的实验结果表明,提出的HTTN模型与目前主流的图匹配神经网络相比均方误差降低约20%,Spearman等级相关系数提升约0.8%,匹配精度提升约1.2%。

APT攻击与检测研究

随着网络在社会的应用越来越广泛和深入,信息安全的重要性也得到越来越多的关注,高级持续性威胁(Advanced Persistent Threat,APT)已成为高等级网络安全威胁的主要组成部分,其相对传统安全威胁具有隐蔽性强、时间跨度久、针对性强等特点,对传统安全防御体系造成严重威胁。该文介绍历史上一些典型的APT攻击案例,梳理APT的攻击特点和典型流程,最后探讨现有的对抗APT比较有效的检测方法。

基于传染病和网络流模型分析APT攻击对列车控制系统的影响

高级可持续威胁(APT)是目前工业控制系统面临的主要威胁之一。APT攻击利用计算机设备漏洞入侵列车控制网络,感染并且扩散到网络中的其他设备,影响系统正常运行,因此评价APT攻击对列车控制系统的影响非常必要。提出一种基于传染病模型和网络流理论结合的APT攻击影响分析方法。首先,分析在APT攻击的不同阶段设备节点状态之间的转化规则,结合传染病理论建立APT攻击传播模型,研究攻击过程中的节点状态变化趋势;其次,把设备节点的状态变化融入网络流模型中,研究APT攻击过程中设备节点状态变化对列车控制网络中列车移动授权信息流的影响;最后,结合列车控制系统的信息物理耦合关系,分析APT攻击对列控系统整体性能的影响。仿真实验展现了APT攻击过程中节点状态变化的趋势,验证该方法在分析APT病毒软件在列车控制网络中的传播过程对列车控制系统整体性能影响的有效性,为管理者制定防御方案提供依据,提升列车控制系统信息安全水平。

An Effective Threat Detection Framework for Advanced Persistent Cyberattacks

Recently,with the normalization of non-face-to-face online environments in response to the COVID-19 pandemic,the possibility of cyberattacks through endpoints has increased.Numerous endpoint devices are managed meticulously to prevent cyberattacks and ensure timely responses to potential security threats.In particular,because telecommuting,telemedicine,and teleeducation are implemented in uncontrolled environments,attackers typically target vulnerable endpoints to acquire administrator rights or steal authentication information,and reports of endpoint attacks have been increasing considerably.Advanced persistent threats(APTs)using various novel variant malicious codes are a form of a sophisticated attack.However,conventional commercial antivirus and anti-malware systems that use signature-based attack detectionmethods cannot satisfactorily respond to such attacks.In this paper,we propose a method that expands the detection coverage inAPT attack environments.In this model,an open-source threat detector and log collector are used synergistically to improve threat detection performance.Extending the scope of attack log collection through interworking between highly accessible open-source tools can efficiently increase the detection coverage of tactics and techniques used to deal with APT attacks,as defined by MITRE Adversarial Tactics,Techniques,and Common Knowledge(ATT&CK).We implemented an attack environment using an APT attack scenario emulator called Carbanak and analyzed the detection coverage of Google Rapid Response(GRR),an open-source threat detection tool,and Graylog,an open-source log collector.The proposed method expanded the detection coverage against MITRE ATT&CK by approximately 11%compared with that conventional methods.

A Cyber Kill Chain Approach for Detecting Advanced Persistent Threats

The number of cybersecurity incidents is on the rise despite significant investment in security measures.The existing conventional security approaches have demonstrated limited success against some of the more complex cyber-attacks.This is primarily due to the sophistication of the attacks and the availability of powerful tools.Interconnected devices such as the Internet of Things(IoT)are also increasing attack exposures due to the increase in vulnerabilities.Over the last few years,we have seen a trend moving towards embracing edge technologies to harness the power of IoT devices and 5G networks.Edge technology brings processing power closer to the network and brings many advantages,including reduced latency,while it can also introduce vulnerabilities that could be exploited.Smart cities are also dependent on technologies where everything is interconnected.This interconnectivity makes them highly vulnerable to cyber-attacks,especially by the Advanced Persistent Threat(APT),as these vulnerabilities are amplified by the need to integrate new technologies with legacy systems.Cybercriminals behind APT attacks have recently been targeting the IoT ecosystems,prevalent in many of these cities.In this paper,we used a publicly available dataset on Advanced Persistent Threats(APT)and developed a data-driven approach for detecting APT stages using the Cyber Kill Chain.APTs are highly sophisticated and targeted forms of attacks that can evade intrusion detection systems,resulting in one of the greatest current challenges facing security professionals.In this experiment,we used multiple machine learning classifiers,such as Naïve Bayes,Bayes Net,KNN,Random Forest and Support Vector Machine(SVM).We used Weka performance metrics to show the numeric results.The best performance result of 91.1%was obtained with the Naïve Bayes classifier.We hope our proposed solution will help security professionals to deal with APTs in a timely and effective manner.

Advanced Persistent Threat Detection and Mitigation Using Machine Learning Model

The detection of cyber threats has recently been a crucial research domain as the internet and data drive people’s livelihood.Several cyber-attacks lead to the compromise of data security.The proposed system offers complete data protection from Advanced Persistent Threat(APT)attacks with attack detection and defence mechanisms.The modified lateral movement detection algorithm detects the APT attacks,while the defence is achieved by the Dynamic Deception system that makes use of the belief update algorithm.Before termination,every cyber-attack undergoes multiple stages,with the most prominent stage being Lateral Movement(LM).The LM uses a Remote Desktop protocol(RDP)technique to authenticate the unauthorised host leaving footprints on the network and host logs.An anomaly-based approach leveraging the RDP event logs on Windows is used for detecting the evidence of LM.After extracting various feature sets from the logs,the RDP sessions are classified using machine-learning techniques with high recall and precision.It is found that the AdaBoost classifier offers better accuracy,precision,F1 score and recall recording 99.9%,99.9%,0.99 and 0.98%.Further,a dynamic deception process is used as a defence mechanism to mitigateAPTattacks.A hybrid encryption communication,dynamic(Internet Protocol)IP address generation,timing selection and policy allocation are established based on mathematical models.A belief update algorithm controls the defender’s action.The performance of the proposed system is compared with the state-of-the-art models.

Detecting APT-Exploited Processes through Semantic Fusion and Interaction Prediction

Considering the stealthiness and persistence of Advanced Persistent Threats(APTs),system audit logs are leveraged in recent studies to construct system entity interaction provenance graphs to unveil threats in a host.Rule-based provenance graph APT detection approaches require elaborate rules and cannot detect unknown attacks,and existing learning-based approaches are limited by the lack of available APT attack samples or generally only perform graph-level anomaly detection,which requires lots of manual efforts to locate attack entities.This paper proposes an APT-exploited process detection approach called ThreatSniffer,which constructs the benign provenance graph from attack-free audit logs,fits normal system entity interactions and then detects APT-exploited processes by predicting the rationality of entity interactions.Firstly,ThreatSniffer understands system entities in terms of their file paths,interaction sequences,and the number distribution of interaction types and uses the multi-head self-attention mechanism to fuse these semantics.Then,based on the insight that APT-exploited processes interact with system entities they should not invoke,ThreatSniffer performs negative sampling on the benign provenance graph to generate non-existent edges,thus characterizing irrational entity interactions without requiring APT attack samples.At last,it employs a heterogeneous graph neural network as the interaction prediction model to aggregate the contextual information of entity interactions,and locate processes exploited by attackers,thereby achieving fine-grained APT detection.Evaluation results demonstrate that anomaly-based detection enables ThreatSniffer to identify all attack activities.Compared to the node-level APT detection method APT-KGL,ThreatSniffer achieves a 6.1%precision improvement because of its comprehensive understanding of entity semantics.

一种基于ATT&CK的新型电力系统APT攻击建模

以新能源为主体的新型电力系统,新能源与多元负荷形态比例大幅提升。高比例的可再生新能源与电力电子设备的接入以及供给侧和需求侧的随机性,导致电网遭受的攻击面增大,攻击者利用隐蔽和复杂的手段针对新型电力系统发动高级可持续威胁攻击,严重影响电网调度与能源消纳。文章基于ATT&CK知识库建立了面向新型电力系统APT攻击的杀伤链模型,针对传统方法难以将APT攻击技术划分到杀伤链攻击阶段,从而导致安全员无法迅速做出防御决策的情况,提出了一种基于杀伤链模型的APT攻击技术阶段划分方法,并采用Bert模型对技术文本进行语义分析,自动将攻击技术划分到所属阶段。实验结果表明,文章所提方法比现有模型具有更好的效果。

结合动态行为和静态特征的APT攻击检测方法

针对APT攻击网络流量难以获得,模拟的数据与现实又很难匹配的问题,提出了一种基于动态行为和静态特征结合的APT攻击检测方法。采用Noriben沙箱提取待测软件的进程行为、文件行为、注册表行为和网络行为构建动态行为特征集,基于Transformer-Encoder算法识别APT恶意软件的准确率达到了95.8%。对识别出的APT恶意软件进行组织分类,提取软件调用的DLL(dynamic link library)和API(application programming interface),并组合成DLL:API的特征形式,将1D-CNN(one dimensional convolutional neural networks)算法应用于APT恶意软件组织分类的准确率达到了98.7%,比之前的方法提高了5个百分点。与热门的深度学习算法和机器学习算法的实验效果做对比,数据表明,提出的方法相比其他方法,准确率有较大提升。

基于改进CNN的新型电力系统APT攻击检测

高级持续性威胁(advanced persistent threat,APT)已经成为新型电力系统网络安全的主要威胁之一,面对其隐蔽性强、破坏力大、持续时间长的攻击行为特点,现有的传统检测方法无法满足新型电力系统的安全要求。对此,文章提出一种基于卷积神经网络的通道与空间并行结合的注意力机制(parallel channel and spatial attention mechanism based convolutional neural network,PCSA-CNN)的APT攻击检测方法。该算法引入通道与空间并行的注意力机制,以突出APT攻击数据特征并生成对应的特征向量矩阵,然后采用卷积神经网络模型完成对APT攻击的检测。实验结果表明,基于PCSA-CNN模型的APT攻击检测方法可达到99.87%的准确率,相较现有主流神经网络模型检测效果有明显提升。

全流量回溯结合APT建模分析技术

研究海量网络数据包存储及快速检索技术,并结合高级持续性威胁(APT)组织攻击链特征,提出一种全流量回溯与APT建模分析技术方案,实现APT精准识别.系统通过网络流量聚合成大块文件,实现磁盘的顺序写入及文件系统的零碎片,提升数据包写入速度;通过两级索引,提升数据包检索速度.结合APT组织的TTP模型,对原始流量快速提取反分析,实现APT攻击的精准识别、回溯分析和攻击链还原.

APT攻击趋势分析和防御建议

APT(Advaneed Persistent Threat,高级持续性威胁)攻击严重威胁全球经济发展和国家安全稳定,文章首先简述了APT攻击的特点和生命周期,然后结合近年来APT攻击典型案例分析APT发展趋势和特点,最后提出提升我国APT监测和防御能力的方法建议。

基于半监督引导的网络APT检测知识图谱构建

各国信息系统等重要设施的高级持续性威胁(APT)攻击愈发频繁,且APT具有针对性强、隐蔽性好、破坏性大等特点。为了高效检测APT攻击,提出一种基于知识库的APT攻击检测方案。首先,通过搜集大量开源APT威胁数据,提出一种基于深度学习级联模型结构的新型APT知识获取方法。然后,针对数据的多源异构性,提出一种半监督Bootstrap的知识融合方法,以自动构建APT知识图谱。接下来,针对APT攻击检测识别的准确性,提出一种基于Bert+BiLSTM+Self-Attention+CRF模型的APT攻击检测方案,Bert模型提取文本特征,BILSTM提取输入语句与上下文之间的关系,融合Self-Attention机制关注上下文中的语义及APT实体间的关系,CRF模型根据标签间的依赖关系提取全局最优的输出标签序列,以得到APT攻击命名实体。实验表明,Bert+BiLSTM+Self-Attention+CRF模型的准确率、召回率、F1值分别达到88.69%、77.13%和82.5%,整体性能相较于现有方法更优。

一种应对APT攻击的安全架构:异常发现

威胁是一种对特定系统、组织及其资产造成破坏的潜在因素,反映的是攻击实施者依照其任务需求对被攻击对象长期持续地施以各种形式攻击的过程.面对高级可持续威胁(advanced persistent threat,APT),在其造成严重经济损失之前,现有的安全架构无法协助防御者及时发现威胁的存在.在深入剖析威胁的外延和内涵的基础上,详细探讨了威胁防御模型.提出了一种应对APT攻击的安全防御理论架构:异常发现,以立足解决威胁发现的难题.异常发现作为防御策略和防护部署工作的前提,通过实时多维地发现环境中存在的异常、解读未知威胁、分析攻击实施者的目的,为制定具有针对性的应对策略提供必要的信息.设计并提出了基于异常发现的安全体系技术架构:"慧眼",通过高、低位协同监测的技术,从APT攻击的源头、途径和终端3个层面监测和发现.

基于大数据分析的APT攻击检测研究综述

高级持续性威胁(APT,advanced persistent threat)已成为高安全等级网络的最主要威胁之一,其极强的针对性、伪装性和阶段性使传统检测技术无法有效识别,因此新型攻击检测技术成为APT攻击防御领域的研究热点。首先,结合典型APT攻击技术和原理,分析攻击的6个实施阶段,并归纳攻击特点;然后,综述现有APT攻击防御框架研究的现状,并分析网络流量异常检测、恶意代码异常检测、社交网络安全事件挖掘和安全事件关联分析等4项基于网络安全大数据分析的APT攻击检测技术的研究内容与最新进展;最后,提出抗APT攻击的系统综合防御框架和智能反馈式系统安全检测框架,并指出相应技术在应对APT攻击过程中面临的挑战和下一步发展方向。

基于攻击图的APT脆弱节点评估方法

高级可持续性威胁(advanced persistent threat,APT)具有行为隐蔽性强、攻击周期持久的特点,增加了攻击检测的难度。据此,引入攻击图理论评估网络系统在APT攻击下的脆弱节点,提出了一种基于攻击图的APT脆弱节点评估方法,有效地提高了发现攻击的概率。对APT攻击行为的异常特征进行提取和定义,对目标网络系统建立风险属性攻击图(risk attribute attack graph,RAAG)模型;基于APT攻击行为特征的脆弱性对系统节点的行为脆弱性进行评估,并以通用漏洞评分系统(common vulnerability scoring system,CVSS)标准做为参照评估系统节点的通联脆弱性;基于上述2个方面的评估,计算系统中各节点的整体脆弱性,并发现目标网络系统在面向APT攻击时的脆弱节点。实验结果表明,所提方法能够对APT攻击行为特征进行合理量化,对系统节点的脆弱性进行有效评估,在APT攻击检测率上有较好表现。

基于树型结构的APT攻击预测方法

近年来,高级持续性威胁已成为威胁网络安全的重要因素之一。然而APT攻击手段复杂多变,且具有极强的隐蔽能力,使得目前常用的基于特征匹配的边界防护技术显得力不从心。面对APT攻击检测防御难题,提出了一种基于树型结构的APT攻击预测方法。首先结合杀伤链模型构建原理,分析APT攻击阶段性特征,针对攻击目标构建窃密型APT攻击模型;然后,对海量日志记录进行关联分析形成攻击上下文,通过引入可信度和DS证据组合规则确定攻击事件,计算所有可能的攻击路径。实验结果表明,利用该方法设计的预测模型能够有效地对攻击目标进行预警,具有较好的扩展性和实用性。

因果图表征的网络攻击数据集构建

高级可持续威胁攻击因其多阶段可持续的特性,已经成为现阶段网络攻击的主要形式。针对此类型攻击的检测、预测研究,不可避免地需要相关数据集的支撑。在构建数据集时,往往需要真实的网络与主机数据。但出于隐私与安全的考虑,很少有满足要求的开源数据集。现有的数据集也往往只提供原始的网络流和日志数据,对长时攻击上下文解析的缺乏导致单纯地利用神经网络进行数据包的恶性甄别和预测的实用性不足。为了解决这些问题,该文基于网络环境的真实攻击过程数据,构建并公布了一个基于因果图的网络攻击数据集。与传统的原始网络流和日志数据集相比,该数据集充分挖掘了攻击上下文中的因果关系,可以跨长时域对高级可持续威胁攻击进行建模,方便研究人员进行攻击检测与预测的研究。该数据集开源在https://github.com/GuangmingZhu/CausalGraphAPTDataset上。

一种基于图注意力机制的威胁情报归因方法

威胁情报关联分析已成为网络攻击溯源的有效方式。从公开威胁情报源爬取了不同高级持续性威胁(APT)组织的威胁情报分析报告,并提出一种基于图注意力机制的威胁情报报告归类的方法,目的是检测新产生的威胁情报分析报告类别是否为已知的攻击组织,从而有助于进一步的专家分析。通过设计威胁情报知识图谱,提取战术和技术情报,对恶意样本、IP和域名进行属性挖掘,构建复杂网络,使用图注意力神经网络进行威胁情报报告节点分类。评估表明:所提方法在考虑类别分布不均衡的情况下,可以达到78%的准确率,达到对威胁情报报告所属组织进行有效判定的目的。