Advanced Persistent Threats (APTs) are the most critical menaces to modern organizations and the most challenging attacks to detect. They span over long periods of time, use encrypted connections and mimic normal behaviors in order to evade detection based on traditional defensive solutions. We propose an innovative approach that is able to analyze efficiently high volumes of network traffic to reveal weak signals related to data exfiltrations and other suspect APT activities. The final result is a ranking of the most suspicious internal hosts; this rank allows security specialists to focus their analyses on a small set of hosts out of the thousands of machines that typically characterize large organizations. Experimental evaluations in a network environment consisting of about 10K hosts show the feasibility and effectiveness of the proposed approach. Our proposal based on security analytics paves the way to novel forms of automatic defense aimed at early detection of APTs in large and continuously varying networked systems.

Analysis of high volumes of network traffic for Advanced Persistent Threat detection / Marchetti, Mirco; Pierazzi, Fabio; Colajanni, Michele; Guido, Alessandro. - In: COMPUTER NETWORKS. - ISSN 1389-1286. - 109:(2016), pp. 127-141. [10.1016/j.comnet.2016.05.018]

Analysis of high volumes of network traffic for Advanced Persistent Threat detection

MARCHETTI, Mirco;PIERAZZI, FABIO;COLAJANNI, Michele;GUIDO, ALESSANDRO
2016

Abstract

Advanced Persistent Threats (APTs) are the most critical menaces to modern organizations and the most challenging attacks to detect. They span over long periods of time, use encrypted connections and mimic normal behaviors in order to evade detection based on traditional defensive solutions. We propose an innovative approach that is able to analyze efficiently high volumes of network traffic to reveal weak signals related to data exfiltrations and other suspect APT activities. The final result is a ranking of the most suspicious internal hosts; this rank allows security specialists to focus their analyses on a small set of hosts out of the thousands of machines that typically characterize large organizations. Experimental evaluations in a network environment consisting of about 10K hosts show the feasibility and effectiveness of the proposed approach. Our proposal based on security analytics paves the way to novel forms of automatic defense aimed at early detection of APTs in large and continuously varying networked systems.
2016
109
127
141
WOS:000388546500002
2-s2.0-84995685027
Analysis of high volumes of network traffic for Advanced Persistent Threat detection / Marchetti, Mirco; Pierazzi, Fabio; Colajanni, Michele; Guido, Alessandro. - In: COMPUTER NETWORKS. - ISSN 1389-1286. - 109:(2016), pp. 127-141. [10.1016/j.comnet.2016.05.018]
Marchetti, Mirco; Pierazzi, Fabio; Colajanni, Michele; Guido, Alessandro
File in questo prodotto:
File Dimensione Formato  
pierazzi_apt.pdf

Accesso riservato

Descrizione: Articolo principale
Tipologia: VOR - Versione pubblicata dall'editore
Dimensione 1.97 MB
Formato Adobe PDF
  Visualizza/Apri   Richiedi una copia
1.97 MB Adobe PDF   Visualizza/Apri   Richiedi una copia
POST_PRINT_main.pdf

Open access

Tipologia: AAM - Versione dell'autore revisionata e accettata per la pubblicazione
Dimensione 2.75 MB
Formato Adobe PDF
Visualizza/Apri
2.75 MB Adobe PDF Visualizza/Apri
Pubblicazioni consigliate

Licenza Creative Commons
I metadati presenti in IRIS UNIMORE sono rilasciati con licenza Creative Commons CC0 1.0 Universal, mentre i file delle pubblicazioni sono rilasciati con licenza Attribuzione 4.0 Internazionale (CC BY 4.0), salvo diversa indicazione.
In caso di violazione di copyright, contattare Supporto Iris

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11380/1135125
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 143
  • ???jsp.display-item.citation.isi??? 107
social impact