APT-Attack Detection Based on Multi-Stage Autoencoders

Neuschmied, Helmut; Winter, Martin; Stojanović, Branka; Hofer-Schmitz, Katharina; Božić, Josip; Kleb, Ulrike

doi:10.3390/app12136816

Cited by 20 publications

(6 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For attack detection systems and security status monitoring systems, observable data is the key information to discover attacks, which includes measurement indicators, such as CPU utilization, disk usage, the rate of network traffic transmission, and also includes the network data flow, system logs, the application information, process information and so on. In order to maintain the covertness, the attacker will minimize the difference from the normal phase of the target system on the basis of achieving the target in the attack phase [10]. This difference and the change of the system represent the covertness of the attack phase.…”

Section: The Evaluation Methods For the Single-phase Of Apt Attackmentioning

confidence: 99%

A quantitative method to evaluate covertness of APT attack

Han

Zhu

2023

Third International Symposium on Computer Engineering and Intelligent Communications (ISCEIC 2022)

View full text Add to dashboard Cite

The high covertness of APT attack is an important feature that is different from traditional cyber-attacks, and it also can reflect the attacker's ability. The existing evaluation methods for the covertness of APT attack usually analyze the malwares used in the APT attack process. To evaluate the covertness of APT attack systematically, we propose a quantitative method. For multiple phases of APT attack, we construct two covertness metrics of each single attack phase considering the probability of the attack detection and the degree of disturbance to the target system, and then merge multiple phases to analyze the covertness of APT attack process. According to the results of simulation experiments, the method can evaluate the covertness of APT attack effectively and accurately. Quantifying APT attack covertness can help defenders to understand the specific process of APT attacks more clearly, and provides a method to learn about the ability of attackers. It also can give some significant suggestions for the distribution of defense resources and the defense strategies.

show abstract

Section: The Evaluation Methods For the Single-phase Of Apt Attackmentioning

confidence: 99%

A quantitative method to evaluate covertness of APT attack

Han

Zhu

2023

Third International Symposium on Computer Engineering and Intelligent Communications (ISCEIC 2022)

View full text Add to dashboard Cite

show abstract

“…Thus, a comparison with SOTA approaches as a baseline is obligatory, e. g., comparisons with other AI/ML-based approaches and/or signature-based IDS, such as Suricata 3 or Snort 4 . Up-todate approaches should also discuss early detection, zeroday attacks, and multi-stage attacks, as these are increasingly problematic to detect [30]. This hypothesis is important for Maggie Manager, as she is the one that wants to buy and include an AI/ML tool.…”

Section: H15: No Comparison With State-of-the-art (Sota) Givenmentioning

confidence: 99%

The Missing Link in Network Intrusion Detection: Taking AI/ML Research Efforts to Users

Dietz,

Mühlhauser,

Kögel

et al. 2024

IEEE Access

View full text Add to dashboard Cite

Intrusion Detection Systems (IDS) tackle the challenging task of detecting network attacks as fast as possible. As this is getting more complex in modern enterprise networks, Artificial Intelligence (AI) and Machine Learning (ML) have gained substantial popularity in research. However, their adoption into real-world IDS solutions remains poor. Academic research often overlooks the interconnection of users and technical aspects. This leads to less explainable AI/ML models that hinder trust among AI/ML non-experts. Additionally, research often neglects secondary concerns such as usability and privacy. If IDS approaches conflict with current regulations or if administrators cannot deal with attacks more effectively, enterprises will not adopt the IDS in practice. To identify those problems systematically, our literature survey takes a user-centric approach; we examine IDS research from the perspective of stakeholders by applying the concept of personas. Further, we investigate multiple factors limiting the adoption of AI/ML in security and suggest technical, non-technical, and user-related considerations to enhance the adoption in practice. Our key contributions are threefold. (i) We derive personas from realistic enterprise scenarios, (ii) we provide a set of relevant hypotheses in the form of a review template, and (iii), based on our reviews, we derive design guidelines for practical implementations. To the best of our knowledge, this is the first paper that analyzes practical adoption barriers of AI/ML-based intrusion detection solutions concerning appropriateness of data, reproducibility, explainability, practicability, usability, and privacy. Our guidelines may help researchers to holistically evaluate their AI/ML-based IDS approaches to increase practical adoption.

show abstract

“…With 400 iterations, their model applied to UNSW-NB15 datasets and synthetic datasets from five clients obtained 96.7% accuracy, which is higher than local models. The authors [23] proposed models for anomaly detection on two datasets, namely Contagio and CICIDS2017, using an unsupervised learning approach. Subsequently, the study will explore various known malware attacks targeting networks.…”

Section: Related Workmentioning

confidence: 99%

Collaborative Federated Learning-Based Model for Alert Correlation and Attack Scenario Recognition

Alkhpor,

Alserhani

2023

Electronics

View full text Add to dashboard Cite

Planned and targeted attacks, such as the advanced persistent threat (APT), are highly sophisticated forms of attack. They involve numerous steps and are intended to remain within a system for an extended length of period before progressing to the next stage of action. Anticipating the next behaviors of attackers is a challenging and crucial task due to the stealthy nature of advanced attack scenarios, in addition to the possible high volumes of false positive alerts generated by different security tools such as intrusion detection systems (IDSs). Intelligent models that are capable of establishing a correlation individual between individual security alerts in order to reconstruct attack scenarios and to extract a holistic view of intrusion activities are required to exploit hidden links between different attack stages. Federated learning models performed in distributed settings have achieved successful and reliable implementations. Alerts from distributed security devices can be utilized in a collaborative manner based on several learning models to construct a federated model. Therefore, we propose an intelligent detection system that employs federated learning models to identify advanced attack scenarios such as APT. Features extracted from alerts are preprocessed and engineered to produce a model with high accuracy and fewer false positives. We conducted training on four machine learning models in a centralized learning; these models are XGBoost, Random Forest, CatBoost, and an ensemble learning model. To maintain privacy and ensure the integrity of the global model, the proposed model has been implemented using conventional neural network federated learning (CNN_FL) across several clients during the process of updating weights. The experimental findings indicate that ensemble learning achieved the highest accuracy of 88.15% in the context of centralized learning. CNN_FL has demonstrated an accuracy of 90.18% in detecting various attacks of APTs while maintaining a low false alarm rate.

show abstract

APT-Attack Detection Based on Multi-Stage Autoencoders

Cited by 20 publications

References 32 publications

A quantitative method to evaluate covertness of APT attack

A quantitative method to evaluate covertness of APT attack

The Missing Link in Network Intrusion Detection: Taking AI/ML Research Efforts to Users

Collaborative Federated Learning-Based Model for Alert Correlation and Attack Scenario Recognition

Contact Info

Product

Resources

About