A multi-layer approach for advanced persistent threat detection using machine learning based on network traffic

Abstract

Advanced Persistent Threat (APT) is a dangerous network attack method that is widely used by attackers nowadays. During the APT attack process, attackers often use advanced techniques and tools, thus, causing many difficulties for information security systems. In fact, to detect the APT attacks, intrusion detection systems cannot rely on one technique or method but often combine multiple techniques and methods. In addition, the approach for APT attack detection using behavior analysis and evaluation techniques is facing many difficulties due to the lack of characteristic data of attack campaigns. For the above reasons, in this paper, we propose a method for APT attack detection based on a multi-layer analysis. The multi-layer analysis technique in our proposal computes and analyzes various events in Network Traffic to detect and synthesize abnormal signs and behaviors in order to make conclusions about the existence of APT in the system. Specifically, in our proposal, we will use serial 3 main layers for the APT attack detection process including i) Detecting APT attacks based on analyzing abnormal connection; ii) Detecting APT attacks based on analyzing and evaluating Suricata log; iii) Detecting APT attacks based on analyzing behavior profiles that are compiled from layers (i) and (ii). To achieve these goals, the multi-layer analysis technique for APT attack detection will perform 2 main tasks: i) Analyzing and evaluating components of Network Traffic based on abnormal signs and behaviors. ii) building and classifying behavior profile based on each component of network traffic. In the experimental section, we will compare and evaluate the effectiveness of the APT attack detection process of each layer in the multi-layer analysis model using machine learning. Experimental results have shown that the APT attack detection method based on analyzing behavior profile has yielded better results than individual detection methods on all metrics. The research results shown in the paper not only demonstrate the effectiveness of the multilayer analysis model for APT attack detection but also provide a novel approach for detecting several other cyber-attack techniques.