Paper Abstract and Keywords |
Presentation |
2017-03-14 11:20
Graph based Detection of Advanced Persistent Threat on LAN Hiroki Nagayama, Bo Hu, Takaaki Koyama, Jun Miyoshi (NTT) ICSS2016-65 |
Abstract |
(in Japanese) |
(See Japanese page) |
(in English) |
Recently the countermeasures against continuously increasing Advanced Persistent Threats(APT) are urgently necessary.
In APT, the attacker remotely controls the infected enterprise host and operate stealthily for network reconnaissance, further intrusion on others and data exfiltration.
It is difficult to prevent APT during initial intrusion phase because attackers usually apply unknown malwares. Therefore, it is important to detect attackers' reconnaissance activities and specify infected hosts in early stage accepting the possibility of initial intrusion.
Most of conventional techniques for APT detection require data from packet capture and network flow, and not reliable enough due to setup operation cost, huge traffic volume and so on.
Therefore, we focus on ARP request traffic which can be obtained more easily and has small traffic volume.
Conventional methods using ARP traffic only can detect reconnaissance activities that have distinctive features such as connecting to
a large number of destinations, to a destination with high frequency or to a unused IP address.
However, in the case of APT, due to stealthy operation of the attacker, it is difficult to extract required features for applying those method.
In our research, we propose an anomaly detection method which 1) represents observed communication between hosts as a graph by using ARP request traffic, 2) extracts normal pattern between different hosts as a set of sub-graphs, 3) and detect unknown traffic across different sub-graphs as anomaly pattern.
The proposed method realizes detection of reconnaissance activities of APT in early stage. |
Keyword |
(in Japanese) |
(See Japanese page) |
(in English) |
advanced persistent threat / reconnaissance activities / ARP / graph mining / anomaly detection / / / |
Reference Info. |
IEICE Tech. Rep., vol. 116, no. 522, ICSS2016-65, pp. 153-158, March 2017. |
Paper # |
ICSS2016-65 |
Date of Issue |
2017-03-06 (ICSS) |
ISSN |
Print edition: ISSN 0913-5685 Online edition: ISSN 2432-6380 |
Copyright and reproduction |
All rights are reserved and no part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system, without permission in writing from the publisher. Notwithstanding, instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. (License No.: 10GA0019/12GB0052/13GB0056/17GB0034/18GB0034) |
Download PDF |
ICSS2016-65 |
Conference Information |
Committee |
ICSS IPSJ-SPT |
Conference Date |
2017-03-13 - 2017-03-14 |
Place (in Japanese) |
(See Japanese page) |
Place (in English) |
University of Nagasaki |
Topics (in Japanese) |
(See Japanese page) |
Topics (in English) |
System Security, etc. |
Paper Information |
Registration To |
ICSS |
Conference Code |
2017-03-ICSS-SPT |
Language |
Japanese |
Title (in Japanese) |
(See Japanese page) |
Sub Title (in Japanese) |
(See Japanese page) |
Title (in English) |
Graph based Detection of Advanced Persistent Threat on LAN |
Sub Title (in English) |
|
Keyword(1) |
advanced persistent threat |
Keyword(2) |
reconnaissance activities |
Keyword(3) |
ARP |
Keyword(4) |
graph mining |
Keyword(5) |
anomaly detection |
Keyword(6) |
|
Keyword(7) |
|
Keyword(8) |
|
1st Author's Name |
Hiroki Nagayama |
1st Author's Affiliation |
NIPPON TELEGRAPH AND TELEPHONE CORPORATION (NTT) |
2nd Author's Name |
Bo Hu |
2nd Author's Affiliation |
NIPPON TELEGRAPH AND TELEPHONE CORPORATION (NTT) |
3rd Author's Name |
Takaaki Koyama |
3rd Author's Affiliation |
NIPPON TELEGRAPH AND TELEPHONE CORPORATION (NTT) |
4th Author's Name |
Jun Miyoshi |
4th Author's Affiliation |
NIPPON TELEGRAPH AND TELEPHONE CORPORATION (NTT) |
5th Author's Name |
|
5th Author's Affiliation |
() |
6th Author's Name |
|
6th Author's Affiliation |
() |
7th Author's Name |
|
7th Author's Affiliation |
() |
8th Author's Name |
|
8th Author's Affiliation |
() |
9th Author's Name |
|
9th Author's Affiliation |
() |
10th Author's Name |
|
10th Author's Affiliation |
() |
11th Author's Name |
|
11th Author's Affiliation |
() |
12th Author's Name |
|
12th Author's Affiliation |
() |
13th Author's Name |
|
13th Author's Affiliation |
() |
14th Author's Name |
|
14th Author's Affiliation |
() |
15th Author's Name |
|
15th Author's Affiliation |
() |
16th Author's Name |
|
16th Author's Affiliation |
() |
17th Author's Name |
|
17th Author's Affiliation |
() |
18th Author's Name |
|
18th Author's Affiliation |
() |
19th Author's Name |
|
19th Author's Affiliation |
() |
20th Author's Name |
|
20th Author's Affiliation |
() |
Speaker |
Author-1 |
Date Time |
2017-03-14 11:20:00 |
Presentation Time |
25 minutes |
Registration for |
ICSS |
Paper # |
ICSS2016-65 |
Volume (vol) |
vol.116 |
Number (no) |
no.522 |
Page |
pp.153-158 |
#Pages |
6 |
Date of Issue |
2017-03-06 (ICSS) |
|