No full-text available
To read the full-text of this research,
you can request a copy directly from the authors.
MAD: A Meta-Learning Approach to Detect Advanced Persistent Threats using Provenance Data in Industrial IoT
ResearchGate has not been able to resolve any citations for this publication.
Advanced Persistent Threat (APT) attacks are causing a lot of damage to critical organizations and institutions. Therefore, early detection and warning of APT attack campaigns are very necessary today. In this paper, we propose a new approach for APT attack detection based on the combination of Feature Intelligent Extraction (FIE) and Representation Learning (RL) techniques. In particular, the proposed FIE technique is a combination of the Bidirectional Long Short-Term Memory (BiLSTM) deep learning network and the Attention network. The FIE combined model has the function of aggregating and extracting unusual behaviors of APT IPs in network traffic. The RL method proposed in this study aims to optimize classifying APT IPs and normal IPs based on two main techniques: rebalancing data and contrastive learning. Specifically, the rebalancing data method supports the training process by rebalancing the experimental dataset. And the contrastive learning method learns APT IP’s important features based on finding and pulling similar features together as well as pushing contrasting data points away. The combination of FIE and RL (abbreviated as the FIERL model) is a novel proposal and innovation and has not been proposed and published by any research. The experimental results in the paper have proved that the proposed method in the paper is correct and reasonable when it has shown superior efficiency compared to some other studies and approaches over 5% on all measurements.
Advanced persistent threats (APTs) present a significant cybersecurity challenge, necessitating innovative detection methods. This study stands out by integrating advanced data preparation with strategies for handling data imbalances, tailored for the SCVIC-APT-2021 dataset. We employ a mix of resampling, cost-sensitive learning, and ensemble methods, alongside machine learning and deep learning models like XGBoost, LightGBM, and ANNs, to enhance APT detection. Our strategy, which draws from the MITRE ATT&CK framework, concentrates on each stage of APT attacks, which significantly increases detection accuracy. Notably, we achieved a Macro F1-score of 95.20% with XGBoost and 96.67% with LightGBM, and significant enhancements in the area under the precision–recall curve for both. Our study’s exploration of the SCVIC-APT-2021 dataset marks a progressive step in APT detection research, with vital implications for future cybersecurity developments.
The objective of Advanced Persistent Threat (APT) attacks is to exploit Cyber-Physical Systems (CPSs) in combination with the Industrial Internet of Things (I-IoT) by using fast attack methods. Machine learning (ML) techniques have shown potential in identifying APT attacks in autonomous and malware detection systems. However, detecting hidden APT attacks in the I-IoT-enabled CPS domain and achieving real-time accuracy in detection present significant challenges for these techniques. To overcome these issues, a new approach is suggested that is based on the Graph Attention Network (GAN), a multi-dimensional algorithm that captures behavioral features along with the relevant information that other methods do not deliver. This approach utilizes masked self-attentional layers to address the limitations of prior Deep Learning (DL) methods that rely on convolutions. Two datasets, the DAPT2020 malware, and Edge IIoT datasets are used to evaluate the approach, and it attains the highest detection accuracy of 96.97% and 95.97%, with prediction time of 20.56 seconds and 21.65 seconds, respectively. The GAN approach is compared to conventional ML algorithms, and simulation results demonstrate a significant performance improvement over these algorithms in the I-IoT-enabled CPS realm.
Industrial Internet of Things (IIoT) is vulnerable to Advanced Persistent Threat (APT). This paper studies a scenario in which APT is launched to attack IIoT devices. Considering the APT's lateral movement, a node-level state evolution model is established to calculate the probability of every device in an IIoT system to be compromised by APT. Based on this, a Stackelberg game model is proposed for the APT attacker and defender, which can accurately describe the gaming process. An effective computational approach is developed to obtain the potential Stackelberg equilibrium strategy pair of the game. Extensive case studies and comparison studies are conducted to validate the effectiveness of the proposed method.
The Industrial Internet of Things (IIoT) is bringing evolution with remote monitoring, intelligent analytics, and control of industrial processes. However, as the industrial world is currently in its initial stage of adopting full-stack development solutions with IIoT, there is a need to address the arising challenges. In this regard, researchers have proposed IIoT architectures based on different architectural layers and emerging technologies for the end-to-end integration of IIoT systems. In this paper, we review and compare three widely accepted IIoT reference architectures and present a state-of-the-art review of conceptual and experimental IIoT architectures from the literature. We identified scalability, interoperability, security, privacy, reliability, and low latency as the main IIoT architectural requirements and detailed how the current architectures address these challenges by using emerging technologies such as edge/fog computing, blockchain, SDN, 5G, Machine Learning, and Wireless Sensor Networks (WSN). Finally, we discuss the relation between the current challenges and emergent technologies and present some opportunities and directions for future research work.
Recently, devices in real-time systems, such as residential facilities, vehicles, factories, and social infrastructure, have been increasingly connected to communication networks. Although these devices provide administrative convenience and enable the development of more sophisticated control systems, critical cybersecurity concerns and challenges remain. In this paper, we propose a hybrid anomaly detection method that combines statistical filtering and a composite autoencoder to effectively detect anomalous behaviors possibly caused by malicious activity in order to mitigate the risk of cyberattacks. We used the SWaT dataset, which was collected from a real water treatment system, to conduct a case study of cyberattacks on industrial control systems to validate the performance of the proposed approach. We then evaluated the performance of the proposed hybrid detection method on a dataset with two time window settings for the composite autoencoder. According to the experimental results, the proposed method improved the precision, recall, and F1-score by up to 0.008, 0.067, and 0.039, respectively, compared to an autoencoder-only approach. Moreover, we evaluated the computational cost of the proposed method in terms of execution time. The execution time of the proposed method was reduced by up to 8.03% compared to that of an autoencoder-only approach. Through the experimental results, we show that the proposed method detected more anomalies than an autoencoder-only detection approach and it also operated significantly faster.
Ransomware is a program used by an attacker or hacker, that locks or encrypts target files or data. The user or the owner of data cannot access these without the explicit assistance of the attacker. After locking or encrypting, the attacker demands ransom generally in the form of cryptocurrencies to permit user to regain access to the locked data. However, there is no guarantee that the user can access seized data again even after that ransom has been paid. Researchers have proposed various tools and techniques to protect and fight against ransomware. Existing tools and methods are not sufficient to detect ransomware early because several new ransomware variants are being introduced every day. Machine learning techniques are used efficiently in various applications like ransomware detection, spam detection, text classification, pattern recognition, etc. Further, deep learning, a subfield of machine learning, eliminates the burden of re-engineering the features for the new types of malware or network attacks that may arise. In this paper, several machine learning-based detection techniques against ransomware are reviewed.
Cyber threat intelligence (CTI) is being used to search for indicators of attacks that might have compromised an enterprise network for a long time without being discovered. To have a more effective analysis, CTI open standards have incorporated descriptive relationships showing how the indicators or observables are related to each other. However, these relationships are either completely overlooked in information gathering or not used for threat hunting. In this paper, we propose a system, called POIROT, which uses these correlations to uncover the steps of a successful attack campaign. We use kernel audits as a reliable source that covers all causal relations and information flows among system entities and model threat hunting as an inexact graph pattern matching problem. Our technical approach is based on a novel similarity metric which assesses an alignment between a query graph constructed out of CTI correlations and a provenance graph constructed out of kernel audit log records. We evaluate POIROT on publicly released real-world incident reports as well as reports of an adversarial engagement designed by DARPA, including ten distinct attack campaigns against different OS platforms such as Linux, FreeBSD, and Windows. Our evaluation results show that POIROT is capable of searching inside graphs containing millions of nodes and pinpoint the attacks in a few minutes, and the results serve to illustrate that CTI correlations could be used as robust and reliable artifacts for threat hunting.
Threats that have been primarily targeting nation states and its associated entities, have long before expanded their target zone to include private and corporate sectors. These class of threats that every nation and organization wants to protect itself against are known as Advanced Persistent Threats. While nation sponsored attacks will always be marked for their sophistication, attacks that have become prominent in corporate sectors do not make it any less challenging for the organizations. The rate at which the attack tools and techniques are evolving is making any existing security measures, they have, inadequate. As defenders strive hard to secure every endpoint and every link with in their networked system, attackers are finding new ways to penetrate into their target systems. With each day bringing new forms of malware with new signatures and behavior that’s close to normal, a single traditional threat detection system would not suffice. These so called Advanced Persistent Threats are difficult to achieve as well as difficult to detect. While it requires time and patience to perform APT, solutions that adapt to the adapting behavior of APT attacker(s) are required. Several works have been published in detecting an APT attack at one or two of its stages, but very limited research exists in detecting APT as a whole from reconnaissance to clean-up as one such solution demands complex correlation and behavior analysis of every event, user, system with in the network and across the network. Through this survey paper, we intend to bring before you all those methods and techniques that could be used to detect different stages of APT attacks, learning methods that need to be applied and where, to make your threat detection framework smart and undecipherable for those adapting APT attackers. We also present you with different case studies of APT attacks, different monitoring methods and deception methods to be employed for a fine grained control of security of a networked system. We conclude our paper with different types of challenges that one would face in defending against APT, and the opportunities for further research ending with a note on what we learned during our writing of this paper.
Internet of Things (IoT) is an emerging domain that promises ubiquitous connection to the Internet, turning common objects into connected devices. The IoT paradigm is changing the way people interact with things around them. It paves the way to creating pervasively connected infrastructures to support innovative services and promises better flexibility and efficiency. Such advantages are attractive not only for consumer applications, but also for the industrial domain. Over the last few years, we have been witnessing the IoT paradigm making its way into the industry marketplace with purposely designed solutions. In this paper, we clarify the concepts of IoT, Industrial IoT, and Industry 4.0. We highlight the opportunities brought in by this paradigm shift as well as the challenges for its realization. In particular, we focus on the challenges associated with the need of energy efficiency, real-time performance, coexistence, interoperability, and security and privacy. We also provide a systematic overview of the state-of-the-art research efforts and potential research directions to solve Industrial IoT challenges.
Despite more than two decades of continuous development learning from imbalanced data is still a focus of intense research. Starting as a problem of skewed distributions of binary tasks, this topic evolved way beyond this conception. With the expansion of machine learning and data mining, combined with the arrival of big data era, we have gained a deeper insight into the nature of imbalanced learning, while at the same time facing new emerging challenges. Data-level and algorithm-level methods are constantly being improved and hybrid approaches gain increasing popularity. Recent trends focus on analyzing not only the disproportion between classes, but also other difficulties embedded in the nature of data. New real-life problems motivate researchers to focus on computationally efficient, adaptive and real-time methods. This paper aims at discussing open issues and challenges that need to be addressed to further develop the field of imbalanced learning. Seven vital areas of research in this topic are identified, covering the full spectrum of learning from imbalanced data: classification, regression, clustering, data streams, big data analytics and applications, e.g., in social media and computer vision. This paper provides a discussion and suggestions concerning lines of future research for each of them.
This paper presents a systematic analysis of twenty four performance measures used in the complete spectrum of Machine Learning classification tasks, i.e., binary, multi-class, multi-labelled, and hierarchical. For each classification task, the study relates a set of changes in a confusion matrix to specific characteristics of data. Then the analysis concentrates on the type of changes to a confusion matrix that do not change a measure, therefore, preserve a classifier’s evaluation (measure invariance). The result is the measure invariance taxonomy with respect to all relevant label distribution changes in a classification problem. This formal analysis is supported by examples of applications where invariance properties of measures lead to a more reliable evaluation of classifiers. Text classification supplements the discussion with several case studies.
In the present cyber landscape, the sophistication level of malware attacks is rising steadily. Advanced Persistent Threats (APT) and other sophisticated attacks employ complex and intelligent malware. Such malware integrates numerous malignant capabilities into a single complex form of malware, known as multipurpose malware. As attacks get more complicated, it is increasingly important to be aware of what the detected malware can do and comprehend the complete range of functionalities. Traditional malware analysis focuses on malware detection and family classification. The family classification provides insights about the dominant capability rather than the full range of capabilities present in the malware, which is insufficient. Hence, we propose MalXCap to extract multiple functionalities (named malware capabilities) hidden within a single malware sample. MalXCap employs dynamic analysis and captures malware capabilities by identifying patterns of API call sequences to achieve the goal. In the current workflow, there is no publicly available malware capability dataset. Therefore, we analyze 8k malware samples collected from the public domain, identify 12 different capabilities, and prepare a dataset. We use this dataset to train MalXCap and learn the patterns of API sequences to detect different malignant capabilities. MalXCap demonstrates its efficiency by achieving 97.02% accuracy score and 0.0025 hamming loss. Analyzing the capabilities of malware enables security professionals to understand the advanced techniques used in malware, summarize the attack, and develop better countermeasures.
Advanced Persistent Threat (APT) attack usually refers to the form of long-term, covert and sustained attack on specific targets, with an adversary using advanced attack techniques to destroy the key facilities of an organization. APT attacks have caused serious security threats and massive financial loss worldwide. Academics and industry thereby have proposed a series of solutions to detect APT attacks, such as dynamic/static code analysis, traffic detection, sandbox technology, endpoint detection and response (EDR), etc. However, existing defenses are failed to accurately and effectively defend against the current APT attacks that exhibit strong persistent, stealthy, diverse and dynamic characteristics due to the weak data source integrity, large data processing overhead and poor real-time performance in the process of real-world scenarios. To overcome these difficulties, in this paper we propose APTSHIELD, a stable, efficient and real-time APT detection system for Linux hosts. In the aspect of data collection, audit is selected to stably collect kernel data of the operating system so as to carry out a complete portrait of the attack based on comprehensive analysis and comparison of existing logging tools; In the aspect of data processing, redundant semantics skipping and non-viable node pruning are adopted to reduce the amount of data, so as to reduce the overhead of the detection system; In the aspect of attack detection, an APT attack detection framework based on ATT&CK model is designed to carry out real-time attack response and alarm through the transfer and aggregation of labels. Experimental results on both laboratory and Darpa Engagement show that our system can effectively detect web vulnerability attacks, file-less attacks and remote access trojan attacks, and has a low false positive rate, which adds far more value than the existing frontier work.
APTs (Advanced Persistent Threats) have caused serious security threats worldwide. Most existing APT detection systems are implemented based on sophisticated forensic analysis rules. However, the design of these rules requires in-depth domain knowledge and the rules lack generalization ability. On the other hand, deep learning technique could automatically create detection model from training samples with little domain knowledge. However, due to the persistence, stealth, and diversity of APT attacks, deep learning technique suffers from a series of problems including difficulties of capturing contextual information, low scalability, dynamic evolving of training samples, and scarcity of training samples. Aiming at these problems, this paper proposes APT-KGL, an intelligent APT detection system based on provenance data and graph neural networks. First, APT-KGL models the system entities and their contextual information in the provenance data by a HPG (Heterogeneous Provenance Graph), and learns a semantic vector representation for each system entity in the HPG in an offline way. Then, APT-KGL performs online APT detection by sampling a small local graph from the HPG and classifying the key system entities as malicious or benign. In addition, to conquer the difficulty of collecting training samples of APT attacks, APT-KGL creates virtual APT training samples from open threat knowledge in a semi-automatic way. We conducted a series of experiments on two provenance datasets with simulated APT attacks. The experiment results show that APT-KGL outperforms other current deep learning based models, and has competitive performance against state-of-the-art rule-based APT detection systems.
Advanced persistent threats (APT) have increased in recent times as a result of the rise in interest by nation-states and sophisticated corporations to obtain high-profile information. Typically, APT attacks are more challenging to detect since they leverage zero-day attacks and common benign tools. Furthermore, these attack campaigns are often prolonged to evade detection. We leverage an approach that uses a provenance graph to obtain execution traces of host nodes in order to detect anomalous behavior. By using the provenance graph, we extract features that are then used to train an online adaptive metric learning. Online metric learning is a deep learning method that learns a function to minimize the separation between similar classes and maximizes the separation between dis-similar instances. We compare our approach with baseline models and we show our method outperforms the baseline models by increasing detection accuracy on average by 11.3% and increases True positive rate (TPR) on average by 18.3%. We also show that our method outperforms several state-of-the-art models performances in comprehensive attack datasets in both binary and multi-class settings.
Despite its technological benefits, Internet of Things (IoT) has cyber weaknesses due to the vulnerabilities in the wireless medium. Machine learning (ML)-based methods are widely used against cyber threats in IoT networks with promising performance. Advanced persistent threat (APT) is prominent for cybercriminals to compromise networks, and it is crucial to long-term and harmful characteristics. However, it is difficult to apply ML-based approaches to identify APT attacks to obtain a promising detection performance due to an extremely small percentage among normal traffic. There are limited surveys to fully investigate APT attacks in IoT networks due to the lack of public datasets with all types of APT attacks. It is worth to bridge the state-of-the-art in network attack detection with APT attack detection in a comprehensive review article. This survey article reviews the security challenges in IoT networks and presents the well-known attacks, APT attacks, and threat models in IoT systems. Meanwhile, signature-based, anomaly-based, and hybrid IDSs are summarized for IoT networks. The article highlights statistical insights regarding frequently applied ML-based methods against network intrusion. Finally, open issues and challenges for common network intrusion and APT attacks are presented for future research.
The Industrial Internet of Things (IIoT) is a physical information system developed based on traditional industrial control networks. As one of the most critical infrastructure systems, IIoT is also a preferred target for adversaries engaged in advanced persistent threats (APTs). To address this issue, we explore a deep-learning-based proactive APT detection scheme in IIoT. In this scheme, considering the characteristics of long attack sequences and long-term continuous APT attacks, our solution adopts a well-known deep learning model, bidirectional encoder representations from transformers (BERT), to detect APT attack sequences. The APT attack sequence is also optimized to ensure the model's long-term sequence judgment effectiveness. The experimental results not only show that the proposed deep learning method has feasibility and effectiveness for APT detection, but also certify that the BERT model has better accuracy and a lower false alarm rate when detecting APT attack sequences than other time series models.
Advanced Persistent Threat (APT) attacks have caused serious security threats and financial losses worldwide. Various real-time detection mechanisms that combine context information and provenance graphs have been proposed to defend against APT attacks. However, existing real-time APT detection mechanisms suffer from accuracy and efficiency issues due to inaccurate detection models and the growing size of provenance graphs. To address the accuracy issue, we propose a novel and accurate APT detection model that removes unnecessary phases and focuses on the remaining ones with improved definitions. To address the efficiency issue, we propose a state-based framework in which events are consumed as streams and each entity is represented in an FSA-like structure without storing historic data. Additionally, we reconstruct attack scenarios by storing just one in a thousand events in a database. Finally, we implement our design, called CONAN, on Windows and conduct comprehensive experiments under real-world scenarios to show that CONAN can accurately and efficiently detect all attacks within our evaluation. The memory usage and CPU efficiency of CONAN remain constant over time (1-10 MB of memory and hundreds of times faster than data generation), making CONAN a practical design for detecting both known and unknown APT attacks in real-world scenarios.
Manufacturing industry, electricity networks, supply chain, food production and water treatment plants have been heavily depended on Industrial Automation and Control (IAC) Systems. Integration of Information and Communication Technology (ICT) played a significant role in the evolution of these systems. New emerging trends and technologies, such as Internet-of-Things (IoT) interact with traditional, isolated IAC systems. Sectors such as manufacturing, electric grids, pharmaceuticals, and water treatment facilities incorporate part of these “smart” technologies in order to increase efficiency, performance and reduce production costs. But despite of its benefits, interconnectivity between smart and legacy IAC systems also creates complex interdependencies, which in turn, make imperative the need for more safety and security countermeasures. This rapid evolution has also affected greatly the threat landscape. In order to comprehend this radical change we present and analyze recent, well documented attacks that target mission critical IAC systems, which incorporate Industrial IoT technologies. In particular, we focus on highly profiled, sophisticated attacks against interconnected automation and monitoring field devices, related software platforms and systems (e.g., Programmable Logical Controllers – PLCs, industrial robots) installed on industrial facilities and smart grid generation, transmission and distribution networks and systems.
Resilience against apts: A provenance-based dataset and attack detection framework
- E Ghiasvand
Cicapt-iiot: A provenance-based apt attack dataset for iiot environment
- Ghiasvand
Chasing the shadows: Ttps in action to attribute advanced persistent threats
- Rani
Caldera: A red-blue cyber operations automation platform
- R Alford
- D Lawrence
- M Kouremetis
Chasing the shadows: Ttps in action to attribute advanced persistent threats
- N Rani
- B Saha
- V Maurya
- S K Shukla
A comprehensive survey of advanced persistent threat attribution: Taxonomy, methods, challenges and open research problems
Cicapt-iiot: A provenance-based apt attack dataset for iiot environment
- E Ghiasvand
- S Ray
- S Iqbal
- S Dadkhah
- A A Ghorbani