N-victims: An approach to determine N-victims for APT investigations

Shun Te Liu; Yi Ming Chen; Hui Ching Hung

doi:10.1007/978-3-642-35416-8_16

N-victims: An approach to determine N-victims for APT investigations

Shun Te Liu, Yi Ming Chen, Hui Ching Hung

資訊管理學系

研究成果: 書貢獻/報告類型 › 會議論文篇章 › 同行評審

8 引文斯高帕斯（Scopus）

摘要

The advanced Persistent Threat (APT) is a sophisticated and target-oriented cyber attack for accessing valuable information. The attacker leverages the customized malware as the stepping stone to intrude into the enterprise network. For enterprises and forensic analysts, finding the victims and investigating them to evaluate the damages are critical, but the investigation is often limited by resources and time. In this paper, we propose an N-Victims approach that starts from a known malware-infected computer to determine the top N most likely victims. We test our approach in a real APT case that happened in a large enterprise network consisting of several thousand computers, which run a commercial antivirus system. N-Victims can find more malware-infected computers than N-Gram based approaches. In the top 20 detected computers, N-Victims also had a higher detection rate and a lower false positive rate than N-Gram based approaches.

原文	???core.languages.en_GB???
主出版物標題	Information Security Applications - 13th International Workshop, WISA 2012, Revised Selected Papers
編輯	Dong Hoon Lee, Moti Yung
發行者	Springer Verlag
頁面	226-240
頁數	15
ISBN（列印）	9783642354151
DOIs	https://doi.org/10.1007/978-3-642-35416-8_16
出版狀態	已出版 - 2012
事件	13th International Workshop on Information Security Applications, WISA 2012 - Jeju Island, Korea, Republic of 持續時間: 16 8月 2012 → 18 8月 2012

出版系列

名字	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
卷	7690 LNCS
ISSN（列印）	0302-9743
ISSN（電子）	1611-3349

???event.eventtypes.event.conference???

???event.eventtypes.event.conference???	13th International Workshop on Information Security Applications, WISA 2012
國家/地區	Korea, Republic of
城市	Jeju Island
期間	16/08/12 → 18/08/12

存取文件

10.1007/978-3-642-35416-8_16

引用此

Liu, S. T., Chen, Y. M., & Hung, H. C. (2012). N-victims: An approach to determine N-victims for APT investigations. 於 D. H. Lee, & M. Yung (編輯), Information Security Applications - 13th International Workshop, WISA 2012, Revised Selected Papers (頁 226-240). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); 卷 7690 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-642-35416-8_16

Liu, Shun Te ; Chen, Yi Ming ; Hung, Hui Ching. / N-victims : An approach to determine N-victims for APT investigations. Information Security Applications - 13th International Workshop, WISA 2012, Revised Selected Papers. 編輯 / Dong Hoon Lee ; Moti Yung. Springer Verlag, 2012. 頁 226-240 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{0eadd4c6f8984c449208081f278edd77,

title = "N-victims: An approach to determine N-victims for APT investigations",

abstract = "The advanced Persistent Threat (APT) is a sophisticated and target-oriented cyber attack for accessing valuable information. The attacker leverages the customized malware as the stepping stone to intrude into the enterprise network. For enterprises and forensic analysts, finding the victims and investigating them to evaluate the damages are critical, but the investigation is often limited by resources and time. In this paper, we propose an N-Victims approach that starts from a known malware-infected computer to determine the top N most likely victims. We test our approach in a real APT case that happened in a large enterprise network consisting of several thousand computers, which run a commercial antivirus system. N-Victims can find more malware-infected computers than N-Gram based approaches. In the top 20 detected computers, N-Victims also had a higher detection rate and a lower false positive rate than N-Gram based approaches.",

keywords = "Advanced persistent threat, Botnet detection, Incident investigation, Malware detection",

author = "Liu, {Shun Te} and Chen, {Yi Ming} and Hung, {Hui Ching}",

note = "Publisher Copyright: {\textcopyright} Springer-Verlag Berlin Heidelberg 2012.; 13th International Workshop on Information Security Applications, WISA 2012 ; Conference date: 16-08-2012 Through 18-08-2012",

year = "2012",

doi = "10.1007/978-3-642-35416-8_16",

language = "???core.languages.en_GB???",

isbn = "9783642354151",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "226--240",

editor = "Lee, {Dong Hoon} and Moti Yung",

booktitle = "Information Security Applications - 13th International Workshop, WISA 2012, Revised Selected Papers",

}

Liu, ST, Chen, YM & Hung, HC 2012, N-victims: An approach to determine N-victims for APT investigations. 於 DH Lee & M Yung (編輯), Information Security Applications - 13th International Workshop, WISA 2012, Revised Selected Papers. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 卷 7690 LNCS, Springer Verlag, 頁 226-240, 13th International Workshop on Information Security Applications, WISA 2012, Jeju Island, Korea, Republic of, 16/08/12. https://doi.org/10.1007/978-3-642-35416-8_16

N-victims: An approach to determine N-victims for APT investigations. / Liu, Shun Te; Chen, Yi Ming; Hung, Hui Ching.
Information Security Applications - 13th International Workshop, WISA 2012, Revised Selected Papers. 編輯 / Dong Hoon Lee; Moti Yung. Springer Verlag, 2012. p. 226-240 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); 卷 7690 LNCS).

研究成果: 書貢獻/報告類型 › 會議論文篇章 › 同行評審

TY - GEN

T1 - N-victims

T2 - 13th International Workshop on Information Security Applications, WISA 2012

AU - Liu, Shun Te

AU - Chen, Yi Ming

AU - Hung, Hui Ching

N1 - Publisher Copyright: © Springer-Verlag Berlin Heidelberg 2012.

PY - 2012

Y1 - 2012

N2 - The advanced Persistent Threat (APT) is a sophisticated and target-oriented cyber attack for accessing valuable information. The attacker leverages the customized malware as the stepping stone to intrude into the enterprise network. For enterprises and forensic analysts, finding the victims and investigating them to evaluate the damages are critical, but the investigation is often limited by resources and time. In this paper, we propose an N-Victims approach that starts from a known malware-infected computer to determine the top N most likely victims. We test our approach in a real APT case that happened in a large enterprise network consisting of several thousand computers, which run a commercial antivirus system. N-Victims can find more malware-infected computers than N-Gram based approaches. In the top 20 detected computers, N-Victims also had a higher detection rate and a lower false positive rate than N-Gram based approaches.

AB - The advanced Persistent Threat (APT) is a sophisticated and target-oriented cyber attack for accessing valuable information. The attacker leverages the customized malware as the stepping stone to intrude into the enterprise network. For enterprises and forensic analysts, finding the victims and investigating them to evaluate the damages are critical, but the investigation is often limited by resources and time. In this paper, we propose an N-Victims approach that starts from a known malware-infected computer to determine the top N most likely victims. We test our approach in a real APT case that happened in a large enterprise network consisting of several thousand computers, which run a commercial antivirus system. N-Victims can find more malware-infected computers than N-Gram based approaches. In the top 20 detected computers, N-Victims also had a higher detection rate and a lower false positive rate than N-Gram based approaches.

KW - Advanced persistent threat

KW - Botnet detection

KW - Incident investigation

KW - Malware detection

UR - http://www.scopus.com/inward/record.url?scp=84904731397&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-35416-8_16

DO - 10.1007/978-3-642-35416-8_16

M3 - 會議論文篇章

AN - SCOPUS:84904731397

SN - 9783642354151

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 226

EP - 240

BT - Information Security Applications - 13th International Workshop, WISA 2012, Revised Selected Papers

A2 - Lee, Dong Hoon

A2 - Yung, Moti

PB - Springer Verlag

Y2 - 16 August 2012 through 18 August 2012

ER -

Liu ST, Chen YM, Hung HC. N-victims: An approach to determine N-victims for APT investigations. 於 Lee DH, Yung M, 編輯, Information Security Applications - 13th International Workshop, WISA 2012, Revised Selected Papers. Springer Verlag. 2012. p. 226-240. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-642-35416-8_16

N-victims: An approach to determine N-victims for APT investigations

摘要

出版系列

???event.eventtypes.event.conference???

存取文件

指紋

引用此