December 21, 2023
Conference Paper
Title
APT Detection: An Incremental Correlation Approach
Abstract
Advanced Persistent Threats (APTs) are a growing and increasingly prevalent threat. Current detection systems focus primarily on individual procedures and raise alerts on that basis. Because an APT attack rarely consists of a single activity, effective detection requires correlating individual alerts so that the full extent of the APT activity is captured and operators gain better situational awareness. That awareness can then be used to initiate targeted and proactive countermeasures and thus improve overall security. This paper presents a correlation engine that takes alarms from standard rule-based systems and correlates them with each other. We evaluate the proposed solution on an example APT scenario and discuss the advantages and disadvantages of this approach. We argue that the fast, simple implementation, which is an add-on to a SIEM, must be weighed against the limited informative value of rule-based systems in the face of zero-day exploits or even sophisticated living-off-the-land attacks.
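To make the idea of incremental alert correlation concrete, the following is an added illustration and not the paper's engine: a toy correlator that consumes rule-based alerts one at a time, groups them per host into time-windowed campaigns, lets a lateral-movement alert pull the destination host into the source host's campaign, and raises an incident as soon as a campaign covers a configurable number of distinct attack stages. The alert fields, the stage labels, the rule names and the sample alert stream are all constructed for this example; a real deployment would derive the stage from the SIEM rule's metadata.

```python
"""Toy incremental alert correlator (added example; not the paper's implementation)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Alert:
    ts: int                         # event time in seconds (small ints in the sample data)
    host: str                       # host the rule fired on
    rule: str                       # name of the rule-based detection (hypothetical)
    stage: str                      # attack stage assumed to be attached to the rule
    dst_host: Optional[str] = None  # set only on lateral-movement alerts


@dataclass
class Campaign:
    """Accumulated state for one suspected intrusion, updated alert by alert."""
    cid: int
    hosts: set = field(default_factory=set)
    stages: set = field(default_factory=set)
    alerts: list = field(default_factory=list)
    last_ts: int = 0
    reported: bool = False


class IncrementalCorrelator:
    def __init__(self, window: int = 3600, min_stages: int = 3):
        self.window = window              # max gap (s) between alerts of one campaign on a host
        self.min_stages = min_stages      # distinct stages needed before an incident is raised
        self._by_host: dict[str, Campaign] = {}
        self._next_cid = 1
        self.incidents: list[Campaign] = []

    def _campaign_for(self, host: str, ts: int) -> Campaign:
        """Return the host's open campaign, or start a new one if the window expired."""
        c = self._by_host.get(host)
        if c is None or ts - c.last_ts > self.window:
            c = Campaign(cid=self._next_cid)
            self._next_cid += 1
            self._by_host[host] = c
        return c

    def ingest(self, a: Alert) -> Optional[Campaign]:
        """Fold one alert into its campaign; return the campaign the first time it qualifies."""
        c = self._campaign_for(a.host, a.ts)
        c.hosts.add(a.host)
        c.stages.add(a.stage)
        c.alerts.append(a)
        c.last_ts = max(c.last_ts, a.ts)
        if a.dst_host:
            # Lateral movement: later alerts on the destination host are chained
            # to the same campaign instead of starting an unrelated one.
            self._by_host[a.dst_host] = c
            c.hosts.add(a.dst_host)
        if len(c.stages) >= self.min_stages and not c.reported:
            c.reported = True
            self.incidents.append(c)
            return c
        return None


# Constructed sample alert stream: a phishing-led intrusion on ws01 that pivots
# to srv02, plus one unrelated noisy alert on ws07.
SAMPLE_ALERTS = [
    Alert(100, "ws01", "phish_attachment_opened", "initial_access"),
    Alert(160, "ws01", "office_spawns_powershell", "execution"),
    Alert(400, "ws01", "new_run_key", "persistence"),
    Alert(900, "ws01", "lsass_handle_opened", "credential_access"),
    Alert(1300, "ws01", "remote_service_created", "lateral_movement", dst_host="srv02"),
    Alert(1500, "srv02", "large_outbound_transfer", "exfiltration"),
    Alert(50000, "ws07", "failed_logon_burst", "credential_access"),
]


def correlate(alerts, window: int = 3600, min_stages: int = 3) -> list:
    """Replay alerts in time order and summarise every incident that was raised."""
    corr = IncrementalCorrelator(window, min_stages)
    raised_at = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        c = corr.ingest(a)
        if c is not None:
            raised_at[c.cid] = a.ts
    return [
        {
            "cid": c.cid,
            "raised_at": raised_at[c.cid],
            "hosts": sorted(c.hosts),
            "stages": sorted(c.stages),
            "n_alerts": len(c.alerts),
        }
        for c in corr.incidents
    ]


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(inc)
```

With the sample stream the incident is raised on the third ws01 alert (the persistence rule), before the credential theft and the pivot have happened, which is the "proactive" property the abstract refers to; the campaign keeps absorbing the later alerts, including the exfiltration on srv02, so the operator sees one object spanning both hosts rather than six isolated rule hits. The isolated ws07 alert never reaches the stage threshold and stays a single alert. The same code also shows the approach's weakness: an attacker whose activity triggers no rule at all (a zero-day, or pure living-off-the-land tradecraft) contributes no stage and is never correlated.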
Author(s)