APT Detection: An Incremental Correlation Approach

AutorDaneshgadeh Çakmakçı, Salva; Gkoktsis, Georgios; Buchta, Robin; Detken, Kai Oliver; Heine, Felix; Kleiner, Carsten
ArtConference Paper
AbstraktAdvanced Persistent Threats (APTs) are a growing and increasingly prevalent threat. Current detection systems focus primarily on individual procedures and create alerts on this foundation. To effectively detect APT attacks, which rarely consist of single activities, individual alerts must be correlated to comprehensively encapsulate APT activity and provide better situational awareness to the operators. We use this to initiate targeted and proactive countermeasures and thus improve overall security. This paper presents a correlation engine that uses alarms from standard rule-based systems and correlates them with each other. We evaluate the proposed solution using an APT scenario as an example and discuss the advantages and disadvantages of this approach. We argue that the fast, simple implementation, which is an add-on to SIEM, must be considered when evaluating the limited informative value of rule-based systems in the face of zero-day exploits or even sophisticated living-off-the-land attacks.
KonferenzInternational Conference on Intelligent Data Acquisition and Advanced Computing Systems - Technology Applications 2023