Proposed Framework for Effective Detection and Prediction of Advanced Persistent Threats Based on the Cyber Kill Chain

Автор: Faisal A. Garba, Sahalu B. Junaidu, Barroon I. Ahmad, Abdoulie M. S. Tekanyi
Организация: Department of Computer Science Education, Sa’adatu Rimi College of Education, Kano, Nigeria, Department of Computer Science, Ahmadu Bello University, Zaria, Nigeria, Department of Electrical & Computer Engineering, Ahmadu Bello University, Zaria, Nigeria

Категория:

Ключевые слова: Advanced Persistent Threat (APT), cyber kill chain (CKC), data breach, cyber attack, APT detection.
Аннотация. The cost of data breach resulting from cyber attacks is estimated to be $3.62 million dollars worldwide according to a report. Advanced Persistent Threat (APT) is a targeted cyber attack that is tailored, proceeds at a stealth and has a high objective. The state of the art security monitoring tools have failed in their attempts to detect APT. Therefore, there is a need for a solution that is fool-proof in the detection of an APT. This paper proposed the use of cyber kill chain to detect the various attack methodologies used in an APT campaign and to correlate and predict the existence of an APT attack. APT attack deploys various attack techniques which are mapped to the stages of the cyber kill chain. For each of those techniques, an attack detection methodology has been proposed in this paper. The detection result of each of these methodologies, will now be correlated in the correlation module to ascertain whether there is an ongoing APT attack and raise an alert. The result from this research work will be evaluated against a current related work. This research will therefore advance the state of the art in APT attack detection.

Библиография:

Agarwal, D. K., & Kumar, R. (2016). Spam Filtering using SVM with different Kernel Functions. International Journal of Computer Applications, 136(5), 16-23. Retrieved from https://www.ijcaonline.org/research/volume136/number5/agarwal-2016-ijca-908395.pdf
Aldridge, J. (2016). Remediating Targeted-threat Intrusions. Fire Eye. Retrieved from https://www2.fireeye.com/rs/848-DID-242/images/WP-Remediating-Intrusions.pdf?mkt_tok=eyJpIjoiT1RNMk1HWmxNalF3WkRBNSIsInQiOiJ6dVwvVXR0cGFZS2UzaFF1UlBsdUZ3Sjl0b2NUbVJWTWpIK3dLS04yazUxcFowN0dJQU9rUlM4ZnF2cGRsMStDb2paU3o5RzFyXC9LdnZyQVpWS29EbUdNaE1ia0p2QXFmQn
Amami, R., Ayed, D. B., & Ellouze, N. (2012). An Empirical Comparison of SVM and Some Supervised Learning Algorithms for Vowel Recognition. International Journal of Intelligent Information Processing (IJIIP), 3(1.6), CoRR. doi:doi: 10.4156/IJIIP
Angle, M. G., Madnick, S., & Kirtley, J. (2017). Identifying and Mitigating Cyber Attacks that Could Cause Physical Damage to Industrial Control Systems . IEEE Power and Energy Technology Systems Journal, 1-10 .
Baksi, R. P., & Upadhyaya, S. J. (2017). Kidemonas: The Silent Guardian. SKM’17, (pp. 1-6). Tampa, FL, USA
Dell SecureWorks. (2012). Lifecycle of an Advanced Persistent Threat. Dell. Retrieved from http://www.redteamusa.com/PDF/Lifecycle%20of%20an%20Advanced%20Persistent%20Threat.pdf
ENISA. (2018). ENISA Threat Landscape Report 2017: 15 Top Cyber-Threats and Trends. Heraklion, Greece: ENISA. doi:DOI 10.2824/967192
Kotsiantis, S. B. (2007). Supervised Machine Learning: A Review of Classification. Informatica, 249-268
Ghafir, I., & Prenosil, V. (2016). Proposed Approach for Targeted Attacks Detection. In H. Sulaiman, M. Othman, M. Othman, Y. Rahim, & N. Pee, Lecture Notes in Electrical Engineering, (Vol. 362, pp. 73-80). Springer, Cham.
Ghafir, I., Hammoudeh, M., Prenosil, V., Han, L., Hegarty, R., Rabie, K., & Aparicio-Navarro, F. J. (2018). Detection of Advanced Persistent Threat using Machine-Learning Correlation Analysis. Future Generation Computer Systems, 89, 349-359. doi:https://doi.org/10.1016/j.future.2018.06.055
Herløw, L. (2015). Detection and Prevention of Advanced Persistent Threats: Evaluating and Testing APT Lifecycle Models Using Real World Examples and Preventing Attacks through the Use of Mitigation Strategies and Current Best Practices. Denmark: DTU Compute: Department of Applied Mathematics and Computer
Hong, H., Pradhan, B., Bui, D. T., Xu, C., Yousseff, A. M., & Chen, W. (2017). Comparison of Four Kernel Functions used in Support Vector Machines for Landslide Susceptibility Mapping: A Case Study at Suichuan Area (China). Geomatic, Natural Hazards and Risk, 8(2), 544–569. doi:http://dx.doi.org/10.1080/19475705.2016.1250112
Hutchins, E. M., Cloppert, M. J., & Amin, R. M. (2011). Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. 6th Annual International Conference on Information Warfare and Security (pp. 1 - 14). Washington DC: Academic Conferences and Publishing International.
Kollitris, N. V. (2015). Detecting Advanced Persistent Threats through Deception Techniques. Greece: Information Security and Critical Infrastructure Protection (INFOSEC) Laboratory
Mandiant. (2004). APT1: Exposing One of China's Cyber Espionage Units. Mandiant
Martin, L. (2015). Gaining the Advantage: Applying Cyber Kill Chain Methodology to Network Defense. Lockheed Martin Corporation
Mezghani, B. A., Boujelbene, Z., & Ellouze, N. (2010). Evaluation of SVM Kernels and Conventional Machine Learning. International Journal of Hybrid Information Technology, 3(3), 23-34. Retrieved from http://www.sersc.org/journals/IJHIT/vol3_no3_2010/3.pdf
Mitre. (2014). Search Results. Retrieved May 5, 2018, from Common Vulnerabilities and Exposures: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE+-2014-3306
Moya, J. R., García, N. D., Díaz, R. Á., & Tamargo, J. L. (2017). Expert Knowledge and Data Analysis for Detecting Advanced Persistent Threats. Open Mathematics, 15(1), 1108-1122. doi:https://doi.org/10.1515/math-2017-0094
NIS Platform. (2014). State of the Art of Secure ICT Landscape. NIS. Retrieved from https://resilience.enisa.europa.eu/nis-platform/shared-documents/wg3-documents/state-of-the-art-of-the-secure-ict-landscape/at_download/file
Oprea, A., Li, Z., Yen, T.-F., Chin, S., & Alrwais, S. (2015). Detection of Early-Stage Enterprise Infection by Mining Large-Scale Log Data. 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (pp. 45-56). Rio de Janeiro, Brazil: IEEE. doi: 10.1109/DSN.2015.14
Rot, A., & Olszewski, B. (2017). Advanced Persistent Threats Attacks in Cyberspace Threats, Vulnerabilities, Methods of Protection. Federated Conference on Computer Science and Information Systems. 12, pp. 113–117. Prague, Czech Republic: ACSIS. doi:DOI: 10.15439/2017F488
Sharma, P. K., Moon, S. Y., Moon, D., & Park, J. H. (2017). DFA-AD: A Distributed Framework Architecture for the Detection of Advanced Persistent Threats. Cluster Computing, 20(1), 597–609. doi:https://doi.org/10.1007/s10586-016-0716-0
Wei-Chih, H., & Yu, T.-Y. (2009). E-mail Spam Filtering Using Support Vector Machines with Selection of Kernel Function Parameters. 2009 Fourth International Conference on Innovative Computing, Information and Control (pp. 764-767). Kaohsiung, Taiwan: IEEE. doi:DOI: 10.1109/ICICIC.2009.184
Yadav, T., & Mallari, R. A. (2016). Technical Aspects of Cyber Kill Chain. 1 - 7
Yasin, A., & Abuhasan, A. (2016). An Intelligent Classification Model for Phishing Email Detection. International Journal of Network Security & Its Applications (IJNSA), 8(4), 55-72. doi:DOI: 10.5121/ijnsa.2016.8405