APT detection through suspiciously compromised point analysis


Bibliographic Details
Main Authors: Tsai, Shan-Yu, 蔡珊鈺
Other Authors: Tseng, Chien-Chao
Format: Others
Language: zh-TW
Published: 2015
Online Access: http://ndltd.ncl.edu.tw/handle/2fh7zk
id ndltd-TW-104NCTU5394005
record_format oai_dc
spelling ndltd-TW-104NCTU5394005 2019-05-15T22:34:02Z http://ndltd.ncl.edu.tw/handle/2fh7zk APT detection through suspiciously compromised point analysis 威脅與受害嫌疑程度分析以進行 APT 偵測 (APT detection through analysis of threat and victim-suspicion levels) Tsai, Shan-Yu 蔡珊鈺 Master's thesis, National Chiao Tung University (國立交通大學), Institute of Computer Science and Engineering (資訊科學與工程研究所), academic year 104. In recent years companies and organizations have become victims of Advanced Persistent Threats (APTs), with the attendant risk that classified documents and material are disclosed. As cyber attacks become more organized and refined, traditional network security systems are no longer adequate for detecting APTs. Our research objective is to propose defense strategies derived from the characteristics of APTs, which are: (1) complicated and advanced attacks (zero-days or social engineering to achieve the initial intrusion); (2) a long latent period inside the internal network; (3) a precisely chosen target. The latent period accounts for up to seventy percent of the APT lifecycle. However, achieving visibility into the internal network is expensive in a traditional network. The emerging technique of Software Defined Networking (SDN) decouples the network control function from the network devices and moves it to a centralized controller. Because the controller has a global view of the network, internal network activity can be monitored far more easily. The long latent period in the internal network has rarely been addressed in previous research. This study proposes an internal threat detection and tracking system for software-defined networks. The method has two stages. First, an entropy-based anomaly analysis identifies the source hosts that may be causing anomalies; according to their level of anomaly, hosts are placed on a suspected-anomaly list. Second, the hosts on that list are tracked in order to bound their possible malicious influence; according to their contact degree, the hosts they touched are placed on a suspected-infection list.
Keywords: Advanced Persistent Threat (APT), Software Defined Network (SDN), Entropy, Network Infection. Advisors: Tseng, Chien-Chao (曾建超), Huang, Shih-Kun (黃世昆). 2015. Thesis (學位論文); 39; zh-TW
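The two-stage procedure the abstract describes, as an added Python illustration. This is not the thesis's code: the flow records are constructed, and the z-score thresholds and the definition of contact degree (number of flows from a suspected host to a candidate victim) are assumptions made for the example. Stage 1 computes each source's destination-address entropy over a window and places sources well above the population mean on the suspected-anomaly list; stage 2 counts one-hop contacts from those sources to produce the suspected-infection list.

```python
"""Entropy-based anomaly list, then contact-degree infection list.

Added illustration of the two-stage idea; not the thesis's implementation.
"""
from collections import Counter, defaultdict
from math import log2
from statistics import mean, pstdev

# Constructed flow records (src, dst, dst_port), the shape a controller could
# derive from OpenFlow flow statistics. 10.0.0.5 is written to behave like a
# host sweeping SMB/RDP across the subnet; the others keep small, stable peer sets.
FLOWS = [
    ("10.0.0.1", "10.0.0.10", 443), ("10.0.0.1", "10.0.0.10", 443),
    ("10.0.0.1", "10.0.0.11", 53),
    ("10.0.0.2", "10.0.0.10", 443), ("10.0.0.2", "10.0.0.10", 443),
    ("10.0.0.2", "10.0.0.10", 80),
    ("10.0.0.3", "10.0.0.11", 53), ("10.0.0.3", "10.0.0.11", 53),
    ("10.0.0.5", "10.0.0.20", 445), ("10.0.0.5", "10.0.0.20", 445),
    ("10.0.0.5", "10.0.0.20", 3389), ("10.0.0.5", "10.0.0.21", 445),
    ("10.0.0.5", "10.0.0.22", 445), ("10.0.0.5", "10.0.0.23", 445),
    ("10.0.0.5", "10.0.0.24", 445), ("10.0.0.5", "10.0.0.25", 445),
    ("10.0.0.5", "10.0.0.26", 445), ("10.0.0.5", "10.0.0.27", 445),
    ("10.0.0.8", "10.0.0.20", 22), ("10.0.0.8", "10.0.0.21", 22),
]


def entropy(counts):
    """Shannon entropy in bits of a Counter of symbol frequencies."""
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values() if c)


def destination_entropy(flows):
    """Per-source entropy of the destination-address distribution in the window."""
    per_src = defaultdict(Counter)
    for src, dst, _port in flows:
        per_src[src][dst] += 1
    return {src: entropy(c) for src, c in per_src.items()}


def suspected_anomalous(flows, z_medium=1.0, z_high=1.5):
    """Stage 1: rank sources by how far their destination entropy sits above the
    population mean. A host fanning out to many peers (scanning, lateral movement)
    has high entropy. The z-score cut-offs are illustrative assumptions."""
    ent = destination_entropy(flows)
    mu, sigma = mean(ent.values()), pstdev(ent.values())
    levels = {}
    for src, h in ent.items():
        z = (h - mu) / sigma if sigma else 0.0
        if z >= z_high:
            levels[src] = "high"
        elif z >= z_medium:
            levels[src] = "medium"
    return levels


def suspected_infected(flows, anomalous):
    """Stage 2: bound the reach of stage-1 hosts. Contact degree is taken here to
    be the number of flows from a suspected host to the candidate (assumption);
    a host already on the anomaly list is not re-listed as a victim."""
    degree = Counter()
    for src, dst, _port in flows:
        if src in anomalous and dst not in anomalous:
            degree[dst] += 1
    return dict(degree.most_common())


if __name__ == "__main__":
    anom = suspected_anomalous(FLOWS)
    print("suspected-anomaly list:", anom)
    print("suspected-infection list:", suspected_infected(FLOWS, anom))
```

Two caveats a practitioner would attach. A cross-host z-score over a handful of sources is statistically fragile; in production the comparison should be against each host's own baseline over earlier windows, which also matters for the long latent period the abstract stresses, since low-and-slow beaconing to a single peer has low destination entropy and is invisible to a fan-out measure. The contact count also ignores flow direction and timing, so it over-approximates the infected set, which is acceptable for a bound but not for attribution.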
collection NDLTD
language zh-TW
format Others
sources NDLTD
author2 Tseng, Chien-Chao
author_facet Tseng, Chien-Chao
Tsai, Shan-Yu
蔡珊鈺
author Tsai, Shan-Yu
蔡珊鈺
spellingShingle Tsai, Shan-Yu
蔡珊鈺
APT detection through suspiciously compromised point analysis
author_sort Tsai, Shan-Yu
title APT detection through suspiciously compromised point analysis
title_short APT detection through suspiciously compromised point analysis
title_full APT detection through suspiciously compromised point analysis
title_fullStr APT detection through suspiciously compromised point analysis
title_full_unstemmed APT detection through suspiciously compromised point analysis
title_sort apt detection through suspiciously compromised point analysis
publishDate 2015
url http://ndltd.ncl.edu.tw/handle/2fh7zk
work_keys_str_mv AT tsaishanyu aptdetectionthroughsuspiciouslycompromisedpointanalysis
AT càishānyù aptdetectionthroughsuspiciouslycompromisedpointanalysis
AT tsaishanyu wēixiéyǔshòuhàixiányíchéngdùfēnxīyǐjìnxíngaptzhēncè
AT càishānyù wēixiéyǔshòuhàixiányíchéngdùfēnxīyǐjìnxíngaptzhēncè
_version_ 1719131795200409600