A Distributed Framework for APT Attack Analysis

2021 
Information security is an important part of Internet security. As more and more industries come to rely on the Internet, protecting the information security of these industries has become urgent, which has spawned local area networks (LANs), intranets and similar networks. With the development of information sensor technology, the Internet of Things (IoT), which interconnects physical devices, has emerged. As a unity of computing processes and physical processes, cyber-physical systems (CPS) are the next generation of intelligent systems, integrating computing, communication and control capabilities. CPS covers a wide range of applications and critical infrastructures, including intelligent transportation systems, telemedicine, smart grids, aerospace, and many other fields. APT attacks are typically conducted directly against these critical infrastructures around the world, and can incur severe consequences. It is therefore meaningful to protect this information by detecting APT attacks in a timely and accurate manner, so that effective defensive measures can be adopted. Although APT attacks appear destructive, and the attack process is complex and changeable, the attack process usually follows certain rules in essence. In this chapter, we introduce a distributed framework for detecting APT attacks. A cyber security knowledge graph stores existing knowledge and the attack rules, and plays an important role in analyzing the attacks. We first analyze potential attack events with the proposed distributed framework on Spark, then mine attack chains from massive data using their spatial and temporal characteristics. These steps help identify complicated attacks. We also conduct extensive experiments; the results show that the analysis accuracy depends on the completeness of the cyber security knowledge graph and on the precision of the detection results from security equipment.
With the rational expectation that more attacks will be exposed and that security equipment will be upgraded faster, it is both sufficient and necessary to improve the cyber security knowledge graph constantly for better performance.