Advanced Persistent Threats (APTs) are the most critical menaces to modern organizations and the most challenging attacks to detect. They span over long periods of time, use encrypted connections and mimic normal behaviors in order to evade detection based on traditional defensive solutions. We propose an innovative approach that is able to analyze efficiently high volumes of network traffic to reveal weak signals related to data exfiltrations and other suspect APT activities. The final result is a ranking of the most suspicious internal hosts; this rank allows security specialists to focus their analyses on a small set of hosts out of the thousands of machines that typically characterize large organizations. Experimental evaluations in a network environment consisting of about 10K hosts show the feasibility and effectiveness of the proposed approach. Our proposal based on security analytics paves the way to novel forms of automatic defense aimed at early detection of APTs in large and continuously varying networked systems.

Analysis of high volumes of network traffic for Advanced Persistent Threat detection / Marchetti, Mirco; Pierazzi, Fabio; Colajanni, Michele; Guido, Alessandro. - In: COMPUTER NETWORKS. - ISSN 1389-1286. - 109:(2016), pp. 127-141. [10.1016/j.comnet.2016.05.018]

Analysis of high volumes of network traffic for Advanced Persistent Threat detection

MARCHETTI, Mirco;PIERAZZI, FABIO;COLAJANNI, Michele;GUIDO, ALESSANDRO
2016

Abstract

Advanced Persistent Threats (APTs) are the most critical menaces to modern organizations and the most challenging attacks to detect. They span over long periods of time, use encrypted connections and mimic normal behaviors in order to evade detection based on traditional defensive solutions. We propose an innovative approach that is able to analyze efficiently high volumes of network traffic to reveal weak signals related to data exfiltrations and other suspect APT activities. The final result is a ranking of the most suspicious internal hosts; this rank allows security specialists to focus their analyses on a small set of hosts out of the thousands of machines that typically characterize large organizations. Experimental evaluations in a network environment consisting of about 10K hosts show the feasibility and effectiveness of the proposed approach. Our proposal based on security analytics paves the way to novel forms of automatic defense aimed at early detection of APTs in large and continuously varying networked systems.
109
127
141
Analysis of high volumes of network traffic for Advanced Persistent Threat detection / Marchetti, Mirco; Pierazzi, Fabio; Colajanni, Michele; Guido, Alessandro. - In: COMPUTER NETWORKS. - ISSN 1389-1286. - 109:(2016), pp. 127-141. [10.1016/j.comnet.2016.05.018]
Marchetti, Mirco; Pierazzi, Fabio; Colajanni, Michele; Guido, Alessandro
File in questo prodotto:
File Dimensione Formato  
pierazzi_apt.pdf

non disponibili

Descrizione: Articolo principale
Tipologia: Versione dell'editore (versione pubblicata)
Dimensione 1.97 MB
Formato Adobe PDF
1.97 MB Adobe PDF   Visualizza/Apri   Richiedi una copia
POST_PRINT_main.pdf

accesso aperto

Tipologia: Post-print dell'autore (bozza post referaggio)
Dimensione 2.75 MB
Formato Adobe PDF
2.75 MB Adobe PDF Visualizza/Apri
Pubblicazioni consigliate

Caricamento pubblicazioni consigliate

Licenza Creative Commons
I metadati presenti in IRIS UNIMORE sono rilasciati con licenza Creative Commons CC0 1.0 Universal, mentre i file delle pubblicazioni sono rilasciati con licenza Attribuzione 4.0 Internazionale (CC BY 4.0), salvo diversa indicazione.
In caso di violazione di copyright, contattare Supporto Iris

Utilizza questo identificativo per citare o creare un link a questo documento: http://hdl.handle.net/11380/1135125
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 108
  • ???jsp.display-item.citation.isi??? 72
social impact