Modeling Advanced Persistent Threats to enhance anomaly detection techniques


Cheyenne Atapour+, Ioannis Agrafiotis, and Sadie Creese


Department of Computer Science, University of Oxford, UK

firstname.lastname@cs.ox.ac.uk


Abstract

Advanced Persistent Threats (APTs) are characterized by their complexity and by their ability to remain relatively dormant and undetected on a computer system before launching a devastating attack. Numerous attempts to detect these sophisticated attacks with machine learning techniques and rule-based technologies have been unsuccessful. In this paper, we opt for a more theoretical approach to identify unique APT characteristics that distinguish them from other multi-stage attacks. We model four well-known APTs using the kill chain framework and identify their common behavior to create abstract models that describe generalized APT behavior. We find that attributes from the Command and Control phase of these attacks provide unique features that can be used by any anomaly detection system. We further validate the expressiveness of our abstract models by formalizing a fifth APT and examining the behavior that the models did not capture.

Keywords: Advanced Persistent Threats, Modeling, Cybersecurity, Anomaly Detection


+: Corresponding author: Cheyenne Atapour
Department of Computer Science, University of Oxford
Wolfson Building, Parks Road, OX1 3QD, UK

Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA)

Vol. 9, No. 4, pp. 71-102, December 2018
DOI: 10.22667/JOWUA.2018.12.31.071