Detecting Advanced Persistent Threats
2014. 04. 18
오대명, 주재웅
Email: wdm1517@gmail.com
1. Research background and objectives
2. APT background
1) Advanced Persistent Threats
2) Intelligent Data Analysis for Intrusion Detection
3. Introduction of a new framework for APT analysis
1) Analysis Framework
2) Application of framework
4. APT detection system development
1) The Framework Used as Development Roadmap for Design
2) Roadmap based system design, general aspects
3) Roadmap based system design, concrete aspects
5. Test case
6. Conclusion
Research background and objectives
Research background
Research objectives
APT background
– Advanced Persistent Threats
– Intelligent Data Analysis for Intrusion Detection
What is APT?
The term "Advanced Persistent Threat" is used loosely for a wide variety of
cyber threats. In essence it always implies a threat in which the attacker is
determined and has a specific goal.
• Advanced
Can draw on a wide range of attack techniques, not a single exploit.
• Persistent
Aims to establish a long-term, hard-to-detect presence in the target
environment rather than a one-off compromise.
• Threat
APT attacks target a chosen organization to achieve a specific objective.
Intrusion Detection System
• Intrusion
- Any unauthorized access, attempt to access or damage,
or malicious use of information resources
• Intrusion Detection
- Detection of break-ins and break-in attempts by automated software
systems
• Intrusion Detection Systems (IDS)
- Defense systems that detect, and possibly prevent,
intrusion activities
IDS Monitoring Process
• Information sources: network traffic or host log files.
• Feature extraction
• Analysis engines
• Decision of responses
IDS Monitoring Location
• Host-based IDS
• Network-based IDS
Host-based IDS
Network-based IDS
Intrusion Detection Method
• Signature Detection
• Anomaly Detection
Signature Detection
A signature detection system compares a data sample to the signatures in the system.
When a signature matches, a warning is issued.
[Figure: flowchart. Data stream is checked against learned patterns: Match? No, continue; Yes, Abnormal! Example pattern: Login name='Sadan']
Signature Detection
Advantages
• High quality and reliability of the detection results;
• Low false positive rate;
• Each detected attack has a clear definition;
• Known attacks can be detected immediately after installation.
Disadvantages
• Cannot detect attacks whose characteristics are unknown (no signature yet);
• Requires frequent updating of the signature database.
Anomaly Detection
Advantages
• Can potentially detect unknown attacks;
Disadvantages
• High rate of missed detections and false alarms;
• Initial training takes a long time;
• Cannot protect the network while training is in progress;
• Difficult to associate a specific attack with an alert.
Introduction of a new framework for APT analysis
– Analysis Framework
– Roadmap based system design, general aspects
Analysis Framework
• Signature Detection
• Anomaly Detection
• Combines signature detection and anomaly detection
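The signature and anomaly methods described above, and the framework's combination of the two, as an added example (not code from the original slides): a small Python detector run over constructed login log lines. The log format, the rule names, the account name 'Sadan' (borrowed from the slide's flowchart), the address ranges and the thresholds are all assumptions made for illustration.

```python
"""Signature and anomaly detection over constructed login log lines.

Added example, not code from the original slides. The log format, the rule
names, the 'Sadan' account (taken from the slide's flowchart), the address
ranges and the thresholds are all assumptions made for illustration.
"""
import re
import statistics
from collections import defaultdict

# Constructed sample log: key=value fields after an ISO timestamp. Hour 12
# contains a deliberate burst of failed logins from 198.51.100.2.
SAMPLE_LOGS = """\
2014-04-18T10:00:01 host=web1 user=alice src=10.0.0.5 event=login result=ok
2014-04-18T10:00:09 host=web1 user=bob src=10.0.0.6 event=login result=ok
2014-04-18T10:02:30 host=web1 user=Sadan src=203.0.113.7 event=login result=ok
2014-04-18T11:00:02 host=web1 user=bob src=10.0.0.6 event=login result=ok
2014-04-18T11:00:05 host=web1 user=carol src=10.0.0.9 event=login result=fail
2014-04-18T11:00:06 host=web1 user=carol src=10.0.0.9 event=login result=fail
2014-04-18T11:00:20 host=web1 user=carol src=10.0.0.9 event=login result=ok
2014-04-18T12:00:03 host=web1 user=alice src=10.0.0.5 event=login result=ok
2014-04-18T12:10:01 host=web1 user=root src=198.51.100.2 event=login result=fail
2014-04-18T12:10:02 host=web1 user=admin src=198.51.100.2 event=login result=fail
2014-04-18T12:10:03 host=web1 user=test src=198.51.100.2 event=login result=fail
2014-04-18T12:10:04 host=web1 user=oracle src=198.51.100.2 event=login result=fail
2014-04-18T12:10:05 host=web1 user=guest src=198.51.100.2 event=login result=fail
2014-04-18T12:10:06 host=web1 user=alice src=198.51.100.2 event=login result=fail
2014-04-18T12:10:07 host=web1 user=bob src=198.51.100.2 event=login result=fail
2014-04-18T12:10:08 host=web1 user=carol src=198.51.100.2 event=login result=fail
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict; return None for malformed lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = m.group("ts")
    fields["hour"] = m.group("ts")[:13]  # bucket key, e.g. '2014-04-18T12'
    return fields


# --- Signature detection: known patterns, precise but blind to anything new ---
SIGNATURES = [
    ("known-bad-account", re.compile(r"\buser=Sadan\b")),
    ("blocklisted-source", re.compile(r"\bsrc=203\.0\.113\.\d+\b")),
]


def signature_alerts(lines):
    """Raise one alert per (line, matching signature) pair."""
    return [("signature", name, line)
            for line in lines
            for name, pattern in SIGNATURES if pattern.search(line)]


# --- Anomaly detection: deviation from a learned baseline, catches the unknown but noisier ---
MIN_FAILURES = 3   # floor so a near-zero-variance baseline never fires on 1-2 failures
Z_THRESHOLD = 2.0  # flag buckets more than two population std devs above the mean


def failure_buckets(events):
    """Failed logins per (src, hour); zero-failure buckets stay in the baseline."""
    buckets = defaultdict(int)
    for e in events:
        buckets[(e.get("src"), e["hour"])] += 1 if e.get("result") == "fail" else 0
    return buckets


def anomaly_threshold(counts):
    """Alert threshold for a list of per-bucket failure counts."""
    return max(MIN_FAILURES, statistics.mean(counts) + Z_THRESHOLD * statistics.pstdev(counts))


def anomaly_alerts(events):
    """Flag (src, hour) buckets whose failure count exceeds the learned threshold."""
    buckets = failure_buckets(events)
    if len(buckets) < 2:
        return []  # no baseline to deviate from
    limit = anomaly_threshold(list(buckets.values()))
    return [("anomaly", "failed-login-burst", f"src={src} hour={hour} failures={n}")
            for (src, hour), n in sorted(buckets.items()) if n > limit]


def detect(lines):
    """Combined pipeline: cheap signature pass on raw lines, anomaly pass on parsed events."""
    events = [e for e in map(parse_line, lines) if e]
    return signature_alerts(lines) + anomaly_alerts(events)


if __name__ == "__main__":
    for kind, name, detail in detect(SAMPLE_LOGS):
        print(f"[{kind}] {name}: {detail}")
```

On the constructed log the signature pass fires twice on the single 'Sadan' line (account and source rules both match) and nowhere else, while the anomaly pass flags only the hour-12 burst from 198.51.100.2: the threshold learned from the seven (src, hour) buckets is roughly 7 failures, so carol's two failed attempts in hour 11 stay under it. The MIN_FAILURES floor is the caveat the slides' disadvantage list points at: with a near-constant baseline the standard deviation collapses to zero and a pure z-score would alert on a single failure.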
Analysis Framework
[Table: the analysis framework, columns 1 through 7; the cell contents were not recovered from the slides]
Application of framework
[Table: framework rows applied to an APT; only row 5 was recovered]
5. Gathering target information: methods aimed at locating information and services of interest.
The Framework Used as Development Roadmap for Design
Roadmap based system design, general aspects
Roadmap based system design, concrete aspects
A Test Case
Conclusion
Q&A
Thanks!