Hybrid Analysis Technique to detect Advanced Persistent Threats

S Sibi Chakkaravarthy (Madras Institute of Technology, Anna University, India), V Vaidehi (VIT Chennai, India) and P Rajesh (Madras Institute of Technology, Anna University, India)
Copyright: © 2018 | Pages: 18
DOI: 10.4018/IJIIT.2018040104

Abstract

Advanced persistent threats (APTs) are major threats in the field of system and network security. They are extremely stealthy and use advanced evasion techniques such as packing and behavior obfuscation to hide their malicious behavior and evade detection methods. Existing behavior-based detection techniques fail to detect APTs because of their persistence mechanisms and sophisticated code. Hence, a novel hybrid analysis technique using a behavior-based sandboxing approach is proposed. The proposed technique consists of four phases, namely static, dynamic, memory and system state analysis. Initially, static analysis is performed on the sample, which involves packer detection and signature verification. If the sample is found to be stealthy and remains undetected, it is executed inside a sandbox environment to analyze its behavior. Further, memory analysis is performed to extract memory artefacts of the current system state. Finally, system state analysis is performed by correlating the clean system state and the infected system state to determine whether the system is compromised.
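The fourth phase described above, correlating a clean system state with the infected one, as an added Python example that is not the authors' code: the snapshot layout, the sample values and the verdict heuristic are this example's own assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class SystemState:
    # Constructed snapshot layout: file path -> content hash, autorun key -> command,
    # running process names, listening TCP ports.
    files: dict = field(default_factory=dict)
    autoruns: dict = field(default_factory=dict)
    processes: set = field(default_factory=set)
    ports: set = field(default_factory=set)

def correlate(clean: SystemState, infected: SystemState) -> dict:
    """Phase-4 correlation: artefacts present only in, or changed in, the infected state."""
    return {
        "new_files": sorted(set(infected.files) - set(clean.files)),
        "modified_files": sorted(p for p, h in clean.files.items()
                                 if p in infected.files and infected.files[p] != h),
        "new_autoruns": sorted(set(infected.autoruns) - set(clean.autoruns)),
        "new_processes": sorted(infected.processes - clean.processes),
        "new_ports": sorted(infected.ports - clean.ports),
    }

def is_compromised(delta: dict) -> bool:
    # Verdict heuristic (this example's assumption): a new persistence entry or a tampered
    # pre-existing file is decisive; a dropped file counts only when backed by a new
    # process or listener, because a benign sample may also write temporary files.
    return bool(delta["new_autoruns"] or delta["modified_files"]
                or (delta["new_files"] and (delta["new_processes"] or delta["new_ports"])))

# Constructed clean snapshot taken before the sample is executed in the sandbox.
CLEAN = SystemState(
    files={r"C:\Windows\System32\svchost.exe": "hash-svchost-clean",
           r"C:\Users\lab\Desktop\sample.exe": "hash-sample"},
    autoruns={r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth":
              "SecurityHealthSystray.exe"},
    processes={"explorer.exe", "svchost.exe"},
    ports={135, 445},
)
# Constructed infected snapshot: the sample dropped a DLL, added a Run key for it,
# started a host process and opened a listening port.
INFECTED = SystemState(
    files={**CLEAN.files, r"C:\ProgramData\upd\svc.dll": "hash-dropped-dll"},
    autoruns={**CLEAN.autoruns,
              r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd":
              r"rundll32.exe C:\ProgramData\upd\svc.dll,Start"},
    processes=CLEAN.processes | {"rundll32.exe"},
    ports=CLEAN.ports | {8443},
)
```

In a real deployment the two snapshots would be collected by the sandbox agent before and after execution; here `correlate(CLEAN, INFECTED)` reports the dropped DLL, the Run key, the new process and the new port, and `is_compromised` returns True.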
Article Preview

1. Introduction

An Advanced Persistent Threat (Sood & Enbody, 2012; Durham, 2014) is a continuous hacking process carried out using automated malware delivered over the targeted network or system in order to gain unauthorized access and remain undetected for a prolonged period of time. The goal of an APT is data theft rather than damage to the system or network. This sophisticated attack is a chain process that uses multiple attack vectors and several entry points to bypass existing defenses, and it remains stealthy for several months. Most such attacks are launched against financial organizations, defense industries, national critical infrastructures, and small and large-scale enterprises. The intrusion kill chain, as presented in Table 1, is a common attack cycle model widely used by APTs to launch a successful attack.

Within a few decades, the number of incidents related to cyber espionage has increased significantly. The majority of such campaigns are carried out through advanced malware called Advanced Persistent Threats (APTs) targeting government sectors, financial sectors, data centers and private enterprises. The risks posed by APTs to government sectors are very high. These APTs are target specific, and the impact of the cyber-attacks they cause is correspondingly high. Advanced Persistent Threats (Veltsos, 2011; Nicho, 2014; Ray, 2014) are highly advanced malicious software developed to infect computer systems without being easily detected. APTs are especially known for their covert approach and stealthy (Vasudevan, 2012) mode of attack. APTs cannot be easily detected by regular anti-virus scanners (Mukkamala, 2007), intrusion detection systems (Dhanakoti, 2015; Kannan, 2015), firewalls, etc. They stay low and steal information from the target system slowly without causing much visible impact. APTs are highly persistent, i.e. they never rest until the target system is compromised. Modern-day cyber-attacks are far more advanced than traditional attacks. Table 2 shows the differences between traditional malware and APTs. Hence APTs are considered very harmful information stealers and system attackers. Several anti-security mechanisms such as packing, code obfuscation, behavior obfuscation (Naval, S., 2015), virtual environment detection, etc. are used to prevent malware from being detected. Static detection and dynamic detection are the two malware analysis techniques (Fazlali, 2016; Mead, 2015; Vinod, 2011, 2014; Alazab, 2013, 2015).
