Visible to the public "Ctracer: Uncover C amp;amp;C in Advanced Persistent Threats Based on Scalable Framework for Enterprise Log Data"Conflict Detection Enabled

Title"Ctracer: Uncover C amp;amp;C in Advanced Persistent Threats Based on Scalable Framework for Enterprise Log Data"
Publication TypeConference Paper
Year of Publication2015
AuthorsK. F. Hong, C. C. Chen, Y. T. Chiu, K. S. Chou
Conference Name2015 IEEE International Congress on Big Data
Date PublishedJune
ISBN Number978-1-4673-7278-7
Accession Number15411664
Keywordsadvanced persistent threat, Advanced Persistent Threat (APT), APT attack, business data processing, C), C&C channel, C&C sessions, Command and Control (C&amp, command and control systems, Computer crime, Computers, Ctracer, digital forensics, digital signatures, Electronic mail, enterprise log data, forensic report, hackers, Internet, invasive software, Itemsets, Malware, MapReduce, network signature, networking logs, pubcrawl170101, scalable framework, Security Operations Center, Servers, SoC, stealthy activities detection, stealthy command and control channel detection, targeted attacks, traffic data

Advanced Persistent Threat (APT), unlike traditional hacking attempts, carries out specific attacks on a specific target to illegally collect information and data from it. These targeted attacks use special-crafted malware and infrequent activity to avoid detection, so that hackers can retain control over target systems unnoticed for long periods of time. In order to detect these stealthy activities, a large-volume of traffic data generated in a period of time has to be analyzed. We proposed a scalable solution, Ctracer to detect stealthy command and control channel in a large-volume of traffic data. APT uses multiple command and control (C&C) channel and change them frequently to avoid detection, but there are common signatures in those C&C sessions. By identifying common network signature, Ctracer is able to group the C&C sessions. Therefore, we can detect an APT and all the C&C session used in an APT attack. The Ctracer is evaluated in a large enterprise for four months, twenty C&C servers, three APT attacks are reported. After investigated by the enterprise's Security Operations Center (SOC), the forensic report shows that there is specific enterprise targeted APT cases and not ever discovered for over 120 days.

Citation Key7207270