A Novel Method for Detecting APT Attacks by Using OODA Loop and Black Swan Theory

  • Tero BodströmEmail author
  • Timo Hämäläinen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11280)


Advanced Persistent Threat (APT) attacks are a major concern for the modern societal digital infrastructures due to their highly sophisticated nature. The purpose of these attacks varies from long period espionage in high level environment to causing maximal destruction for targeted cyber environment. Attackers are skilful and well funded by governments in many cases. Due to sophisticated methods it is highly important to study proper countermeasures to detect these attacks as early as possible. Current detection methods under-performs causing situations where an attack can continue months or even years in a targeted environment. We propose a novel method for analysing APT attacks through OODA loop and Black Swan theory by defining them as a multi-vector multi-stage attacks with continuous strategical ongoing campaign. Additionally it is important to notice that for developing better performing detection methods, we have to find the most common factor within these attacks. We can state that the most common factor of APT attacks is communication, thus environment has to be developed in a way that we are able to capture complete network flow and analyse it.


Advanced Persistent Thread (APT) OODA loop Black Swan theory Network anomaly detection 


  1. 1.
    Brogi, G., Tong, V.V.T.: TerminAPTor: highlighting Advanced Persistent Threats through information flow tracking. In: 2016 8th IFIP International Conference on New Technologies, Mobility and Security (NTMS) (2016).
  2. 2.
    Vukalović, J., Delija, D.: Advanced Persistent Threats - detection and defense. In: 2015 38th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), pp. 1324–1330 (2015).
  3. 3.
    Chandran, S., Hrudya, P., Poornachandran, P.: An efficient classification model for detecting Advanced Persistent Threat. In: 2015 International Conference on Advances in Computing, Communications and Informatics (ICACCI), pp. 2001–2009 (2015).
  4. 4.
    Settanni, G., Shovgenya, Y., Skopik, F., Graf, R., Wurzenberger, M., Fiedler, R.: Acquiring cyber threat intelligence through security information correlation. In: 2017 3rd IEEE International Conference on Cybernetics (CYBCONF) (2017).
  5. 5.
    Hu, P., Li, H., Fu, H., Cansever, D., Mohapatra, P.: Dynamic defense strategy against Advanced Persistent Threat with insiders. In: 2015 IEEE Conference on Computer Communications (INFOCOM), pp. 747–755 (2015).
  6. 6.
    Ussath, M., Jaeger, D., Cheng, F.: Advanced Persistent Threats: behind the scenes. In: 2016 Annual Conference on Information Science and Systems (CISS) (2016).
  7. 7.
    Messaoud, B., Guennoun, K., Wahbi, M., Sadik, M.: Advanced Persistent Threat: new analysis driven by life cycle phases and their challenges. In: 2016 International Conference on Advanced Communication Systems and Information Security (ACOSIS) (2016).
  8. 8.
    Bhatt, P., Yano, E.T., Gustavsson, P.M.: Towards a framework to detect multi-stage Advanced Persistent Threats attacks. In: 2014 IEEE 8th International Symposium on Service Oriented System Engineering, pp. 390–395 (2014).
  9. 9.
    Vance, A.: Flow based analysis of Advanced Persistent Threats detecting targeted attacks in cloud computing. In: 2014 First International Scientific-Practical Conference Problems of Infocommunications Science and Technology, pp. 173–176 (2014).
  10. 10.
    Xiao, L., Xu, D., Mandayam, N.B., Poor, H.V.: Attacker-centric view of a detection game against Advanced Persistent Threats. In: IEEE Transactions on Mobile Computing (2018). Scholar
  11. 11.
    Eidle, D., Ni, S.Y., DeCusatis, C., Sager, A.: Autonomic security for zero trust networks. In: 2017 IEEE 8th Annual Ubiquitous Computing, Electronics and Mobile Communication Conference (UEMCON) (2017).
  12. 12.
    Zhu, Q., Rass, S.: On multi-phase and multi-stage game-theoretic modeling of Advanced Persistent Threats. IEEE Access 6, 13958–13971 (2018). Scholar
  13. 13.
    Taleb, N.: The Black Swan: The Impact of the Highly Improbable. Random House, New York (2007)Google Scholar
  14. 14.
    Zeng, Z., Zio, E.: Modelling unexpected failures with a hierarchical Bayesian model. In: 2017 2nd International Conference on System Reliability and Safety (ICSRS), pp. 135–139 (2017).
  15. 15.
    Arney, C., et al..: Using rare event modeling & networking to build scenarios and forecast the future. In: 2013 IEEE 2nd Network Science Workshop (NSW), pp. 29–64 (2013).
  16. 16.
    Révay, M., Líška, M.: OODA loop in command & control systems. In: 2017 Communication and Information Technologies (KIT) (2017).
  17. 17.
    Dapeng, G., Jianming, H., Yuhu, Guoqian, X., Nainiang, Z.: Research on combat SD model based on OODA loop. In: 2015 2nd International Conference on Information Science and Control Engineering, pp. 884–888 (2015).
  18. 18.
    Ma, L., Zhang, M., Zhou, Z.: The OODA loop robustness evaluation based on OSOS combat network. In: 2014 International Conference on Information and Communications Technologies (ICT 2014) (2014).
  19. 19.
    Blasch, E.P., Breton, R., Valin, P., Bosse, E.: User information fusion decision making analysis with the C-OODA model. In: 14th International Conference on Information Fusion (2011)Google Scholar
  20. 20.
    Fusano, A., Sato, H., Namatame, A.: Study of multi-agent based combat simulation for grouped OODA loop. In: SICE Annual Conference 2011, pp. 131–136 (2011)Google Scholar
  21. 21.
    Bilar, D., Saltaformaggio, B.: Using a novel behavioral stimuli-response framework to defend against adversarial cyberspace participants. In: 2011 3rd International Conference on Cyber Conflict (2011)Google Scholar
  22. 22.
    Bodström, T., Hämäläinen, T.: State of the art literature review on network anomaly detection. In: Galinina, O., Andreev, S., Balandin, S., Koucheryavy, Y. (eds.) NEW2AN/ruSMART 2018. LNCS, vol. 11118, pp. 89–101. Springer, Cham (2018). Scholar
  23. 23.
    Bodström, T., Hämäläinen, T.: State of the art literature review on network anomaly detection with deep learning. In: Galinina, O., Andreev, S., Balandin, S., Koucheryavy, Y. (eds.) NEW2AN/ruSMART 2018. LNCS, vol. 11118, pp. 64–76. Springer, Cham (2018). Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.Faculty of Information TechnologyUniversity of JyväskyläJyväskyläFinland

Personalised recommendations