Modeling Advanced Persistent Threats to enhance anomaly detection techniques
Advanced Persistent Threats (APTs) are characterized by their complexity and by their ability to remain relatively dormant and undetected on a computer system before launching a devastating attack. Numerous attempts to detect these sophisticated attacks with machine learning techniques and rule-based technologies have been unsuccessful. In this paper, we opt for a more theoretical approach to identify unique APT characteristics that distinguish them from other multi-stage attacks. We model four well-known APTs, based on the kill chain framework, and identify their common behavior to create abstract models that describe generalized APT behavior. We find that attributes from the Command and Control phase of these attacks provide unique features that can be used by any anomaly detection system. We further validate how expressive our abstract models are by formalizing a fifth APT and examining the behavior that the models did not capture.