Biblio
Advanced Persistent Threat (APT) attacks, which have become prevalent in recent years, are classified into four phases. These are initial compromise phase, attacking infrastructure building phase, penetration and exploration phase, and mission execution phase. The malware on infected terminals attempts various communications on and after the attacking infrastructure building phase. In this research, using OpenFlow technology for virtual networks, we developed a system of identifying infected terminals by detecting communication events of malware communications in APT attacks. In addition, we prevent information fraud by using OpenFlow, which works as real-time path control. To evaluate our system, we executed malware infection experiments with a simulation tool for APT attacks and malware samples. In these experiments, an existing network using only entry control measures was prepared. As a result, we confirm the developed system is effective.
What you see is not definitely believable is not a rare case in the cyber security monitoring. However, due to various tricks of camouflages, such as packing or virutal private network (VPN), detecting "advanced persistent threat"(APT) by only signature based malware detection system becomes more and more intractable. On the other hand, by carefully modeling users' subsequent behaviors of daily routines, probability for one account to generate certain operations can be estimated and used in anomaly detection. To the best of our knowledge so far, a novel behavioral analytic framework, which is dedicated to analyze Active Directory domain service logs and to monitor potential inside threat, is now first proposed in this project. Experiments on real dataset not only show that the proposed idea indeed explores a new feasible direction for cyber security monitoring, but also gives a guideline on how to deploy this framework to various environments.