MLDS: Multi-Layer Defense System for Preventing Advanced Persistent Threats

Moon, Daesung; Im, Hyungjin; Lee, Jae Dong; Park, Jong Hyuk

doi:10.3390/sym6040997

Cited by 36 publications

(27 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…What's more, we find that it is almost impossible to completely defend against attackers that enter the network through network penetration. [18] However, when an APT invades the system, it will quickly establish a backdoor in the system, so it is inevitable for the APT to try to communicate with the command and control server (C&C server). C&C communication is a bridge between C&C server and the infected user inside the system.…”

Section: B Observation 1) Observation1mentioning

confidence: 99%

Discovering Suspicious APT Families Through a Large-Scale Domain Graph in Information-Centric IoT

Meng

2019

IEEE Access

View full text Add to dashboard Cite

In recent years, a type of cyberattacks, known as advanced persistent threats, has resulted in very serious losses to various organizations such as governments and enterprises. The APT has the characteristics of long duration, complex attack means, and strong ability to conceal themselves, which make it difficult to detect them. Due to the lack of proper means to protect the Information-centric IoT (ICIoT), the ICIoT devices are extremely vulnerable to APT attacks. Moreover, among the existing APT detection methods, most researchers adopt those that extract the features of different APT attacks, and most of the features extracted are local, which leads to the fact that the related methods have poor scalability, thus reducing the accuracy. Furthermore, the attackers can easily avoid the detection by changing the local features. In this paper, we find that it is inevitable that the infected host will generate C&C communication with the command and control server (C&C server), during the process of APT attacks, and the C&C domain names are the bridge connecting the internal infection with the C&C server. Moreover, a certain APT attack of one attack family, which is the assembly of the same APT attacks, tends to map the C&C domain names to the same IP subnet. Under the assumption that the APT attackers have limited attack resources, the relationship between C&C domain names of APT and IP subnet is inevitable for the APT attackers to get higher attack efficiency, which leads to the effective tracking of APT attack behavior. Therefore, we construct a detection method based on the domain names' graph structure. This detection method can improve the detection efficiency in the information-centric internet, especially for the IoT devices. And, at the same time, we employ an appropriate pruning strategy and a preprocessing method to reduce the size of data to be processed and improve the computational efficiency. This detection method can also reduce the detection range, increase the detection accuracy, and improve the robustness and scalability of the detection system. In the actual experiment, the data size we process is 257535071 DNS requests and 73136 domain names. The experiment shows that the C&C domain names can be effectively detected even with a small-scale seed domain names. INDEX TERMS APT, malicious domain, graph, ICIoT, C&C server.

show abstract

Section: B Observation 1) Observation1mentioning

confidence: 99%

Discovering Suspicious APT Families Through a Large-Scale Domain Graph in Information-Centric IoT

Meng

2019

IEEE Access

View full text Add to dashboard Cite

show abstract

“…The Audit expert system is currently widely used [21]. In support of Audit expert systems, Moon et al [22] presented Multi-Layer Defense System (MLDS) that applies a reinforced defense system by collecting and analyzing log information and various information from network infrastructure. Heo et al [23] suggested a system design that helps to maintain a certain level of quality of service and quality of security service in threatening environments.…”

Section: Review Of Related Workmentioning

confidence: 99%

Logical filter approach for early stage cyber-attack detection

et al. 2019

View full text Add to dashboard Cite

The planned in advance cyber-attacks cause the most damage for the users of the information systems. Such attacks can take a very long time, require considerable financial and human resources, and therefore, they can only be organized by large interest groups. Furthermore, current intrusion detection systems, intrusion prevention systems and intrusion response systems used to protect against cyber-attacks have several shortcomings. Such systems respond only to the attack itself when it is too late to take a preventive action and they are not suitable for detecting an attack in early stages when it is possible to block the attack and minimize the losses. Early detection requires detailed monitoring of network and system parameters to be able to accurately identify the early stages of the attack when it is still possible to kill the attack chain. In this paper, we propose to consider an attack chain consisting of nine stages. The method to detect early stage cyberattack based on the attack chain analysis using hardware implementation of logical filters is suggested. The performed experiment acknowledges the possibility to detect the attack in the early stages.

show abstract

“…Matsuda et al, (2018) proposed a new method based on outlier detection and machine learning for detecting attacks that utilize legitimate accounts. A Multi-Layer Defense System which attempts to prevent APTs by analyzing information of network, servers, end-users, and logs, has been proposed by (Moon et al, 2014). Meanwhile, a random forest algorithm has been proposed as a method to detect the presence of APT in infected machines (Chandran et al, 2015).…”

Section: Research On Apt Countermeasuresmentioning

confidence: 99%

Modelling Technical Countermeasures of Advanced Persistent Threats

Nicho¹,

McDermott²

2019

Proceedings of the 16th International Conference on Applied Computing 2019

View full text Add to dashboard Cite

An advanced persistent threat (APT) is a highly targeted and sophisticated attack directed at the internetworked computer user at the workplace. They typically employ zero-day malware, stealth, and multiple advanced techniques to gain entry and maintain presence undetected inside the network. As a result, preventing their ingress at the network perimeter and detection once infiltration occurs, continues to be a challenge. In this respect, the major objective of this research is to propose a classification schema for the APT technical countermeasures. We interviewed senior managers working in government and private organizations in the United Arab Emirates over a period of four years (2014 to 2017) to gain their perspective of the threat and elicit technical countermeasures. We anticipate the proposed methods and practices can assist organizations, not only in the UAE but also in the wider global context, to implement an appropriate mix of countermeasures for APT threats from a multi-dimensional perspective.

show abstract

MLDS: Multi-Layer Defense System for Preventing Advanced Persistent Threats

Cited by 36 publications

References 18 publications

Discovering Suspicious APT Families Through a Large-Scale Domain Graph in Information-Centric IoT

Discovering Suspicious APT Families Through a Large-Scale Domain Graph in Information-Centric IoT

Logical filter approach for early stage cyber-attack detection

Modelling Technical Countermeasures of Advanced Persistent Threats

Contact Info

Product

Resources

About