N-Victims: An Approach to Determine N-Victims for APT Investigations

  • Shun-Te Liu
  • Yi-Ming Chen
  • Hui-Ching Hung
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7690)


The advanced Persistent Threat (APT) is a sophisticated and target-oriented cyber attack for accessing valuable information. The attacker leverages the customized malware as the stepping stone to intrude into the enterprise network. For enterprises and forensic analysts, finding the victims and investigating them to evaluate the damages are critical, but the investigation is often limited by resources and time. In this paper, we propose an N-Victims approach that starts from a known malware-infected computer to determine the top N most likely victims. We test our approach in a real APT case that happened in a large enterprise network consisting of several thousand computers, which run a commercial antivirus system. N-Victims can find more malware-infected computers than N-Gram based approaches. In the top 20 detected computers, N-Victims also had a higher detection rate and a lower false positive rate than N-Gram based approaches.


advanced persistent threat incident investigation malware detection botnet detection 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Daly, M. K.: The Advanced Persistent Threat (2009),
  2. 2.
    Damballa. Advanced Persistent Threats (APT) (2010),
  3. 3.
  4. 4.
    Juels, A., Yen, T.F.: Sherlock Holmes and The Case of the Advanced Persistent Threat. In: 5th USENIX Workshop on Large-Scale Exxploits and Emergent Threats (2012)Google Scholar
  5. 5.
    Winder, D.: Persistent and Evasive Attacks Uncovered. Infosecurity 8(5), 40–43 (2011)CrossRefGoogle Scholar
  6. 6.
    Tankard, C.: Advanced Persistent threats and how to monitor and deter them. Network Security 2011(8), 16–19 (2011)CrossRefGoogle Scholar
  7. 7.
    Li, F., Lai, A., Ddl, D.: Evidence of Advanced Persistent Threat: A case study of malware for political espionage. In: 6th International Conference on Malicious and Unwanted Software, MALWARE (2011)Google Scholar
  8. 8.
    Frankie Li, A.A.: A Detailed Analysis of an Advanced Persistent Threat Malware. SANS Institute InfoSec Reading Room (2011)Google Scholar
  9. 9.
    Alperovitch, D., McAfee: Revealed: operation shady RAT (2011),
  10. 10.
    Rieck, K., et al.: Botzilla: detecting the ”phoning home” of malicious software. In: Proceedings of the 2010 ACM Symposium on Applied Computing, pp. 1978–1984. ACM, Sierre (2010)CrossRefGoogle Scholar
  11. 11.
    Warmer, M.: Detection of web based command & control channels (2011),
  12. 12.
    Perdisci, R., Lee, W., Feamster, N.: Behavioral clustering of HTTP-based malware and signature generation using malicious network traces. In: Proceedings of the 7th USENIX Conference on Networked Systems Design and Implementation, p. 26. USENIX Association, San Jose (2010)Google Scholar
  13. 13.
    Gu, G., Zhang, J., Lee, W.: BotSniffer: Detecting botnet command and control channels in network traffic. In: Proceedings of the 15th Annual Network and Distributed System Security Symposium (2008)Google Scholar
  14. 14.
    Goebel, J., Holz, T.: Rishi: identify bot contaminated hosts by IRC nickname evaluation. In: roceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets, p. 8. USENIX Association, Cambridge (2007)Google Scholar
  15. 15.
    Brustoloni, J., et al.: Efficient Detection of Bots in Subscribers’ Computers. In: IEEE International Conference on Communications, ICC 2009 (2009)Google Scholar
  16. 16.
    Liu, S.T., Chen, Y.M.: Retrospective Detection of Malware Attacks by Cloud Computing. In: 2010 IEEE International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (2010)Google Scholar
  17. 17.
    Oberheide, J., Cooke, E., Jahanian, F.: Cloudav: N-version antivirus in the network cloud. In: The Proceedings of 17th USENIX Security Symposium (2008)Google Scholar
  18. 18.
    Brian Grow, K.E., Tschang, C.-C.: The New E-spionage Threat (2008),
  19. 19.
  20. 20.
    Gordon, T.: APTs: a poorly understood challenge. Network Security 11, 9–11 (2011)Google Scholar
  21. 21.
    Zhaosheng, Z., et al.: Botnet Research Survey. In: Proceedings of the 32th Annual IEEE International Computer Software and Applications Conference (2008)Google Scholar
  22. 22.
    Yadav, S., et al.: Detecting Algorithmically Generated Domain-Flux Attacks With DNS Traffic Analysis. IEEE/ACM Transactions on Networking 99, 1 (2012)Google Scholar
  23. 23.
    Neugschwandtner, M., Comparetti, P.M., Platzer, C.: Detecting malware’s failover C&C strategies with squeeze. In: Proceedings of the 27th Annual Computer Security Applications Conference, Orlando, Florida, pp. 21–30 (2011)Google Scholar
  24. 24.
    Ma, J., et al.: Beyond blacklists: learning to detect malicious web sites from suspicious URLs. In: Proceedings of the 15th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 1245–1254. ACM, Paris (2009)CrossRefGoogle Scholar
  25. 25.
    Kantardzic, M.: Data mining: concepts, models, methods, and algorithms. Wiley-IEEE Press (2011)Google Scholar
  26. 26.
  27. 27.
    Binde, B., McRee, R., O’Connor, T.J.: Assessing Outbound Traffic to Uncover Advanced Persistent Threat. Sans Institute (2011),

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Shun-Te Liu
    • 1
    • 2
  • Yi-Ming Chen
    • 1
  • Hui-Ching Hung
    • 2
  1. 1.Department of Information ManagementNational Central UniversityTaoyuanTaiwan(R.O.C.)
  2. 2.Information & Communication Security Lab, TLChunghwa Telecom co., Ltd.TaoyuanTaiwan(R.O.C.)

Personalised recommendations