Decepticon: a Theoretical Framework to Counter Advanced Persistent Threats


Rudra P. Baksi · Shambhu J. Upadhyaya
Department of Computer Science and Engineering, University at Buffalo, SUNY, Buffalo, NY 14260, USA
Accepted: 27 October 2020
© Springer Science+Business Media, LLC, part of Springer Nature 2020

Abstract

Deception has been proposed in the literature as an effective defense mechanism to address Advanced Persistent Threats (APT). However, administering deception in a cost-effective manner requires a good understanding of the attack landscape. The attacks mounted by APT groups are highly diverse and sophisticated in nature and can render traditional signature-based intrusion detection systems useless. This necessitates the development of behavior-oriented defense mechanisms. In this paper, we develop Decepticon (Deception-based countermeasure), a Hidden Markov Model based framework in which indicators of compromise (IoC) are used as the observable features to aid detection. This theoretical framework also includes several models to represent the spread of APTs in a computer system. The presented framework can be used to select an appropriate deception script when faced with APTs or other similar malware and to trigger an appropriate defensive response. The effectiveness of the models in a networked system is illustrated by considering a real APT-type ransomware.

Keywords: Advanced Persistent Threats (APT) · Computer security · Cyber-security · Hidden Markov Model (HMM) · Ransomware

1 Introduction

Advanced Persistent Threats (APT) are a form of quiet invaders (Mehresh 2013b) and are a lingering nuisance to industries and government organizations. They silently perform reconnaissance, quietly invade, and keep a communication channel open in order to communicate with the command and control (C&C) centers. The attackers control the behavior of the malware from the C&C centers. APTs carry out targeted attacks to achieve their goal. They are quite persistent in their efforts to achieve their goals, and in doing so they might come with a contingency plan to which they may resort upon discovery (Baksi and Upadhyaya 2018). This type of attack has become prevalent and frequent, owing to the fact that malware-as-a-service (MaaS) is readily available, providing attackers with the necessary framework and infrastructure to create attacks (Leonard 2015; Messaoud et al. 2016). APTs come in different forms and formats. In this paper we focus on the detection and mitigation of a ransomware that qualifies as an APT (Baksi and Upadhyaya 2018). According to FireEye, 4,192 attacks were detected in 2013 which were mounted by groups that can confidently be classified as APT groups (Bennett et al. 2013). They were also able to detect 17,995 different infections by APT groups. The attacks thereafter have been increasing by leaps and bounds. RSA Security LLC suffered financial losses of about $66.3 Million when it became a victim of