{"title":"基于无监督机器学习的APT攻击取证分析","authors":"Mohammed ADNAN, Dima Bshara, Ahmed Awad","doi":"10.31590/ejosat.1265586","DOIUrl":null,"url":null,"abstract":"Advanced Persistent Threat (APT) has become the concern of many enterprise networks. APT can remain unde- tected for a long time span and lead to undesirable consequences such as stealing of sensitive data, broken workflow, and so on. APTs often use evasion techniques to avoid being detected by security systems like Intrusion Detection System (IDS), Security Event Information Management (SIEMs) or firewalls. Also, it makes it difficult to detect the root cause with forensic analysis. Therefore, companies try to identify APTs by defining rules on their IDS. However, besides the time and effort needed to iteratively refine those rules, new attacks cannot be detected. In this paper, we propose a framework to detect and conduct forensic analysis for APTs in HTTP and SMTP traffic. At the heart of the proposed framework is the detection algorithm that is driven by unsupervised machine learning. Experimental results on public datasets demonstrate the effectiveness of the proposed framework with more than 80% detection rate and with less than 5% false-positive rate.","PeriodicalId":12068,"journal":{"name":"European Journal of Science and Technology","volume":"22 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2023-03-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Forensic Analysis of APT Attacks based on Unsupervised Machine Learning\",\"authors\":\"Mohammed ADNAN, Dima Bshara, Ahmed Awad\",\"doi\":\"10.31590/ejosat.1265586\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Advanced Persistent Threat (APT) has become the concern of many enterprise networks. APT can remain unde- tected for a long time span and lead to undesirable consequences such as stealing of sensitive data, broken workflow, and so on. APTs often use evasion techniques to avoid being detected by security systems like Intrusion Detection System (IDS), Security Event Information Management (SIEMs) or firewalls. Also, it makes it difficult to detect the root cause with forensic analysis. Therefore, companies try to identify APTs by defining rules on their IDS. However, besides the time and effort needed to iteratively refine those rules, new attacks cannot be detected. In this paper, we propose a framework to detect and conduct forensic analysis for APTs in HTTP and SMTP traffic. At the heart of the proposed framework is the detection algorithm that is driven by unsupervised machine learning. Experimental results on public datasets demonstrate the effectiveness of the proposed framework with more than 80% detection rate and with less than 5% false-positive rate.\",\"PeriodicalId\":12068,\"journal\":{\"name\":\"European Journal of Science and Technology\",\"volume\":\"22 1\",\"pages\":\"\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2023-03-24\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"European Journal of Science and Technology\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.31590/ejosat.1265586\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"European Journal of Science and Technology","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.31590/ejosat.1265586","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Forensic Analysis of APT Attacks based on Unsupervised Machine Learning
Advanced Persistent Threat (APT) has become the concern of many enterprise networks. APT can remain unde- tected for a long time span and lead to undesirable consequences such as stealing of sensitive data, broken workflow, and so on. APTs often use evasion techniques to avoid being detected by security systems like Intrusion Detection System (IDS), Security Event Information Management (SIEMs) or firewalls. Also, it makes it difficult to detect the root cause with forensic analysis. Therefore, companies try to identify APTs by defining rules on their IDS. However, besides the time and effort needed to iteratively refine those rules, new attacks cannot be detected. In this paper, we propose a framework to detect and conduct forensic analysis for APTs in HTTP and SMTP traffic. At the heart of the proposed framework is the detection algorithm that is driven by unsupervised machine learning. Experimental results on public datasets demonstrate the effectiveness of the proposed framework with more than 80% detection rate and with less than 5% false-positive rate.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
