Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
- URL: http://arxiv.org/abs/2502.08830v1
- Date: Wed, 12 Feb 2025 22:38:50 GMT
- Title: Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
- Authors: Almuthanna Alageel, Sergio Maffeis, Imperial College London
- Abstract summary: This study examines the evolution of Advanced Persistent Threats (APTs) over 22 years. We focus on their evasion techniques and how they stay undetected for months or years. The most popular protocol to deploy evasion techniques is using HTTP(S) with 81% of APT campaigns.
- Score: 1.0787328610467801
- License: http://creativecommons.org/licenses/by-nc-sa/4.0/
- Abstract: The scarcity of data and the high complexity of Advanced Persistent Threats (APTs) attacks have created challenges in comprehending their behavior and hindered the exploration of effective detection techniques. To create an effective APT detection strategy, it is important to examine the Tactics, Techniques, and Procedures (TTPs) that have been reported by the industry. These TTPs can be difficult to classify as either malicious or legitimate. When developing an approach for the next generation of network intrusion detection systems (NIDS), it is necessary to take into account the specific context of the attack explained in this paper. In this study, we select 33 APT campaigns based on the fair distribution over the past 22 years to observe the evolution of APTs over time. We focus on their evasion techniques and how they stay undetected for months or years. We found that APTs cannot continue their operations without C&C servers, which are mostly addressed by Domain Name System (DNS). We identify several TTPs used for DNS, such as Dynamic DNS, typosquatting, and TLD squatting. The next step for APT operators is to start communicating with a victim. We found that the most popular protocol to deploy evasion techniques is using HTTP(S) with 81% of APT campaigns. HTTP(S) can evade firewall filtering and pose as legitimate web-based traffic. DNS protocol is also widely used by 45% of APTs for DNS resolution and tunneling. We identify and analyze the TTPs associated with using HTTP(S) based on real artifacts.
Related papers
- Detecting APT Malware Command and Control over HTTP(S) Using Contextual Summaries [1.0787328610467801]
We present EarlyCrow, an approach to detect APT malware command and control over HTTP(S) using contextual summaries. The design of EarlyCrow is informed by a novel threat model focused on TTPs present in traffic generated by tools recently used in APT campaigns. EarlyCrow defines a novel multipurpose network flow format called PairFlow, which is leveraged to build the contextual summary of a PCAP capture.
arXiv Detail & Related papers (2025-02-07T22:38:39Z)
- AdvQDet: Detecting Query-Based Adversarial Attacks with Adversarial Contrastive Prompt Tuning [93.77763753231338]
Adversarial Contrastive Prompt Tuning (ACPT) is proposed to fine-tune the CLIP image encoder to extract similar embeddings for any two intermediate adversarial queries.
We show that ACPT can detect 7 state-of-the-art query-based attacks with >99% detection rate within 5 shots.
We also show that ACPT is robust to 3 types of adaptive attacks.
arXiv Detail & Related papers (2024-08-04T09:53:50Z)
- Reflected Search Poisoning for Illicit Promotion [2.0355793807035094]
We conduct the first security study on RSP-based illicit promotion.
IPTs distributed via RSP are found to be large-scale, continuously growing, and diverse in both illicit categories and natural languages.
We have identified over 11 million distinct IPTs belonging to 14 different illicit categories.
arXiv Detail & Related papers (2024-04-08T09:10:02Z)
- TREC: APT Tactic / Technique Recognition via Few-Shot Provenance Subgraph Learning [31.959092032106472]
We propose TREC, the first attempt to recognize APT tactics from provenance graphs by exploiting deep learning techniques.
To address the "needle in a haystack" problem, TREC segments small and compact subgraphs from a large provenance graph.
We evaluate TREC based on a customized dataset collected and made public by our team.
arXiv Detail & Related papers (2024-02-23T07:05:32Z)
- NODLINK: An Online System for Fine-Grained APT Attack Detection and Investigation [15.803901489811318]
NodLink is the first online detection system that maintains high detection accuracy without sacrificing detection granularity.
We propose a novel design of in-memory cache, an efficient attack screening method, and a new approximation algorithm that is more efficient than the conventional one in APT attack detection.
arXiv Detail & Related papers (2023-11-04T05:36:59Z)
- The Key to Deobfuscation is Pattern of Life, not Overcoming Encryption [0.7124736158080939]
We present a novel methodology that is effective at deobfuscating sources by synthesizing measurements from key locations along protocol transaction paths.
Our approach links online personas with their origin IP addresses based on a Pattern of Life (PoL) analysis.
We show that, when monitoring in the correct places on the Internet, DNS over HTTPS (DoH) and DNS over TLS (DoT) can be deobfuscated with up to 100% accuracy.
arXiv Detail & Related papers (2023-10-04T02:34:29Z)
- DPTDR: Deep Prompt Tuning for Dense Passage Retrieval [53.217524851268216]
Deep prompt tuning (DPT) has gained great success in most natural language processing (NLP) tasks.
However, it is not well-investigated in dense retrieval where fine-tuning (FT) still dominates.
We propose two model-agnostic and task-agnostic strategies for DPT-based retrievers, namely retrieval-oriented intermediate pretraining and unified negative mining.
arXiv Detail & Related papers (2022-08-24T12:55:00Z)
- Illusory Attacks: Information-Theoretic Detectability Matters in Adversarial Attacks [76.35478518372692]
We introduce epsilon-illusory, a novel form of adversarial attack on sequential decision-makers.
Compared to existing attacks, we empirically find epsilon-illusory to be significantly harder to detect with automated methods.
Our findings suggest the need for better anomaly detectors, as well as effective hardware- and system-level defenses.
arXiv Detail & Related papers (2022-07-20T19:49:09Z)
- Towards Automated Classification of Attackers' TTPs by combining NLP with ML Techniques [77.34726150561087]
We evaluate and compare different Natural Language Processing (NLP) and machine learning techniques used for security information extraction in research.
Based on our investigations we propose a data processing pipeline that automatically classifies unstructured text according to attackers' tactics and techniques.
arXiv Detail & Related papers (2022-07-18T09:59:21Z)
- Adversarial Attacks and Defense for Non-Parametric Two-Sample Tests [73.32304304788838]
This paper systematically uncovers the failure mode of non-parametric TSTs through adversarial attacks.
To enable TST-agnostic attacks, we propose an ensemble attack framework that jointly minimizes the different types of test criteria.
To robustify TSTs, we propose a max-min optimization that iteratively generates adversarial pairs to train the deep kernels.
arXiv Detail & Related papers (2022-02-07T11:18:04Z)
- Certifiers Make Neural Networks Vulnerable to Availability Attacks [70.69104148250614]
We show for the first time that fallback strategies can be deliberately triggered by an adversary.
In addition to naturally occurring abstains for some inputs and perturbations, the adversary can use training-time attacks to deliberately trigger the fallback.
We design two novel availability attacks, which show the practical relevance of these threats.
arXiv Detail & Related papers (2021-08-25T15:49:10Z)
- TANTRA: Timing-Based Adversarial Network Traffic Reshaping Attack [46.79557381882643]
We present TANTRA, a novel end-to-end Timing-based Adversarial Network Traffic Reshaping Attack.
Our evasion attack utilizes a long short-term memory (LSTM) deep neural network (DNN) which is trained to learn the time differences between the target network's benign packets.
TANTRA achieves an average success rate of 99.99% in network intrusion detection system evasion.
arXiv Detail & Related papers (2021-03-10T19:03:38Z)
This list is automatically generated from the titles and abstracts of the papers in this site.