Proposed Approach for Targeted Attacks Detection

. For years governments, organizations and companies have made great efforts to keep hackers, malware, cyber attacks at bay with different degrees of success. On the other hand, cyber criminals and miscreants produced more advanced techniques to compromise Internet infrastructure. Targeted attack or advanced persistent threat (APT) attack is a new challenge and aims to accomplish a specific goal, most often espionage. APTs are presently the biggest threat to governments and organizations. This paper states research questions and propose a novel approach to intrusion detection system processes network traffic and able to detect potential APT attack. This detection of APT attack is based on the correlation between the events which we get as outputs of our detection methods. Each detection method aims to detect one technique used in one of APT attack steps.


Introduction
Nowadays the cost of cyber attacks, malicious activities on Internet infrastructures, is estimated to somewhere between 100 billion to 1 trillion US dollars annually around the world [16]. Targeted attack or advanced persistent threat (APT) attack is a new challenge and aims to accomplish a specific goal, most often espionage. APTs are presently the biggest threat to governments and organizations [27]. These APTs create a problem for existent detection methods because the current techniques are based on known signatures of attacks and APTs often use new security holes for attacks. The financial losses due to a successful APT attack can be very high as it is confirmed through many previous research findings on APTs [24], [29], [14]. The expected economic effect of attacks is the major influence on investments in security measures [22].
In this paper we state our research questions and present our proposed approach for APT detection. In this research we are aiming to contribute to intrusion detection systems, particularly to APT attack detection. The goal of this work is to research a novel approach of intrusion detection processes network traffic and able to detect APT attack. The detection of APT attack is based on the correlation between the events which we get as outputs of our detection methods. We believe that the opportunity for using this approach in APTs detection is big and, to the best of our knowledge, still unexplored.
The remainder of this paper is organized as follows. State of the art is described in Section 2. We state our research questions in Section3. Section 4 presents our proposed approach for APT attack detection and Section 5 concludes the paper.

State of the Art
In January 2011, Google published the first report about APT. Known as Operation Aurora [24]; the attack has begun in the second half of 2009. It was considerably large-scale and is mentioned to have targeted 34 companies, including Dow Chemical, Morgan Stanley, Northrop Grumman, Symantec, Northrop Grumman and Yahoo, as well as Google itself. Later on, other research findings on APT attack are reported in [15], [29], [14].
Some researches have been done on analyzing already identified of APTs. In [18], the authors showed how to detect the N most likely infected hosts of the attack; their approach is based on the knowledge of previous APT attacks. By improving the performance in terms of false positives and detection rate, they developed a search engine for APT investigators to quickly reveal the possible infected hosts based on the features of a known APT infected host. They made use of N-gram based mechanisms.
During the year 2011, many targeted attacks were identified by Symantec. This large corpus of APTs was analyzed in-depth by the authors in [25]. Based on advanced TRIAGE data analytics, they were able to attribute many of advanced persistent threats to attack campaigns quite likely accomplished by the same individuals. They analyzed the dynamics and features of those attacks and presented new ideas into the modus operandi of attackers engaged in those campaigns.
By using an undirected graph in [17], the authors showed that APTs against the same target could be correlated. In addition, it is possible to identify clusters and create a map of APT activity that may uncover the activities of single group of malware writers.
With regards to detect potential targeted attack, in [12] they proposed a novel system to detect possible APT attack based on the information gathered on the host's side. The system depends on clustering techniques to classify groups of hosts that have a similar behavior with respect to the suspicious resources they request (e.g., C&C servers, drive-by downloads or exploit kits). The system was called SPuNge and implemented in a working prototype. SPuNge correlates the sites and industry data in which those hosts run (e.g., government or gas & oil) to detect interesting attack activities.
An abridged version of initial Duqu analysis was presented in [13]. A European corporation was targeted by a new malware, Duqu, and valuable information was stolen. The authors described the Duqu detector toolkit, a set of heuristic tools that they developed to detect Duqu and its variants.
Given the related works presented above, most of the above works focus on analyzing already identified campaigns, while the scope of our work is to present a new approach that detect possible APT attacks, none of the related works address explicitly the problem of detecting potential APT attacks by means of monitoring network traffic and correlation between detection methods of possible techniques used in APT attack life cycle.

Research Questions
To achieve the goal of this work we should answer the following research questions: Research question 1: What are the detection methods can be used for detecting possible techniques used through APT attack life cycle? To answer this question we have proposed 8 detection methods presented in Section 4. We will try to implement these methods in the first phase of our research. These proposed methods are not fixed; we can remove or suggest a new method based on the research progress.
Research question 2: How can we make the detection system resulting from our approach extensible and flexible? The attackers always try to find new techniques to perform APT attack, therefore each detection method should be independent from the other methods, so at any time we can add new method (for detecting new technique used in APT attack life cycle) to the system and correlate it with the other methods in the correlation framework. To achieve the flexibility, in the correlation framework it should be easy to remove or add a new rule for raising an alert on APT attack detection.
Research question 3: Is this approach able to handle the network traffic in the real-time? The detection system should support the real-time detection because if an attack, or an attempted attack, is detected quickly, then it can be much easier to trace back the attacker, minimize the damage and prevent further break-ins. To answer this question, in our approach and in the first phase, the detection methods should not depend on storing data and then analyzing it for detection. They should be able to process the network traffic in the real-time and submit their events to the next phase for correlation.
Research question 4: Is this approach effective? The effectiveness of the approach, which is its ability to detect APT attacks, should be high. This should be combined with a high accuracy resulting into a low number of false warnings. We expect that the chance at a false positive is lower when there is a direct link to other steps or correlation between the events. In order to achieve efficiency for our approach we should identify suitable rules for correlation between the events and this will depend on the evaluation of each detection method and will be done in the last phase of our research.

Proposed Approach
In this research we are aiming to contribute to intrusion detection systems, particularly to APT attack detection. The goal of this work is to research a novel approach of intrusion detection processes network traffic and able to detect APT attack. The detection of APT attack is based on the correlation between the events which we get as outputs of our detection methods. We believe that the opportunity for using this approach in APTs detection is big and, to the best of our knowledge, still unexplored.
We will implement our proposed approach on top of Bro intrusion detection system [20], [21]. Bro is a passive, open-source network traffic analyzer. It is primarily a security monitor that inspects all traffic on a link in depth for signs of suspicious activity. The most immediate benefit that we gain from deploying Bro is an extensive set of log files that record a network's activity in high-level terms. These logs include not only a comprehensive record of every connection seen on the wire, but also application-layer transcripts such as, e.g., all HTTP sessions with their requested URIs, key headers, MIME types, and server responses; DNS requests with replies; and much more.
Our proposed approach, as it is shown in Figure 1, consists of two main phases: In the first phase, we process the network traffic to detect possible techniques used in APT attack life cycle. To this end we have our detection methods; each detection method aims to detect one technique used in one of APT attack steps. Each detection method is independent from the other methods and should be evaluated before it is adopted. The outputs of these detection methods should be submitted to the second phase where correlated to raise an alert on APT attack.
In the second phase, we have the correlation framework, this framework takes the events (the outputs of our detection methods) as an input and correlates them according to rules specified by the user (we can specify those rules based on the evaluation of each method) to raise an alert on APT attack detection. The correlation method is based on voting between the detection methods to raise an alert on APT attack and the detection can be based on one, two or three events. We believe that this correlation will reduce the false positive rate of our detection system.
A key question in our research is: What are the detection methods can be used for detecting possible techniques used through APT attack life cycle. To answer this question taking into consideration the life cycle of APT attack, which is shown in Figure 2 [26], we have 8 detection methods should be implemented in the first phase of our research: 1. Intelligence gathering: This initial phase aims to get information about the target, like its organizational structure, IT environment and even about people who are working for that target. For this purpose, the attacker can use public sources (LinkedIn, Facebook, etc) and prepare a customized attack. 2. Initial compromise (Point of entry): Performed by use of social engineering and spear phishing, over email, using zero-day exploits. Another popular infection method was planting malware on a website that the victim employees will be likely to visit. The most common technique used for this step is spear phishing emails, which may contain link to malicious website, malicious attachment or link to malicious file. Method 1, from previous findings on APTs, we have a list of exploited domain names (FQDNS) used in APT attack [14], we can analyze the traffic of possible protocols used in sending and retrieving emails and if there is a link to one of exploited FQDNS, we can detect spear phishing attack. Method 2, detection of any connection to a malicious domains based on a blacklist of malicious domains [7], [6], [10], [2], [1], [4].  [14], if a match is found, we detect an attack.
3. Command and control (C&C) communication: After an organization's perimeter has been breached, continuous communication between the infected host and the C&C server should be preserved to instruct and guide the compromised machine. These communications are usually protected by Secure Sockets Layer (SSL) encryption, making it difficult to identify if the traffic directed to sites is malicious. Method 5, we have a blacklist of SSL certificates (from previous reports) [9], [19], so we can monitor SSL certificates and match with the blacklist, if a match is found, we detect an attack. Method 6, we have a blacklist of C&C servers [8], [5], [11], [3], any connection to one of those servers is an attack. Another technique can be used in this step is domain flux technique [28]; an exploited host may try to connect to a large number of domain names which are expected to be C&C servers. The goal of this technique is to make it difficult or even impossible to shut down all of these domain names. This technique leads to many of DNS query failures because not all of these domains are registered. Method 7, domain flux detection based on DNS query failure. 4. Lateral movement: Once getting an access to the target's network, the attacker laterally moves throughout the target's network searching for new hosts to infect. Some techniques used: Brute force and pass the hash attacks. 5. Asset/Data discovery: This step aims to identify and isolate the noteworthy assets within the target's network for future data exfiltration.
Since the traffic of the steps 4 and 5 are inside the compromised network, we cannot see it. 6. Data exfiltration: Data of interest is transmitted into external servers which are controlled by the attacker. There are some techniques used for data exfiltration like built-in file transfer, via FTP or HTTP and via the Tor anonymity network. Method 8, Tor connection detection based on Tor server list [23]. The blacklists of blacklist-based detection methods should be automatically updated each day and the detection by all methods should be in the real time.

Conclusion
In this paper we proposed a novel approach for detecting potential APT attack and presented the research questions which we should answer to achieve this goal. The detection of APT attack is based on the correlation between the detection methods of possible techniques used in APT attack life cycle. We believe that the opportunity for using this approach in APTs detection is big and, to the best of our knowledge, still unexplored.