SR2APT: A Detection and Strategic Alert Response Model against Multistage APT Attacks

Published: 01 January 2023

Abstract

Advanced persistent threats (APTs) are an emerging threat to cyber-physical systems (CPS), especially those that control mission-critical physical assets. Defending against them is hard because APTs are sophisticated, stealthy, and frequently rely on zero-day exploits. Existing work in this area focuses mainly on detecting APTs, but by the time an APT is detected with high confidence it may be too late, or too costly, to stop it. This work therefore addresses CPS intrusion detection and prevention against APTs and aims to stop such attacks at an earlier stage through a strategic policy for responding to imperfect APT alerts, exploiting the multistage structure of APTs and a deep reinforcement learning (DRL) formulation. A novel host-based APT detection and response model, SR2APT, is proposed; it consists of a detection engine and a decision engine. The detection engine is a graph convolutional network (GCN) that classifies each subgraph in a stream of system-log provenance subgraphs as a particular APT stage or as benign. Its classification results are fed sequentially to the decision engine, which is trained with DRL and outputs the optimal response action for each APT alert. Experimentally, the GCN-based detection engine reaches 94% classification accuracy on a semisynthetic dataset of system logs and outperforms classifiers based on SVM, CNN, and LSTM. The strategic alert response policy produced by the decision engine is compared with two fixed response policies as baselines; it achieves the best trade-off between preventing APT attacks and minimizing the disruption that mistaken active-defense actions cause to benign activities that raise false alerts, and thus obtains the highest total reward in the defense against APT attacks.
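The abstract describes a decision engine that chooses a response to each imperfect, stage-labelled alert so as to trade blocked attacks against the disruption of acting on false alerts. The following is an added example, not the paper's code, model or dataset: a constructed three-stage toy in which a host is benign or under attack, a detector raises a stage alert with an assumed true-positive rate (TPR) or false-positive rate (FPR), and the defender either waits or isolates the host after each observation. The strategic policy is computed by exact backward induction over alert histories, which stands in for the paper's DRL-trained policy, and is compared with two fixed policies of my own choosing (the abstract does not specify the paper's baselines). The prior, TPR, FPR, per-stage damage and response cost are all assumptions.

```python
"""Strategic response to imperfect multistage APT alerts: a constructed toy model.

Added example, not SR2APT's code or data. A host is either benign or under a
three-stage attack; at each stage a detector raises a stage alert with a true
positive rate TPR (attack) or a false positive rate FPR (benign). After each
observation the defender either waits or isolates the host. The strategic
policy is computed by exact backward induction over alert histories, standing
in for the paper's deep-RL decision engine, and compared with two fixed
baseline policies. All rates and costs below are assumptions.
"""
from functools import lru_cache
from itertools import product

STAGES = ("initial_access", "lateral_movement", "exfiltration")
PRIOR_ATTACK = 0.05        # assumed fraction of hosts that are under attack
TPR = 0.80                 # assumed P(stage alert | host attacked at that stage)
FPR = 0.15                 # assumed P(stage alert | benign host)
DAMAGE = (0.5, 4.0, 20.0)  # assumed cost when stage k completes unblocked
RESPOND_COST = 1.0         # assumed disruption cost of isolating the host

ALERT, NONE = "alert", "none"      # detector output at one stage
RESPOND, WAIT = "respond", "wait"  # defender actions


def posterior(history):
    """P(attack | sequence of alert/none observations), by Bayes' rule."""
    like_attack, like_benign = PRIOR_ATTACK, 1.0 - PRIOR_ATTACK
    for obs in history:
        like_attack *= TPR if obs == ALERT else 1.0 - TPR
        like_benign *= FPR if obs == ALERT else 1.0 - FPR
    return like_attack / (like_attack + like_benign)


def p_alert_next(history):
    """P(the next stage produces an alert | history)."""
    b = posterior(history)
    return b * TPR + (1.0 - b) * FPR


def expected_reward(policy, history=()):
    """Exact expected reward of `policy` (history -> action) from this point.

    Waiting at stage k lets stage k complete if the host is really under
    attack, costing DAMAGE[k] in expectation; responding ends the episode.
    """
    k = len(history)
    if k == len(STAGES):
        return 0.0
    p = p_alert_next(history)
    total = 0.0
    for obs, p_obs in ((ALERT, p), (NONE, 1.0 - p)):
        h = history + (obs,)
        if policy(h) == RESPOND:
            value = -RESPOND_COST
        else:
            value = -posterior(h) * DAMAGE[k] + expected_reward(policy, h)
        total += p_obs * value
    return total


@lru_cache(maxsize=None)
def optimal(history):
    """Backward induction: (value, best action) after observing `history`."""
    k = len(history) - 1
    wait_value = -posterior(history) * DAMAGE[k]
    if len(history) < len(STAGES):
        p = p_alert_next(history)
        wait_value += p * optimal(history + (ALERT,))[0]
        wait_value += (1.0 - p) * optimal(history + (NONE,))[0]
    if wait_value >= -RESPOND_COST:
        return wait_value, WAIT
    return -RESPOND_COST, RESPOND


def strategic_policy(history):
    """The backward-induction policy: best action after each alert history."""
    return optimal(history)[1]


def respond_on_any_alert(history):
    """Baseline 1: isolate as soon as any stage alert appears."""
    return RESPOND if history[-1] == ALERT else WAIT


def respond_on_final_stage_alert(history):
    """Baseline 2: act only on an alert for the last stage."""
    if len(history) == len(STAGES) and history[-1] == ALERT:
        return RESPOND
    return WAIT


def compare_policies():
    """Expected total reward of each policy over the whole episode."""
    return {
        "strategic": expected_reward(strategic_policy),
        "respond_on_any_alert": expected_reward(respond_on_any_alert),
        "respond_on_final_stage_alert": expected_reward(respond_on_final_stage_alert),
    }


def strategic_policy_table():
    """Best action after every possible alert history, for inspection."""
    return {h: strategic_policy(h)
            for k in range(1, len(STAGES) + 1)
            for h in product((ALERT, NONE), repeat=k)}


if __name__ == "__main__":
    for name, value in compare_policies().items():
        print(f"{name:30s} expected reward {value:+.4f}")
    for h, action in strategic_policy_table().items():
        print(f"after {h}: {action}")
```

With these assumed numbers the strategic policy ignores an isolated initial-access alert (posterior about 0.22, not worth a unit of disruption), isolates the host on two consecutive stage alerts, and at the final stage acts on any two alerts out of three. Responding to every alert pays the false-alert disruption on the many benign hosts; responding only at the final stage pays the earlier-stage damage and misses the attacks the detector fails to flag at that stage. That is the trade-off the abstract's decision engine is meant to optimise, here solved exactly because the toy is small enough to enumerate.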



Published In

Security and Communication Networks, Volume 2023 (2023), 2370 pages. ISSN 1939-0114, EISSN 1939-0122.

This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Publisher

John Wiley & Sons, Inc., United States


Qualifiers

Research article
