Loading...
| Friend's email | |
| Your name | |
| Your email | |
| enter code | |
This page was sent successfuly
A semantic-based correlation approach for detecting hybrid and low-level APTs
Lajevardi, A. M ; Sharif University of Technology | 2019
430
Viewed
- Type of Document: Article
- DOI: 10.1016/j.future.2019.01.056
- Publisher: Elsevier B.V , 2019
- Abstract:
- Sophisticated and targeted malwares, which today are known as Advanced Persistent Threats (APTs), use multi-step, distributed, hybrid and low-level patterns to leak and exfiltrate information, manipulate data, or prevent progression of a program or mission. Since current intrusion detection systems (IDSs) and alert correlation systems do not correlate low-level operating system events with network events and use alert correlation instead of event correlation, the intruders use low and hybrid events in order to distribute the attack vector, hide malwares behaviors, and therefore make detection difficult for such detection systems. In this paper, a new approach for detecting hybrid and low-level attacks, which are prevalent in APTs, is proposed. The proposed approach uses low-level interception and correlates operating system events with network events based on the semantic relationships that are defined between the entities in system ontology. In this scheme, malicious events, especially the events implicitly violate the security policies, are deduced and detected based on the event relations and defined security policies. Also, the proposed approach can track information flows between the existing subjects using a memory transition/manipulation model to reconstruct distributed attack vectors. Evaluation of the proposed approach on a computer network which contains many APTs scenarios shows the effectiveness of our detection approach. © 2019 Elsevier B.V
- Keywords:
- Advanced persistent threat ; Low-level attack ; Malware ; Ontology ; Semantic-based correlation ; Computer crime ; Intrusion detection ; Security systems ; Semantics ; Alert correlation ; Detection approach ; Distributed attack ; Information flows ; Intrusion Detection Systems ; Semantic relationships
- Source: Future Generation Computer Systems ; Volume 96 , 2019 , Pages 64-88 ; 0167739X (ISSN)
- URL: https://www.sciencedirect.com/science/article/abs/pii/S0167739X18314924