Advanced Persistent Threat Attacks Research Articles

Method for detecting core malware sites related to biomedical information systems.

Most advanced persistent threat attacks target web users through malicious code within landing (exploit) or distribution sites. There is an urgent need to block the affected websites. Attacks on biomedical information systems are no exception to this issue. In this paper, we present a method for locating malicious websites that attempt to attack biomedical information systems. Our approach uses malicious code crawling to rearrange websites in the order of their risk index by analyzing the centrality between malware sites and proactively eliminates the root of these sites by finding the core-hub node, thereby reducing unnecessary security policies. In particular, we dynamically estimate the risk index of the affected websites by analyzing various centrality measures and converting them into a single quantified vector. On average, the proactive elimination of core malicious websites results in an average improvement in zero-day attack detection of more than 20%.

MLDS: Multi-Layer Defense System for Preventing Advanced Persistent Threats

Here we report on the issue of Advanced Persistent Threats (APT), which use malware for the purpose of leaking the data of large corporations and government agencies. APT attacks target systems continuously by utilizing intelligent and complex technologies. To overthrow the elaborate security network of target systems, it conducts an attack after undergoing a pre-reconnaissance phase. An APT attack causes financial loss, information leakage, etc. They can easily bypass the antivirus system of a target system. In this paper, we propose a Multi-Layer Defense System (MLDS) that can defend against APT. This system applies a reinforced defense system by collecting and analyzing log information and various information from devices, by installing the agent on the network appliance, server and end-user. It also discusses how to detect an APT attack when one cannot block the initial intrusion while continuing to conduct other activities. Thus, this system is able to minimize the possibility of initial intrusion and damages of the system by promptly responding through rapid detection of an attack when the target system is attacked.

A Scenario-Based Information Security Risk Evaluation Method

Risk evaluation is the core process of information security risk management. An effective risk evaluation can protect organizations and maintain their abilities to carry out missions and activities against threats as well as helping to implement controls and safeguards that are actually needed. While the traditional information security risk evaluation approaches are lack of granular analysis and clear expression of security characteristics of risk, such as the possibility, attack path, and business impact. This paper presents the scenario-based information security risk evaluation method, based on the thought of Advanced Persistent Threat (APT) attack, by constructing risk scenario, evaluate information system security risk status. The separation analysis of the technical impact and business impact contribute to the technicians and business decision makers to grasp system risk status from their respective responsibilities. In the end of the paper, we propose a practical risk scenario construction example, which provides scientific and effective guidance for the preparation of a risk evaluation report.

트래픽 분석을 통한 악성코드 감염PC 및 APT 공격탐지 방안

최근, 지능화된 공격기법을 통한 사이버테러가 지속적으로 발생하고 있으며 특히, 알려지지 않은 신종 악성코드를 사용하기에 탐지 및 대응이 매우 어렵다. 본 논문에서는 대용량 데이터 분석을 통해, 악성코드 침투단계 이후에, 좀비PC와 공격자와 통신을 사전탐지, 대응하는 알고리즘 개발 및 상용환경에서 검증하였다. 향후, 알고리즘의 고도화, 대용량 데이터 처리기술 적용을 통해, APT 공격의 탐지성능이 향상될 것으로 예상한다. Recently, cyber terror has been occurred frequently based on advanced persistent threat(APT) and it is very difficult to detect these attacks because of new malwares which cannot be detected by anti-virus softwares. This paper proposes and verifies the algorithms to detect the advanced persistent threat previously through real-time network monitoring and combinatorial analysis of big data log. In the future, APT attacks can be detected more easily by enhancing these algorithms and adapting big data platform.

Design and Load Map of the Next Generation Convergence Security Framework for Advanced Persistent Threat Attacks

An overall responding security-centered framework is necessary required for infringement accidents, failures, and cyber threats. On the other hand, the correspondence structures of existing administrative, technical, physical security have weakness in a system responding to complex attacks because each step is performed independently. This study will recognize all internal and external users as a potentially threatening element. To perform connectivity analysis regarding an action, an intelligent convergence security framework and road map is suggested. A suggested convergence security framework was constructed to be independent of an automatic framework, such as the conventional single solution for the priority defense system of APT of the latest attack type, which makes continuous reputational attacks to achieve its goals. This study suggested the next generation convergence security framework to have preemptive responses, possibly against an APT attack, consisting of the following five hierarchical layers: domain security, domain connection, action visibility, action control, and convergence correspondence. In the domain, the connection layer suggests a security instruction and direction in the domains of administrative, physical and technical security. The domain security layer has consistency of status information among the security domain. A visibility layer of an intelligent attack action consists of data gathering, comparison and decision cycle. The action control layer is a layer that controls the visibility action. Finally, the convergence corresponding layer suggests a corresponding system of before and after an APT attack. The administrative security domain had a security design based on organization, rule, process, and paper information. The physical security domain is designed to separate into a control layer and facility according to the threats of the control impossible and control possible. Each domain action executes visible and control steps, and is designed to have flexibility regarding security environmental changes. In this study, the framework to address an APT attack and load map will be used as an infrastructure corresponding to the next generation security.

An unknown Trojan detection method based on software network behavior

Aiming at the difficulty of unknown Trojan detection in the APT flooding situation, an improved detecting method has been proposed. The basic idea of this method originates from advanced persistent threat (APT) attack intents: besides dealing with damaging or destroying facilities, the more essential purpose of APT attacks is to gather confidential data from target hosts by planting Trojans. Inspired by this idea and some in-depth analyses on recently happened APT attacks, five typical communication characteristics are adopted to describe application’s network behavior, with which a fine-grained classifier based on Decision Tree and Naive Bayes is modeled. Finally, with the training of supervised machine learning approaches, the classification detection method is implemented. Compared with general methods, this method is capable of enhancing the detection and awareness capability of unknown Trojans with less resource consumption.

Life's certainties: death, taxes and APTs

Advanced Persistent Threat (APT) attacks are becoming more prevalent and invariably cost businesses not only in terms of cash but also loss of intellectual property and reputation. IT managers and CIOs are well aware that in today's environment it's not a matter of if their company is going to be compromised by cyber-criminals, but when. According to the 2012 Information Security Breaches Survey (ISBS) written by PwC, one in seven large businesses has been subject to hacking attacks in the past year and the Cabinet Office estimated the cybercrime cost to the UK economy at £27 billion in 2011. 1

Spear-phishing: how to spot and mitigate the menace

Spear-phishing is increasingly being used to penetrate systems as the preliminary stage of an Advanced Persistent Threat (APT) attack, to create a point of entry into the organisation. Employees are targeted with emails containing information personal to them. The unsuspecting employee opens an attachment within the email, or downloads a linked file, which executes and silently installs an APT on a network node within the enterprise. With recent findings that 91% of APT attacks begin with spear-phishing emails and that, increasingly, cyber-criminals are targeting mobile devices using personal data gleaned from social networks, organisations need to work hard to make their employees aware of the threat, reports Tracey Caldwell.

A study on cyber threat prediction based on intrusion detection event for APT attack detection

A number of APT(Advanced Persistent Threat) attack malwares are being detected as of late together with attempts by the state and enterprises to leak personal information. To detect and respond to them, malwares must first be detected by security monitoring system. In particular, availability of a method to detect and predict such malwares in advance will lead to preventing security incidents. This study will propose a method of prediction based on intrusion detection event and a functional configuration to realize the method and will assess the prediction model based on intrusion detection events proposed through a test consisting of the stages of learning, prediction and evaluation.

A practical approach on clustering malicious PDF documents

Starting with 2009, the number of advanced persistent threat attacks has increased. In all of the researched cases, this kind of attacks use a zero-day exploit usually found in a frequently used application. Most of the times, the user has to visit a malicious page or open an infected document sent via e-mail. Even though the attack vector can be found in many forms, this paper addresses the case in which the attack relies on PDF files to deliver the payload. We chose PDF format both because of the high number of attacks it was used in and the key advantages it offers to the attacker. From an attackers perspective, the advantage of this attack is clear in that the PDF-files can be opened by an application on the users computer or in a browser, as most of the browsers support plug-ins that can render PDF files. The use of JavaScript inside PDF files offers two further advantages. The first is that code can be executed on the victims computer while the attack avoids different protection methods. The second benefit is that the JavaScript code can be polymorphic in that two files with the same functionality may look very different. This paper unveils a clustering method based on tokenization of the JavaScript code inside PDF files resistant to most of the obfuscation techniques used in script-based malware pieces. Our clustering method is based on the fact that most of the infected PDF-files (over 93 %) are using JavaScript code. By tokenizing the JavaScript code, describing it in an abstract manner and eliminating different operators used in polymorphism, we are able to obtain classes of files, very similar syntax-wise that can be easily clustered using different methods. Given the fact that virus analysts would likely analyse classes of files rather than isolated files, their work will be significantly reduced. The method of abstraction can be taken one step further and used as a detection mechanism--a technique to evaluate prevalent data or to obtain a subset from a large set without losing data variability.

APTs: a poorly understood challenge

The first half of 2011 witnessed a seemingly non-stop array of data breaches directed at companies, and sometimes individuals, across many sectors. Equally as diverse as the targets were the motivations behind the attacks. In many of the breach incidents, customer data was stolen and publicly published. In some of those cases, the attackers claimed the motive was to shed light on security issues. But in other cases of stolen and published customer data, attackers claimed to be doing it for the simple pleasure of mayhem – for the ‘lulz’. Advanced Persistent Threat (APT) attacks have been the subject of much debate, but there's no escaping the fact that they're real and widespread. Organisations are at extremely high risk and need advanced detection capabilities. The state-of-the-art response to APTs does not involve new magic software or hardware solutions divining for APT, but relies more on asking the right questions and being able to effectively use the existing detection tools, according to Gordon Thomson of Cisco Security EMEA.