ABSTRACT
Advanced Persistent Threats (APTs) are a class of stealthy, internet-based attacks that can evade existing state-of-the-art traffic monitoring and protection systems. With the evolution of the internet and cloud computing, a new generation of APT attacks has emerged, and signature-based threat detection systems are proving insufficient against them. One essential strategy for detecting APTs is to continuously monitor and analyse features of each TCP/IP connection, such as the number of packets transferred, the total number of bytes exchanged, the duration of the connection, and the number of packet flows. Current threat detection approaches make extensive use of machine learning algorithms that exploit statistical and behavioural knowledge of the traffic. However, the performance of these algorithms is far from satisfactory when false negatives and false positives must be reduced at the same time; most current algorithms focus on reducing false positives only. This paper presents a fractal-based anomaly classification mechanism whose goal is to reduce both false positives and false negatives simultaneously. A comparison of the proposed fractal-based method with a traditional Euclidean-distance machine learning classifier (k-NN) shows that the proposed method significantly outperforms the traditional approach, reducing the false positive and false negative rates simultaneously while improving the overall classification rate.
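The pipeline the abstract describes, as an added, self-contained illustration (this is not the paper's code and does not reproduce its experiments): packet records are aggregated into the per-connection features named above (packets, bytes, duration), a Euclidean k-NN baseline is run beside a fractal-dimension classifier, and both are scored on false positive rate and false negative rate rather than accuracy alone. The fractal rule used here is a supervised variant of the fractal-impact idea from Barbara and Chen's fractal clustering (a point joins the class whose box-counting dimension it disturbs least); it is an assumption for the example, not the authors' method. All feature vectors, packet records and the two training regions are constructed so that the box counts are known exactly.

```python
"""Constructed illustration: per-connection feature aggregation, a k-NN
baseline and a box-counting fractal-dimension classifier with FPR/FNR
reporting. Not the paper's code; all data and regions are invented."""
import math
from collections import defaultdict


def connection_features(packets):
    """Aggregate packet records (ts, src, dst, nbytes) into per-connection
    features: (packet count, byte count, duration in seconds). The key is the
    unordered endpoint pair, so both directions land in one connection."""
    agg = defaultdict(lambda: [0, 0, math.inf, -math.inf])
    for ts, src, dst, nbytes in packets:
        a = agg[tuple(sorted((src, dst)))]
        a[0] += 1
        a[1] += nbytes
        a[2], a[3] = min(a[2], ts), max(a[3], ts)
    return {k: (a[0], a[1], a[3] - a[2]) for k, a in agg.items()}


def box_counting_dimension(points, scales=(1 / 2, 1 / 4, 1 / 8, 1 / 16)):
    """Least-squares slope of log N(eps) against log(1/eps), where N(eps) is
    the number of eps-sized grid cells occupied by points in [0, 1)^d."""
    xs, ys = [], []
    for eps in scales:
        occupied = {tuple(int(c // eps) for c in p) for p in points}
        xs.append(math.log(1 / eps))
        ys.append(math.log(len(occupied)))
    xm, ym = sum(xs) / len(xs), sum(ys) / len(ys)
    num = sum((x - xm) * (y - ym) for x, y in zip(xs, ys))
    return num / sum((x - xm) ** 2 for x in xs)


def fractal_predict(classes, x):
    """Fractal-impact rule (assumed here, after Barbara and Chen's fractal
    clustering): assign x to the class whose box-counting dimension changes
    least when x is added to it."""
    deltas = {label: abs(box_counting_dimension(pts + [x]) - box_counting_dimension(pts))
              for label, pts in classes.items()}
    return min(deltas, key=deltas.get)


def knn_predict(train, x, k=3):
    """Euclidean k-NN majority vote; train is a list of (point, label)."""
    nearest = sorted(train, key=lambda pl: math.dist(pl[0], x))[:k]
    votes = defaultdict(int)
    for _, label in nearest:
        votes[label] += 1
    return max(votes, key=votes.get)


def error_rates(y_true, y_pred, positive="apt"):
    """False positive rate, false negative rate and accuracy."""
    pairs = list(zip(y_true, y_pred))
    tp = sum(t == positive and p == positive for t, p in pairs)
    fn = sum(t == positive and p != positive for t, p in pairs)
    fp = sum(t != positive and p == positive for t, p in pairs)
    tn = sum(t != positive and p != positive for t, p in pairs)
    return {"fpr": fp / (fp + tn) if fp + tn else 0.0,
            "fnr": fn / (fn + tp) if fn + tp else 0.0,
            "accuracy": (tp + tn) / len(pairs)}


def grid(lo, hi, step=1 / 16):
    """Constructed training points at the centres of step-sized cells tiling
    [lo, hi)^2 in a normalised two-feature space (e.g. bytes, duration)."""
    n = round((hi - lo) / step)
    return [(lo + (i + 0.5) * step, lo + (j + 0.5) * step)
            for i in range(n) for j in range(n)]


# Constructed, normalised feature vectors: a dense benign region and a small
# sparse APT region (box-counting dimensions 2.0 and 1.4 respectively).
BENIGN = grid(0.0, 0.5)
APT = grid(0.75, 1.0)
CLASSES = {"benign": BENIGN, "apt": APT}
TRAIN = [(p, "benign") for p in BENIGN] + [(p, "apt") for p in APT]

# Constructed held-out flows; the last one sits between the two regions.
TEST = [((0.3, 0.3), "benign"), ((0.2, 0.4), "benign"), ((0.9, 0.9), "apt"),
        ((0.85, 0.95), "apt"), ((0.55, 0.55), "benign")]


def evaluate(test=TEST):
    """Run both classifiers over the held-out flows and report their rates."""
    y_true = [label for _, label in test]
    return {"knn": error_rates(y_true, [knn_predict(TRAIN, p) for p, _ in test]),
            "fractal": error_rates(y_true, [fractal_predict(CLASSES, p) for p, _ in test])}


if __name__ == "__main__":
    # Constructed packet records: (timestamp, src, dst, bytes).
    pkts = [(0.0, "10.0.0.5:51000", "198.51.100.7:443", 517),
            (0.4, "198.51.100.7:443", "10.0.0.5:51000", 1460),
            (2.0, "10.0.0.5:51000", "198.51.100.7:443", 60)]
    print(connection_features(pkts))
    print(evaluate())
```

On this constructed data the two classifiers disagree only on the flow between the regions: k-NN sides with the dense benign class, while the fractal-impact rule attaches it to the sparser APT class because a stray point barely moves a low-dimension set. That is exactly the kind of boundary case where reporting FPR and FNR separately, as the abstract argues, is more informative than a single accuracy figure.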
- Anna Sperotto, Ramin Sadre, and Aiko Pras, "Anomaly Characterization in Flow-Based Traffic Time Series," in Lecture Notes in Computer Science, IP Operations and Management, vol. 5275, 2008, pp. 15--27.
- Beth E. Binde, Russ McRee, and Terrence J. O'Connor, "Assessing Outbound Traffic to Uncover Advanced Persistent Threat - Joint Written Project," SANS Technology Institute, 2011. [Online]. Available: http://www.sans.edu/student-files/projects/JWP-Binde-McRee-OConnor.pdf
- Brad Miller, Ling Huang, A. D. Joseph, and J. D. Tygar, "I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis," vol. 8555, pp. 143--163, 2014.
- Colin Tankard, "Advanced Persistent threats and how to monitor and deter them," Network Security, vol. 2011, no. 8, pp. 16--19, August 2011.
- Damballa Inc. (2010) Advanced Persistent Threat (APT).
- Daniel Barbara and Ping Chen, "Using the fractal dimension to cluster datasets," in Proceedings of the International Conference on Knowledge Discovery and Data Mining, 2000, pp. 260--264.
- Deana Shick and Angela Horneman, "Investigating Advanced Persistent Threat 1 (APT1)," CERT Division, Software Engineering Institute, Carnegie Mellon University, USA, 2014.
- Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin, "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains," in 6th Annual International Conference on Information Warfare and Security, Washington, DC, USA, 2011.
- Fatima Barcelo-Rico, Anna I. Esparcia-Alcazar, and Antonio Villalon-Huerta, "Semi-Supervised Classification System for the Detection of Advanced Persistent Threats," Recent Advances in Computational Intelligence in Defense and Security, pp. 225--248, December 2015.
- George Nychis, Vyas Sekar, David G. Andersen, Hyong Kim, and Hui Zhang, "An Empirical Evaluation of Entropy-based Traffic Anomaly Detection," in Internet Measurement Conference, Greece, 2008.
- Ignasi Paredes-Oliva, Ismael Castell-Uroz, Pere Barlet-Ros, Xenofontas A. Dimitropoulos, and Josep Sole-Pareta, "Practical anomaly detection based on classifying frequent traffic patterns," in IEEE Conference on Computer Communications Workshops, 2012, pp. 49--54.
- Ivo Friedberg, Florian Skopik, Giuseppe Settanni, and Roman Fiedler, "Combating advanced persistent threats: From network event correlation to incident detection," Computers & Security, vol. 48, pp. 35--57, February 2015.
- J. Zico Kolter and Marcus A. Maloof, "Learning to detect and classify malicious executables in the Wild," Journal of Machine Learning Research, vol. 7, pp. 2721--2744, 2006.
- McAfee Inc., "Combating Advanced Persistent Threats - How to prevent, detect, and remediate APTs," 2011.
- Mila Parkour. (2013) Contagio malware database. [Online]. Available: https://www.mediafire.com/folder/c2az029ch6cke/TRAFFIC_PATTERNS_COLLECTION#734479hwy1b97
- Nart Villeneuve and James Bennett, "Detecting APT Activity with Network Traffic Analysis," Trend Micro Incorporated Research Paper, 2012.
- Nenad Tomasev and Krisztian Buza, "Hubness-aware kNN classification of high-dimensional data in presence of label noise," Neurocomputing, vol. 160, pp. 157--172, February 2015.
- PREDICT. (2009) DARPA Scalable Network Monitoring (SNM) Program Traffic.
- Przemysław Berezinski, Jozef Pawelec, Marek Małowidzki, and Rafał Piotrowski, "Entropy-Based Internet Traffic Anomaly Detection: A case study," in Proceedings of the 9th International Conference on Dependability and Complex Systems, Advances in Intelligent Systems and Computing, vol. 268, Brunow, Poland, 2014, pp. 47--58.
- Ross Brewer, "Advanced persistent threats: minimising the damage," Network Security, vol. 2014, no. 4, 2014.
- Ruoyu Yan and Yingfeng Wang, "Hurst Parameter for Security Evaluation of LAN Traffic," Information Technology Journal, vol. 11, no. 2, 2012.
- Seyed Mahmoud Anisheh and Hamid Hassanpour, "Designing an Approach for Network Traffic Anomaly Detection," International Journal of Computer Applications, vol. 37, no. 3, 2012.
- Thuy T.T. Nguyen and Grenville Armitage, "A Survey of Techniques for Internet Traffic Classification using Machine Learning," vol. 10, no. 4, pp. 56--76, 2007.
- Trevor Hastie, Robert Tibshirani, and Jerome Friedman, The Elements of Statistical Learning - Data Mining, Inference, and Prediction, 2nd ed. Springer, 2013.
- Ugur Demiryurek, Farnoush Banaei-Kashani, and Cyrus Shahabi, "Efficient k-nearest neighbor search in time-dependent spatial networks," in 21st International Conference on Database and Expert Systems Applications: Part I, Bilbao, Spain, 2010.
- Wireshark. (2015) tshark manual page. [Online]. Available: https://www.wireshark.org/docs/man-pages/tshark.html
- Witold Kinsner, Graduate lectures on Fractal and Chaos Engineering, 2015.
- Witold Kinsner, "It's time for multiscale analysis and synthesis in cognitive systems," in IEEE 10th Intl. Conf. Cognitive Informatics & Cognitive Computing (ICCI*CC11), Banff, AB, 2011, pp. 7--10.
- Witold Kinsner, "System Complexity and Its Measures: How Complex Is Complex," in Advances in Cognitive Informatics and Cognitive Computing, Studies in Computational Intelligence, Yingxu Wang, Du Zhang, and Witold Kinsner, Eds. Springer Berlin Heidelberg, 2010, vol. 323, pp. 265--295.
- Youngki Park, Sungchan Park, Sang-goo Lee, and Woosung Jung, "Greedy Filtering: A Scalable Algorithm for K-Nearest Neighbor Graph Construction," in 19th International Conference on Database Systems for Advanced Applications - Part I, vol. 8421, Bali, Indonesia, 2014, pp. 327--341.
- Yulios Zavala, Jeferson Wilian de Godoy Stênico, and Lee Luan Ling, "Internet Traffic Classification Using Multifractal Analysis Approach," vol. 3, no. 8, pp. 388--394, 2013.
Index Terms
- Detecting Advanced Persistent Threats using Fractal Dimension based Machine Learning Classification