Publication: An enhanced detection of advanced persistent threats using machine learning
Abstract
Nowadays, countries are targeted by many electronic threats, which have expanded to reach almost all business sectors, whether private corporate entities or public institutions. Advanced Persistent Threats (APTs) are well-known examples of these electronic threats. APTs are highly advanced and stealthy computer network attacks designed to gain unauthorized access to computer networks and remain undetected for an extended period. They represent one of the most critical cybersecurity challenges facing governments, corporations, and individuals. Since APTs are categorized as the most critical cybersecurity threats, this study set out to understand the nature of these attacks and to propose a multi-stage framework that detects APT attacks by building on time series data. Unlike the previous model, the proposed approach can detect attacks in real time by matching them against stored attack scenarios. This study reviewed the background research, identified its strengths and weaknesses, and identified opportunities for improvement. Moreover, available standardized techniques were enhanced to detect APT attacks. Furthermore, the datasets used to feed the learning process were generated from different sources, including journal logs, traceability audits, and system monitoring statistics. An effective APT detection and prevention system based on a Composition-Based Decision Tree (CDT) was then built, developed, and implemented in complex environments. The results indicated that the proposed approach, on average, outperformed the existing algorithms reported in the literature. For example, the precision of the proposed model (CDT) in detecting whether an attack was malicious was 96%, consistent with the precision of the existing algorithms: PRISM 96.9%, JRip 96%, and OneR 96%. However, the proposed model outperformed the existing algorithms when detecting whether an attack was benign.
For example, the precision of CDT in this scenario was 50%, compared to 0% for OneR, 10% for JRip, and 13.6% for PRISM. Overall, the average score indicates that the proposed model outperformed the existing algorithms. For example, the average precision of the proposed model was 94.3%, compared to 93.7%, 92.6%, and 92.1% for PRISM, JRip, and OneR, respectively. The CDT algorithm was evaluated by feeding the outputs of algorithm number 3 into the standard NB Tree classifier in the WEKA software.