دانلود رایگان مقاله تحلیل حجم بالای ترافیک شبکه برای تشخیص تهدید مداوم پیشرفته

Abstract

Advanced Persistent Threats (APTs) are the most critical menaces to modern organizations and the most challenging attacks to detect. They span over long periods of time, use encrypted connections and mimic normal behaviors in order to evade detection based on traditional defensive solutions. We propose an innovative approach that is able to analyze efficiently high volumes of network traffic to reveal weak signals related to data exfiltrations and other suspect APT activities. The final result is a ranking of the most suspicious internal hosts; this rank allows security specialists to focus their analyses on a small set of hosts out of the thousands of machines that typically characterize large organizations. Experimental evaluations in a network environment consisting of about 10K hosts show the feasibility and effectiveness of the proposed approach. Our proposal based on security analytics paves the way to novel forms of automatic defense aimed at early detection of APTs in large and continuously varying networked systems.

8. Conclusions

We have proposed the first framework that is able to identify and rank suspicious hosts possibly involved in data exfiltrations related to APTs. Our approach gathers and analyzes only network traffic data. We propose a set of features that is specifically tailored to detect possible data exfiltrations, and we define a suspiciousness score for each internal host. The final output is a ranked list of suspicious hosts possibly involved in data exfiltrations and other APT-related activities. The effectiveness of the proposed solution has been proved by implementing a prototype that is deployed on a real large network environment. The proposed approach is able to analyze about 140 millions of flows related to approximately 10,000 internal hosts in about 2 minutes. Experimental results demonstrate the ability of the framework to identify burst and low-and-slow exfiltrations. Our proposal paves the way to novel forms of efficient and automated traffic analyses related to APT activities. Future work includes the integration of correlation systems with respect to other network security assets, such as data flows and alerts coming from intrusion detection systems.