
A Distributed Framework for APT Attack Analysis

Chapter in: MDATA: A New Knowledge Representation Model

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 12647)

Abstract

Information security is an important part of Internet security. As more and more industries rely on the Internet, protecting the information security of these industries has become urgent, which has spawned local area networks (LANs), intranets and similar protected environments. With the development of information sensor technology, the Internet of Things (IoT), which interconnects physical devices, has emerged. As a unity of computing processes and physical processes, cyber-physical systems (CPS) are the next generation of intelligent systems, integrating computing, communication and control capabilities. CPS cover a wide range of applications and critical infrastructures, including intelligent transportation systems, telemedicine, smart grids, aerospace, and many other fields. APT attacks are typically conducted directly against these critical infrastructures around the world and can incur severe consequences. It is therefore meaningful to protect this information by detecting APT attacks in a timely and accurate manner, so that effective defensive measures can be adopted. Although APT attacks appear destructive, the attack process is complex and changeable; in essence, however, it usually follows certain rules. In this chapter, we introduce a distributed framework for detecting APT attacks. A cyber security knowledge graph stores existing knowledge and the attack rules, and plays an important role in analyzing the attacks. We first analyze potential attack events with the proposed distributed framework on Spark, then mine the attack chains from massive data using their spatial and temporal characteristics. These steps help identify complicated attacks. We also conduct extensive experiments; the results show that the analysis accuracy depends on the completeness of the cyber security knowledge graph and on the precision of the detection results from security equipment. With the rational expectation of more exposure of attacks and faster upgrades of security equipment, it is both sufficient and necessary to improve the cyber security knowledge graph constantly for better performance.



Author information

Corresponding author: Rong Jiang

Copyright information

© 2021 Springer Nature Switzerland AG


Cite this chapter

Qi, Y., Jiang, R., Li, A., Gu, Z., Jia, Y. (2021). A Distributed Framework for APT Attack Analysis. In: Jia, Y., Gu, Z., Li, A. (eds) MDATA: A New Knowledge Representation Model. Lecture Notes in Computer Science, vol. 12647. Springer, Cham. https://doi.org/10.1007/978-3-030-71590-8_12

  • DOI: https://doi.org/10.1007/978-3-030-71590-8_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-71589-2

  • Online ISBN: 978-3-030-71590-8
