Article

An Effective Reconstruction Method of the APT Attack Based on Hidden Markov Model

Journal

Publisher

WORLD SCIENTIFIC PUBL CO PTE LTD
DOI: 10.1142/S0218126622501080

Keywords

APT; hidden Markov model; APT attack reconstruction

Funding

  1. Research Innovation Fund for College Students of Beijing University of Posts and Telecommunications [202111018, 202103024]

Abstract

This paper introduces a method for reconstructing APT attack scenes. By mining hidden attack events, describing action sequences, and reconstructing attack paths, it achieves both the detection of the APT attack process and the reconstruction of the attack scene.
An Advanced Persistent Threat (APT) is a multi-stage, multi-step attack process. Reconstruction of the APT attack scene can start from the detection of discrete stage attacks. However, because APT attacks are strongly concealed, some discrete events in an attack scenario may go undetected. To reconstruct the APT attack scene, we therefore need to mine the hidden attack events from the APT attack target and the detected discrete attack events, describe the action sequence according to the time order or the conditions reached by the attack, and finally reconstruct the attack path. In this paper, building on the EP-IKC attack cooperation model, we take the overall target of the APT attack as the vertex of a pyramid and the alerted network entities and potentially attacked entities related to that vertex as the facet nodes. We introduce the hidden Markov model (HMM) and use data association and advanced probability theory to mine the hidden APT attack stages. Finally, the detection of the APT attack process and the reconstruction of the attack scene are realized.
