Abstract

With the emergence of Advanced Persistent Threat (APT) attacks, many Internet of Things (IoT) systems face large numbers of potential threats characterized by concealment, permeability, and pertinence. However, existing methods and technologies cannot provide comprehensive and prompt recognition of latent APT attack activities in IoT systems. To address this problem, we propose an APT Alerts and Logs Correlation Method, named APTALCM, together with a framework for deploying APTALCM on an IoT system, in which an edge computing architecture is used to achieve cyber situation comprehension without excessive data transmission cost. Specifically, we first present a cyber situation ontology for modeling the concepts and properties needed to formalize APT attack activities in IoT systems. Then, we introduce a cyber situation instance similarity measurement method based on the SimRank mechanism for APT alert and log correlation. Building on instance similarity, we further propose an APT alert instance correlation method to reconstruct APT attack scenarios and an APT log instance correlation method to detect log instance communities. Through the combination of these methods, APTALCM accomplishes cyber situation comprehension effectively by recognizing APT attack intentions in IoT systems. Exhaustive experimental results demonstrate that the two kernel modules of APTALCM, i.e., the Alert Instance Correlation Module (AICM) and the Log Instance Correlation Module (LICM), achieve both a high true-positive rate and a low false-positive rate.
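As an added illustration (not code from the paper or its authors) of the SimRank-based instance similarity and alert correlation the abstract describes: a handful of constructed alert instances are linked to their property values in a bipartite graph, basic SimRank scores the alerts against each other, and alerts whose score reaches a threshold are merged into one attack scenario. The alert properties, IP addresses, decay factor and thresholds are assumptions, not values from the paper.

```python
from itertools import product

# Constructed APT alert instances with a few ontology-style properties
# (sample data, not taken from the paper): each alert links to its values.
ALERTS = {
    "A1": {"src=10.0.0.5", "dst=10.0.0.20", "phase=recon"},
    "A2": {"src=10.0.0.5", "dst=10.0.0.20", "phase=exploit"},
    "A3": {"src=10.0.0.9", "dst=10.0.0.77", "phase=recon"},
    "A4": {"src=172.16.3.4", "dst=10.0.0.77", "phase=c2"},
}

def build_graph(alerts):
    """Undirected bipartite graph: alert instances <-> property values."""
    nbrs = {}
    for alert, values in alerts.items():
        nbrs.setdefault(alert, set()).update(values)
        for v in values:
            nbrs.setdefault(v, set()).add(alert)
    return nbrs

def simrank(nbrs, decay=0.8, iterations=10):
    """Basic SimRank: two nodes are similar if their neighbours are similar."""
    nodes = list(nbrs)
    sim = {(a, b): 1.0 if a == b else 0.0 for a in nodes for b in nodes}
    for _ in range(iterations):
        new = {}
        for a, b in product(nodes, repeat=2):
            if a == b:
                new[(a, b)] = 1.0
                continue
            total = sum(sim[(i, j)] for i in nbrs[a] for j in nbrs[b])
            new[(a, b)] = decay * total / (len(nbrs[a]) * len(nbrs[b]))
        sim = new
    return sim

def reconstruct_scenarios(alerts, sim, threshold):
    """Union alerts whose SimRank score reaches the threshold into one scenario."""
    parent = {a: a for a in alerts}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for a, b in product(alerts, repeat=2):
        if a < b and sim[(a, b)] >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for a in alerts:
        groups.setdefault(find(a), []).append(a)
    return sorted(sorted(g) for g in groups.values())
```

Calling reconstruct_scenarios(ALERTS, simrank(build_graph(ALERTS)), 0.15) links all four alerts through the values they share, while a threshold of 0.9 (above the decay factor, the upper bound of any off-diagonal score) leaves every alert in its own scenario.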

Highlights

  • With the rapid advancement of the Internet of Things (IoT) infrastructure and the widely emerging networking applications, IoT security management has faced several significant challenges [1]: (a) Invisibility: it is hard to convince users to keep the software updated in IoT equipment that stops looking like traditional computers; (b) Lifetimes: since IoT devices will likely live much longer than traditional computers, unpatched software will persist much longer in IoT devices; (c) Patchability: as long-term communication is required between remote IoT devices and public network servers, applying patches is harder than in conventional information systems; (d) Consequences of Compromise: the intimate connection of IoT devices to physical infrastructure will increase the damage from a successful compromise.

  • The experiment aims to verify whether the Alert Instance Correlation Module (AICM) can reconstruct the Advanced Persistent Threat (APT) scenarios hidden in the constructed data set.

  • The results are shown in Figure 12; we can see that the Log Instance Correlation Module (LICM) achieves a good true-positive rate (TPR) on the 7 typical APT scenarios.


Summary

Introduction

With the rapid advancement of the Internet of Things (IoT) infrastructure and the widely emerging networking applications, IoT security management has faced several significant challenges [1]. The biggest shortcoming of these methods is that they cannot provide real-time recognition of real threats from a comprehensive scope, which limits the ability of IoT security administrators to make responsive decisions. To solve this problem, the concept of Cyber Situation Awareness (CSA) [7] has emerged. The main idea of CSA in large-scale IoT systems is to recognize the attack activities scattered among a large amount of noisy data in IoT systems and to grasp the security situation of the whole IoT system macroscopically. In this way, IoT system managers can respond appropriately and effectively, reducing the damage caused by various attacks as much as possible.

Our Contribution
Organization of the Paper
Background and Related Work
Cyber Situation Comprehension for IoT Systems
APTALCM Design
Cyber Situation Ontology Construction
Cyber Situation Ontology Initialization
Calculate Instance Similarity
Alert Instances Correlation
Module Implementation
Log Instances Correlation
Evaluation of the Alert Instance Correlation Module
Data Generation
Correlation Performance
Performance Comparison Between AICM and Existing APT Detection Systems
Evaluation of the Log Instance Correlation Module
Evaluation
Attack Scenario Reconstruction Time
Conclusion