Multi-Agent System for APT Detection
Multi-Agent System for APT Detection
Wim Mees & Thibault Debatty
2nd IEEE International Workshop on Reliability and Security Data Analysis (RSDA 2014)

APTs: MiniDuke … and all others!
● MiniDuke – Targeted PDF + 0-day exploit – June 2012 → February 2013
● Belgacom – Fake, targeted LinkedIn pages – 2010 → June 2013
● …
Attackers WILL succeed
Achieve early detection

The approach
● Analysis at choke point
● Multi-agent
● Human analyst

Agents
● Frequency analysis
● Time-domain impulse
● Upload
● Domain name fan-in, fan-out
● Geographic outlier
● Domain name age
● URL reputation
● …

Aggregation
● Ordered Weighted Averaging (Yager)
  – E.g.: weights 0.2, 0.3, 0.5, 0.0
● Agent activation logic
  – Run "light" agents on all clients
  – Activate "heavy" agents on suspicious clients
    (client honeypot, IDS, long-term analysis, …)
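The two slides above (the list of light agents and the OWA aggregation with agent activation) are illustrated here in one worked example. This is added example code, not the authors' system: the four light agents, the normalisation caps, the activation threshold of 0.5, the proxy-log records and the domain ages are all constructed assumptions; only the OWA weights (0.2, 0.3, 0.5, 0.0) come from the slide.

```python
import statistics
from collections import defaultdict

# Constructed sample proxy log: (epoch_seconds, client_ip, domain, bytes_out)
SAMPLE_LOG = [
    (0, "10.0.0.5", "intranet.example.org", 200),
    (37, "10.0.0.5", "news.example.com", 300),
    (120, "10.0.0.5", "intranet.example.org", 150),
    (400, "10.0.0.5", "mail.example.net", 500),
    (0, "10.0.0.9", "cdn-update.example.xyz", 4000),
    (300, "10.0.0.9", "cdn-update.example.xyz", 4000),
    (600, "10.0.0.9", "cdn-update.example.xyz", 4000),
    (900, "10.0.0.9", "cdn-update.example.xyz", 4000),
    (1200, "10.0.0.9", "cdn-update.example.xyz", 4000),
]

# Constructed domain ages in days (a real agent would query WHOIS / passive DNS)
DOMAIN_AGE_DAYS = {
    "intranet.example.org": 2000,
    "news.example.com": 3650,
    "mail.example.net": 1500,
    "cdn-update.example.xyz": 73,
}

# Assumed normalisation constants for the light agents
FANOUT_CAP = 10        # distinct domains at which the fan-out score saturates
UPLOAD_CAP = 10_000    # bytes uploaded at which the upload score saturates
MAX_DOMAIN_AGE = 365   # domains older than this get an age score of 0

# OWA weights from the slide; weight i applies to the i-th largest agent score
OWA_WEIGHTS = (0.2, 0.3, 0.5, 0.0)
ACTIVATION_THRESHOLD = 0.5   # assumed; at or above this the heavy agents are launched
HEAVY_AGENTS = ("client honeypot", "IDS", "long-term analysis")


def clamp(x):
    return max(0.0, min(1.0, x))


def fan_out_agent(records):
    """Domain name fan-out: how many distinct domains did the client contact?"""
    return clamp(len({r[2] for r in records}) / FANOUT_CAP)


def upload_agent(records):
    """Upload volume: total bytes sent out by the client."""
    return clamp(sum(r[3] for r in records) / UPLOAD_CAP)


def domain_age_agent(records):
    """Domain name age: youngest domain contacted by the client scores highest."""
    return max(clamp(1.0 - DOMAIN_AGE_DAYS[r[2]] / MAX_DOMAIN_AGE) for r in records)


def impulse_agent(records):
    """Time-domain impulse: regular inter-request gaps to one domain (beaconing)
    give a low coefficient of variation and therefore a high score."""
    by_domain = defaultdict(list)
    for ts, _, domain, _ in sorted(records):
        by_domain[domain].append(ts)
    best = 0.0
    for stamps in by_domain.values():
        if len(stamps) < 3:           # too few requests to judge regularity
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        best = max(best, clamp(1.0 - cv))
    return best


LIGHT_AGENTS = (fan_out_agent, upload_agent, domain_age_agent, impulse_agent)


def owa(scores, weights=OWA_WEIGHTS):
    """Yager's Ordered Weighted Averaging: sort scores descending, then take the
    weighted sum, so the weights express how many agents must agree."""
    ordered = sorted(scores, reverse=True)
    return sum(w * s for w, s in zip(weights, ordered))


def analyse(log=SAMPLE_LOG):
    """Run the light agents per client, aggregate with OWA and decide whether
    the heavy agents should be activated for that client."""
    per_client = defaultdict(list)
    for rec in log:
        per_client[rec[1]].append(rec)
    report = {}
    for client, records in per_client.items():
        scores = [agent(records) for agent in LIGHT_AGENTS]
        score = owa(scores)
        report[client] = {
            "agent_scores": scores,
            "owa": score,
            "activate": list(HEAVY_AGENTS) if score >= ACTIVATION_THRESHOLD else [],
        }
    return report


if __name__ == "__main__":
    for client, r in analyse().items():
        print(client, r)
```

With the slide's weights, the smallest of the four scores carries weight 0.0 and the third-largest carries 0.5, so a single alarming agent can raise the aggregate to at most 0.2 and at least three agents have to agree before a client crosses the threshold; this is how OWA turns a handful of noisy light agents into a quorum rule without any agent being able to veto or to trigger on its own.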

First results
● Synthetic network traffic + simulated APT traces (from literature)
● Real network traffic (anonymized) + simulated APT traces (from literature)
● Real network traffic (anonymized) + simulated APT traces + human interaction (whitelisting)

Conclusions & future work …
● Promising approach (modular design)
● Current work:
  – Additional agents (SMTP, IDS, client honeypot, …)
  – Choose OWA coefficients to maximize area under ROC curve
  – Test on real network traffic and APT traces
● Future work:
  – Human feedback integration
  – Time behavior
  – Integration with SIEM
  – Comparison with other tools

Thank you!

Contact
Thibault Debatty
Royal Military Academy
Brussels, Belgium
www.rma.ac.be