"Ctracer: Uncover C&C in Advanced Persistent Threats Based on Scalable Framework for Enterprise Log Data"
Title | "Ctracer: Uncover C&C in Advanced Persistent Threats Based on Scalable Framework for Enterprise Log Data" |
Publication Type | Conference Paper |
Year of Publication | 2015 |
Authors | K. F. Hong, C. C. Chen, Y. T. Chiu, K. S. Chou |
Conference Name | 2015 IEEE International Congress on Big Data |
Date Published | June |
Publisher | IEEE |
ISBN Number | 978-1-4673-7278-7 |
Accession Number | 15411664 |
Keywords | advanced persistent threat, Advanced Persistent Threat (APT), APT attack, business data processing, C&C channel, C&C sessions, Command and Control (C&C), command and control systems, Computer crime, Computers, Ctracer, digital forensics, digital signatures, Electronic mail, enterprise log data, forensic report, hackers, Internet, invasive software, Itemsets, Malware, MapReduce, network signature, networking logs, pubcrawl170101, scalable framework, Security Operations Center, Servers, SoC, stealthy activities detection, stealthy command and control channel detection, targeted attacks, traffic data |
Abstract | Advanced Persistent Threat (APT), unlike traditional hacking attempts, carries out specific attacks on a specific target to illegally collect information and data from it. These targeted attacks use specially crafted malware and infrequent activity to avoid detection, so that hackers can retain control over target systems unnoticed for long periods of time. In order to detect these stealthy activities, a large volume of traffic data generated over a period of time has to be analyzed. We propose a scalable solution, Ctracer, to detect stealthy command and control channels in a large volume of traffic data. APT uses multiple command and control (C&C) channels and changes them frequently to avoid detection, but there are common signatures in those C&C sessions. By identifying common network signatures, Ctracer is able to group the C&C sessions. Therefore, we can detect an APT and all the C&C sessions used in an APT attack. Ctracer was evaluated in a large enterprise for four months; twenty C&C servers and three APT attacks were reported. After investigation by the enterprise's Security Operations Center (SOC), the forensic report shows that there were APT cases specifically targeting the enterprise that had gone undiscovered for over 120 days. |
URL | http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7207270&isnumber=7207183 |
DOI | 10.1109/BigDataCongress.2015.86 |
Citation Key | 7207270 |