1. Understanding DNS-based criminal infrastructure for informing takedowns

Nadji, Yacin Ibrahim 07 January 2016 (has links)
Botnets are a pervasive threat to the Internet and its inhabitants. A botnet is a collection of infected machines that receive commands from the botmaster, a person, group or nation-state, to perform malicious actions. Instead of "cleaning" individual infections, one can sever the method of communication between a botmaster and her zombies by attempting a botnet takedown, which contains the botnet and its malicious actions. Unfortunately, takedowns are currently performed without technical rigor, and there are no automated and independent means to measure success or to assist in performing them. This dissertation focuses on understanding the criminal infrastructure that enables communication between a botmaster and her zombies, in order to measure attempts at, and to perform, successful takedowns. We show that by interrogating malware and performing large-scale analysis of passively collected network data, we can measure whether a past botnet takedown was successful and use the same techniques to perform more comprehensive takedowns in the future.
2. Comparison of adversary emulation tools for reproducing behavior in cyber attacks (Swedish title: Jämförelse av verktyg för motståndaremulering vid återskapande av beteenden i cyberattacker)

Elgh, Joakim January 2022 (has links)
As cyber criminals can find many different ways of gaining unauthorized access to systems without being detected, it is of high importance for organizations to monitor what is happening inside their systems. Adversary emulation is a way to mimic the behavior of advanced adversaries within cyber security, which can be used to test the detection capabilities for malicious behavior within an organization's systems. The emulated behavior can be based on what has been observed in real cyber attacks; open source knowledge bases such as MITRE ATT&CK collect this kind of intelligence. Many organizations have in recent years developed tools to simplify emulating the behavior of known adversaries. These tools are referred to as adversary emulation tools in this thesis. The purpose of this thesis was to evaluate how noisy different adversary emulation tools are. This was done through measurements of the number of event logs generated by Sysmon when performing emulations against a Windows system. The goal was to find out which tool was the least noisy. The adversary emulation tools included in this thesis were Invoke-AtomicRedTeam, CALDERA, ATTPwn and Red Team Automation. To make sure the correlation between the adversary emulation tools and the generated event logs could be identified, a controlled experiment was selected as the method for the study. Five experiments were designed, each including one emulation scenario executed by the adversary emulation tools included in that experiment. After each emulation, event logs were collected, filtered, and measured for use in the comparison. Three experiments were conducted which compared Invoke-AtomicRedTeam, CALDERA, and a manual emulation. The results of the first three experiments indicated that Invoke-AtomicRedTeam was the noisiest, followed by CALDERA, and the manual emulation was the least noisy. On average, the manual emulation generated 83.9% fewer logs than Invoke-AtomicRedTeam and 78.4% fewer logs than CALDERA in experiments 1-3. A fourth experiment compared Red Team Automation and Invoke-AtomicRedTeam, where Red Team Automation was the least noisy tool. The final, fifth experiment compared ATTPwn and CALDERA, and the results indicated that these were similarly noisy but in different ways. It was also concluded that a main difference between the adversary emulation tools was the number of techniques available, which could limit the ability to emulate the behavior of real adversaries. However, as the emulation tools were implemented in different ways, this thesis could be one starting point for future development of silent adversary emulation tools or assist in selecting an existing adversary emulation tool.
3. Machine Learning and Knowledge-Based Integrated Intrusion Detection Schemes

Shen, Yu 06 July 2022 (has links)
As electronic computer technology advances, files and data are kept in computers and exchanged through networks. The computer is a physically closed system for users, making it harder for others to steal data via direct access. Computer networks, on the other hand, can be used by hackers to gain access to user accounts and steal sensitive data. Academics are concentrating their efforts on preventing network attacks and assuring data security. The Intrusion Detection System (IDS) relies on network traffic and host logs to detect and protect against network threats. These all, however, necessitate a lot of data analysis and quick reaction tactics, which puts a lot of pressure on network managers. The advancement of AI allows computers to take over difficult and time-consuming data processing activities, resulting in more intelligent network attack protection techniques and timely alerts of suspected network attacks. The SCVIC-APT-2021 dataset, which is specific to APT attacks, is generated to serve as a benchmark for APT detection. A Virtual Private Network (VPN) connects two network domains to form the basic network environment for creating the dataset. Kali Linux is used as the attacker to launch multiple rounds of APT attacks and compromise the two network domains from the external network. The generated dataset contains six APT stages, each of which includes different attack techniques. Following that, a knowledge-based machine learning model is proposed to detect APT attacks on the developed SCVIC-APT-2021 dataset. The macro average F1-score increases by 11.01% and reaches 81.92% when compared to the supervised baseline model. NSL-KDD and UNSW-NB15 are then utilized as benchmarks to verify the performance of the proposed model. The weighted average F1-score on the two datasets reaches 76.42% and 79.20%, respectively.

Since some network attacks leave host-based information such as system logs on the network devices, a detection scheme that integrates network-based features and host-based features is used to boost the network attack detection capabilities of the IDS. The raw data of CSE-CIC-IDS2018 is utilized to create the SCVIC-CIDS-2021 dataset, which includes both network-based features and host-based features. To ensure precise classification results, SCVIC-CIDS-2021 is labelled with the attack techniques. Due to the high dimensionality of the features in the produced dataset, an Autoencoder (AE) and a Gated Recurrent Unit (GRU) are employed to reduce the dimensionality of the network-based and host-based features, respectively. Finally, classification of the data points is performed using the knowledge-based PKI and PKI Difference (PKID) models. Among these, the PKID model performs better, with a macro average F1-score of 96.60%, which is 7.62% higher than the result obtained using network-based features only.
4. Hidden Markov models and alert correlations for the prediction of advanced persistent threats

Ghafir, Ibrahim, Kyriakopoulos, K.G., Lambotharan, S., Aparicio-Navarro, F.J., Assadhan, B., Binsalleeh, H., Diab, D.M. 24 January 2020 (has links)
Cyber security has become a matter of global interest, and several attacks target industrial companies and governmental organizations. Advanced persistent threats (APTs) have emerged as a new and complex version of multi-stage attacks (MSAs), targeting selected companies and organizations. Current APT detection systems focus on raising detection alerts rather than predicting APTs. Forecasting the APT stages not only reveals the APT life cycle in its early stages but also helps to understand the attacker's strategies and aims. This paper proposes a novel intrusion detection system for APT detection and prediction. This system undergoes two main phases; the first one achieves the attack scenario reconstruction. This phase has a correlation framework to link the elementary alerts that belong to the same APT campaign. The correlation is based on matching the attributes of the elementary alerts that are generated over a configurable time window. The second phase of the proposed system is the attack decoding. This phase utilizes a hidden Markov model (HMM) to determine the most likely sequence of APT stages for a given sequence of correlated alerts. Moreover, a prediction algorithm is developed to predict the next step of the APT campaign after computing the probability of each APT stage being the attacker's next step. The proposed approach estimates the sequence of APT stages with a prediction accuracy of at least 91.80%. In addition, it predicts the next step of the APT campaign with an accuracy of 66.50%, 92.70%, and 100% based on two, three, and four correlated alerts, respectively.

Supported by the Gulf Science, Innovation and Knowledge Economy Programme of the U.K. Government under UK-Gulf Institutional Link Grant IL 279339985 and in part by the Engineering and Physical Sciences Research Council (EPSRC), U.K., under Grant EP/R006385/1.
5. Detection of advanced persistent threat using machine-learning correlation analysis

Ghafir, Ibrahim, Hammoudeh, M., Prenosil, V., Han, L., Hegarty, R., Rabie, K., Aparicio-Navarro, F.J. 24 January 2020 (has links)
As one of the most serious types of cyber attack, Advanced Persistent Threats (APT) have caused major concerns on a global scale. APT refers to a persistent, multi-stage attack with the intention to compromise the targeted system and gain information from it, which has the potential to cause significant damage and substantial financial loss. The accurate detection and prediction of APT is an ongoing challenge. This work proposes a novel machine learning-based system entitled MLAPT, which can accurately and rapidly detect and predict APT attacks in a systematic way. MLAPT runs through three main phases: (1) Threat detection, in which eight methods have been developed to detect the different techniques used during the various APT steps; the implementation and validation of these methods with real traffic is a significant contribution to the current body of research. (2) Alert correlation, in which a correlation framework is designed to link the outputs of the detection methods, aiming to identify alerts that could be related and belong to a single APT scenario. (3) Attack prediction, in which a machine learning-based prediction module is proposed based on the correlation framework output, to be used by the network security team to determine the probability that the early alerts develop into a complete APT attack. MLAPT is experimentally evaluated, and the presented system is able to predict an APT in its early steps with a prediction accuracy of 84.8%.
6. Real-time detection of Advanced Persistent Threats using Information Flow Tracking and Hidden Markov Models (French title: Détection temps réel de menaces persistantes avancées par suivi de flux d'information et modèles de Markov cachés)

Brogi, Guillaume 04 April 2018 (has links)
In this thesis, we present the risks posed by Advanced Persistent Threats (APTs) and propose a two-step approach to distinguish the attacks that are part of one. This work is part of Akheros, an autonomous Intrusion Detection System (IDS) developed by three PhD students. The idea is to use machine learning to detect unexpected events and check whether they pose a security risk. The final step, and the subject of this thesis, is to highlight APTs. APT campaigns are particularly dangerous because the attackers are skilled and have a precise goal as well as time and money. We start from the results of the previous parts of Akheros: a list of events that can be translated into information flows and that indicates when attacks are detected. We bring out the links between attacks using Information Flow Tracking: we add a new taint for each attack. During propagation, if a taint is found upstream of a flow that is part of an attack, then the two attacks are linked. Some attacks are linked by mistake because the events we use are not precise enough, hence the two-step approach. When some attacks are not detected, the taint for that attack is not created; however, the other taints are propagated normally, and the attack preceding the undetected attack will be linked to the attack that follows it. The second step of the approach is to remove the erroneous links. We use a Hidden Markov Model to represent APTs and remove the campaigns that do not follow the model. This works because APTs, although all different, go through the same phases. These phases are the hidden states of the model. The observations are the types of attacks carried out during these phases. Moreover, the attackers' future actions depend on the results of the current action, which satisfies the Markov assumption. The score used to rank potential campaigns from the closest to an APT to the furthest is based on a Viterbi algorithm modified to take potential undetected attacks into account.

In this thesis, we present the risks posed by Advanced Persistent Threats (APTs) and propose a two-step approach for recognising when detected attacks are part of one. This is part of the Akheros solution, a fully autonomous Intrusion Detection System (IDS) being developed in collaboration by three PhD students. The idea is to use machine learning to detect unexpected events and check if they present a security risk. The last part, and the subject of this thesis, is the highlighting of APTs. APT campaigns are particularly dangerous because they are performed by skilled attackers with a precise goal and time and money on their side. We start with the results from the previous part of the Akheros IDS: a list of events, which can be translated to flows of information, with an indication for events found to be attacks. We find links between attacks using Information Flow Tracking. To do so, we create a new taint for each detected attack and propagate it. Whenever a taint is on the input of an event that is part of another attack, the two attacks are linked. However, the links are only potential because the events used are not precise enough, which leads to erroneously propagated taints. In the case of an undetected attack, no taint is created for that attack, but the other taints are still propagated as normal, so the previous attack is still linked to the next attack, only skipping the undetected one. The second step of the approach is to filter out the erroneous links. To do so, we use a Hidden Markov Model to represent APTs and remove potential attack campaigns that do not fit the model. This is possible because, while each APT is different, they all go through the same phases, which form the hidden states of our model. The visible observations are the kinds of attacks performed during these phases. In addition, the results in one phase dictate what the attackers do next, which fits the Markov hypothesis. The score used to rank potential attack campaigns from most likely an APT to least likely is based on a customised Viterbi algorithm that takes potentially undetected attacks into account.
7. Software-defined Situation-aware Cloud Security

January 2020 (has links)
The use of reactive security mechanisms in enterprise networks can, at times, provide an asymmetric advantage to the attacker. Similarly, the use of a proactive security mechanism like Moving Target Defense (MTD), if performed without analyzing the effects of security countermeasures, can lead to security policy and service level agreement violations. In this thesis, I explore the research questions: 1) how to model attacker-defender interactions for multi-stage attacks; 2) how to efficiently deploy proactive (MTD) security countermeasures in a software-defined environment for single and multi-stage attacks; and 3) how to verify the effects of security and management policies on the network and take corrective actions. I propose a Software-defined Situation-aware Cloud Security framework that 1) analyzes the attacker-defender interactions using a Software-defined Networking (SDN) based scalable attack graph. This research investigates Advanced Persistent Threat (APT) attacks using a scalable attack graph; the framework utilizes a parallel graph partitioning algorithm to generate an attack graph quickly and efficiently. 2) models single-stage and multi-stage attacks (APTs) using a game-theoretic model and provides SDN-based MTD countermeasures; I propose a Markov Game for modeling multi-stage attacks. 3) introduces a multi-stage policy conflict checking framework at the SDN network's application plane. I present INTPOL, a new intent-driven security policy enforcement solution. INTPOL provides a unified language and grammar that abstracts the network administrator from the underlying network controller's lexical rules. INTPOL develops a bounded formal model for network service compliance checking, which significantly reduces the number of countermeasures that need to be deployed. Once the application-layer policy conflicts are resolved, I utilize an Object-Oriented Policy Conflict checking (OOPC) framework that identifies and resolves rule-order dependencies and conflicts between security policies.

Doctoral Dissertation, Computer Science, 2020
8. Detecting Lateral Movement in Microsoft Active Directory Log Files: A supervised machine learning approach

Uppströmer, Viktor, Råberg, Henning January 2019 (has links)
Cyber attacks pose a major threat to today's companies and organisations, with an average cost per breach of about 3.86 million USD. To minimise the cost of a breach, it is important to detect the intrusion at as early a stage as possible. Advanced persistent threats (APT) are sophisticated cyber attacks with a long presence in the victim's network. After the attacker's initial intrusion, the focus of the attack shifts to gaining control over as many devices as possible on the network. This step is called lateral movement and is one of the most critical steps in an APT. The purpose of this thesis is to investigate how, and how well, lateral movement can be detected using a machine learning method. In the study, five machine learning algorithms are compared and evaluated with repeated cross-validation followed by statistical testing to determine which of the algorithms is best. The study also concludes which attributes in the examined dataset are essential for detecting lateral movement. The dataset comes from an Active Directory domain controller, where the dataset's attributes are created from correlated logs using computer name, IP address and user name. The dataset consists of a synthetic part and a real part, which together form a semi-synthetic dataset containing a multiclass classification problem. The experiment concludes that all five algorithms classify correctly with an accuracy of 0.998. The RF algorithm performs with the highest f-measure (0.88) and recall (0.858), SVM is best regarding precision (0.972), and DT has the lowest training time (1237 ms). Based on the results, the study indicates that the algorithms RF, SVM and DT perform best in different scenarios. For example, SVM can be used if a low number of false positive alarms is important. If balanced performance across the different performance metrics is most important, RF should be used. The study also concludes that a large number of the examined attributes of the dataset can be disregarded in future experiments, as they did not affect the performance of any of the algorithms.

Cyber attacks pose a high threat to companies and organisations worldwide. With the cost of a data breach reaching $3.86 million on average, the demand is high for a rapid solution to detect cyber attacks as early as possible. Advanced persistent threats (APT) are sophisticated cyber attacks which have long persistence inside the network. During an APT, the attacker will spread its foothold over the network. This stage, which is one of the most critical steps in an APT, is called lateral movement. The purpose of the thesis is to investigate lateral movement detection with a machine learning approach. Five machine learning algorithms are compared using repeated cross-validation followed by statistical testing to determine the best performing algorithm and feature importance. Features used for learning the classifiers are extracted from Active Directory log entries that relate to each other through a shared workstation, IP, or account name. These features are the basis of a semi-synthetic dataset, which consists of a multiclass classification problem. The experiment concludes that all five algorithms perform with an accuracy of 0.998. RF displays the highest f1-score (0.88) and recall (0.858), SVM performs best on the precision metric (0.972), and DT has the lowest computational cost (1237 ms). Based on these results, the thesis concludes that the algorithms RF, SVM, and DT perform best in different scenarios. For instance, SVM should be used if a low number of false positives is favoured. If general and balanced performance across multiple metrics is preferred, then RF will perform best. The results also conclude that a significant number of the examined features can be disregarded in future experiments, as they do not impact the performance of any of the classifiers.
