Abstract
We present a novel Deep Learning (DL) stack for detecting Advanced Persistent Threat (APT) attacks. The model is based on a theoretical approach in which an APT is viewed as a multi-vector, multi-stage attack that forms a continuous strategic campaign. To capture such attacks, the entire network flow, and in particular the raw data, must be used as input to the detection process. By combining different types of tailored DL methods, it is possible to capture certain types of anomalies and behaviour. Our method essentially breaks a larger problem down into smaller tasks, attempts to solve these sequentially and finally returns a conclusive result. This concept paper outlines the problems posed by each of these tasks and possible solutions to them. Additionally, we describe how we will develop, implement and test the method in the near future.
Highlights
Due to the complexity and dynamic behaviour of Advanced Persistent Threat (APT) attacks, we propose a system architecture for a novel prototype that takes into account the behaviour of these sophisticated attacks while detecting anomalies
Remote Desktop Protocol (RDP) is also used for legitimate tasks; an attacker who uses it can communicate undetected for a long time if the detection system misclassifies that traffic as benign, producing a false negative
Unknown attacks are a common problem for traditional detectors, such as intrusion detection systems (IDS), which are based on attack signatures [11]
Summary
Due to the complexity and dynamic behaviour of APT attacks, we propose a system architecture for a novel prototype that takes into account the behaviour of these sophisticated attacks while detecting anomalies. An APT attack is a sophisticated network attack whose purpose is long-term espionage against, or maximal destruction of, the target systems and networks. It has multiple functionalities that are developed to avoid detection for as long as possible. These include multiple simultaneous attack vectors with different phases, masquerading as communication data, random changes in execution time intervals, horizontal and vertical connections, and mimicking legitimate traffic [1].