INTERNET 2020, The Twelfth International Conference on Evolving Internet

Evaluation of a Multi-agent Anomaly-based Advanced Persistent Threat Detection Framework

Authors:
Georgi Nikolov
Thibault Debatty
Wim Mees

Keywords: anomaly-based analysis; command & control channel; advanced persistent threat; aggregation

Abstract:
Cyber attacks have become a major factor in the world today and their effect can be devastating. Protecting corporate and government networks has become an increasingly difficult challenge, as new persistent malware infections can remain undetected for long periods of time. In this paper, we introduce the Multi-agent ranking framework (MARK), a novel approach to Advanced Persistent Threat detection through the use of behavioral analysis and pattern recognition. Such behavior-based mechanisms for discovering and eliminating new sophisticated threats are lacking in current detection systems, but research in this domain is gaining more importance and traction. Our goal is to take a hands-on approach to detection by actively hunting for the threats, instead of passively waiting for events and alerts to signal abnormal behavior. We devise a framework that can be easily deployed as a stand-alone multi-agent system or to complement many Security Information and Event Management systems. The MARK framework incorporates known and new, beyond state-of-the-art detection techniques, in addition to facilitating the incorporation of new data sources and detection agent modules through plug-ins. Throughout our testing and evaluation, impressive true detection rates and acceptable false positive rates were obtained, which proves the usefulness of the framework.

Pages: 61 to 67

Copyright: Copyright (c) IARIA, 2020

Publication date: October 18, 2020

Published in: conference

ISSN: 2308-443X

ISBN: 978-1-61208-796-2

Location: Porto, Portugal

Dates: from October 18, 2020 to October 22, 2020