Big knowledge-based semantic correlation for detecting slow and low-level advanced persistent threats

Abstract: Targeted cyber attacks, which today are known as Advanced Persistent Threats (APTs), use low and slow patterns to bypass intrusion detection and alert correlation systems. Since most of the attack detection approaches use a short time-window, the slow APTs abuse this weakness to escape from the detection systems. In these situations, the intruders increase the time of attacks and move as slowly as possible by some tricks such as using sleeper and wake-up functions, making detection difficult for such detection systems. In addition, low APTs use trusted subjects or agents to conceal any footprint and abnormalities in the victim system by some tricks such as code injection and stealing digital certificates. In this paper, a new solution is proposed for detecting both low and slow APTs. The proposed approach uses low-level interception, a knowledge-based system, a system ontology, and semantic correlation to detect low-level attacks. Since using semantic-based correlation is not applicable for detecting slow attacks due to its significant processing overhead, we propose a scalable knowledge-based system that uses three different concepts and approaches to reduce the time complexity, including (1) a flexible sliding window called the Vermiform window to analyze and correlate system events instead of using a fixed-size time-window, (2) effective inference using a scalable inference engine called SANSA, and (3) data reduction by ontology-based data abstraction. We can detect slow APTs whose attack duration is about several months. Evaluation of the proposed approach on a dataset containing many APT scenarios shows 84.21% sensitivity and 82.16% specificity.

Bibliographic Details
Main Authors: Amir Mohammadzade Lajevardi, Morteza Amini
Format: article
Language: EN
Published: SpringerOpen 2021
Subjects: Advanced persistent threat; Big semantic correlation; Ontology; Intrusion detection
Online Access: https://doaj.org/article/b2351d12c981481ab9da03e70a252204
Record: oai:doaj.org-article:b2351d12c981481ab9da03e70a252204
DOI: https://doi.org/10.1186/s40537-021-00532-9
ISSN: 2196-1115
Source: Journal of Big Data, Vol 8, Iss 1, Pp 1-40 (2021), SpringerOpen, published 2021-11-01
Classification: Computer engineering. Computer hardware (TK7885-7895); Information technology (T58.5-58.64); Electronic computers. Computer science (QA75.5-76.95)