CAPTAIN: Community-based Advanced Persistent Threat Analysis in IT Networks

Impact Factor 4.1 | JCR Q1 | CAS Zone 3 (Engineering & Technology) | COMPUTER SCIENCE, INFORMATION SYSTEMS
Ali Ahmadian Ramaki , Abbas Ghaemi-Bafghi , Abbas Rasoolzadegan
DOI: 10.1016/j.ijcip.2023.100620
Journal: International Journal of Critical Infrastructure Protection, Volume 42, Article 100620
Published: 2023-09-01 (Journal Article)
URL: https://www.sciencedirect.com/science/article/pii/S1874548223000331
Citations: 0

Abstract

Organizations that possess valuable information assets and critical infrastructure are prone to Advanced Persistent Threats (APTs). The life cycle of this type of modern attack consists of multiple stages called Intrusion Kill Chain (IKC). As one of the most common approaches to deal with these attacks, organizations’ security staff use various heterogeneous security and non-security sensors in different lines of defense (Network, Host, and Application) as the primary detection levels in the monitored IT network to log the attacker’s intrusive activities. They then model their behaviors by using logged events to detect the IKC of APT attacks. However, numerous methods proposed in the literature have three primary drawbacks: 1) the inability to use both security and non-security sensors of the three mentioned detection levels in event correlation analysis, 2) high dependence on expert knowledge in setting up and maintaining common attack patterns, and 3) incapability to provide a visual representation of the attack path for security administrators to better track on-the-fly attacks in a monitored network. This paper presents a system for Community-based Advanced Persistent Threat Analysis in IT Networks (CAPTAIN) to address the aforementioned issues and challenges. The CAPTAIN framework comprises two distinct phases (including 12 different activities) that receive raw events logged by heterogeneous sensors as input and detect possible IKCs of the APT attacks as output. This system implements a novel graph-based attackers’ behavior modeling technique for detecting the IKC of APT attacks by correlating analysis of logged events and leveraging knowledge discovery on the graph. Our evaluation of the two publicly available standard datasets, Bryant and DARPA Transparent Computing, indicates that the CAPTAIN is robust, reliable against high volume events, and can detect the IKC of APT attacks with high accuracy and low false positive rates.

Source journal

International Journal of Critical Infrastructure Protection (COMPUTER SCIENCE, INFORMATION SYSTEMS; ENGINEERING, MULTIDISCIPLINARY)
CiteScore: 8.90
Self-citation rate: 5.60%
Articles published: 46
Review time: >12 weeks
Journal description: The International Journal of Critical Infrastructure Protection (IJCIP) was launched in 2008, with the primary aim of publishing scholarly papers of the highest quality in all areas of critical infrastructure protection. Of particular interest are articles that weave science, technology, law and policy to craft sophisticated yet practical solutions for securing assets in the various critical infrastructure sectors. These critical infrastructure sectors include: information technology, telecommunications, energy, banking and finance, transportation systems, chemicals, critical manufacturing, agriculture and food, defense industrial base, public health and health care, national monuments and icons, drinking water and water treatment systems, commercial facilities, dams, emergency services, nuclear reactors, materials and waste, postal and shipping, and government facilities. Protecting and ensuring the continuity of operation of critical infrastructure assets are vital to national security, public health and safety, economic vitality, and societal wellbeing. The scope of the journal includes, but is not limited to:

1. Analysis of security challenges that are unique or common to the various infrastructure sectors.
2. Identification of core security principles and techniques that can be applied to critical infrastructure protection.
3. Elucidation of the dependencies and interdependencies existing between infrastructure sectors and techniques for mitigating the devastating effects of cascading failures.
4. Creation of sophisticated, yet practical, solutions for critical infrastructure protection that involve mathematical, scientific and engineering techniques, economic and social science methods, and/or legal and public policy constructs.