Forensic Analysis of APT Attacks based on Unsupervised Machine Learning

Abstract

Advanced Persistent Threat (APT) has become the concern of many enterprise networks. APT can remain unde- tected for a long time span and lead to undesirable consequences such as stealing of sensitive data, broken workflow, and so on. APTs often use evasion techniques to avoid being detected by security systems like Intrusion Detection System (IDS), Security Event Information Management (SIEMs) or firewalls. Also, it makes it difficult to detect the root cause with forensic analysis. Therefore, companies try to identify APTs by defining rules on their IDS. However, besides the time and effort needed to iteratively refine those rules, new attacks cannot be detected. In this paper, we propose a framework to detect and conduct forensic analysis for APTs in HTTP and SMTP traffic. At the heart of the proposed framework is the detection algorithm that is driven by unsupervised machine learning. Experimental results on public datasets demonstrate the effectiveness of the proposed framework with more than 80% detection rate and with less than 5% false-positive rate.