• International Journal of Computer Science & Network Security
• /
• v.24 no.1
• /
• pp.52-60
• /
• 2024

APT (Advanced Persistent Threat) attack is a dangerous, targeted attack form with clear targets. APT attack campaigns have huge consequences. Therefore, the problem of researching and developing the APT attack detection solution is very urgent and necessary nowadays. On the other hand, no matter how advanced the APT attack, it has clear processes and lifecycles. Taking advantage of this point, security experts recommend that could develop APT attack detection solutions for each of their life cycles and processes. In APT attacks, hackers often use phishing techniques to perform attacks and steal data. If this attack and phishing phase is detected, the entire APT attack campaign will be crash. Therefore, it is necessary to research and deploy technology and solutions that could detect early the APT attack when it is in the stages of attacking and stealing data. This paper proposes an APT attack detection framework based on the Network traffic analysis technique using open-source tools and deep learning models. This research focuses on analyzing Network traffic into different components, then finds ways to extract abnormal behaviors on those components, and finally uses deep learning algorithms to classify Network traffic based on the extracted abnormal behaviors. The abnormal behavior analysis process is presented in detail in section III.A of the paper. The APT attack detection method based on Network traffic is presented in section III.B of this paper. Finally, the experimental process of the proposal is performed in section IV of the paper.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2014.10a
• /
• pp.937-939
• /
• 2014

Recently, an intelligent APT(Advanced Persistent Threat) attack which aims to a special target is getting to be greatly increased. It is very hard to protect with existing intrusion detection methods because of the difficulties to protect the initial intrusion of malicious code. In this paper, we analyze out-bound traffics to prevent call-back step after malicious code intrusion, and propose an APT malicious traffic detection method with considering of trust. The proposed method is expected to provide a basement to improve the detection rate in comparing with that of existing detection methods.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.16 no.6
• /
• pp.287-294
• /
• 2016

APT attack aimed at the interruption of information and communication facilities and important information leakage of companies. it performs an attack using zero-day vulnerabilities, social engineering base on collected information, such as IT infra, business environment, information of employee, for a long period of time. Fragmentary response to cyber threats such as malware signature detection methods can not respond to sophisticated cyber-attacks, such as APT attacks. In this paper, we propose a cyber intrusion detection model for countermeasure of APT attack by utilizing heterogeneous system log into big-data. And it also utilizes that merging pattern-based detection methods and abnormality detection method.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.5
• /
• pp.1027-1041
• /
• 2015

Recently, there are rapidly increasing cases of APT (Advanced Persistent Threat) attacks such as Verizon(2010), Nonghyup(2011), SK Communications(2011), and 3.20 Cyber Terror(2013), which cause leak of confidential information and tremendous damage to valuable assets without being noticed. Several anomaly detection technologies were studied to defend the APT attacks, mostly focusing on detection of obvious anomalies based on known malicious codes' signature. However, they are limited in detecting APT attacks and suffering from high false-negative detection accuracy because APT attacks consistently use zero-day vulnerabilities and have long latent period. Detecting APT attacks requires long-term analysis of data from a diverse set of sources collected over the long time, real-time analysis of the ingested data, and correlation analysis of individual attacks. However, traditional security systems lack sophisticated analytic capabilities, compute power, and agility. In this paper, we propose a Fast Data based real-time abnormal behavior detection system to overcome the traditional systems' real-time processing and analysis limitation.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2021.10a
• /
• pp.449-451
• /
• 2021

Cyber-attacks targeting endpoints have developed sophisticatedly into targeted and intelligent attacks, Advanced Persistent Threat (APT) targeting the Industrial Internet of Things (IIoT) has increased accordingly. Machine learning-based Endpoint Detection and Response (EDR) solutions combine and complement rule-based conventional security tools to effectively defend against APT attacks are gaining attention. However, universal EDR solutions have a high false positive rate, and needs high-level analysts to monitor and analyze a tremendous amount of alerts. Therefore, the process of optimizing machine learning-based EDR solutions that consider the characteristics and vulnerabilities of IIoT environment is essential. In this study, we analyze the flow and impact of IIoT targeted APT cases and compare the method of machine learning-based APT detection EDR solutions.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.13 no.5
• /
• pp.2610-2628
• /
• 2019

Advanced persistent threats (APTs) are constant attacks of specific targets by hackers using intelligent methods. All current internal infrastructures are constantly subject to APT attacks created by external and unknown malware. Therefore, information security officers require a framework that can assess whether information security systems are capable of detecting and blocking APT attacks. Furthermore, an on-line evaluation of information security systems is required to cope with various malicious code attacks. A regular evaluation of the information security system is thus essential. In this paper, we propose a dynamic updated evaluation framework to improve the detection rate of internal information systems for malware that is unknown to most (over 60 %) existing static information security system evaluation methodologies using non-updated unknown malware.

• Journal of Korea Society of Digital Industry and Information Management
• /
• v.16 no.1
• /
• pp.67-78
• /
• 2020

Typical security solutions such as intrusion detection system are not suitable for detecting advanced persistent attack(APT), because they cannot draw the big picture from trivial events of security solutions. Researches on techniques for detecting multiple stage attacks by analyzing the correlations between security events or alerts are being actively conducted in academic field. However, these studies still use events from existing security system, and there is insufficient research on the structure of the entire security system suitable for advanced persistent attacks. In this paper, we propose an attack path and intention recognition system suitable for multiple stage attacks like advanced persistent attack detection. The proposed system defines the trace format and overall structure of the system that detects APT attacks based on the correlation and behavior analysis, and is designed with a structure of detection system using deep learning and big data technology, etc.

• Proceedings of the Korean Society of Computer Information Conference
• /
• 2017.01a
• /
• pp.133-134
• /
• 2017

본 논문에서는 APT 공격의 공격 시나리오와 그에 따른 방어 시나리오를 구상하여 기존 방어법의 문제점을 찾고 방어대책을 제시하고 솔루션을 구축하였다. 제안된 방어 프로세스는 기존의 방식과 달리 END-POINT에서 침투에 대해 모니터링을 통하여 APT공격에 대응하는 방식이다. 공격 툴 넷버스, 백오리피스, 서브세븐, 스쿨버스를 이용해서 공격을 시도 한 뒤 본 논문에서 구축한 방어 프로세스를 이용하여 방어 실험을 실시하였다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.23 no.5
• /
• pp.939-946
• /
• 2013

This paper proposes normal behavior profiling methods for anomaly detection in IEC 61850 based substation network. Signature based security solutions, currently used primarily, are inadequate for APT attack using zero-day vulnerabilities. Recently, some researches about anomaly detection in control network are ongoing. However, there are no published result for IEC 61850 substation network. Our proposed methods includes 3-phase preprocessing for MMS/GOOSE packets and normal behavior profiling using one-class SVM algorithm. These approaches are beneficial to detect APT attacks on IEC 61850 substation network.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.5
• /
• pp.839-850
• /
• 2014

As the social and financial damages caused by APT attack such as 3.20 cyber terror are increased, the technical solution against APT attack is required. It is, however, difficult to protect APT attack with existing security equipments because the attack use a zero-day malware persistingly. In this paper, we propose a host based anomaly detection method to overcome the limitation of the conventional signature-based intrusion detection system. First, we defined 39 features to identify between normal and abnormal behavior, and then collected 8.7 million feature data set that are occurred during running both malware and normal executable file. Further, each process is represented as 83-dimensional vector that profiles the frequency of appearance of features. the vector also includes the frequency of features generated in the child processes of each process. Therefore, it is possible to represent the whole behavior information of the process while the process is running. In the experimental results which is applying C4.5 decision tree algorithm, we have confirmed 2.0% and 5.8% for the false positive and the false negative, respectively.