Abstract
Advanced Persistent Threats (APTs) are sophisticated, target-oriented cyber attacks that often leverage customized malware and bot-control techniques to control victim machines and remotely access valuable information. Because APT malware samples are specific to each campaign and few in number, signature-based and learning-based approaches are weak at detecting them. In this paper, we take a more flexible strategy: developing a search engine that lets APT investigators quickly uncover potential victims based on the attributes of a known APT victim. We test our approach on a real APT case that occurred in a large enterprise network of several thousand computers running a commercial antivirus system. In our evaluation, the search engine uncovered 33 other, previously unknown victims infected by the APT malware. Finally, the search engine is implemented on the Hadoop platform; on 440 GB of data, it returns query results in 2 seconds.
Copyright information
© 2013 IFIP International Federation for Information Processing
Cite this paper
Liu, ST., Chen, YM., Lin, SJ. (2013). A Novel Search Engine to Uncover Potential Victims for APT Investigations. In: Hsu, CH., Li, X., Shi, X., Zheng, R. (eds) Network and Parallel Computing. NPC 2013. Lecture Notes in Computer Science, vol 8147. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40820-5_34
DOI: https://doi.org/10.1007/978-3-642-40820-5_34
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40819-9
Online ISBN: 978-3-642-40820-5