APT Detection: An Incremental Correlation Approach

Daneshgadeh Çakmakçı, Salva; Gkoktsis, Georgios; Buchta, Robin; Detken, Kai Oliver; Heine, Felix; Kleiner, Carsten

doi:10.1109/IDAACS58523.2023.10348952

December 21, 2023

Conference Paper

Abstract

Advanced Persistent Threats (APTs) are a growing and increasingly prevalent threat. Current detection systems focus primarily on individual procedures and create alerts on this foundation. To effectively detect APT attacks, which rarely consist of single activities, individual alerts must be correlated to comprehensively encapsulate APT activity and provide better situational awareness to the operators. We use this to initiate targeted and proactive countermeasures and thus improve overall security. This paper presents a correlation engine that uses alarms from standard rule-based systems and correlates them with each other. We evaluate the proposed solution using an APT scenario as an example and discuss the advantages and disadvantages of this approach. We argue that the fast, simple implementation, which is an add-on to SIEM, must be considered when evaluating the limited informative value of rule-based systems in the face of zero-day exploits or even sophisticated living-off-the-land attacks.

Author(s)

Daneshgadeh Çakmakçı, Salva

Gkoktsis, Georgios

Fraunhofer-Institut für Sichere Informationstechnologie SIT

Buchta, Robin

Detken, Kai Oliver

Heine, Felix

Kleiner, Carsten

Mainwork

IEEE 12th International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications, IDAACS 2023. Proceedings. Vol.1

Conference

International Conference on Intelligent Data Acquisition and Advanced Computing Systems - Technology Applications 2023

Options

APT Detection: An Incremental Correlation Approach