Framework for detecting APTs based on steps analysis and correlation.

Abstract

An advanced persistent threatAdvanced persistent threat, (APTAPT), is an attack that uses multiple attack behavior to penetrate a system, achieve specifically targeted and highly valuable goals within a system. This type of attack has presented an increasing concern for cyber-security and business continuity. The resource availability, integrity, and confidentiality of the operational cyber-physical systems' (CPS) state and control are highly impacted by the safety and security measures adopted. In this study, we propose a framework based on deep APT steps analysis and correlation, of APTs approach abbreviated as ``APT-DASACAPT-DASAC'', for securing industrial control systems (ICSs) against APTs. This approach takes into consideration the distributed and multi-level nature of ICS architecture and reflects on multi-step APT attack lifecycle. We validated the framework with three case studies: (i) network transactions between a remote terminal unit (RTU)Remote Terminal Unit (RTU) and a master control unit (MTU)Master Control Unit (MTU) within a supervisory control and data acquisition (SCADASCADA) gas pipeline control system, (ii) a case study of command and response injection attacks, and (iii) a scenario based on network traffic containing hybrid of the real modern normal and the contemporary synthesized attack activities of the network traffic. Based on the achieved result, we show that the proposed approach achieves a significant attack detection capability and demonstrates that attack detection techniques that performed very well in one application domain may not yield the same result in another. Hence, robustness and resilience of operational CPS state or any system and performance are determined by the security measures in place, which is specific to the application system and domain.