IAD Index of Academic Documents
Journal: Avrupa Bilim ve Teknoloji Dergisi, Issue 49 (Special Issue)

Forensic Analysis of APT Attacks based on Unsupervised Machine Learning

Authors: Mohammed ADNAN, Dima BSHARA, Ahmed AWAD
Pages: 75-82
DOI: 10.31590/ejosat.1265586
Views: 95 | Downloads: 380
Publication Date: 2023-03-31
Article Type: Research Paper
Abstract: Advanced Persistent Threats (APTs) have become a major concern for many enterprise networks. An APT can remain undetected for a long time span and lead to undesirable consequences such as theft of sensitive data, disrupted workflows, and so on. APTs often use evasion techniques to avoid detection by security systems such as an Intrusion Detection System (IDS), Security Event Information Management (SIEM) or firewalls. This also makes it difficult to identify the root cause through forensic analysis. Therefore, companies try to identify APTs by defining rules on their IDS. However, besides the time and effort needed to iteratively refine those rules, new attacks cannot be detected by them. In this paper, we propose a framework to detect and conduct forensic analysis of APTs in HTTP and SMTP traffic. At the heart of the proposed framework is a detection algorithm driven by unsupervised machine learning. Experimental results on public datasets demonstrate the effectiveness of the proposed framework, with a detection rate above 80% and a false-positive rate below 5%.
Keywords: Unsupervised Machine Learning, Advanced Persistent Threats (APTs), Forensic Analysis, HTTP, SMTP

