Modeling and Analysis of Advanced Persistent Threats in Cyber Space

Publication Type: Thesis
Issue Date: 2020
Advanced Persistent Threat (APT), a professional cyber threat as its name indicates, has become a significant risk in modern society. APT attackers employ various advanced attack technologies to carry out attacks in multiple stages over a long period of time. Because of this complexity, APT research is challenging and incomplete. This thesis proposes a series of models to analyze the key processes of APT, i.e., social attack, propagation, and remote control. Specifically, game-theoretic models are proposed to describe social network attacks; epidemic models based on the susceptible-infected-susceptible (SIS) process are developed to capture the propagation process; and machine learning methods are adopted to detect remote control traffic. The main contributions of this thesis can be summarized as follows.

• This thesis proposes infinitely repeated games to capture the interactions between a message publisher and the administrator who seeks to suppress social attack messages. Critical conditions under which the publisher can be disincentivized from sending any attack messages are identified. Closed-form expressions are established for the maximum number of attack messages an attacker can send, in the absence or presence of misclassification of genuine messages.

• This thesis proposes a new approach to model the propagation of APT across non-trivial networks. A discrete-time absorbing Markov epidemic model is first developed based on the adjacency matrix of the network. Asymptotically accurate bounds on the virus extinction rate are derived. We propose a practical approach for estimating the extinction rate in large networks. Our proposal has been proved theoretically and validated via simulations.

• This thesis proposes a group-based propagation model to analyze the propagation process of APT in large-scale networks. The proposed model is efficient and accurate. The network nodes are divided into groups according to their connectivity, and a continuous-time Markov susceptible-infectious-susceptible model is developed. The propagation threshold, below which the propagation will eventually stop, is derived from the spectral radius of the collapsed adjacency matrix. Simulation results validate the model accuracy and the analytical epidemic threshold.

• This thesis proposes a traffic feature analysis method to detect the remote control traffic of APT. Based on the independent-access feature of APT network traffic, concurrent domains in the domain name service are selected to detect APT domains from domain name system (DNS) records. The proposed traffic features and detection process are then validated using public datasets.