Authors: Byung-Ik Kim, Hong-Koo Kang, Tae-Jin Lee, Hae-Ryong Park

Abstract:

Cyber terrors against specific enterprises or countries have been increasing recently. Such attacks against specific targets are called advanced persistent threat (APT), and they are giving rise to serious social problems. The malicious behaviors of APT attacks mostly affect websites and penetrate enterprise networks to perform malevolent acts. Although many enterprises invest heavily in security to defend against such APT threats, they recognize the APT attacks only after the latter are already in action. This paper discusses the characteristics of APT attacks at each step as well as the strengths and weaknesses of existing malicious code detection technologies to check their suitability for detecting APT attacks. It then proposes a network-based malicious behavior detection algorithm to protect the enterprise or national networks.

Keywords: Advanced Persistent Threat, Malware, Network Security, Network Packet, Exploit Kits.

Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1089243

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 1508

References:

[1] Michael K. Daly, "The Advanced Persistent Threat,” LISA `09
[2] Mandiant, the Advanced Persistent Threat, M. Trends, 2010
[3] Giura.P, Wei Wang, "A Context-Based Detection Framework for Advanced Persistent Threats,” Cyber Security 2012 International Conference, pp. 69-74, 2012
[4] Ajay K. Sood, "Modern Malware and APT: What You May be Missing and Why’” AtlSecCon, March 2012
[5] Gang Wang, Jack W. Storkes, Cormac Herley, DividFelstead, "Detecting Malicious Landing Pages in Malware Distribution Networks,” 2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp.1-11, June 2013
[6] J. Zhang, C. Seifert, J. W. Stokes, and W. Lee., "ARROW: Generating signatures to detect drive-by downloads,” In Proceedings of the 20th Annual World Wide Web Conference (WWW), pp. 187-196, Hyderabad, India, March 28 - Apr. 1, 2011
[7] BITS, "Malware Risk and Mitigation Report,” BITS, June 2011
[8] Niels Provos Panayiotis Mavrommatis Moheeb Abu Rajab Fabian Monrose, "All Your iFRAMEs Point to Us,” Google Technical Report provos-2008
[9] Y. Wang, D. Beck, X. Jiang, R. Roussev, C. Verbowski, S. Chen and S. King, "Automated Web Patrol With Strider Honeymonkeys: Finding Web Sites That Exploit Browser Vulnerabilities", in 13th Annual Network and Distributed System Security Symposium. San Die: Internet Society, 2006
[10] Christian Seifert, Ian Welch and Peter Komisarczuk, "Application of divide-and-conquer algorithm paradigm to improve the detection speed of high interaction client honeypot", SAC'08, pp. 1426-1432, March 2008
[11] Ali Ikinci, Thorsten Holz, and Felix Freiling. (2008). "Monkey-Spider: Detecting Malicious WebSites with Low-Interaction Honeyclients,” In Proceeding of Sicherheit, Schutz and Zuverl.
[12] A. Moshchuk, T. Bragin, S. D. Gribble, and H. M. Levy, "A crawlerbased study of spyware on the web,” in Proc. NDSS, 2006.
[13] Long Lu, Vinod Yegneswaran, Phillip Porras, Wenke Lee "BLADE: An Attack-Agnostic Approach for Preventing Drive-By Malware Infection", CCS'10, 10.2010.
[14] Wepawet, http://wepawet.iseclab.org, UCSB
[15] Monkey Wrench, http://monkeywrench.de, G Data Software AG
[16] Jon Oliver, Sandra Cheng, Lala Manly, Joey Zhu, Roland Dela Paz, Sabrina Sioting, and Jonathan Leopando "Blackhole Exploit Kit: A Spam Campaign, Not a Series of Individual Spam Runs,” Trend Micro Incorporated Research Paper, 2012
[17] Rebecca Wynn, "Exploit Kits – Cybercrime Made Easy,” Hakin9 IT Security Magazine, pp. 18-25, Jun 2011