Modeling Attack Process of Advanced Persistent Threat Using Network Evolution

Weina NIU  Xiaosong ZHANG  Guowu YANG  Ruidong CHEN  Dong WANG  

IEICE TRANSACTIONS on Information and Systems   Vol.E100-D   No.10   pp.2275-2286
Publication Date: 2017/10/01
Online ISSN: 1745-1361
DOI: 10.1587/transinf.2016INP0007
Type of Manuscript: Special Section PAPER (Special Section on Security, Privacy and Anonymity in Computation, Communication and Storage Systems)
Category: Operating system and network Security
attack process modeling,  APT,  TCAN,  complex network theory,  

Full Text: PDF(1.2MB)
>>Buy this Article

Advanced Persistent Threat (APT) is one of the most serious network attacks that occurred in cyberspace due to sophisticated techniques and deep concealment. Modeling APT attack process can facilitate APT analysis, detection, and prediction. However, current techniques focus on modeling known attacks, which neither reflect APT attack dynamically nor take human factors into considerations. In order to overcome this limitation, we propose a Targeted Complex Attack Network (TCAN) model for APT attack process based on dynamic attack graph and network evolution. Compared with current models, our model addresses human factors by conducting a two-layer network structure. Meanwhile, we present a stochastic model based on states change in the target network to specify nodes involved in the procedure of this APT. Besides, our model adopts time domain to expand the traditional attack graph into dynamic attack network. Our model is featured by flexibility, which is proven through changing the related parameters. In addition, we propose dynamic evolution rules based on complex network theory and characteristics of the actual attack scenarios. Finally, we elaborate a procedure to add nodes by a matrix operation. The simulation results show that our model can model the process of attack effectively.