http://dx.doi.org/10.13089/JKIISC.2014.24.5.839

Host based Feature Description Method for Detecting APT Attack  

Moon, Daesung (ETRI, Network Security Research Team)
Lee, Hansung (ETRI, Network Security Research Team)
Kim, Ikkyun (ETRI, Network Security Research Team)
Abstract
As the social and financial damage caused by APT attacks such as the 3.20 cyber terror incident increases, a technical countermeasure against APT attacks is required. It is difficult, however, to defend against APT attacks with existing security equipment, because such attacks persistently use zero-day malware. In this paper, we propose a host-based anomaly detection method to overcome the limitations of conventional signature-based intrusion detection systems. First, we defined 39 features for distinguishing normal from abnormal behavior, and then collected a data set of 8.7 million feature records generated while running both malware and normal executable files. Each process is then represented as an 83-dimensional vector that profiles the frequency of appearance of the features; the vector also includes the frequency of features generated by the child processes of each process, so it represents the whole behavior of the process during its execution. In experiments applying the C4.5 decision tree algorithm, we obtained a false positive rate of 2.0% and a false negative rate of 5.8%.
Keywords
Advanced Persistent Threat; APT; Anomaly Detection; HIDS;
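The per-process behavior profile the abstract describes (own feature counts plus the counts from the process's child processes), shown as an added example that is not code from the paper. The feature names, the event record layout (pid, ppid, feature) and the vector layout [own counts | descendant counts] are assumptions; the paper's 39 features and its exact 83-dimension layout are not given on this page.

```python
"""Build host behaviour profile vectors from a constructed process event log.

Assumed feature set and record layout; the vector is the process's own
feature counts followed by the summed counts of all its descendants, so
that a dropper which only acts through spawned children is still profiled.
"""
from collections import defaultdict

# Hypothetical feature set standing in for the paper's 39 features.
FEATURES = ["file_create", "file_write", "reg_set_value",
            "process_create", "tcp_connect", "dll_load"]
INDEX = {f: i for i, f in enumerate(FEATURES)}

# Constructed events (pid, ppid, feature), as a host monitor such as
# Process Monitor might report them during one executable's run.
EVENTS = [
    (100, 1, "file_create"), (100, 1, "process_create"),
    (200, 100, "reg_set_value"), (200, 100, "process_create"),
    (300, 200, "tcp_connect"), (300, 200, "tcp_connect"),
    (300, 200, "dll_load"), (400, 1, "file_write"),
]


def build_tree(events):
    """Return (pid -> ppid map, pid -> own per-feature counts)."""
    parent, own = {}, defaultdict(lambda: [0] * len(FEATURES))
    for pid, ppid, feat in events:
        parent[pid] = ppid
        own[pid][INDEX[feat]] += 1
    return parent, own


def profile(pid, parent, own):
    """Own counts concatenated with counts from every descendant process."""
    desc = [0] * len(FEATURES)
    for child, ppid in parent.items():
        p = ppid                      # walk up the ancestry of each process
        while p in parent:            # stop at a root with no recorded parent
            if p == pid:              # pid is an ancestor: fold child's counts in
                desc = [a + b for a, b in zip(desc, own[child])]
                break
            p = parent[p]
    return own[pid][:] + desc


def profile_all(events):
    """Profile vector for every process seen in the event log."""
    parent, own = build_tree(events)
    return {pid: profile(pid, parent, own) for pid in parent}
```

The resulting vectors are the rows a classifier such as C4.5 would be trained on, one per process run.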