Abstract

Advanced Persistent Threats (APTs) are the most critical menaces to modern organizations and the most challenging attacks to detect. They span long periods of time, use encrypted connections and mimic normal behaviors in order to evade detection by traditional defensive solutions. We propose an innovative approach that is able to efficiently analyze high volumes of network traffic to reveal weak signals related to data exfiltrations and other suspect APT activities. The final result is a ranking of the most suspicious internal hosts; this ranking allows security specialists to focus their analyses on a small set of hosts out of the thousands of machines that typically characterize large organizations. Experimental evaluations in a network environment consisting of about 10K hosts show the feasibility and effectiveness of the proposed approach. Our proposal based on security analytics paves the way to novel forms of automatic defense aimed at early detection of APTs in large and continuously varying networked systems.

Highlights

  • Advanced Persistent Threats [1, 2] (APTs) represent the most critical menace to modern organizations

  • To the best of our knowledge, this paper presents the first proposal of models, algorithms and analyzers integrated in a real prototype that can support security analysts in detecting the most suspicious hosts that may be involved in APT-related activities and in data exfiltrations

  • We propose a novel framework for ranking internal hosts that are likely to be involved in APT attacks by monitoring high volumes of network traffic efficiently and effectively

Summary

Introduction

Advanced Persistent Threats [1, 2] (APTs) represent the most critical menace to modern organizations. Existing traffic analyzers are able to detect common types of attacks (e.g., distributed denial of service and worms [6, 7, 8, 9, 10]), but they are inadequate to identify APTs because an expert attacker mimics normal behavior and compromises a limited number of specific hosts, avoiding the spreading of infections that typical automatic malware causes. Another problem of present detection systems installed in large architectures is represented by the huge numbers of generated
