Abstract
The advanced Persistent Threat (APT) is a sophisticated and target-oriented cyber attack for accessing valuable information. The attacker leverages the customized malware as the stepping stone to intrude into the enterprise network. For enterprises and forensic analysts, finding the victims and investigating them to evaluate the damages are critical, but the investigation is often limited by resources and time. In this paper, we propose an N-Victims approach that starts from a known malware-infected computer to determine the top N most likely victims. We test our approach in a real APT case that happened in a large enterprise network consisting of several thousand computers, which run a commercial antivirus system. N-Victims can find more malware-infected computers than N-Gram based approaches. In the top 20 detected computers, N-Victims also had a higher detection rate and a lower false positive rate than N-Gram based approaches.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Daly, M. K.: The Advanced Persistent Threat (2009), http://static.useeix.org/event/lisa09/tech/slides/daly.pdf
Damballa. Advanced Persistent Threats (APT) (2010), http://www.damballa.com/knowledge/advanced-persistent-threats.php
Hoglund, G.: Advanced Persistent Threat (2010), http://www.issa-sac.org/info_resources/ISSA_20100219_HBGary_Advanced_Persistent_Threat.pdf
Juels, A., Yen, T.F.: Sherlock Holmes and The Case of the Advanced Persistent Threat. In: 5th USENIX Workshop on Large-Scale Exxploits and Emergent Threats (2012)
Winder, D.: Persistent and Evasive Attacks Uncovered. Infosecurity 8(5), 40–43 (2011)
Tankard, C.: Advanced Persistent threats and how to monitor and deter them. Network Security 2011(8), 16–19 (2011)
Li, F., Lai, A., Ddl, D.: Evidence of Advanced Persistent Threat: A case study of malware for political espionage. In: 6th International Conference on Malicious and Unwanted Software, MALWARE (2011)
Frankie Li, A.A.: A Detailed Analysis of an Advanced Persistent Threat Malware. SANS Institute InfoSec Reading Room (2011)
Alperovitch, D., McAfee: Revealed: operation shady RAT (2011), http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf
Rieck, K., et al.: Botzilla: detecting the ”phoning home” of malicious software. In: Proceedings of the 2010 ACM Symposium on Applied Computing, pp. 1978–1984. ACM, Sierre (2010)
Warmer, M.: Detection of web based command & control channels (2011), http://essay.utwente.nl/61232/
Perdisci, R., Lee, W., Feamster, N.: Behavioral clustering of HTTP-based malware and signature generation using malicious network traces. In: Proceedings of the 7th USENIX Conference on Networked Systems Design and Implementation, p. 26. USENIX Association, San Jose (2010)
Gu, G., Zhang, J., Lee, W.: BotSniffer: Detecting botnet command and control channels in network traffic. In: Proceedings of the 15th Annual Network and Distributed System Security Symposium (2008)
Goebel, J., Holz, T.: Rishi: identify bot contaminated hosts by IRC nickname evaluation. In: roceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets, p. 8. USENIX Association, Cambridge (2007)
Brustoloni, J., et al.: Efficient Detection of Bots in Subscribers’ Computers. In: IEEE International Conference on Communications, ICC 2009 (2009)
Liu, S.T., Chen, Y.M.: Retrospective Detection of Malware Attacks by Cloud Computing. In: 2010 IEEE International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (2010)
Oberheide, J., Cooke, E., Jahanian, F.: Cloudav: N-version antivirus in the network cloud. In: The Proceedings of 17th USENIX Security Symposium (2008)
Brian Grow, K.E., Tschang, C.-C.: The New E-spionage Threat (2008), http://www.businessweek.com/magazine/content/08_16/b4080032218430.html
Websense. Advanced attack or APT (2011), http://www.websense.com/content/advanced-attacks-in-the-news.aspx
Gordon, T.: APTs: a poorly understood challenge. Network Security 11, 9–11 (2011)
Zhaosheng, Z., et al.: Botnet Research Survey. In: Proceedings of the 32th Annual IEEE International Computer Software and Applications Conference (2008)
Yadav, S., et al.: Detecting Algorithmically Generated Domain-Flux Attacks With DNS Traffic Analysis. IEEE/ACM Transactions on Networking 99, 1 (2012)
Neugschwandtner, M., Comparetti, P.M., Platzer, C.: Detecting malware’s failover C&C strategies with squeeze. In: Proceedings of the 27th Annual Computer Security Applications Conference, Orlando, Florida, pp. 21–30 (2011)
Ma, J., et al.: Beyond blacklists: learning to detect malicious web sites from suspicious URLs. In: Proceedings of the 15th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 1245–1254. ACM, Paris (2009)
Kantardzic, M.: Data mining: concepts, models, methods, and algorithms. Wiley-IEEE Press (2011)
Live View (2009), http://liveview.sourceforge.net/
Binde, B., McRee, R., O’Connor, T.J.: Assessing Outbound Traffic to Uncover Advanced Persistent Threat. Sans Institute (2011), http://www.sans.edu/student-files/projects/JWP-Binde-McRee-OConnor.pdf
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Liu, ST., Chen, YM., Hung, HC. (2012). N-Victims: An Approach to Determine N-Victims for APT Investigations. In: Lee, D.H., Yung, M. (eds) Information Security Applications. WISA 2012. Lecture Notes in Computer Science, vol 7690. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35416-8_16
Download citation
DOI: https://doi.org/10.1007/978-3-642-35416-8_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-35415-1
Online ISBN: 978-3-642-35416-8
eBook Packages: Computer ScienceComputer Science (R0)