DFA-AD: a distributed framework architecture for the detection of advanced persistent threats

Published in Cluster Computing

Abstract

Advanced persistent threats (APTs) are target-oriented and advanced cyber-attacks which often leverage bot control and customized malware techniques in order to control and remotely access valuable information. APTs generally use various attack techniques to gain unauthorized access to a system and then progressively spread throughout the network. The prime objectives of APT attacks are to steal intellectual property, legal documents, sensitive internal business data and other data. If an attack is successfully launched on a system, timely detection of the attack is extremely important to stop the APT from spreading further and to mitigate its impact. On the other hand, internet of things (IoT) devices are quickly becoming ubiquitous while IoT services become pervasive. Their prosperity has not gone unnoticed, and the number of attacks and threats against IoT devices and services is also increasing. Cyber-attacks are not new to the IoT, but as the IoT becomes deeply intertwined with our societies and lives, it becomes essential to take cyber defense seriously. In this paper, we propose a novel distributed framework architecture for the detection of APTs, named distributed framework architecture for APT detection (DFA-AD), which is a promising basis for modern intrusion detection systems. In contrast to other approaches, the DFA-AD technique for detecting APT attacks is based on multiple parallel classifiers, which classify events in a distributed environment, combined with event correlation among those events. Each classifier method is focused on detecting one APT attack technique independently. The evaluation results show that the proposed approach achieves greater effectiveness and accuracy.
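The abstract describes the detection pattern only at a high level: several classifiers, each dedicated to one APT attack technique, run independently and in parallel, and a correlation step ties their per-event verdicts together. The following Python sketch is an added example of that pattern and is not the authors' DFA-AD implementation; the event format, the three technique classifiers (phishing attachment, Office-to-script process spawn, bulk outbound transfer), the thresholds, and the sample events are all constructed for illustration, and threads stand in for the distributed nodes of the paper.

```python
"""Added illustration of the DFA-AD pattern: parallel per-technique
classifiers plus per-host event correlation. Not the paper's code."""
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: int              # seconds since an arbitrary epoch (constructed)
    host: str
    kind: str            # "email", "proc" or "net"
    detail: Dict[str, str]


Alert = Tuple[str, int, str]  # (host, ts, technique)

# Constructed sample events (not from the paper): ws-17 follows a
# phish -> macro -> exfiltration chain, ws-22 shows only benign activity.
EVENTS: List[Event] = [
    Event(100, "ws-17", "email", {"from": "external", "attachment": "invoice.docm"}),
    Event(130, "ws-17", "proc",  {"parent": "winword.exe", "child": "powershell.exe"}),
    Event(190, "ws-17", "net",   {"dst": "198.51.100.7", "bytes_out": "52000000"}),
    Event(200, "ws-22", "net",   {"dst": "203.0.113.9", "bytes_out": "1200"}),
    Event(400, "ws-22", "email", {"from": "internal", "attachment": "report.pdf"}),
    Event(950, "ws-22", "proc",  {"parent": "explorer.exe", "child": "notepad.exe"}),
]

# Hypothetical per-technique parameters, chosen for the sample data.
MACRO_EXTENSIONS = (".docm", ".xlsm")
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe"}
EXFIL_BYTES = 10_000_000


def classify_phishing(events: List[Event]) -> List[Alert]:
    """Technique classifier: external mail carrying a macro-enabled attachment."""
    return [(e.host, e.ts, "phishing") for e in events
            if e.kind == "email" and e.detail.get("from") == "external"
            and e.detail.get("attachment", "").endswith(MACRO_EXTENSIONS)]


def classify_macro_spawn(events: List[Event]) -> List[Alert]:
    """Technique classifier: an Office process spawning a scripting host."""
    return [(e.host, e.ts, "macro_spawn") for e in events
            if e.kind == "proc" and e.detail.get("parent") in OFFICE_PARENTS
            and e.detail.get("child") in SCRIPT_CHILDREN]


def classify_exfil(events: List[Event]) -> List[Alert]:
    """Technique classifier: unusually large outbound transfer from one host."""
    return [(e.host, e.ts, "exfiltration") for e in events
            if e.kind == "net" and int(e.detail.get("bytes_out", "0")) >= EXFIL_BYTES]


CLASSIFIERS = [classify_phishing, classify_macro_spawn, classify_exfil]


def run_classifiers(events: List[Event], classifiers=CLASSIFIERS) -> List[Alert]:
    """Run every classifier independently over the same event stream.
    Each classifier sees only the events, never the others' verdicts."""
    with ThreadPoolExecutor(max_workers=len(classifiers)) as pool:
        results = list(pool.map(lambda clf: clf(events), classifiers))
    return [alert for alerts in results for alert in alerts]


def correlate(alerts: List[Alert], window: int = 600,
              min_techniques: int = 2) -> Dict[str, List[str]]:
    """Event correlation: per host, report the first time-ordered run of
    alerts in which at least `min_techniques` distinct techniques fire
    within `window` seconds. A single technique firing alone is not reported."""
    by_host: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for host, ts, tech in alerts:
        by_host[host].append((ts, tech))
    incidents: Dict[str, List[str]] = {}
    for host, items in by_host.items():
        items.sort()
        for i, (start_ts, _) in enumerate(items):
            techs: List[str] = []
            for ts, tech in items[i:]:
                if ts - start_ts > window:
                    break
                if tech not in techs:
                    techs.append(tech)
            if len(techs) >= min_techniques:
                incidents[host] = techs
                break
    return incidents


def detect(events: List[Event] = EVENTS) -> Dict[str, List[str]]:
    """Full pipeline: parallel classification followed by correlation."""
    return correlate(run_classifiers(events))


if __name__ == "__main__":
    for host, chain in detect().items():
        print(f"{host}: {' -> '.join(chain)}")
```

Running the block reports only `ws-17`, with the chain `phishing -> macro_spawn -> exfiltration`; `ws-22` never reaches the correlator because no single classifier fires on it. The design point the abstract makes is visible here: each classifier is cheap and narrow, so it can run on its own node, and the correlator is where a lone low-confidence signal is either discarded or promoted into an incident by the company it keeps.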



Acknowledgements

This work was supported by the Institute for Information & communications Technology Promotion (IITP) Grant funded by the Korea government (MSIP) (No. R-20160222-002755, Cloud based Security Intelligence Technology Development for the Customized Security Service Provisioning).

Corresponding author

Correspondence to Jong Hyuk Park.


Cite this article

Sharma, P.K., Moon, S.Y., Moon, D. et al. DFA-AD: a distributed framework architecture for the detection of advanced persistent threats. Cluster Comput 20, 597–609 (2017). https://doi.org/10.1007/s10586-016-0716-0
