Network Intrusion Detection Against Advanced Persistent Threats

dc.contributor.advisor: Maffeis, Sergio
dc.contributor.author: Alageel, Almuthanna
dc.date.accessioned: 2024-03-12T08:22:51Z
dc.date.available: 2024-03-12T08:22:51Z
dc.date.issued: 2024-03-11
dc.description.abstract: The thesis explores the challenges of detecting Advanced Persistent Threats (APTs) due to their complex nature and low occurrence. The study focuses on network intrusion detection and analyzes 33 APT campaigns spanning the past 22 years. It finds that 81% of APT campaigns use HTTP(S) for evasion techniques, while 45% utilize the DNS protocol for resolution and tunnelling. By analyzing data from 63 APT campaigns over 13 years, we propose HawkEye, a system that achieves an accuracy of 98.53%, a macro average F1-score of 90.38%, and a low false positive rate (FPR) of 0.48% against unseen APT campaigns. In comparison, the baseline achieves lower performance, with accuracy, F1-score, and FPR values of 96.95%, 76.81%, and 0.68%, respectively. The thesis also examines the TTPs used by APTs employing HTTP(S) protocols and introduces EarlyCrow, which achieves a headline macro average F1-score of 93.72%, an accuracy of 98.11%, and an FPR of 0.74% against unseen APTs. On the other hand, the state of the art achieves a 60.29% F1-score with no false positive rates. Additionally, we present NightVision, which extracts information from network traffic using statistical digital signal processing techniques. NightVision achieves an average F1-score of 80.09%, an accuracy rate of 97.71%, and a low FPR of 0.25%. In comparison, the state-of-the-art baseline performs at a 67.61% F1-score, 95.82% accuracy, and 1.61% FPR. We recommend using the proposed tools in conjunction with Host Intrusion Detection Systems (HIDS) to enhance overall security defences against APTs. By combining HawkEye, EarlyCrow, and NightVision, the approach aims to provide a comprehensive and effective defence mechanism.
dc.format.extent: 267
dc.identifier.uri: https://hdl.handle.net/20.500.14154/71631
dc.language.iso: en
dc.publisher: Imperial College London
dc.subject: APT
dc.subject: Botnet
dc.subject: Phishing
dc.subject: Network Intrusion Detection
dc.subject: Machine Learning
dc.subject: Digital Signal Processing
dc.subject: Cybersecurity
dc.title: Network Intrusion Detection Against Advanced Persistent Threats
dc.type: Thesis
sdl.degree.department: Computing
sdl.degree.discipline: Cybersecurity
sdl.degree.grantor: Imperial College London
sdl.degree.name: Doctor of Philosophy

Copyright owned by the Saudi Digital Library (SDL) © 2024