Cluster Computing

, Volume 22, Supplement 3, pp 7347–7358 | Cite as

A temporal correlation and traffic analysis approach for APT attacks detection

  • Jiazhong Lu
  • Kai Chen
  • Zhongliu Zhuo
  • XiaoSong ZhangEmail author


Advanced persist threat (APT for short) is an emerging attack on the Internet. Such attack patterns leave their footprints spatio-temporally dispersed across many different type traffics in victim machines. However, existing traffic analysis systems typically target only a single type of traffic to discover evidence of an attack and therefore fail to exploit fundamental inter-traffic connections. The output of such single-traffic analysis can hardly detect the complete APT attack story for complex, multi-stage attacks. Additionally, some existing approaches require heavyweight system instrumentation, which makes them impractical to deploy in real production environments. To address these problems, we present an automated temporal correlation traffic detection system (ATCTDS). Inspired by anomaly traffic analytics research in big data network analysis, we model multi-type traffic analysis as a detection problem. Our evaluation with 36 well-known APT attack dataset demonstrates that our system can detect attack behaviors from a spectrum of cyber attacks that involve multiple types with high accuracy and low false positive rates.


APT Temporal correlation Traffic analysis Detection 



Our thanks go first Network Security Technology Laboratory, UESTC, to give us an experiment to help; Secondly, thanks Sichuan province major basic research project “support big data applications innovative data security ecosystem of key technologies (major forefront)” Number: 2016JY0007, given funding; Finally, thanks to the National Natural Science Foundation of “targeting complex network modeling and behavioral analysis of the research”, No. 61572115, the help given.


  1. 1.
    de Vries, J., Hoogstraaten, H., van den Berg, J.., Daskapan, S.: Systems for Detecting Advanced Persistent Threats. In: Proceedings of the 2012 International Conference on Cyber Security (2012)Google Scholar
  2. 2.
    Cole, E.: Advanced Persistent Threat: Understanding the Danger and How to Protect Your Organization. Waltham, Syngress (2013)Google Scholar
  3. 3.
    Virvilis, N., Gritzalis, D.: Trusted computing vs. advanced persistent threats: can a defender win this game? In: Proceedings of the 10th IEEE International Conference on Autonomous and Trusted Computing, pp. 396–403. IEEE Press, Italy, (2013)Google Scholar
  4. 4.
    Virvilis, N., Gritzalis, D.: The big four—what we did wrong in Advanced Persistent Threat detection? In: Proceedings Of the 8th International Conference on Availability, Reliability and Security, pp. 248–254, IEEE, Germany (2013)Google Scholar
  5. 5.
    Beuhring, A., Salous, K.: Beyond blacklisting: cyber defense in the era of advanced persistent threats. Secur. Priv. IEEE 12(5), 90–93 (2014)CrossRefGoogle Scholar
  6. 6.
    Wang, X., Zheng, K.F., Niu, X.X., Wu, B., Wu, C.H.: Detection of command and control in advanced persistent threat based on independent access. In: Proceedingsof the IEEE ICC 2016 Communication and Information Systems Security Symposium, (2016)Google Scholar
  7. 7.
    Zhao, G.D., Xu, K., Xu, B.: Detecting APT malware infections based on malicious DNS and traffic analysis. IEEE Access 3, 1132–1142 (2015)CrossRefGoogle Scholar
  8. 8.
    Gu, Z., Pei, K., Wang, Q., Si, L., Zhang, X., Xu,D.: Leaps: detecting camouflaged attacks with statistical learning guided by program analysis. In: Proceedings of the 45th IEEE/IFIP International Conference on Dependable Systems and Networks (2015)Google Scholar
  9. 9.
    Wang, Y., Wang, Y.G., Liu, J., Huang, J.Z.: A network gene-based framework for detecting advanced persistent Threats. In: Proceedings of the 2014 Ninth International Conference on P2P, Parallel, Grid, Cloud and Internet Computing (2014)Google Scholar
  10. 10.
    Jiang, X., Walters, A., Xu, D., Spafford, E.H., Buchholz, F., Wang, Y.M.: Provenance-aware tracing of worm break-in and contaminations: a process coloring approach. In: Proceedings of the 26th IEEE International Conference on Distributed Computing Systems (2006)Google Scholar
  11. 11.
    Kang, M.G., McCamant, S., Poosankam, P., Song,D.: Dta++: Dynamic taint analysis with targeted control-flow propagation. In: Proceedings of the 18th Network and Distributed System Security Symposium (2011)Google Scholar
  12. 12.
    Kim, T., Wang, X., Zeldovich, N., and Kaashoek, M.F.: Intrusion recovery using selective re-execution. In: Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation (2010)Google Scholar
  13. 13.
    King, S.T., Mao, Z.M., Lucchetti, D.G., Chen, P.M.: Enriching intrusion alerts through multi-host causality. In: Proceedings of the 12th Network and Distributed System Security Symposium (2005)Google Scholar
  14. 14.
    Lee, K.H., Zhang, X., and Xu,D.: High accuracy attack provenance via binary-based execution partition. In: Proceedings of the 20th Network and Distributed System Security Symposium (2013)Google Scholar
  15. 15.
    Newsome, J., Song, D.: Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In: Proceedings of the 12th Network and Distributed System Security Symposium (2005)Google Scholar
  16. 16.
    Wang, K.C., Huang, C.Y., Lin, S.J., Lin, Y.D.: A fuzzy pattern-based filtering algorithm for botnet detection. Comput. Netw. 55, 3275–3286 (2011)CrossRefGoogle Scholar
  17. 17.
    Lu, J.Z., Zhang, X.S., Wang, J.F., Ying, L.Y.: APT Traffic Detection Based on time transform [C]. In: Proceedings of the International Conference on ICITBS (2016)Google Scholar
  18. 18.
    Friedberg, I., Skopik, F., Settanni, G., Fiedler, R.: Combating advanced persistent threats: from network event correlation to incident detection. Comput. Secur. 48, 35–57 (2015)CrossRefGoogle Scholar
  19. 19.
    Skopik, F., Friedberg, I., Fiedler, R.: Dealing with advanced persistent threats in smart grid ICT networks. In: Proceedings of the 5th IEEE Innovative Smart Grid Technologies Conference (2014a)Google Scholar
  20. 20.
    Skopik, F., Settanni, G., Fiedler, R., Friedberg, I.: Semi-synthetic data set generation for security software evaluation. In: Proceedings of the 12th Annual Conference on Privacy, Security and Trust (2014b)Google Scholar
  21. 21.
    Hong, K.F., Chen, C.C., Chiu, Y.T., and Chou, K.S.: Ctracer: uncover C&C in advanced persistent threats based on scalable Framework for Enterprise Log Data[J]. In: Proceedings of the 2015 IEEE International Congress on Big Data (2015)Google Scholar
  22. 22.
    Wang, K.C., Huang, C.Y., Lin, S.J., Lin, Y.D.: A fuzzy pattern-based filtering algorithm for botnet detection. Comput. Netw. 55, 3275–3286 (2011)CrossRefGoogle Scholar
  23. 23.
  24. 24.
    Siddiqui, S., Khan, M.S., Ferens, K., Kinsner, W.: Detecting advanced persistent threats using fractal dimension based machine learning classification. In: Proceedings of the 2016 ACM on International Workshop on Security and Privacy analytics (2016)Google Scholar
  25. 25.
    McAfee Inc.: Combating Advanced Persistent Threats—How to prevent, detect, and remediate APTs (2011)Google Scholar
  26. 26.
    Chen, T.M., Abu-Nimeh, S.: Lessons from stuxnet. Computer 44(4), 91–93 (2011)CrossRefGoogle Scholar
  27. 27.
    Bencsáth,B., Pék, G., Buttyán, L., Félegyházi, M.: Duqu: Analysis, detection, and lessons learned. In: Proceedings of the ACM European Workshop on System Security (EuroSec) (2012)Google Scholar
  28. 28.
    Bencsáth, B., Pék, G., Buttyán, L., Felegyhazi, M.: The cousins of stuxnet: duqu, flame, and gauss. Fut. Intern. 4(4), 971–1003 (2012)CrossRefGoogle Scholar
  29. 29.
    Koutroumbas, K., Theodoridis, S.: Pattern Recognition. Encyclopedia of Information Systems, pp. 459–479. Academic Press, Cambridge (2003)Google Scholar
  30. 30.
    Malware Domains List.:
  31. 31.
    Sourcefire.: Snort Network Intrusion Detection SystemWeb Site. (2015)
  32. 32.
    Kaspersky Lab.: Targeted Cyberattacks. (2015)

Copyright information

© Springer Science+Business Media, LLC 2017

Authors and Affiliations

  • Jiazhong Lu
    • 1
  • Kai Chen
    • 2
    • 3
  • Zhongliu Zhuo
    • 1
  • XiaoSong Zhang
    • 1
    Email author
  1. 1.Center for Cyber SecurityUniversity of Electronic Science and Technology of ChinaChengduChina
  2. 2.State Key Laboratory of Information SecurityInstitute of Information Engineering, CASBeijingChina
  3. 3.School of Cyber SecurityUniversity of Chinese Academy of SciencesBeijingChina

Personalised recommendations