MLDS: Multi-Layer Defense System for Preventing Advanced Persistent Threats
2. Related Works
2.1. Attack Cases
2.2. Steps Followed by an APT Attack
2.3. Malware Detection Techniques
- HIDS (Host-Based Intrusion Detection Systems) Related APT Actions: HIDS is the intrusion detection system for the host such as personal computer and server computer. HIDS analyzes the resources inside a computer such as log, file, folder, service and monitors and analyzes any trace of infection. In the case of an APT attack, it infects a system using an infected attachment; thus, the role of HIDS becomes very important. The detection technique of HIDS differs for each product; however, it saves the hash value of a file in order to confirm the presence of infection for a given file and checks the changes of a file periodically. In addition, it detects and analyzes any abnormal operation patterns by monitoring the system call or vector table provided by the operating system . Most HIDS is implemented as a program in the form of an agent inside a computer .
- NIDS (Network-Based Intrusion Detection Systems) Related APT Actions: Unlike HIDS, it focuses on external interface. It monitors the presence of malicious activities that take place inside network through an abnormality of network traffic. NIDS detects service refusal attack, port scanning, packing sniping, etc. NIDS is required for all the steps excluding the hiding step of APT attack. However, APT attacks use complex malware that allows them to bypass the NIDS system of the target; thus, technologies to better defend from the attacks are continuously carried out.
- Signature Detection: One finds malware by distinguishing the existing signature data when a new file or traffic comes into a system as configuring the signature value such as code and pattern of malware, which was previously discovered by the detection method generated from the file that intruded the system as it was infected with malware. However, an APT attack has a different form from the existing malware since it uses advanced malware. Thus, the signature based detection has some limitation for malware detection. However, its rate for wrong detection is low; thus, other detection technologies are not used.
- Virtual Sandbox Detection: This is the technology to detect malware dynamically . One determines the presence of malware from the information collected through the execution of a file. In general, Sandbox is known as an application emulator and it detects the presence of malicious activities by executing the application in virtual space. It is used mainly for zero-day attack or transformed malware detection . An APT attack intrudes a target system using zero-day vulnerability; thus, detection using virtual sandbox shall be mandatory for defending APT.
- Machine Learning: In recent years, the degree of complexity of malicious software has been on the rise. One of the most serious and heinous of the malicious software attacks can be said to be APT attacks. However, in fact, it is rare to see an APT attack that uses conventional malware. There are a number of variables even for those who attack the same vulnerability. As such, there have been many studies on the learning based detection technique to defend an attack of numerous variables and zero-day for vulnerabilities by learning malware dynamically [17–20]. The learning technique based algorithms include neural network, SVM (support vector machines-based), decision tree, Bayesian network, etc.
2.4. Analyses Information for Each Step of an APT Attack
3.2. Service Scenario
- AM → NM: sending an network trafficAM collects data from the network agent and transmits it to the network manager.
- NM: analyzing the trafficNM analyzes traffic through various module such as network signature, traffic frequency and whitelisting.
- NM → CF: sending the suspicious trafficWhen suspicious traffic is detected by the traffic analysis module of NM, it passes to the CF.
- CF: classify suspiciousCF classifies malicious traffics in accordance with risk level through Classify module.
- CF → AM: classify informationWhen certain traffic is classified as malicious by CF, AM is notified to protect the system from APT attacks.
- AM → NM: sending E-mail and Web TrafficEmails from each agent and network traffic data are delivered to AM as well.
- NM → AZ: sending a suspicious fileNM analyzes the traffic. When it detects any abnormality, the network stream extracts the file. It then transfers the file to AZ.
- AZ: analyzing the fileBasically, AZ determines if certain files are malicious by means of the static analysis module and then enhances the efficiency of detection by means of the dynamic analysis module.
- AZ → CF: sending an detected fileIf a file is deemed as malware, it transmits the information to CF.
- CF: classifying the fileCF classifies the files in accordance with the detected risk level.
- CF → AM: sending informationWhen certain classified traffic is found dangerous, AM is notified to protect the system from APT attacks.
- EM: file analysisEM classifies files suspicious of malicious software based on the files transmitted by an end-user’s agent.
- EM → AZ: sending a classified fileEM classifies the files saved by users primarily through the Initial Classifier.
- AZ → CF: sending a detected fileIn the case of those files that are detected for abnormal act, it sends these files to AZ to analyze the presence of malicious files.
- CF → AM: sending classified informationCF classifies the risk level of analyzed files and sends this information to AM to synchronize with an end-user.
3.3. Case Studies
Case 1. Prevention method for end-user form Spear phishing at initial intrusion
Case 2. Prevention method from Infection and Metastasis through USB
Conflicts of Interest
- Julian, J.-J.; Nepal, S. A survey of emerging threats in cybersecurity. J. Comput. Syst. Sci. 2014, 80, 973–993. [Google Scholar]
- Jingle, I.D.J.; Rajsingh, E.B. ColShield: An effective and collaborative protection shield for the detection and prevention of collaborative flooding of DDoS attacks in wireless mesh networks. Hum.-Centric Comput. Inf. Sci. 2014, 8. [Google Scholar] [CrossRef]
- Feng, L.; Liao, X.; Han, Q.; Li, H. Dynamical analysis and control strategies on malware propagation model. Appl. Math. Model. 2013, 37, 8225–8236. [Google Scholar]
- Hoang, T.; Nguyen, T.; Luong, C.; Do, S.; Choi, D. Adaptive cross-device gait recognition using a mobile accelerometer. J. Inf. Process. Syst. 2013, 9, 333–348. [Google Scholar]
- Misra, A.K.; Verma, M.; Sharma, A. Capturing the interplay between malware and anti-malware in a computer network. Appl. Math. Comput. 2014, 229, 340–349. [Google Scholar]
- Xenakis, C.; Ntantogian, C. An advanced persistent threat in 3G networks: Attacking the home network from roaming networks. Comput. Secur. 2014, 40, 84–94. [Google Scholar]
- Mustafa, T. Malicious data leak prevention and purposeful evasion attacks: An approach to Advanced Persistent Threat (APT) management, In Proceedings of the Saudi International Electronics, Communications and Photonics Conference (SIECPC), Riyadh, Saudi Arabia, 27–30 April 2013; pp. 1–5.
- Lu, H.; Wang, X.; Zhao, B.; Wang, F.; Su, J. ENDMal: An anti-obfuscation and collaborative malware detection system using syscall sequences. Math. Comput. Model. 2013, 58, 1140–1154. [Google Scholar]
- Sheen, S.; Anitha, R.; Sirisha, P. Malware detection by prunng of parallel ensembles using harmony Search. Pattern Recognit. Lett. 2013, 34, 1140–1154. [Google Scholar]
- Modi, C.; Patel, D.; Borisaniya, B.; Patel, H.; Patel, A.; Rajarajan, M. A survey of intrusion detection techniques in Cloud. J. Netw. Comput. Appl. 2013, 36, 42–57. [Google Scholar]
- Liu, G.; Wang, X. Homomorphic subspace MAC scheme for secure network coding. ETRI J 2013, 35, 173–176. [Google Scholar]
- Li, X.; Wang, X.; Xu, X.; Jin, L. A distributed implementation algorithm for physical layer security based on untrusted relay cooperation and artificial noise. ETRI J 2014, 36, 183–186. [Google Scholar]
- Santos, I.; Brezo, F.; Ugarte-Pedrero, X.; Bringas, P.G. Opcode sequences as representation of executables for data-mining-based unknown malware detection. Inf. Sci. 2013, 231, 64–82. [Google Scholar]
- Qin, Y.; Tong, W.; Liu, J.; Zhu, Z. SmSD:A smart secure deletion scheme for SSDs. J. Converg. 2013, 4, 30–35. [Google Scholar]
- Younghee, P.; Reeves, D.S.; Stamp, M. Deriving common malware behavior through graph clustering. Comput. Secur. 2012, 39, 419–430. [Google Scholar]
- Yong, Q.; He, J.; Yang, Y.; Ji, L. Analyzing malware by abstracting the frequent itemsets in API call sequences, In Proceedings of the 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), Victoria, Australia, 16–18 July 2013; pp. 265–270.
- Abuzaid, A.M.; Saudi, M.M.; Taib, B.M.; Zul Hilmi, A. An efficient trojan horse classification (ETC), IJCSI. Int. J. Comput. Sci. Issues. 2013, 10, 96–103. [Google Scholar]
- Nissim, N.; Moskovitch, R.; Rokach, L.; Elovici, Y. Novel active learning methods for enhanced PC malware detection in windows OS. Expert Syst. Appl. 2014, 41, 5843–5857. [Google Scholar]
- Malkawi, M.; Murad, O. Artificial neuro fuzzy logic system for detecting human emotions. Hum.-Centric Comput. Inf. Sci. 2013. [Google Scholar] [CrossRef]
- Verma, O.P.; Jain, V.; Gumber, R. Simple fuzzy rule based edge detection. J. Inf. Process. Syst. 2013, 9, 575–591. [Google Scholar]
- Rasheed, H. Data and infrastructure security auditing in cloud computing environments. Int. J. Inf. Manag. 2014, 34, 364–368. [Google Scholar]
- Jouini, M.; Rabai, L.B.A.; Aissa, A.B. Classification of security threats in information systems 489–496.
|Type||Step of Attack
|Step||Attack Method||Detection Method||Prevention Method|
|1||Port Scan, Social Engineering||NIDS, Router logs, Web logs, Firewall logs||Firewall ACL, Security Education|
|2||Spear Phishing, Infection USB, Infected Website, Watering Hole||HIDS, NIDS, Mail Filter, Web Application Filter||NIPS, Application Firewall|
|3||Rootkit, C&C Server,||HIDS, NIDS, Antivirus||Firewall ACL, NIPS|
|4||Malware, Botnet||NIDS, HIDS||Network Segmentation|
|5||Malware, Botnet||HIDS, NIDS, Antivirus, Logging, Audit trail||NIPS|
|6||Malware, Botnet||NIDS, HIDS, Antivirus, Logging, Audit trail||Firewall ACL, Network Segmentation|
|7||Rootkit, Altering Log Records, Altering File Dates||Virus scanners, Traffic lensors||HIPS, NIPS|
© 2014 by the authors; licensee MDPI, Basel, Switzerland This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution license (http://creativecommons.org/licenses/by/4.0/).
Share and Cite
Moon, D.; Im, H.; Lee, J.D.; Park, J.H. MLDS: Multi-Layer Defense System for Preventing Advanced Persistent Threats. Symmetry 2014, 6, 997-1010. https://doi.org/10.3390/sym6040997
Moon D, Im H, Lee JD, Park JH. MLDS: Multi-Layer Defense System for Preventing Advanced Persistent Threats. Symmetry. 2014; 6(4):997-1010. https://doi.org/10.3390/sym6040997Chicago/Turabian Style
Moon, Daesung, Hyungjin Im, Jae Dong Lee, and Jong Hyuk Park. 2014. "MLDS: Multi-Layer Defense System for Preventing Advanced Persistent Threats" Symmetry 6, no. 4: 997-1010. https://doi.org/10.3390/sym6040997