Defenders spend significant time interpreting low-level events while attackers, especially Advanced Persistent Threats (APTs), think and plan their activities at a higher strategic level. In this paper, we close this semantic gap by making the attackers’ strategy an explicit machine-readable component of intrusion detection. We introduce the concept of semantic clusters, which combine high-level technique and tactic annotations with a set of events providing evidence for those annotations. We then use a fully automated cybergaming environment, in which a red team is programmed to emulate APT behavior, to assess and improve defensive posture. Semantic clusters both provide the basis of scoring these cybergames and highlight promising defensive improvements. In a set of experiments, we demonstrate effective defensive adjustments which can be made using this higher-level information about adversarial strategy.
Gianvecchio, S., Burkhalter, C., Lan, H., Sillers, A., & Smith, K. (2019). Closing the gap with APTs through semantic clusters and automated cybergames. In Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST (Vol. 304 LNICST, pp. 235–254). Springer. https://doi.org/10.1007/978-3-030-37228-6_12