CAPTAIN: Community-based Advanced Persistent Threat Analysis in IT Networks (Received Revision from the International Journal of Critical Infrastructure Protection (Q2-JCR), July 2022).
Abstract: Today, organizations with valuable information assets and critical infrastructure suffer from targeted cybersecurity attacks such as Advanced Persistent Threats (APTs). The attackers behind APT attacks are highly skilled, well-funded, and extremely persistent, with a specific goal: exfiltrating information from the target network or undermining its key services. APT attacks have a life-cycle consisting of multiple stages, called the Intrusion Kill Chain (IKC) or Cyber Kill Chain (CKC). As one of the most common approaches to dealing with these attacks, the organization's security staff use various heterogeneous security and non-security sensors in different lines of defense of the monitored network (Network, Host, and Application) to log the attacker's intrusive activities and model their behavior from the logged events in order to detect the IKC of APT attacks. To this aim, numerous methods have been proposed in the literature, which have the following three main drawbacks: 1) inability to use both security and non-security sensors at the three mentioned detection levels in event correlation analysis, 2) high dependence on expert knowledge to set up and maintain common attack patterns, and 3) inability to provide a graphical model that lets security administrators better track ongoing attacks in a monitored network. To address these issues and challenges, this paper presents the CAPTAIN framework, a system that implements a new graph-based attacker behavior modeling method for detecting the IKC of APT attacks through correlation analysis of events logged by heterogeneous sensors at different detection levels (Network, Host, and Application) and knowledge discovery on the resulting graph. The input of CAPTAIN is the raw events logged by the sensors, and the output is the IKC of the APT attack scenario. The CAPTAIN framework is a 4-tier event correlation and IKC detection analysis comprising nine distinct components.
In this framework, after receiving the events logged by the various sensors, the events are modeled into an Event Correlation Graph (ECG). Distinct event communities are then detected in the generated ECG, and the malicious communities that are part of an APT campaign are labeled using Indicators of Attack (IoAs) that reflect the intent of each IKC stage. Next, the interconnections between labeled communities are found and used to construct a directed community graph (DCG), from which the IKC of the APT attack is extracted by applying Depth First Search (DFS) to the resulting DCG. Our evaluation results on two standard datasets, Bryant and DARPA, indicate that CAPTAIN is robust and reliable under high event volumes and can detect the IKCs of APT attacks with high accuracy and low false positive rates.
Link: -
Cite: Ali Ahmadian Ramaki, Abbas Ghaemi Bafghi, Abbas Rasoolzadegan. CAPTAIN: Community-based Advanced Persistent Threat Analysis in IT Networks. Received Revision from the International Journal of Critical Infrastructure Protection, July 2022.
DOI: -
Supplementary Material: CAPTAIN_Sup-Mat
------------------------------------------------------------------------------------------------------------------------------------------------
Towards event aggregation for reducing the volume of logged events during IKC stages of APT attacks (Has been Accepted in the ISeCure Journal (ISI), July 2022).
Abstract: Targeted attacks like Advanced Persistent Threats (APTs) have become a primary concern of many enterprise networks. As a common approach to counter these attacks, security staff deploy various security and non-security sensors at different lines of defense (Network, Host, and Application) to track the attacker's behavior during their kill chain. However, one of the drawbacks of this approach is the massive number of events raised by heterogeneous security and non-security sensors. This makes it challenging to analyze the logged events for later processing, i.e., event correlation for timely detection of APT attacks. Some research papers have been published on event aggregation to reduce the volume of logged low-level events. However, most of these works provide a method to aggregate the events of a single-type, homogeneous event source, i.e., a NIDS. In addition, their main focus is only on the degree to which the event volume is reduced, while the amount of security information lost during the event aggregation process is also significant. In this paper, we propose a three-phase event aggregation method to reduce the volume of logged heterogeneous events during APT attacks while keeping the loss of security information as low as possible. To this aim, the sensors' low-level events are first clustered into similar event groups. Then, after filtering noisy event clusters, the remaining clusters are summarized based on an Attribute-Oriented Induction (AOI) method in a controllable manner to reduce unimportant or duplicated events. The method has been evaluated on three publicly available datasets: SotM34, Bryant, and LANL. The experimental results show that the method is efficient enough in event aggregation and can reduce event volume by up to 99.7% with an acceptable information loss ratio (ILR) level.
Link: In Press
Cite: Ali Ahmadian Ramaki, Abbas Ghaemi Bafghi, Abbas Rasoolzadegan. Towards event aggregation for reducing the volume of logged events during IKC stages of APT attacks. Accepted in the ISeCure Journal, July 2022.
DOI: In Press
------------------------------------------------------------------------------------------------------------------------------------------------
CAPTAIN: Community-based Advanced Persistent Threat Analysis in IT Networks (Submitted to the Journal, September 2021).
Abstract: Today, organizations with valuable information assets and critical infrastructure suffer from targeted cybersecurity attacks such as Advanced Persistent Threats (APTs). The attackers behind APT attacks are highly skilled, well-funded, and extremely persistent, with a specific goal: exfiltrating information from the target network or undermining its key services. APT attacks have a life-cycle consisting of multiple stages, called the Intrusion Kill Chain (IKC) or Cyber Kill Chain (CKC). As one of the most common approaches to dealing with these attacks, the organization's security staff use various heterogeneous security and non-security sensors in different lines of defense of the monitored network (Network, Host, and Application) to log the attacker's intrusive activities and model their behavior from the logged events in order to detect the IKC of APT attacks. To this aim, numerous methods have been proposed in the literature, which have the following three main drawbacks: 1) inability to use both security and non-security sensors at the three mentioned detection levels in event correlation analysis, 2) high dependence on expert knowledge to set up and maintain common attack patterns, and 3) inability to provide a graphical model that lets security administrators better track ongoing attacks in a monitored network. To address these issues and challenges, this paper presents the CAPTAIN framework, a system that implements a new graph-based attacker behavior modeling method for detecting the IKC of APT attacks through correlation analysis of events logged by heterogeneous sensors at different detection levels (Network, Host, and Application) and knowledge discovery on the resulting graph. The input of CAPTAIN is the raw events logged by the sensors, and the output is the IKC of the APT attack scenario. The CAPTAIN framework is a 4-tier event correlation and IKC detection analysis comprising nine distinct components.
In this framework, after receiving the events logged by the various sensors, the events are modeled into an Event Correlation Graph (ECG). Distinct event communities are then detected in the generated ECG, and the malicious communities that are part of an APT campaign are labeled using Indicators of Attack (IoAs) that reflect the intent of each IKC stage. Next, the interconnections between labeled communities are found and used to construct a directed community graph (DCG), from which the IKC of the APT attack is extracted by applying Depth First Search (DFS) to the resulting DCG. Our evaluation results on two standard datasets, Bryant and DARPA, indicate that CAPTAIN is robust and reliable under high event volumes and can detect the IKCs of APT attacks with high accuracy and low false positive rates.
Link: -
Cite: Ali Ahmadian Ramaki, Abbas Rasoolzadegan, Abbas Ghaemi Bafghi. CAPTAIN: Community-based Advanced Persistent Threat Analysis in IT Networks. Submitted to the Journal, September 2021.
DOI: -
------------------------------------------------------------------------------------------------------------------------------------------------
Towards event aggregation for reducing the volume of logged events during IKC stages of APT attacks (Published in arXiv, August 2021).
Abstract: Nowadays, targeted attacks like Advanced Persistent Threats (APTs) have become one of the major concerns of many enterprise networks. As a common approach to counter these attacks, security staff deploy a variety of security and non-security sensors at different lines of defense (Network, Host, and Application) to track the attacker's behavior during their kill chain. However, one of the drawbacks of this approach is the huge number of events raised by heterogeneous security and non-security sensors, which makes it difficult to analyze the logged events for later processing, i.e., event correlation for timely detection of APT attacks. To date, some research papers have been published on event aggregation for reducing the volume of logged low-level events. However, most of these works provide a method to aggregate the events of a single-type, homogeneous event source, i.e., a NIDS. In addition, their main focus is only on the degree to which the event volume is reduced, while the amount of security information lost during the event aggregation process is also very important. In this paper, we propose a three-phase event aggregation method to reduce the volume of logged heterogeneous events during APT attacks while keeping the loss of security information as low as possible. To this aim, the sensors' low-level events are first clustered into similar event groups; then, after filtering noisy event clusters, the remaining clusters are summarized based on an Attribute-Oriented Induction (AOI) method in a controllable manner to reduce unimportant or duplicated events. The method has been evaluated on three publicly available datasets: SotM34, Bryant, and LANL. The experimental results show that the method is efficient enough in event aggregation and can reduce event volume by up to 99.7% with an acceptable level of information loss ratio (ILR).
Link: http://arxiv.org/abs/2109.14303
Cite: Ali Ahmadian Ramaki, Abbas Ghaemi Bafghi, Abbas Rasoolzadegan. Towards event aggregation for reducing the volume of logged events during IKC stages of APT attacks. Submitted to the Journal, August 2021.
DOI: -
------------------------------------------------------------------------------------------------------------------------------------------------
Abstract: One of the main security concerns of enterprise-level organizations that provide network-based services is combating complex cybersecurity attacks like advanced persistent threats (APTs). The main features of these attacks are that they are multilevel, multi-step, long-term, and persistent. They also follow an intrusion kill chain (IKC) model to proceed through the attack steps and reach their goals on the targets. Traditional security solutions like firewalls and intrusion detection and prevention systems (IDPSs) are not able to prevent or block APT attack strategies. Recently, deception techniques have been proposed to defend network assets against malicious activities during IKC progression. One of the most promising approaches against APT attacks is Moving Target Defense (MTD). MTD techniques can be applied dynamically to attack steps at any abstraction level of a networked infrastructure (application, host, and network) to disrupt the successful execution of any in-progress IKC. In this paper, after presenting and discussing the commonly introduced IKCs, one of them is selected and used for further analysis. Then, after proposing a new and comprehensive taxonomy of MTD techniques at the different levels, a mapping analysis is conducted between IKC models and existing MTD techniques. Finally, the effect of MTD is evaluated in a case study (specifically IP Randomization). The experimental results show that MTD techniques provide better means to defend against IKC-based intrusion activities.
Link: https://ieeexplore.ieee.org/abstract/document/8566531/
Cite: Khosravi-Farmad, M., Ramaki, A. A., & Bafghi, A. G. (2018, October). Moving Target Defense Against Advanced Persistent Threats for Cybersecurity Enhancement. In 2018 8th International Conference on Computer and Knowledge Engineering (ICCKE) (pp. 280-285). IEEE.
------------------------------------------------------------------------------------------------------------------------------------------------
Abstract: Intrusion alert analysis is an attractive and active topic in the area of intrusion detection systems. In recent decades, many research communities have been working in this field. The main objective of this article is to achieve a taxonomy of research fields in intrusion alert analysis by using a systematic mapping study of 468 high-quality papers. The results show that there are 10 different research topics in the field, which can be classified into three broad groups: pre-processing, processing, and post-processing. The processing group contains most of the research works, and the post-processing group is newer than others.
Link: https://dl.acm.org/citation.cfm?id=3184898
Cite: Ali Ahmadian Ramaki, Abbas Rasoolzadegan, Abbas Ghaemi Bafghi: A Systematic Mapping Study on Intrusion Alert Analysis in Intrusion Detection Systems. ACM Computing Surveys. 51(3): 55:1-55:41 (2018).
DOI: 10.1145/3184898
------------------------------------------------------------------------------------------------------------------------------------------------
Abstract: Intrusion detection is a process in which a set of methods is used to detect malicious activities against the victims. Many techniques for detecting potential intrusions in software systems have already been introduced. One of the most important machine-learning-based techniques for intrusion detection is the use of Hidden Markov Models (HMM). In recent decades, many research communities have been working toward HMM-based intrusion detection. Therefore, a large volume of research works has been published and, hence, various research areas have emerged in this field. However, until now, there has been no systematic and up-to-date review of the research works within the field. This paper aims to survey the research in this field and to identify open problems and challenges based on an analysis of the advantages, limitations, types of architectural models, and applications of current techniques. Six different architectural models for intrusion detection purposes are proposed in the literature. We compare these models based on performance criteria in order to select an appropriate type for a specific application. The results show that HMM-based intrusion detection techniques have 6 main advantages relative to other machine learning techniques: precise intrusion detection, the ability to detect new and unknown intrusions, prediction of the intruder's potential next steps, usability in real-time applications by processing data streams on-the-fly, the use of heterogeneous data sources as input, and visual representation of the acquired knowledge.
Link: https://onlinelibrary.wiley.com/doi/abs/10.1002/sam.11377
Cite: Ali Ahmadian Ramaki, Abbas Rasoolzadegan, Abbas Javan Jafari: A systematic review on intrusion detection based on the Hidden Markov Model. Statistical Analysis and Data Mining 11(3): 111-134 (2018).
DOI: 10.1002/sam.11377
------------------------------------------------------------------------------------------------------------------------------------------------
Abstract: In order to understand the security level of an organization's network, detection methods are important for tackling the probable risks of attackers' malicious activities. Intrusion detection systems, as detection solutions within the defense-in-depth concept, are one of the main devices for recording and analyzing suspicious behavior. Besides the benefits of these systems for security enhancement, they also bring some challenges and issues for security administrators. The large number of raw alerts generated by intrusion detection systems clearly reflects the need for a novel proactive alert correlation framework to reduce redundant alerts, correlate security incidents, discover and model multi-step attack scenarios, and track them. Several alert correlation frameworks have been proposed in the literature, but the majority of them address alert correlation in offline settings. In this paper, we propose a three-phase alert correlation framework that processes the generated alerts in real time, correlates the alerts with the aid of causal knowledge discovery to automatically extract causal relationships between alerts, constructs the attack scenarios using the Bayesian network concept, and predicts the next goal of the attacks using the created attack prediction rules. Experimental results show that the proposed scalable framework is efficient enough in learning and detecting known and unknown multi-step attack scenarios without using any predefined knowledge. The results also show that the proposed framework perfectly estimates complex attacks before they can damage the assets of the network.
Link: https://onlinelibrary.wiley.com/doi/abs/10.1002/sec.1756
Cite: Ali Ahmadian Ramaki, Abbas Rasoolzadegan: Causal knowledge analysis for detecting and modeling multi-step attacks. Security and Communication Networks 9(18): 6042-6065 (2016).
DOI: 10.1002/sec.1756
------------------------------------------------------------------------------------------------------------------------------------------------
Abstract: With the advent of new technologies and the various services provided in the context of computer networks, a large volume of data is being generated. The main challenge in this area is providing network protection services against various threats and vulnerabilities. So far, many techniques have been proposed to deal with these threats. All of these techniques pursue the same goal: preventing attackers from reaching their objectives. A solution based on early warning systems (EWSs) is exactly what security teams need to manage the threats properly. An EWS, as a complement to Intrusion Detection Systems, is a proactive approach against security threats. This is carried out through the early detection of the potential behavior of a system, evaluating the scope of malicious behavior, and finally, using a suitable response against any kind of detectable security event. This paper presents a comprehensive review of EWSs, including definitions, applications, architectures, alert correlation aspects, and other technical requirements. Furthermore, previous studies and existing EWSs are described and analyzed here. A classification of EWSs is presented: commercial systems and systems under research and development. Finally, from the studies on EWSs, we conclude that some challenges and research issues still remain open.
Link: https://onlinelibrary.wiley.com/doi/abs/10.1002/sec.1647
Cite: Ali Ahmadian Ramaki, Reza Ebrahimi Atani: A survey of IT early warning systems: architectures, challenges, and solutions. Security and Communication Networks 9(17): 4751-4776 (2016).
DOI: 10.1002/sec.1647
------------------------------------------------------------------------------------------------------------------------------------------------
Abstract: Today, from an information security perspective, prevention methods alone are not enough. Early Warning Systems (EWSs) are in the category of reactive methods. These systems complement Intrusion Detection Systems (IDSs), and their main goals include early detection of potential malicious behavior in large-scale environments such as the national level. An important process in EWSs is the analysis and correlation of alerts aggregated from the installed sensors (e.g., IDSs, IP telescopes, and botnet detection systems). In my MSc. thesis, an efficient framework for alert correlation in EWSs is proposed, called the Real Time Episode Correlation Algorithm (RTECA). The framework includes a correlation scheme based on a combination of statistical and stream mining techniques. The method works in real time by extracting critical episodes from sequences of alerts, which could be part of multi-step attack scenarios. A Causal Correlation Matrix (CCM) is used for encoding the correlation strength between alert types in attack scenarios. Experimental results show that RTECA is efficient enough in detecting known attack scenarios and new attack strategies. The results also show that the system is able to predict the next steps of the attack with up to 95% accuracy under special circumstances.
Link: http://www.sciencedirect.com/science/article/pii/S0167404814001527
Cite: Ali Ahmadian Ramaki, Morteza Amini, Reza Ebrahimi Atani: RTECA: Real time episode correlation algorithm for multi-step attack scenarios detection. Computers & Security 49: 206-219 (2015).