• Title/Summary/Keyword: APT Attack

Search Result 76, Processing Time 0.023 seconds

Host based Feature Description Method for Detecting APT Attack (APT 공격 탐지를 위한 호스트 기반 특징 표현 방법)

  • Moon, Daesung;Lee, Hansung;Kim, Ikkyun
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.24 no.5
    • /
    • pp.839-850
    • /
    • 2014
  • As the social and financial damages caused by APT attack such as 3.20 cyber terror are increased, the technical solution against APT attack is required. It is, however, difficult to protect APT attack with existing security equipments because the attack use a zero-day malware persistingly. In this paper, we propose a host based anomaly detection method to overcome the limitation of the conventional signature-based intrusion detection system. First, we defined 39 features to identify between normal and abnormal behavior, and then collected 8.7 million feature data set that are occurred during running both malware and normal executable file. Further, each process is represented as 83-dimensional vector that profiles the frequency of appearance of features. the vector also includes the frequency of features generated in the child processes of each process. Therefore, it is possible to represent the whole behavior information of the process while the process is running. In the experimental results which is applying C4.5 decision tree algorithm, we have confirmed 2.0% and 5.8% for the false positive and the false negative, respectively.

The Analysis of the APT Prelude by Big Data Analytics (빅데이터 분석을 통한 APT공격 전조 현상 분석)

  • Choi, Chan-young;Park, Dea-woo
    • Journal of the Korea Institute of Information and Communication Engineering
    • /
    • v.20 no.6
    • /
    • pp.1129-1135
    • /
    • 2016
  • The NH-NongHyup network and servers were paralyzed in 2011, in the 2013 3.20 cyber attack happened and classified documents of Korea Hydro & Nuclear Power Co. Ltd were leaked on december in 2015. All of them were conducted by a foreign country. These attacks were planned for a long time compared to the script kids attacks and the techniques used were very complex and sophisticated. However, no successful solution has been implemented to defend an APT attacks(Advanced Persistent Threat Attacks) thus far. We will use big data analytics to analyze whether or not APT attacks has occurred. This research is based on the data collected through ISAC monitoring among 3 hierarchical Korean Defense System. First, we will introduce related research about big data analytics and machine learning. Then, we design two big data analytics models to detect an APT attacks. Lastly, we will present an effective response method to address a detected APT attacks.

An APT Malicious Traffic Detection Method with Considering of Trust Model (신뢰모형을 고려한 APT 악성 트래픽 탐지 기법)

  • Yun, Kyung-mi;Cho, Gi-hwan
    • Proceedings of the Korean Institute of Information and Commucation Sciences Conference
    • /
    • 2014.10a
    • /
    • pp.937-939
    • /
    • 2014
  • Recently, an intelligent APT(Advanced Persistent Threat) attack which aims to a special target is getting to be greatly increased. It is very hard to protect with existing intrusion detection methods because of the difficulties to protect the initial intrusion of malicious code. In this paper, we analyze out-bound traffics to prevent call-back step after malicious code intrusion, and propose an APT malicious traffic detection method with considering of trust. The proposed method is expected to provide a basement to improve the detection rate in comparing with that of existing detection methods.

  • PDF

Security Frameworks for Industrial Technology Leakage Prevention (산업기술 유출 방지를 위한 보안 프레임워크 연구)

  • YangKyu Lim;WonHyung Park;Hwansoo Lee
    • Convergence Security Journal
    • /
    • v.23 no.4
    • /
    • pp.33-41
    • /
    • 2023
  • In recent years, advanced persistent threat (APT) attack organizations have exploited various vulnerabilities and attack techniques to target companies and institutions with national core technologies, distributing ransomware and demanding payment, stealing nationally important industrial secrets and distributing them on the black market (dark web), selling them to third countries, or using them to close the technology gap, requiring national-level security preparations. In this paper, we analyze the attack methods of attack organizations such as Kimsuky and Lazarus that caused industrial secrets leakage damage through APT attacks in Korea using the MITRE ATT&CK framework, and derive 26 cybersecurity-related administrative, physical, and technical security requirements that a company's security system should be equipped with. We also proposed a security framework and system configuration plan to utilize the security requirements in actual field. The security requirements presented in this paper provide practical methods and frameworks for security system developers and operators to utilize in security work to prevent leakage of corporate industrial secrets. In the future, it is necessary to analyze the advanced and intelligent attacks of various APT attack groups based on this paper and further research on related security measures.

A Study on Anomaly Signal Detection and Management Model using Big Data (빅데이터를 활용한 이상 징후 탐지 및 관리 모델 연구)

  • Kwon, Young-baek;Kim, In-seok
    • The Journal of the Institute of Internet, Broadcasting and Communication
    • /
    • v.16 no.6
    • /
    • pp.287-294
    • /
    • 2016
  • APT attack aimed at the interruption of information and communication facilities and important information leakage of companies. it performs an attack using zero-day vulnerabilities, social engineering base on collected information, such as IT infra, business environment, information of employee, for a long period of time. Fragmentary response to cyber threats such as malware signature detection methods can not respond to sophisticated cyber-attacks, such as APT attacks. In this paper, we propose a cyber intrusion detection model for countermeasure of APT attack by utilizing heterogeneous system log into big-data. And it also utilizes that merging pattern-based detection methods and abnormality detection method.

A Study on the Countermeasures against APT Attacks in Industrial Management Environment (산업경영환경에서 지속적 APT 공격에 대한 대응방안 연구)

  • Hong, Sunghyuck
    • Journal of Industrial Convergence
    • /
    • v.16 no.2
    • /
    • pp.25-31
    • /
    • 2018
  • An APT attack is a new hacking technique that continuously attacks specific targets and is called an APT attack in which a hacker exploits various security threats to continually attack a company or organization's network. Protect employees in a specific organization and access their internal servers or databases until they acquire significant assets of the company or organization, such as personal information leaks or critical data breaches. Also, APT attacks are not attacked at once, and it is difficult to detect hacking over the years. This white paper examines ongoing APT attacks and identifies, educates, and proposes measures to build a security management system, from the executives of each organization to the general staff. It also provides security updates and up-to-date antivirus software to prevent malicious code from infiltrating your company or organization, which can exploit vulnerabilities in your organization that could infect malicious code. And provides an environment to respond to APT attacks.

Cyber Kill Chain-Based Taxonomy of Advanced Persistent Threat Actors: Analogy of Tactics, Techniques, and Procedures

  • Bahrami, Pooneh Nikkhah;Dehghantanha, Ali;Dargahi, Tooska;Parizi, Reza M.;Choo, Kim-Kwang Raymond;Javadi, Hamid H.S.
    • Journal of Information Processing Systems
    • /
    • v.15 no.4
    • /
    • pp.865-889
    • /
    • 2019
  • The need for cyber resilience is increasingly important in our technology-dependent society where computing devices and data have been, and will continue to be, the target of cyber-attackers, particularly advanced persistent threat (APT) and nation-state/sponsored actors. APT and nation-state/sponsored actors tend to be more sophisticated, having access to significantly more resources and time to facilitate their attacks, which in most cases are not financially driven (unlike typical cyber-criminals). For example, such threat actors often utilize a broad range of attack vectors, cyber and/or physical, and constantly evolve their attack tactics. Thus, having up-to-date and detailed information of APT's tactics, techniques, and procedures (TTPs) facilitates the design of effective defense strategies as the focus of this paper. Specifically, we posit the importance of taxonomies in categorizing cyber-attacks. Note, however, that existing information about APT attack campaigns is fragmented across practitioner, government (including intelligence/classified), and academic publications, and existing taxonomies generally have a narrow scope (e.g., to a limited number of APT campaigns). Therefore, in this paper, we leverage the Cyber Kill Chain (CKC) model to "decompose" any complex attack and identify the relevant characteristics of such attacks. We then comprehensively analyze more than 40 APT campaigns disclosed before 2018 to build our taxonomy. Such taxonomy can facilitate incident response and cyber threat hunting by aiding in understanding of the potential attacks to organizations as well as which attacks may surface. In addition, the taxonomy can allow national security and intelligence agencies and businesses to share their analysis of ongoing, sensitive APT campaigns without the need to disclose detailed information about the campaigns. It can also notify future security policies and mitigation strategy formulation.

DGA-DNS Similarity Analysis and APT Attack Detection Using N-gram (N-gram을 활용한 DGA-DNS 유사도 분석 및 APT 공격 탐지)

  • Kim, Donghyeon;Kim, Kangseok
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.28 no.5
    • /
    • pp.1141-1151
    • /
    • 2018
  • In an APT attack, the communication stage between infected hosts and C&C(Command and Control) server is the key stage for intrusion into the attack target. Attackers can control multiple infected hosts by the C&C Server and direct intrusion and exploitation. If the C&C Server is exposed at this stage, the attack will fail. Therefore, in recent years, the Domain Generation Algorithm (DGA) has replaced DNS in C&C Server with a short time interval for making detection difficult. In particular, it is very difficult to verify and detect all the newly registered DNS more than 5 million times a day. To solve these problems, this paper proposes a model to judge DGA-DNS detection by the morphological similarity analysis of normal DNS and DGA-DNS, and to determine the sign of APT attack through it, then we verify its validity.

A Improvement of Server Diffusion Prevention of APT Attack through the END-POINT Detection and Blocking (END-POINT에서의 탐지 및 차단을 통한 APT 공격의 서버 확산방지 개선)

  • Kim, Woo Geun;Lee, Sang-Gon
    • Proceedings of the Korean Society of Computer Information Conference
    • /
    • 2017.01a
    • /
    • pp.133-134
    • /
    • 2017
  • 본 논문에서는 APT 공격의 공격 시나리오와 그에 따른 방어 시나리오를 구상하여 기존 방어법의 문제점을 찾고 방어대책을 제시하고 솔루션을 구축하였다. 제안된 방어 프로세스는 기존의 방식과 달리 END-POINT에서 침투에 대해 모니터링을 통하여 APT공격에 대응하는 방식이다. 공격 툴 넷버스, 백오리피스, 서브세븐, 스쿨버스를 이용해서 공격을 시도 한 뒤 본 논문에서 구축한 방어 프로세스를 이용하여 방어 실험을 실시하였다.

  • PDF

A Study Of Mining ESM based on Data-Mining (데이터 마이닝 기반 보안관제 시스템)

  • Kim, Min-Jun;Kim, Kui-Nam
    • Convergence Security Journal
    • /
    • v.11 no.6
    • /
    • pp.3-8
    • /
    • 2011
  • Advanced Persistent Threat (APT), aims a specific business or political targets, is rapidly growing due to fast technological advancement in hacking, malicious code, and social engineering techniques. One of the most important characteristics of APT is persistence. Attackers constantly collect information by remaining inside of the targets. Enterprise Security Management (EMS) system can misidentify APT as normal pattern of an access or an entry of a normal user as an attack. In order to analyze this misidentification, a new system development and a research are required. This study suggests the way of forecasting APT and the effective countermeasures against APT attacks by categorizing misidentified data in data-mining through threshold ratings. This proposed technique can improve the detection of future APT attacks by categorizing the data of long-term attack attempts.