Proposed Approach for Targeted Attacks Detection

  • Ibrahim Ghafir
  • Vaclav Prenosil
Conference paper
Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 362)


For years governments, organizations and companies have made great efforts to keep hackers, malware and cyber attacks at bay, with varying degrees of success. At the same time, cyber criminals and miscreants have produced more advanced techniques for compromising Internet infrastructure. The targeted attack, or advanced persistent threat (APT) attack, is a new challenge: it aims to accomplish a specific goal, most often espionage, and APTs are presently the biggest threat to governments and organizations. This paper states the research questions and proposes a novel approach: an intrusion detection system that processes network traffic and is able to detect a potential APT attack. Detection is based on correlating the events produced as outputs of our individual detection methods, where each detection method aims to detect one technique used in one of the steps of an APT attack.
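As an added illustration of the correlation step the abstract describes (this is not the paper's code): several single-technique detectors each emit an event for a connection, and an alert is raised for an internal host only when events from distinct techniques cluster within a time window. The indicator sets, the DGA heuristic, the window and threshold, and the sample connections below are all constructed assumptions, and the particular techniques chosen are for illustration only, not a claim about which methods the paper uses.

```python
"""Correlating events from single-technique detectors into one APT alert.

Added illustration, not the paper's implementation. Indicator sets, the DGA
heuristic and the sample traffic are constructed assumptions."""
from __future__ import annotations

import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed indicators (assumptions, not real threat intelligence).
BLACKLISTED_DOMAINS = {"updates.example", "cdn-stats.example"}
BLACKLISTED_IPS = {"203.0.113.7"}
TOR_EXIT_IPS = {"198.51.100.42"}


@dataclass(frozen=True)
class Connection:
    ts: int           # seconds since epoch
    src: str          # internal host that opened the connection
    dst_ip: str
    domain: str = ""  # name the host resolved/contacted, if any


@dataclass(frozen=True)
class Event:
    ts: int
    host: str
    technique: str    # which detection method fired
    detail: str


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def looks_algorithmic(domain: str) -> bool:
    """Crude DGA heuristic (assumption): long, high-entropy second-level label."""
    labels = domain.split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    return len(sld) >= 12 and shannon_entropy(sld) > 3.5


# One detector per technique; each returns an Event or None.
def detect_blacklisted_domain(c: Connection) -> Optional[Event]:
    return Event(c.ts, c.src, "blacklisted_domain", c.domain) if c.domain in BLACKLISTED_DOMAINS else None


def detect_blacklisted_ip(c: Connection) -> Optional[Event]:
    return Event(c.ts, c.src, "blacklisted_ip", c.dst_ip) if c.dst_ip in BLACKLISTED_IPS else None


def detect_tor_exit(c: Connection) -> Optional[Event]:
    return Event(c.ts, c.src, "tor_exit", c.dst_ip) if c.dst_ip in TOR_EXIT_IPS else None


def detect_dga_domain(c: Connection) -> Optional[Event]:
    return Event(c.ts, c.src, "dga_domain", c.domain) if c.domain and looks_algorithmic(c.domain) else None


DETECTORS: list[Callable[[Connection], Optional[Event]]] = [
    detect_blacklisted_domain, detect_blacklisted_ip, detect_tor_exit, detect_dga_domain,
]


def run_detectors(conns: list[Connection]) -> list[Event]:
    events = []
    for c in conns:
        for detector in DETECTORS:
            ev = detector(c)
            if ev is not None:
                events.append(ev)
    return events


def correlate(events: list[Event], window: int = 3600, min_techniques: int = 2) -> dict[str, list[str]]:
    """Per host, alert when events from at least `min_techniques` distinct
    techniques fall within any `window`-second span. Repeated hits from the
    same detector are counted once, so one noisy indicator never alerts alone."""
    by_host: dict[str, list[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_host[e.host].append(e)
    alerts: dict[str, set[str]] = {}
    for host, evs in by_host.items():
        lo = 0
        for hi in range(len(evs)):               # sliding window over sorted events
            while evs[hi].ts - evs[lo].ts > window:
                lo += 1
            techs = {e.technique for e in evs[lo:hi + 1]}
            if len(techs) >= min_techniques:
                alerts.setdefault(host, set()).update(techs)
    return {h: sorted(t) for h, t in alerts.items()}


# Constructed sample traffic (not captured data).
SAMPLE = [
    Connection(1000, "10.0.0.5", "192.0.2.10", "updates.example"),          # blacklisted domain
    Connection(1200, "10.0.0.5", "198.51.100.42"),                          # Tor exit node
    Connection(1500, "10.0.0.5", "192.0.2.11", "x7k2mq9p4lzq1w.example"),   # DGA-looking name
    Connection(2000, "10.0.0.9", "203.0.113.7"),                            # blacklisted IP
    Connection(2100, "10.0.0.9", "203.0.113.7"),                            # same technique again
    Connection(100, "10.0.0.12", "192.0.2.12", "cdn-stats.example"),        # two techniques,
    Connection(7300, "10.0.0.12", "198.51.100.42"),                         # but two hours apart
]


def detect_apt(conns: list[Connection] = SAMPLE) -> dict[str, list[str]]:
    return correlate(run_detectors(conns))


if __name__ == "__main__":
    for host, techs in detect_apt().items():
        print(f"ALERT {host}: {', '.join(techs)}")
```

Only 10.0.0.5 is alerted: 10.0.0.9 trips a single detector twice, and 10.0.0.12 trips two detectors outside the window. Widening the window or lowering the threshold catches slower campaigns at the cost of false positives from individually weak indicators, which is the trade-off any such correlation layer has to tune.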


Keywords: Cyber attacks · Targeted attacks · Advanced persistent threat · Malware · Intrusion detection system



This work has been supported by the project “CYBER-2” funded by the Ministry of Defence of the Czech Republic under contract No. 1201 4 7110.



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. Faculty of Informatics, Masaryk University, Brno, Czech Republic
