— Presentation at RAID2015 —
December 10, 2015
RAID2015 (the 18th International Symposium on Research in Attacks, Intrusions and Defenses), a premier international conference on cyber security covering topics such as malware countermeasures and targeted attacks, was held from November 2nd to 4th in Kyoto. The authors presented a technology for detecting advanced persistent threat (APT) activities, titled "On the Detection of Targeted Attacks by Constructing Lateral Movement Graphs", at the conference's poster session (Fig. 1).
The number of APTs targeting government agencies, private companies, and major infrastructure, with the aim of stealing valuable data and causing damage within the network, has increased dramatically in recent years. In addition, intrusion methods have become more sophisticated; for example, stealth malware*1 is leveraged in intrusion attacks. Moreover, there is a trend toward abusing built-in OS commands intended for surveying network status, as well as freeware that was never developed for use in APTs. Such sophisticated attacks do not present obvious malicious activity on each infected host, which makes them undetectable by conventional anti-virus software or by existing technologies that analyze each host individually using features common to previously observed attacks.
Fig. 1 Poster Slide on the Proposed Technology
Therefore, we consider that a new analysis approach that correlates activities across multiple hosts, rather than examining each host individually, is required to detect this type of sophisticated attack. We have accordingly developed a detection technology that raises warning signs when multiple hosts present suspicious activities. The developed technology is capable of (1) identifying suspicious hosts that may have been compromised by an APT using machine learning, and then (2) visualizing the correlation between the suspicious hosts by analyzing the access timing between them. This technology allows the security administrator to detect attacks that cannot be identified by analyzing each host individually.
(1) Identifying suspicious hosts that may have been compromised by an APT using machine learning
The purpose of an attack, stealing valuable data and causing damage within the network, differs from the ordinary use of computers and servers, such as document generation, web browsing, or providing network services. Thus, when an intrusion occurs, the host frequently performs uncommon activities and presents suspicious behavior. Six types of sensors were developed to identify such suspicious activities, for example executing uncommon programs or communicating with hosts that are not normally accessed, by modeling the features of a host's regular activity using machine learning. Based on the number of suspicious activities reported by those sensors, an analysis server installed in the company's network identifies the suspicious hosts.
(2) Visualizing the correlation of infected hosts by analyzing their access-timing
An intruder can extend the attack to other hosts and networks by exploiting vulnerabilities or through unauthorized remote logins. We developed a technology that visualizes the correlation between two hosts as a graph representing the attack routes, based on whether a suspicious host identified by machine learning has been accessed from another suspicious host over a period of time. If the number of correlated hosts reaches a certain level, the activity is determined to be malicious. Because the attack tactics and routes on each host can be analyzed from the suspicious activities and their correlation, this technology can also contribute to attack investigation and countermeasure planning.
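As an added illustration (not code from the paper or the authors), the following Python sketch walks through steps (1) and (2) above on a constructed sensor report and access log: hosts whose sensor hit count reaches a threshold are marked suspicious, accesses between two suspicious hosts inside the analysis window become edges of the lateral movement graph, and an alert is raised when a connected group of hosts reaches a minimum size. The thresholds, the hit-count scoring and the sample data are assumptions, not values from the paper.

```python
from collections import defaultdict

# Constructed sample input (not data from the paper): per-host number of
# suspicious activities reported by the host sensors to the analysis server.
SENSOR_HITS = {"ws01": 4, "ws02": 3, "ws03": 0, "fs01": 5, "ws04": 1, "dc01": 6}

# Constructed access log: (timestamp in seconds, source host, destination host).
ACCESS_LOG = [
    (100, "ws01", "ws02"),
    (300, "ws02", "fs01"),
    (900, "fs01", "dc01"),
    (5000, "ws03", "ws04"),   # neither end is suspicious: ignored
    (50000, "ws01", "dc01"),  # outside the analysis window: ignored
]

def suspicious_hosts(hits, min_hits=3):
    """Step (1): hosts whose sensor hit count reaches the (assumed) threshold."""
    return {host for host, n in hits.items() if n >= min_hits}

def lateral_movement_graph(log, suspects, window_start, window_end):
    """Step (2): directed edge src -> dst for every access between two
    suspicious hosts inside the analysis window."""
    edges = defaultdict(set)
    for ts, src, dst in log:
        if window_start <= ts <= window_end and src != dst \
                and src in suspects and dst in suspects:
            edges[src].add(dst)
    return dict(edges)

def correlated_components(graph):
    """Groups of hosts linked by suspicious accesses (weakly connected components)."""
    adj = defaultdict(set)
    for src, dsts in graph.items():
        for dst in dsts:
            adj[src].add(dst)
            adj[dst].add(src)
    seen, components = set(), []
    for start in list(adj):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node not in comp:
                comp.add(node)
                stack.extend(adj[node] - comp)
        seen |= comp
        components.append(comp)
    return components

def detect(hits, log, window_start, window_end, min_hits=3, min_hosts=3):
    """Returns the lateral movement graph and the host groups large enough to alert on."""
    suspects = suspicious_hosts(hits, min_hits)
    graph = lateral_movement_graph(log, suspects, window_start, window_end)
    return graph, [c for c in correlated_components(graph) if len(c) >= min_hosts]
```

Raising `min_hosts` trades missed small-scale intrusions for fewer alerts, which is the detection-rate versus false-alert balance evaluated in the next section.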
To measure the performance of this technology, we conducted experiments in one of our local networks with a simulation of typical APTs based on case studies, reports from security vendors, and academic research. The experimental results show that our technology achieves a detection rate of 97% and reduces the number of false alerts to 10% compared with a whitelisting technique*2. By achieving both a high detection rate and few false alerts, this technology offers efficient and effective countermeasures against APTs.
The importance of developing APT incident response technology is not restricted to IT systems but extends to IoT systems and industrial systems. We will apply this technology to major infrastructure in order to contribute to the realization of a safe and secure society.
(By KAWAGUCHI Nobutaka)