
Real-time detection of Advanced Persistent Threats using Information Flow Tracking and Hidden Markov Models

Abstract: In this thesis, we present the risks posed by Advanced Persistent Threats (APTs) and propose a two-step approach for recognising when detected attacks are part of one. This is part of the Akheros solution, a fully autonomous Intrusion Detection System (IDS) being developed in collaboration by three PhD students. The idea is to use machine learning to detect unexpected events and check if they present a security risk. The last part, and the subject of this thesis, is the highlighting of APTs. APT campaigns are particularly dangerous because they are performed by skilled attackers with a precise goal and time and money on their side. We start with the results from the previous part of the Akheros IDS: a list of events, which can be translated to flows of information, with an indication for events found to be attacks. We find links between attacks using Information Flow Tracking. To do so, we create a new taint for each detected attack and propagate it. Whenever a taint is on the input of an event that is part of another attack, the two attacks are linked. However, the links are only potential because the events used are not precise enough, which leads to erroneously propagated taints. In the case of an undetected attack, no taint is created for that attack, but the other taints are still propagated as normal, so that the previous attack is still linked to the next attack, only skipping the undetected one. The second step of the approach is to filter out the erroneous links. To do so, we use a Hidden Markov Model to represent APTs and remove potential attack campaigns that do not fit the model. This is possible because, while each APT is different, they all go through the same phases, which form the hidden states of our model. The visible observations are the kinds of attacks performed during these phases. In addition, the results in one phase dictate what the attackers do next, which fits the Markov hypothesis.
The score used to rank potential attack campaigns from most likely an APT to least likely is based on a customised Viterbi algorithm in order to take into account potentially undetected attacks.
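The first step described in the abstract (one taint per detected attack, propagated along information flows, with a link created when a taint reaches the input of another attack's event) can be sketched as follows. This is an added example, not code from the thesis or from Akheros; the event tuple format, the container names, the sample events and the choice to place a new taint on the event's destination are assumptions.

```python
from collections import defaultdict

# Constructed sample: ordered information flows (source, destination, attack).
# `attack` is the id of the detected attack the event belongs to, or None.
SAMPLE_EVENTS = [
    ("net:inbound", "file:mail.eml", "A1"),        # detected attack A1
    ("file:mail.eml", "proc:editor", None),        # ordinary flow
    ("proc:editor", "file:dropper.bin", "A2"),     # detected attack A2
    ("file:dropper.bin", "proc:dropper", None),    # ordinary flow
    ("proc:dropper", "file:archive.zip", "A3"),    # detected attack A3
    ("proc:scanner", "file:report.txt", "A4"),     # unrelated attack A4
]

def link_attacks(events):
    """Return the set of potential links (earlier_attack, later_attack)."""
    taints = defaultdict(set)  # container -> attack taints it carries
    links = set()
    for src, dst, attack in events:
        carried = set(taints[src])  # taints present on the event's input
        if attack is not None:
            # A taint from another attack on the input links the two attacks.
            links.update((t, attack) for t in carried if t != attack)
            carried.add(attack)  # taint for this detected attack
        # Undetected or benign events create no taint but still propagate.
        taints[dst] |= carried
    return links

def mark_undetected(events, attack_id):
    """Same flows, but the IDS missed `attack_id`: its label is dropped."""
    return [(s, d, None if a == attack_id else a) for s, d, a in events]

if __name__ == "__main__":
    print("all detected :", sorted(link_attacks(SAMPLE_EVENTS)))
    missed = mark_undetected(SAMPLE_EVENTS, "A2")
    print("A2 undetected:", sorted(link_attacks(missed)))
```

When A2 is missed, A1 is still linked to A3 because A1's taint keeps flowing through the unlabelled event, which is the skipping behaviour the abstract describes.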

Cited literature: 44 references
Contributor: Abes Star
Submitted on: Wednesday, May 16, 2018 - 7:10:05 PM
Last modification on: Tuesday, March 24, 2020 - 3:39:17 PM
Long-term archiving on: Tuesday, September 25, 2018 - 5:12:47 PM


Version validated by the jury (STAR)


  • HAL Id : tel-01793752, version 2



Guillaume Brogi. Real-time detection of Advanced Persistent Threats using Information Flow Tracking and Hidden Markov Models. Machine Learning [cs.LG]. Conservatoire national des arts et metiers - CNAM, 2018. English. ⟨NNT : 2018CNAM1167⟩. ⟨tel-01793752v2⟩


