APTSHIELD: A Stable, Efficient and Real-Time APT Detection System for Linux Hosts

Advanced Persistent Threat (APT) attacks have caused massive financial loss worldwide. Researchers thereby have proposed a series of solutions to detect APT attacks, such as dynamic/static code analysis, traffic detection, sandbox technology, endpoint detection and response (EDR), etc. However, exis...

Full description

Saved in:
Bibliographic Details
Published in:IEEE transactions on dependable and secure computing 2023-11, Vol.20 (6), p.5247-5264
Main Authors: Zhu, Tiantian, Yu, Jinkai, Xiong, Chunlin, Cheng, Wenrui, Yuan, Qixuan, Ying, Jie, Chen, Tieming, Zhang, Jiabo, Lv, Mingqi, Chen, Yan, Wang, Ting, Fan, Yuan
Format: Article
Language:English
Subjects:
Advanced persistent threat
Compaction
Data collection
data compaction
Data processing
Dynamic characteristics
Forensics
Linux
Real time
real-time detection
Real-time systems
Semantics
Soft sensors
Static code analysis
Citations: Items that this one cites
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Advanced Persistent Threat (APT) attacks have caused massive financial loss worldwide. Researchers thereby have proposed a series of solutions to detect APT attacks, such as dynamic/static code analysis, traffic detection, sandbox technology, endpoint detection and response (EDR), etc. However, existing defenses are failed to accurately and effectively defend against the current APT attacks that exhibit strong persistent, stealthy, diverse and dynamic characteristics due to the weak data source integrity, large data processing overhead and poor real-time performance in the process of real-world scenarios. To overcome these difficulties, in this paper we propose APTSHIELD, a stable, efficient and real-time APT detection system for Linux hosts. In the aspect of data collection, audit is selected to stably collect kernel data of the operating system so as to carry out a complete portrait of the attack based on comprehensive analysis and comparison of existing logging tools; In the aspect of data processing, redundant semantics skipping and non-viable node pruning are adopted to reduce the amount of data, so as to reduce the overhead of the detection system; In the aspect of attack detection, an APT attack detection framework based on ATT&CK model is designed to carry out real-time attack response and alarm through the transfer and aggregation of labels. Experimental results on both laboratory and Darpa Engagement show that our system can effectively detect web vulnerability attacks, file-less attacks and remote access trojan attacks, and has a low false positive rate, which adds far more value than the existing frontier work.
ISSN:1545-5971
1941-0018
DOI:10.1109/TDSC.2023.3243667