A Novel Search Engine to Uncover Potential Victims for APT Investigations

Abstract: Advanced Persistent Threats (APTs) are sophisticated, targeted cyber attacks that often rely on customized malware and bot-control techniques to control victim machines and remotely access valuable information. Because APT malware samples are specific and few, signature-based and learning-based approaches detect them poorly. In this paper we take a more flexible strategy: a search engine that lets APT investigators quickly uncover potential victims from the attributes of a known APT victim. We tested the approach on a real APT case in a large enterprise network of several thousand computers running a commercial antivirus system; the search engine uncovered 33 further, previously unknown victims infected by the APT malware. Finally, the search engine is implemented on the Hadoop platform and, on 440 GB of data, answers queries in 2 seconds.
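The abstract describes pivoting from the attributes of one known victim to find other, unknown victims in an endpoint inventory. The following Python is an added illustration of that idea and is not code from the paper: it builds an inverted index over a constructed host inventory and ranks hosts by rarity-weighted overlap with a seed victim's attributes, so that an artifact present on every machine (a standard system DLL) contributes nothing while a dropper name or C2 address shared by few hosts dominates the score. The attribute schema, the IDF-style weighting, the `VictimSearch` class and the sample hosts are assumptions of this example, not the paper's algorithm or data.

```python
"""Attribute-similarity search over an endpoint inventory.

Added illustration of the "pivot from a known victim's attributes" idea.
The scoring scheme (IDF-weighted overlap served from an inverted index)
is an assumption of this example, not the paper's algorithm.
"""
import math
from collections import defaultdict

# Constructed sample inventory: host -> attributes an AV/endpoint agent
# might report. The "file:", "dst:" and "autorun:" prefixes are a
# hypothetical schema; ws-001 plays the known victim.
HOSTS = {
    "ws-001": {"file:svch0st.exe", "dst:203.0.113.7:443", "autorun:Updater",
               "file:kernel32.dll", "file:notepad.exe"},
    "ws-002": {"file:svch0st.exe", "dst:203.0.113.7:443", "file:kernel32.dll"},
    "ws-003": {"file:kernel32.dll", "file:notepad.exe", "file:excel.exe"},
    "ws-004": {"autorun:Updater", "file:kernel32.dll", "dst:198.51.100.9:80"},
    "ws-005": {"file:kernel32.dll"},
    "ws-006": {"file:kernel32.dll", "file:notepad.exe", "dst:203.0.113.7:443"},
}


class VictimSearch:
    """Inverted index over host attributes with rarity-weighted scoring."""

    def __init__(self, hosts):
        self.hosts = hosts
        self.index = defaultdict(set)          # attribute -> hosts carrying it
        for host, attrs in hosts.items():
            for attr in attrs:
                self.index[attr].add(host)
        n = len(hosts)
        # IDF-style weight: an attribute on every host (kernel32.dll) weighs 0;
        # one seen on few hosts (a dropper name, a C2 address) weighs log(n/df).
        self.weight = {a: math.log(n / len(hs)) for a, hs in self.index.items()}

    def query_attrs(self, attrs, exclude=(), min_score=0.0):
        """Rank hosts by the weighted share of `attrs` they carry.

        Returns [(host, score)] with score in [0, 1], highest first. Only
        hosts on the posting lists of the query attributes are touched, so
        the cost follows the rare attributes rather than the whole inventory.
        """
        total = sum(self.weight.get(a, 0.0) for a in attrs)
        if total <= 0.0:
            return []   # nothing distinctive in the query; every host would tie
        scores = defaultdict(float)
        for a in attrs:
            w = self.weight.get(a, 0.0)
            if w <= 0.0:
                continue                        # ubiquitous or unseen attribute
            for host in self.index[a]:
                if host not in exclude:
                    scores[host] += w
        ranked = [(h, s / total) for h, s in scores.items() if s / total >= min_score]
        ranked.sort(key=lambda hs: (-hs[1], hs[0]))
        return ranked

    def query_host(self, seed, min_score=0.0):
        """Use a known victim's own attribute set as the query."""
        return self.query_attrs(self.hosts[seed], exclude={seed}, min_score=min_score)


if __name__ == "__main__":
    engine = VictimSearch(HOSTS)
    for host, score in engine.query_host("ws-001", min_score=0.25):
        print(f"{host}\t{score:.2f}")
```

Run against the sample inventory, the seed ws-001 pulls ws-002 to the top (it shares both the dropper name and the C2 destination) while ws-005, which shares only the ubiquitous DLL, never appears; a threshold such as `min_score=0.25` is the knob an investigator would tune against the false-positive rate of manual triage.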
Document type: Conference paper
Ching-Hsien Hsu; Xiaoming Li; Xuanhua Shi; Ran Zheng. 10th International Conference on Network and Parallel Computing (NPC), Sep 2013, Guiyang, China. Springer, Lecture Notes in Computer Science, LNCS-8147, pp.405-416, 2013, Network and Parallel Computing. 〈10.1007/978-3-642-40820-5_34〉

Cited literature: 25 references

https://hal.inria.fr/hal-01513755
Contributor: Hal Ifip
Submitted on: Tuesday, 25 April 2017 - 14:33:22
Last modified on: Tuesday, 25 April 2017 - 14:35:51
Long-term archived on: Wednesday, 26 July 2017 - 13:54:43

File

978-3-642-40820-5_34_Chapter.p...
Files produced by the author(s)

License

Distributed under a Creative Commons Attribution 4.0 International License

Citation

Shun-Te Liu, Yi-Ming Chen, Shiou-Jing Lin. A Novel Search Engine to Uncover Potential Victims for APT Investigations. Ching-Hsien Hsu; Xiaoming Li; Xuanhua Shi; Ran Zheng. 10th International Conference on Network and Parallel Computing (NPC), Sep 2013, Guiyang, China. Springer, Lecture Notes in Computer Science, LNCS-8147, pp.405-416, 2013, Network and Parallel Computing. 〈10.1007/978-3-642-40820-5_34〉. 〈hal-01513755〉
