Modeling and Analysis of Advanced Persistent Threats in Cyber Space

Publication Type:
Issue Date:
Full metadata record
Advanced Persistent Threat (APT), a professional cyber threat as indicated by its name, has become a type of significant risk in modern society. APT attackers employ various advanced attack technologies to carry out attacks in multiple stages over a long period of time. Due to its complexity, APT research is challenging and incomplete. This thesis proposes a series of models to analyze key processes of APT, i.e., social attack, propagation, and remote control. To be specific, game theoretic models are proposed to describe social network attacks, and epidemic models based on the susceptible-infected-susceptible process are developed to capture the propagation process; machine learning methods are adopted to detect the remote control traffic. The main contributions of this thesis can be summarized as follows. • This thesis proposes infinitely repeated games to capture the interactions between a message publisher and the administrator to suppress social attack messages. Critical conditions, under which the publisher can be disincentivized to send any attack messages, are identified. Closed-form expressions are established to give the maximum number of attack messages from an attacker in the absence or presence of misclassification on genuine messages. • This thesis proposes a new approach to model the propagation of APT across non-trivial networks. A discrete-time absorbing Markov process of epidemic model is first developed based on the adjacency matrix of the network. Asymptotically accurate bounds of the virus extinction rate are derived. We propose a practical approach for the estimation of the extinction rate in large networks. Our proposal has been proved theoretically and validated via simulations. • This thesis proposes a group-based propagation model to analyze the propagation process of APT in large-scale networks. The proposed model is efficient and accurate. The network nodes are divided into groups according to their connectivity. A continuous-time Markov susceptible-infectious-susceptible model is developed. The propagation threshold, under which the propagation will eventually stop, is derived based on the spectral radius of the collapsed adjacency matrix. Simulation results validate the model accuracy and the analytical epidemic threshold. • This thesis proposes a method of traffic feature analysis to detect the remote control traffic of APT. Based on the independent access feature of APT network traffic, concurrent domains in the domain name service are selected to detect APT domains from domain name system records. The proposed traffic features and detection process are then validated using public datasets.
Please use this identifier to cite or link to this item: