Multi-Agent System for APT Detection

Multi-Agent System for APT Detection

Wim Mees & Thibault Debatty

2nd IEEE International Workshop on Reliability and Security Data Analysis (RSDA 2014)

Multi-Agent System for APT Detection 2

APTs : MiniDuke …


APTs : … and all others!

● MiniDuke– Targeted PDF + 0-day exploit– June 2012 → February 2013

● Belgacom– Fake, targeted, LinkedIn pages – 2010 → June 2013

● …


APTs : … and all others!

● MiniDuke– Targeted PDF + 0-day exploit– June 2012 → February 2013

● Belgacom– Fake, targeted, LinkedIn pages – 2010 → June 2013

● … Attackers WILL succeed

Achieve early detection


The approach

Analysis at choke point


The approach

Multi-agent


The approach

Human analyst


Agents

● Frequency analysis● Time-domain impulse● Upload● Domain name fan-in, fan-out● Geographic outlier● Domain name age● URL reputation● …


Aggregation

● Ordered Weighted Averaging (Yager)

– E.g. : 0.2, 0.3, 0.5, 0.0● Agent activation logic

– Run “light” agents on all clients– Activate “heavy” agent on suspicious clients

Client honeypot, IDS, long time analysis, …


First results

● Synthetic network traffic● Simulated APT traces (from literature)


First results

● Real network traffic (anonymized)● Simulated APT traces (from literature)


First results

● Real network traffic (anonymized)● Simulated APT traces (from literature)● Human interaction:

whitelisting


Conclusions & future work …

● Promising approach (modular design)

● Current work:– Additional agents (SMTP, IDS, client honeypot, …)– Choose OWA coefficients to maximize area under ROC curve– Test on real network traffic and APT traces

● Future work:– Human feedback integration– Time behavior– Integration with SIEM– Comparison with other tools


Thank you!


Contact

Thibault DebattyRoyal Military Academy

Brussels, Belgium

www.rma.ac.be

[email protected]

http://www.rma.ac.be/

mailto:[email protected]

Multi-Agent System for APT Detection

Internet

Transcript of Multi-Agent System for APT Detection