The Study on Retrospective Detection Approaches for Uncovering Potential APT Victims
Doctoral dissertation === National Central University (國立中央大學) === Department of Information Management (資訊管理學系) === academic year 101 (ROC calendar) === Advanced persistent threats (APTs) are sophisticated, target-oriented cyber attacks that evade most conventional prevention and detection mechanisms. The attackers use the initial victims as stepping stones into the enterprise network in order to steal valuable information. The faster the victims are found, the less damage the APT causes. However, the malware underlying an APT is customized: even when one sample is found, it is too specific to serve as a detector for other, similar malware. Uncovering the remaining potential victims therefore falls to incident investigation, which is largely manual and takes too long to analyze the large volume of incident data.

In this dissertation, we propose a host-based and a network-based retrospective detection approach, called MalPEFinder and N-Victims respectively. Both start from one known malware-infected computer and work outward to determine the potential victims. To demonstrate practicability, we test the approaches on real-world APT malware samples and on a real APT case that occurred in a large enterprise network of several thousand computers running a commercial anti-virus system. The experimental results for MalPEFinder show a detection rate 17% higher than that of Splunk, a well-known retrospective search tool, together with a lower false-positive rate (3% vs. 25%). The experimental results for N-Victims show that it finds more malware-infected computers than the N-Gram-based approach, a general bot-detection technique; among the top 20 detected computers, N-Victims also achieved a higher detection rate than the N-Gram-based approach (100% vs. 5%, with N=2).
| Main Authors: | Shun-Te Liu (劉順德) |
|---|---|
| Other Authors: | Yi-Ming Chen (陳奕明) |
| Format: | Others |
| Language: | en_US |
| Published: | 2013 |
| Online Access: | http://ndltd.ncl.edu.tw/handle/46856386636722628192 |
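The abstract names MalPEFinder and N-Victims but does not describe their internals, so the following added example (not code from the dissertation) only illustrates the starting point both approaches share: take one confirmed victim, derive host-based indicators (executables found on it) and network-based indicators (destinations it contacted) from retained records, discard indicators that are common across the fleet, rank every other host by how many of the remaining indicators it matches, and score the ranking with the same two metrics the abstract reports, detection rate and false-positive rate. The hosts, hashes, addresses, the 50% prevalence cut-off and the ground truth are all constructed for the example and are not data from the thesis.

```python
"""Retrospective victim pivot from one known-infected host (illustrative).

Constructed example; not the dissertation's MalPEFinder or N-Victims
algorithms, whose details the abstract does not give. It shows the
generic idea of starting from one confirmed victim and searching the
retained host and network records of every other machine for the same
rare indicators, then measuring detection rate and false-positive rate.
"""
from collections import Counter

# Assumed cut-off: an indicator present on more than half of the fleet is
# treated as common software / shared infrastructure and ignored.
MAX_PREVALENCE = 0.5

APP = "C:\\Program Files\\App\\app.exe"   # benign program installed everywhere

# Constructed per-host executable inventory: host -> [(path, sha256 prefix)]
PE_INVENTORY = {
    "ws-001": [("C:\\Windows\\Temp\\svchosts.exe", "a1f3"), (APP, "7c2d")],
    "ws-002": [("C:\\Users\\bob\\AppData\\Roaming\\svchosts.exe", "a1f3"), (APP, "7c2d")],
    "ws-003": [(APP, "7c2d")],
    "ws-004": [("C:\\Users\\eve\\AppData\\Local\\Temp\\update.exe", "9b40"), (APP, "7c2d")],
    "ws-005": [(APP, "7c2d")],
}
# Constructed outbound connection records: (host, destination, port).
# 198.51.100.20:80 is a shared update server; 203.0.113.7:443 is the C2.
NET_LOG = [
    ("ws-001", "203.0.113.7", 443), ("ws-001", "198.51.100.20", 80),
    ("ws-002", "203.0.113.7", 443), ("ws-002", "198.51.100.20", 80),
    ("ws-003", "198.51.100.20", 80),
    ("ws-004", "203.0.113.7", 443), ("ws-004", "198.51.100.20", 80),
    ("ws-005", "203.0.113.7", 443), ("ws-005", "198.51.100.20", 80),
]
for _h in ("ws-006", "ws-007", "ws-008", "ws-009", "ws-010"):  # clean filler hosts
    PE_INVENTORY[_h] = [(APP, "7c2d")]
    NET_LOG.append((_h, "198.51.100.20", 80))

SEED = "ws-001"                              # the one confirmed infection we start from
CONFIRMED = {"ws-001", "ws-002", "ws-004"}   # constructed ground truth (later manual investigation)


def _hosts_with_hash():
    """hash -> set of hosts holding an executable with that hash."""
    seen = {}
    for host, files in PE_INVENTORY.items():
        for _path, digest in files:
            seen.setdefault(digest, set()).add(host)
    return seen


def _hosts_with_dst():
    """(dst, port) -> set of hosts that connected to it."""
    seen = {}
    for host, dst, port in NET_LOG:
        seen.setdefault((dst, port), set()).add(host)
    return seen


def rare(index, key):
    """True if the indicator is present on no more than MAX_PREVALENCE of the fleet."""
    return len(index.get(key, ())) / len(PE_INVENTORY) <= MAX_PREVALENCE


def host_indicators(seed):
    """Hashes of the seed's executables that are rare fleet-wide (common software dropped)."""
    by_hash = _hosts_with_hash()
    return {digest for _p, digest in PE_INVENTORY[seed] if rare(by_hash, digest)}


def network_indicators(seed):
    """Destinations the seed contacted that are rare fleet-wide (update servers etc. dropped)."""
    by_dst = _hosts_with_dst()
    return {(d, p) for h, d, p in NET_LOG if h == seed and rare(by_dst, (d, p))}


def rank_candidates(seed):
    """Score every other host by the number of matched indicators; best first, ties by name."""
    by_hash, by_dst = _hosts_with_hash(), _hosts_with_dst()
    scores = Counter()
    for digest in host_indicators(seed):
        for h in by_hash[digest]:
            scores[h] += 1
    for key in network_indicators(seed):
        for h in by_dst[key]:
            scores[h] += 1
    scores.pop(seed, None)               # the seed is already known to be infected
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def evaluate(ranked, confirmed, seed):
    """(detection rate over confirmed victims excluding the seed, false-positive rate over clean hosts)."""
    flagged = {h for h, score in ranked if score > 0}
    victims = confirmed - {seed}
    clean = set(PE_INVENTORY) - confirmed
    return len(flagged & victims) / len(victims), len(flagged & clean) / len(clean)


if __name__ == "__main__":
    ranking = rank_candidates(SEED)
    for host, score in ranking:
        print(f"{host}: {score} matched indicator(s)")
    print("detection rate %.2f, false-positive rate %.2f" % evaluate(ranking, CONFIRMED, SEED))
```

In the constructed data ws-002 matches both the dropped executable and the C2 destination, ws-004 (a different dropper, same C2) is found by the network indicator alone, and ws-005 is a false positive that also reached the C2 address; the prevalence filter is what keeps app.exe and the update server from flagging the whole fleet. The weaker, network-only matches are exactly where a manual investigation still has to confirm each candidate, which is the trade-off the abstract's false-positive figures quantify.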
id | ndltd-TW-101NCU05396082 |
record_format | oai_dc |
record updated | 2015-10-13T22:34:50Z |
title (Chinese) | 以回溯式偵測方法發掘潛在APT受駭主機之研究 |
author | Shun-Te Liu (劉順德) |
author2 | Yi-Ming Chen (陳奕明) |
thesis | 學位論文 (degree thesis) ; thesis 87 |
collection / sources | NDLTD |
language | en_US |
format | Others |
description | Doctoral dissertation === National Central University (國立中央大學) === Department of Information Management (資訊管理學系) === academic year 101 (ROC calendar) === Advanced persistent threats (APTs) are sophisticated, target-oriented cyber attacks that evade most conventional prevention and detection mechanisms. The attackers use the initial victims as stepping stones into the enterprise network in order to steal valuable information. The faster the victims are found, the less damage the APT causes. However, the malware underlying an APT is customized: even when one sample is found, it is too specific to serve as a detector for other, similar malware. Uncovering the remaining potential victims therefore falls to incident investigation, which is largely manual and takes too long to analyze the large volume of incident data.
In this dissertation, we propose a host-based and a network-based retrospective detection approach, called MalPEFinder and N-Victims respectively. Both start from one known malware-infected computer and work outward to determine the potential victims. To demonstrate practicability, we test the approaches on real-world APT malware samples and on a real APT case that occurred in a large enterprise network of several thousand computers running a commercial anti-virus system. The experimental results for MalPEFinder show a detection rate 17% higher than that of Splunk, a well-known retrospective search tool, together with a lower false-positive rate (3% vs. 25%). The experimental results for N-Victims show that it finds more malware-infected computers than the N-Gram-based approach, a general bot-detection technique; among the top 20 detected computers, N-Victims also achieved a higher detection rate than the N-Gram-based approach (100% vs. 5%, with N=2). |
publishDate | 2013 |
url | http://ndltd.ncl.edu.tw/handle/46856386636722628192 |