Abstract
Advanced persistent threats (APTs) are targeted, advanced cyber-attacks that often leverage bot control and customized malware techniques in order to control and remotely access valuable information. APTs generally use various attack techniques to gain unauthorized access to a system and then progressively spread throughout the network. The prime objectives of APT attacks are to steal intellectual property, legal documents, sensitive internal business data and other data. If an attack is successfully launched on a system, timely detection is extremely important to stop the APT from spreading further and to mitigate its impact. At the same time, internet of things (IoT) devices are quickly becoming ubiquitous and IoT services pervasive. Their prosperity has not gone unnoticed, and the number of attacks and threats against IoT devices and services is also increasing. Cyber-attacks are not new to IoT, but as the IoT becomes deeply intertwined with our societies and lives, it becomes essential to take cyber defense seriously. In this paper, we propose a novel distributed framework architecture for the detection of APTs, named distributed framework architecture for APT detection (DFA-AD), which is a promising basis for modern intrusion detection systems. In contrast to other approaches, the DFA-AD technique for detecting APT attacks is based on multiple parallel classifiers, which classify events in a distributed environment, and on event correlation among those events. Each classifier method focuses on detecting an APT attack technique independently. The evaluation results show that the proposed approach achieves greater effectiveness and accuracy.
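The abstract describes the DFA-AD pipeline only in outline: several classifiers, each specialised in one APT technique, run in parallel over an event stream and their alerts are then correlated. The following Python sketch is an added illustration of that shape, not code from the paper; the three technique classifiers (spear-phishing, C2 beaconing, lateral movement), their thresholds, the per-host time-window correlation rule and the event stream are all assumptions chosen for the demonstration.

```python
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor

EVENTS = [  # constructed sample stream (seconds, host, event type, detail); not from the paper
    (100, "host-a", "email_attachment", "invoice.pdf.exe"),
    (130, "host-a", "process_start", "invoice.pdf.exe"),
    (160, "host-a", "dns_query", "sync.example"),
    (220, "host-a", "dns_query", "sync.example"),
    (280, "host-a", "dns_query", "sync.example"),
    (300, "host-a", "remote_logon", "host-b"),
    (320, "host-a", "remote_logon", "host-c"),
    (900, "host-d", "dns_query", "news.example"),  # single benign lookup, no pattern
]

def detect_phishing(events):
    """Assumed technique classifier: double-extension attachment that is later executed."""
    lured = {(h, d) for t, h, e, d in events if e == "email_attachment" and d.count(".") > 1}
    return [(t, h, "spear_phishing") for t, h, e, d in events if e == "process_start" and (h, d) in lured]

def detect_beaconing(events, min_hits=3, max_jitter=10):
    """Assumed technique classifier: one domain queried at near-constant intervals (C2 beacon)."""
    seen = defaultdict(list)
    for t, h, e, d in events:
        if e == "dns_query":
            seen[(h, d)].append(t)
    alerts = []
    for (h, d), times in seen.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and max(gaps) - min(gaps) <= max_jitter:
            alerts.append((times[-1], h, "c2_beaconing"))
    return alerts

def detect_lateral(events, min_targets=2):
    """Assumed technique classifier: one host opening remote logons to several peers."""
    targets, last = defaultdict(set), {}
    for t, h, e, d in events:
        if e == "remote_logon":
            targets[h].add(d)
            last[h] = t
    return [(last[h], h, "lateral_movement") for h, s in targets.items() if len(s) >= min_targets]

CLASSIFIERS = [detect_phishing, detect_beaconing, detect_lateral]

def correlate(events, window=600, min_techniques=2):
    """Run every classifier in parallel, then correlate their alerts per host inside a time window."""
    with ThreadPoolExecutor(max_workers=len(CLASSIFIERS)) as pool:
        alerts = sorted(a for found in pool.map(lambda c: c(events), CLASSIFIERS) for a in found)
    per_host = defaultdict(list)
    for t, h, tech in alerts:
        per_host[h].append((t, tech))
    # A host is flagged when alerts for enough distinct techniques fall within `window` of its latest alert.
    return {h: techs for h, hits in per_host.items()
            if len(techs := sorted({tech for t, tech in hits if hits[-1][0] - t <= window})) >= min_techniques}
```

Any single classifier here would be a weak signal on its own; the correlation step is what turns independent technique detections into one APT-level verdict, which is the division of labour the abstract describes.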
Acknowledgements
This work was supported by the Institute for Information & Communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (No. R-20160222-002755, Cloud based Security Intelligence Technology Development for the Customized Security Service Provisioning).
Sharma, P.K., Moon, S.Y., Moon, D. et al. DFA-AD: a distributed framework architecture for the detection of advanced persistent threats. Cluster Comput 20, 597–609 (2017). https://doi.org/10.1007/s10586-016-0716-0
DOI: https://doi.org/10.1007/s10586-016-0716-0