Alerts Correlation and Causal Analysis for APT Based Cyber Attack Detection

Khosravi, Mehran; Ladani, Behrouz Tork

doi:10.1109/access.2020.3021499

Cited by 30 publications

(18 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Next, we will present the findings and analysis of the research questions. Watering hole [3,28,79,84,88,99,101,102] Malware [1,3,88,89,[102][103][104][105] Application repackaging [106] Attacks on an Internet-facing server [3,83,89,101] Removable device [3,89,107] Drive-by download [96] Spoofing attack [7,82,108] SQL injection Execution [3,5,82,84,[86][87][88]90,94,97,101,[109][110][111][112][113][114] Zero day, known vulnerability [79,101,115] Remote code execution/Code injection ...…”

Section: Analysis and Findings Of Research Questionsmentioning

confidence: 99%

“…Credential access [28] Pass hash [79,82,83,117,118] Man-in-the-middle [119] Password cracking [120] Eavesdropping [78,[80][81][82]85,87,97,105,107,111,[121][122][123] Social engineering Discovery [124] Probe [100,125] Lateral/Internal spear-phishing emails Lateral movement [108] Data leakage Collection Cloud data leakage [126] Removable device C&C and Exfiltration Tunneling over protocol [3,76,79,81,92,97,111,115,[124][125][126][127][128][129][130] DOS Impact [4,82,131] Botnet [108] Software update Data fabrication In this section, the findings and analysis of Research Question 1 related to APT features are presented. APT is a hard-to-detect cyber threat group or campaign that may use familiar attacks (such as spear phishing, watering hole, appl...…”

Section: Analysis and Findings Of Research Questionsmentioning

confidence: 99%

“…Social engineering-In order to obtain information and gain access to a system, social engineering attacks often target people as their primary target. Most APT attackers use this technique to gather information about the targeted user at the reconnaissance stage, moving laterally to other systems or figuring out the compromised systems [78,[80][81][82]85,87,97,105,107,111,[121][122][123]; 2.…”

mentioning

confidence: 99%

See 2 more Smart Citations

Exploration of Mobile Device Behavior for Mitigating Advanced Persistent Threats (APT): A Systematic Literature Review and Conceptual Framework

Jabar

Singh

2022

Sensors

View full text Add to dashboard Cite

During the last several years, the Internet of Things (IoT), fog computing, computer security, and cyber-attacks have all grown rapidly on a large scale. Examples of IoT include mobile devices such as tablets and smartphones. Attacks can take place that impact the confidentiality, integrity, and availability (CIA) of the information. One attack that occurs is Advanced Persistent Threat (APT). Attackers can manipulate a device’s behavior, applications, and services. Such manipulations lead to signification of a deviation from a known behavioral baseline for smartphones. In this study, the authors present a Systematic Literature Review (SLR) to provide a survey of the existing literature on APT defense mechanisms, find research gaps, and recommend future directions. The scope of this SLR covers a detailed analysis of most cybersecurity defense mechanisms and cutting-edge solutions. In this research, 112 papers published from 2011 until 2022 were analyzed. This review has explored different approaches used in cybersecurity and their effectiveness in defending against APT attacks. In a conclusion, we recommended a Situational Awareness (SA) model known as Observe–Orient–Decide–Act (OODA) to provide a comprehensive solution to monitor the device’s behavior for APT mitigation.

show abstract

Section: Analysis and Findings Of Research Questionsmentioning

confidence: 99%

Section: Analysis and Findings Of Research Questionsmentioning

confidence: 99%

mentioning

confidence: 99%

See 1 more Smart Citation

Exploration of Mobile Device Behavior for Mitigating Advanced Persistent Threats (APT): A Systematic Literature Review and Conceptual Framework

Jabar

Singh

2022

Sensors

View full text Add to dashboard Cite

show abstract

“…There are some methods proposed for the detection of advanced persistent threats (APTs) which are multistep attacks in IT and ICS networks [47][48][49]. Detection based on attack signatures is a method proposed for APT attacks.…”

Section: Introductionmentioning

confidence: 99%

“…APT attacks have dynamic behaviours, and they follow diverse attacking techniques and tactics to reach their goal. Therefore, detection based on attack signatures is not efficient for zero-day attacks [47]. Two other methods proposed for an ICS environment are correlation analysis and causality analysis of loges [48,49].…”

Section: Introductionmentioning

confidence: 99%

Automated detection-in-depth in industrial control systems

Jadidi

Foo

Hussain

et al. 2021

Int J Adv Manuf Technol

View full text Add to dashboard Cite

Legacy industrial control systems (ICSs) are not designed to be exposed to the Internet and linking them to corporate networks has introduced a large number of cyber security vulnerabilities. Due to the distributed nature of ICS devices, a detection-in-depth strategy is required to simultaneously monitor the behaviour of multiple sources of ICS data. While a detection-in-depth method leads to detecting attacks, like flooding attacks in earlier phases before the attacker can reach the end target, most research papers have focused on anomaly detection based on a single source of ICS data. Here, we present a detection-in-depth method for an ICS network. The new method is called automated flooding attack detection (AFAD) which consists of three stages: data acquisition, pre-processing, and a flooding anomaly detector. Data acquisition includes data collection from different sources like programmable logic controller (PLC) logs and network traffic. We then generate NetFlow data to provide light-weight anomaly detection in ICS networks. NetFlow-based analysis has been used as a scalable method for anomaly detection in high-speed networks. It only analyses packet headers, and it is an efficient method for detecting flooding attacks like denial of service attacks, and its performance is not affected by encrypted data. However, it has not been sufficiently studied in industrial control systems. Besides NetFlow data, ICS device logs are a rich source of information that can be used to detect abnormal behaviour. Both NetFlow traffic and log data are processed in our pre-processing stage. The third stage of AFAD is anomaly detection which consists of two parallel machine learning analysis methods, which respectively analyse the behaviours of device logs and NetFlow records. Due to the lack of enough labelled training datasets in most environments, an unsupervised predictor and an unsupervised clustering method are respectively used in the anomaly detection stage. We validated our approach using traffic captured in a factory automation dataset, Modbus dataset, and SWAT dataset. These datasets contain physical and network level normal and abnormal data. The performance of AFAD was compared with single-layer anomaly detection and with other studies. Results showed the high precision of AFAD in detecting flooding attacks.

show abstract