Proposed Approach for Targeted Attacks Detection

  • Conference paper
Advanced Computer and Communication Engineering Technology

Part of the book series: Lecture Notes in Electrical Engineering ((LNEE,volume 362))

Abstract

For years, governments, organizations and companies have made great efforts to keep hackers, malware and cyber attacks at bay, with varying degrees of success. At the same time, cyber criminals and miscreants have produced more advanced techniques to compromise Internet infrastructure. A targeted attack, or advanced persistent threat (APT) attack, is a new challenge that aims to accomplish a specific goal, most often espionage. APTs are presently the biggest threat to governments and organizations. This paper states research questions and proposes a novel approach: an intrusion detection system that processes network traffic and is able to detect a potential APT attack. The detection of an APT attack is based on the correlation between the events produced as outputs of our detection methods. Each detection method aims to detect one technique used in one of the steps of an APT attack.

Acknowledgments

This work has been supported by the project “CYBER-2” funded by the Ministry of Defence of the Czech Republic under contract No. 1201 4 7110.

Author information

Corresponding author

Correspondence to Ibrahim Ghafir.

Copyright information

© 2016 Springer International Publishing Switzerland

Cite this paper

Ghafir, I., Prenosil, V. (2016). Proposed Approach for Targeted Attacks Detection. In: Sulaiman, H., Othman, M., Othman, M., Rahim, Y., Pee, N. (eds) Advanced Computer and Communication Engineering Technology. Lecture Notes in Electrical Engineering, vol 362. Springer, Cham. https://doi.org/10.1007/978-3-319-24584-3_7

  • DOI: https://doi.org/10.1007/978-3-319-24584-3_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-24582-9

  • Online ISBN: 978-3-319-24584-3
