CAPTAIN: Community-based Advanced Persistent Threat Analysis in IT Networks

Organizations that possess valuable information assets and critical infrastructure are prone to Advanced Persistent Threats (APTs). The life cycle of this type of modern attack consists of multiple stages called Intrusion Kill Chain (IKC). As one of the most common approaches to deal with these attacks, organizations' security staff use various heterogeneous security and non-security sensors in different lines of defense (Network, Host, and Application) as the primary detection levels in the monitored IT network to log the attacker's intrusive activities. They then model their behaviors by using logged events to detect the IKC of APT attacks. However, numerous methods proposed in the literature have three primary drawbacks: 1) the inability to use both security and non-security sensors of the three mentioned detection levels in event correlation analysis, 2) high dependence on expert knowledge in setting up and maintaining common attack patterns, and 3) incapability to provide a visual representation of the attack path for security administrators to better track on-the-fly attacks in a monitored network. This paper presents a system for Community-based Advanced Persistent Threat Analysis in IT Networks (CAPTAIN) to address the aforementioned issues and challenges. The CAPTAIN framework comprises two distinct phases (including 12 different activities) that receive raw events logged by heterogeneous sensors as input and detect possible IKCs of the APT attacks as output. This system implements a novel graph-based attackers' behavior modeling technique for detecting the IKC of APT attacks by correlating analysis of logged events and leveraging knowledge discovery on the graph. Our evaluation of the two publicly available standard datasets, Bryant and DARPA Transparent Computing, indicates that the CAPTAIN is robust, reliable against high volume events, and can detect the IKC of APT attacks with high accuracy and low false positive rates.