e-space
Manchester Metropolitan University's Research Repository

    A machine-learning-based system for real-time advanced persistent threat detection and prediction

    Ghafir, Ibrahim (2017) A machine-learning-based system for real-time advanced persistent threat detection and prediction. Doctoral thesis (PhD), Manchester Metropolitan University.

    [img]
    Preview

    Available under License Creative Commons Attribution Non-commercial No Derivatives.

    Download (1MB) | Preview
    [img]
    File not available for download.
    Available under License In Copyright.

    Download (74kB)

    Abstract

    It is widely cited that cyber attacks have become more prevalent on a global scale. In light of this, the cybercrime industry has been established for various purposes such as political, economic and socio-cultural aims. Such attacks can be used as a harmful weapon and cyberspace is often cited as a battlefield. One of the most serious types of cyber attacks is the Advanced Persistent Threat (APT), which is a new and more complex version of multi-step attack. The main aim of the APT attack is espionage and data exfiltration, which has the potential to cause significant damage and substantial financial loss. This research aims to develop a novel system to detect and predict APT attacks. A Machine-Learning-based APT detection system, called MLAPT, is proposed. MLAPT runs through three main phases: (1) Threat detection, in which eight methods are developed to detect different techniques used during the various APT steps. The implementation and validation of these methods with real traffic is a significant contribution to the current body of research; (2) Alert correlation, in which a correlation framework is designed to link the outputs of the detection methods, aiming to find alerts that could be related and belong to one APT scenario; and (3) Attack prediction, in which a machine-learning-based prediction module is proposed based on the correlation framework output, to be used by the network security team to determine the probability of the early alerts to develop a complete APT attack. The correlation framework and prediction module are two other major contributions in this work. MLAPT is experimentally evaluated and the presented system is able to predict APT in its early steps with a prediction accuracy of 84.8%.

    Impact and Reach

    Statistics

    Activity Overview
    6 month trend
    772Downloads
    6 month trend
    1,024Hits

    Additional statistics for this dataset are available via IRStats2.

    Repository staff only

    Edit record Edit record