DEVELOPMENT OF THE STRUCTURAL AND ANALYTICAL MODELS FOR EARLY APT-ATTACKS DETECTION AND INTRUDERS IDENTIFICATION
Authors: Sergiy Gnatyuk, Zhadyra Avkurova, Andriy Tolbatov, Yevheniia Krasovska, Bagdat Yagaliyeva, Oleksii Verkhovets
Affiliation: NAU Cybersecurity R&D Lab, National Aviation University, Kyiv, Ukraine, L.N. Gumilyov Eurasian National University, Nur-Sultan, Kazakhstan, Professional College of Engineering and Management, National Aviation University, Kyiv, Ukraine, Yessenov University, Aktau, Kazakhstan, , State Scientific and Research Institute of Cybersecurity Technologies and Information Protection, Kyiv, Ukraine
Keywords: APT-attack, Early Detection, Identification, Honeypot, Fuzzy Logic, Parameter, ICT.
ABSTRACT. Modern information and communication technologies (ICT) are vulnerable to APT-attacks (advanced persistent threats) and other relevant threats. APT-attack is a stealthy threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to ICT and remains undetected for an extended period. Early detection of APT-attack is very important for ICT of critical infrastructure sectors. But existed approaches don’t allow to detect attacks effectively in cyberspace as fuzzy environment. In this paper, a method of linguistic terms using statistical data was used for structural and analytical models of parameters (both host and network parameters) as well as intruder model based on the defined host and networks parameters was developed. Based on this, logical rules can be developed to provide the functioning of IDS based on honeypot (or other) technology for APT-attacks detection and intruder type identification in ICT.
1. M. Khosravi and B. T. Ladani, “Alerts Correlation and Causal Analysis for APT Based Cyber Attack Detection”, in IEEE Access, Vol. 8, pp. 162642-162656, 2020.
2. Denning D.E. “An Intrusion-Detection Model”, IEEE Transactions On Software Engineering, February 1987, Vol. SE-13, No. 2, pp. 222-232.
3. Hu Z., Odarchenko R., Gnatyuk S., Zaliskyi M., Chaplits A., Bondar S., Borovik V. “Statistical techniques for detecting cyberattacks on computer networks based on an analysis of abnormal traffic behavior”, International Journal of Computer Network and Information Security, Vol. 12, Issue 6, pp. 1-13, 2020.
4. Y. Qi, R. Jiang, Y. Jia and A. Li, “An APT Attack Analysis Framework Based on Self-define Rules and Mapreduce”, 2020 IEEE Fifth International Conference on Data Science in Cyberspace (DSC), 2020, pp. 61-66, doi: 10.1109/DSC50466.2020.00017.
5. D. Liu, H. Zhang, H. Yu, X. Liu, Y. Zhao and G. Lv, “Research and Application of APT Attack Defense and Detection Technology Based on Big Data Technology”, 2019 IEEE 9th International Conference on Electronics Information and Emergency Communication (ICEIEC), 2019, pp. 1-4, doi: 10.1109/ICEIEC.2019.8784483.
6. X. Liu, L. Li, Z. Ma, X. Lin and J. Cao, “Design of APT Attack Defense System Based on Dynamic Deception”, 2019 IEEE 5th International Conference on Computer and Communications (ICCC), 2019, pp. 1655-1659, doi: 10.1109/ICCC47050.2019.9064206.
7. S. -P. Hong, C. -H. Lim and H. J. Lee, “APT attack response system through AM-HIDS”, 2021 23rd International Conference on Advanced Communication Technology (ICACT), 2021, pp. 271-274, doi: 10.23919/ICACT51234.2021.9370749.
8. Y. Su, “Research on APT attack based on game model”, 2020 IEEE 4th Information Technology, Networking, Electronic and Automation Control Conference (ITNEC), 2020, pp. 295-299, doi: 10.1109/ITNEC48623.2020.9084845.
9. M. Zaliskyi, R. Odarchenko, S. Gnatyuk, Yu. Petrova. A. Chaplits, “Method of traffic monitoring for DDoS attacks detection in e-health systems and networks”, CEUR Workshop Proceedings, Vol. 2255, pp. 193-204, 2018.
10. A. Paradise et al., “Creation and Management of Social Network Honeypots for Detecting Targeted Cyber Attacks”, in IEEE Transactions on Computational Social Systems, vol. 4, No. 3, pp. 65-79, Sept. 2017.
11. Svarovskiy S. “Approximation of membership functions for linguistic variables”, Mathematical issues of data analysis, pp. 127-131, 1980.
12. M. Zuzcak and P. Bujok, “Causal analysis of attacks against honeypots based on properties of countries”, in IET Information Security, Vol. 13, No. 5, pp. 435-447, 9 2019, doi: 10.1049/iet- ifs.2018.5141.
13. W. Zhang, B. Zhang, Y. Zhou, H. He and Z. Ding, “An IoT Honeynet Based on Multiport Honeypots for Capturing IoT Attacks”, in IEEE Internet of Things Journal, Vol. 7, No. 5, pp. 3991-3999, May 2020, doi: 10.1109/JIOT.2019.2956173.
14. Gnatyuk S., Berdibayev R., Avkurova Z., Verkhovets O., Bauyrzhan M. “Studies on cloud-based cyber incidents detection and identification in critical infrastructure”, CEUR Workshop Proceedings, 2021, Vol. 2923, pp. 68-80.
15. Gnatyuk S., Berdibayev R., Smirnova T., Avkurova Z., Iavich M. “Cloud-Based Cyber Incidents Response System and Software Tools”, Communications in Computer and Information Science, Vol. 1486, pp. 169-184, 2021.
16. Maksim Iavich, Sergiy Gnatyuk, Giorgi Iashvili, Andriy Fesenko, Cyber security European standards in business, Scientific and practical cyber security journal, 2019
17. Iavich M., Gnatyuk S., Odarchenko R., Bocu R., Simonov S. (2021) The Novel System of Attacks Detection in 5G. In: Barolli L., Woungang I., Enokido T. (eds) Advanced Information Networking and Applications. AINA 2021. Lecture Notes in Networks and Systems, vol 226. Springer, Cham. https://doi.org/10.1007/978-3-030-75075-6_47