Visible to the public Biblio

Filters: Keyword is apt  [Clear All Filters]
Dijk, Allard.  2021.  Detection of Advanced Persistent Threats using Artificial Intelligence for Deep Packet Inspection. 2021 IEEE International Conference on Big Data (Big Data). :2092–2097.

Advanced persistent threats (APT’s) are stealthy threat actors with the skills to gain covert control of the computer network for an extended period of time. They are the highest cyber attack risk factor for large companies and states. A successful attack via an APT can cost millions of dollars, can disrupt civil life and has the capabilities to do physical damage. APT groups are typically state-sponsored and are considered the most effective and skilled cyber attackers. Attacks of APT’s are executed in several stages as pointed out in the Lockheed Martin cyber kill chain (CKC). Each of these APT stages can potentially be identified as patterns in network traffic. Using the "APT-2020" dataset, that compiles the characteristics and stages of an APT, we carried out experiments on the detection of anomalous traffic for all APT stages. We compare several artificial intelligence models, like a stacked auto encoder, a recurrent neural network and a one class state vector machine and show significant improvements on detection in the data exfiltration stage. This dataset is the first to have a data exfiltration stage included to experiment on. According to APT-2020’s authors current models have the biggest challenge specific to this stage. We introduce a method to successfully detect data exfiltration by analyzing the payload of the network traffic flow. This flow based deep packet inspection approach improves detection compared to other state of the art methods.

Hong, Seoung-Pyo, Lim, Chae-Ho, lee, hoon jae.  2021.  APT attack response system through AM-HIDS. 2021 23rd International Conference on Advanced Communication Technology (ICACT). :271–274.
In this paper, an effective Advanced Persistent Threat (APT) attack response system was proposed. Reference to the NIST Cyber Security Framework (CRF) was made to present the most cost-effective measures. It has developed a system that detects and responds to real-time AM-HIDS (Anti Malware Host Intrusion Detection System) that monitors abnormal change SW of PCs as a prevention of APT. It has proved that the best government-run security measures are possible to provide an excellent cost-effectiveness environment to prevent APT attacks.
Yang, SU.  2021.  An Approach on Attack Path Prediction Modeling Based on Game Theory. 2021 IEEE 5th Advanced Information Technology, Electronic and Automation Control Conference (IAEAC). 5:2604–2608.
Considering the lack of theoretical analysis for distributed network under APT (advanced persistent threat) attacks, a game model was proposed to solve the problem based on APT attack path. Firstly, this paper analyzed the attack paths of attackers and proposed the defensive framework of network security by analyzing the characteristics of the APT attack and the distributed network structure. Secondly, OAPG(an attack path prediction model oriented to APT) was established from the value both the attacker and the defender based on game theory, besides, this paper calculated the game equilibrium and generated the maximum revenue path of the attacker, and then put forward the best defensive strategy for defender. Finally, this paper validated the model by an instance of APT attack, the calculated results showed that the model can analyze the attacker and defender from the attack path, and can provide a reasonable defense scheme for organizations that use distributed networks.
D'Agostino, Jack, Kul, Gokhan.  2021.  Toward Pinpointing Data Leakage from Advanced Persistent Threats. 2021 7th IEEE Intl Conference on Big Data Security on Cloud (BigDataSecurity), IEEE Intl Conference on High Performance and Smart Computing, (HPSC) and IEEE Intl Conference on Intelligent Data and Security (IDS). :157–162.
Advanced Persistent Threats (APT) consist of most skillful hackers who employ sophisticated techniques to stealthily gain unauthorized access to private networks and exfiltrate sensitive data. When their existence is discovered, organizations - if they can sustain business continuity - mostly have to perform forensics activities to assess the damage of the attack and discover the extent of sensitive data leakage. In this paper, we construct a novel framework to pinpoint sensitive data that may have been leaked in such an attack. Our framework consists of creating baseline fingerprints for each workstation for setting normal activity, and we consider the change in the behavior of the network overall. We compare the accused fingerprint with sensitive database information by utilizing both Levenstein distance and TF-IDF/cosine similarity resulting in a similarity percentage. This allows us to pinpoint what part of data was exfiltrated by the perpetrators, where in the network the data originated, and if that data is sensitive to the private company's network. We then perform feasibility experiments to show that even these simple methods are feasible to run on a network representative of a mid-size business.
Park, Kyuchan, Ahn, Bohyun, Kim, Jinsan, Won, Dongjun, Noh, Youngtae, Choi, JinChun, Kim, Taesic.  2021.  An Advanced Persistent Threat (APT)-Style Cyberattack Testbed for Distributed Energy Resources (DER). 2021 IEEE Design Methodologies Conference (DMC). :1–5.
Advanced Persistent Threat (APT) is a professional stealthy threat actor who uses continuous and sophisticated attack techniques which have not been well mitigated by existing defense strategies. This paper proposes an APT-style cyber-attack tested for distributed energy resources (DER) in cyber-physical environments. The proposed security testbed consists of: 1) a real-time DER simulator; 2) a real-time cyber system using real network systems and a server; and 3) penetration testing tools generating APT-style attacks as cyber events. Moreover, this paper provides a cyber kill chain model for a DER system based on a latest MITRE’s cyber kill chain model to model possible attack stages. Several real cyber-attacks are created and their impacts in a DER system are provided to validate the feasibility of the proposed security testbed for DER systems.
Coulter, Rory, Zhang, Jun, Pan, Lei, Xiang, Yang.  2020.  Unmasking Windows Advanced Persistent Threat Execution. 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom). :268—276.

The advanced persistent threat (APT) landscape has been studied without quantifiable data, for which indicators of compromise (IoC) may be uniformly analyzed, replicated, or used to support security mechanisms. This work culminates extensive academic and industry APT analysis, not as an incremental step in existing approaches to APT detection, but as a new benchmark of APT related opportunity. We collect 15,259 APT IoC hashes, retrieving subsequent sandbox execution logs across 41 different file types. This work forms an initial focus on Windows-based threat detection. We present a novel Windows APT executable (APT-EXE) dataset, made available to the research community. Manual and statistical analysis of the APT-EXE dataset is conducted, along with supporting feature analysis. We draw upon repeat and common APT paths access, file types, and operations within the APT-EXE dataset to generalize APT execution footprints. A baseline case analysis successfully identifies a majority of 117 of 152 live APT samples from campaigns across 2018 and 2019.

Wang, W., Zhang, X., Dong, L., Fan, Y., Diao, X., Xu, T..  2020.  Network Attack Detection based on Domain Attack Behavior Analysis. 2020 13th International Congress on Image and Signal Processing, BioMedical Engineering and Informatics (CISP-BMEI). :962—965.

Network security has become an important issue in our work and life. Hackers' attack mode has been upgraded from normal attack to APT( Advanced Persistent Threat, APT) attack. The key of APT attack chain is the penetration and intrusion of active directory, which can not be completely detected via the traditional IDS and antivirus software. Further more, lack of security protection of existing solutions for domain control aggravates this problem. Although researchers have proposed methods for domain attack detection, many of them have not yet been converted into effective market-oriented products. In this paper, we analyzes the common domain intrusion methods, various domain related attack behavior characteristics were extracted from ATT&CK matrix (Advanced tactics, techniques, and common knowledge) for analysis and simulation test. Based on analyzing the log file generated by the attack, the domain attack detection rules are established and input into the analysis engine. Finally, the available domain intrusion detection system is designed and implemented. Experimental results show that the network attack detection method based on the analysis of domain attack behavior can analyze the log file in real time and effectively detect the malicious intrusion behavior of hackers , which could facilitate managers find and eliminate network security threats immediately.

Wang, W., Tang, B., Zhu, C., Liu, B., Li, A., Ding, Z..  2020.  Clustering Using a Similarity Measure Approach Based on Semantic Analysis of Adversary Behaviors. 2020 IEEE Fifth International Conference on Data Science in Cyberspace (DSC). :1—7.

Rapidly growing shared information for threat intelligence not only helps security analysts reduce time on tracking attacks, but also bring possibilities to research on adversaries' thinking and decisions, which is important for the further analysis of attackers' habits and preferences. In this paper, we analyze current models and frameworks used in threat intelligence that suited to different modeling goals, and propose a three-layer model (Goal, Behavior, Capability) to study the statistical characteristics of APT groups. Based on the proposed model, we construct a knowledge network composed of adversary behaviors, and introduce a similarity measure approach to capture similarity degree by considering different semantic links between groups. After calculating similarity degrees, we take advantage of Girvan-Newman algorithm to discover community groups, clustering result shows that community structures and boundaries do exist by analyzing the behavior of APT groups.

Drašar, M., Moskal, S., Yang, S., Zat'ko, P..  2020.  Session-level Adversary Intent-Driven Cyberattack Simulator. 2020 IEEE/ACM 24th International Symposium on Distributed Simulation and Real Time Applications (DS-RT). :1—9.

Recognizing the need for proactive analysis of cyber adversary behavior, this paper presents a new event-driven simulation model and implementation to reveal the efforts needed by attackers who have various entry points into a network. Unlike previous models which focus on the impact of attackers' actions on the defender's infrastructure, this work focuses on the attackers' strategies and actions. By operating on a request-response session level, our model provides an abstraction of how the network infrastructure reacts to access credentials the adversary might have obtained through a variety of strategies. We present the current capabilities of the simulator by showing three variants of Bronze Butler APT on a network with different user access levels.

Alghamdi, W., Schukat, M..  2020.  Practical Implementation of APTs on PTP Time Synchronisation Networks. 2020 31st Irish Signals and Systems Conference (ISSC). :1—5.
The Precision Time Protocol is essential for many time-sensitive and time-aware applications. However, it was never designed for security, and despite various approaches to harden this protocol against manipulation, it is still prone to cyber-attacks. Here Advanced Persistent Threats (APT) are of particular concern, as they may stealthily and over extended periods of time manipulate computer clocks that rely on the accurate functioning of this protocol. Simulating such attacks is difficult, as it requires firmware manipulation of network and PTP infrastructure components. Therefore, this paper proposes and demonstrates a programmable Man-in-the-Middle (pMitM) and a programmable injector (pInj) device that allow the implementation of a variety of attacks, enabling security researchers to quantify the impact of APTs on time synchronisation.
Burr, B., Wang, S., Salmon, G., Soliman, H..  2020.  On the Detection of Persistent Attacks using Alert Graphs and Event Feature Embeddings. NOMS 2020 - 2020 IEEE/IFIP Network Operations and Management Symposium. :1—4.
Intrusion Detection Systems (IDS) generate a high volume of alerts that security analysts do not have the resources to explore fully. Modelling attacks, especially the coordinated campaigns of Advanced Persistent Threats (APTs), in a visually-interpretable way is a useful approach for network security. Graph models combine multiple alerts and are well suited for visualization and interpretation, increasing security effectiveness. In this paper, we use feature embeddings, learned from network event logs, and community detection to construct and segment alert graphs of related alerts and networks hosts. We posit that such graphs can aid security analysts in investigating alerts and may capture multiple aspects of an APT attack. The eventual goal of this approach is to construct interpretable attack graphs and extract causality information to identify coordinated attacks.
Mani, G., Pasumarti, V., Bhargava, B., Vora, F. T., MacDonald, J., King, J., Kobes, J..  2020.  DeCrypto Pro: Deep Learning Based Cryptomining Malware Detection Using Performance Counters. 2020 IEEE International Conference on Autonomic Computing and Self-Organizing Systems (ACSOS). :109—118.
Autonomy in cybersystems depends on their ability to be self-aware by understanding the intent of services and applications that are running on those systems. In case of mission-critical cybersystems that are deployed in dynamic and unpredictable environments, the newly integrated unknown applications or services can either be benign and essential for the mission or they can be cyberattacks. In some cases, these cyberattacks are evasive Advanced Persistent Threats (APTs) where the attackers remain undetected for reconnaissance in order to ascertain system features for an attack e.g. Trojan Laziok. In other cases, the attackers can use the system only for computing e.g. cryptomining malware. APTs such as cryptomining malware neither disrupt normal system functionalities nor trigger any warning signs because they simply perform bitwise and cryptographic operations as any other benign compression or encoding application. Thus, it is difficult for defense mechanisms such as antivirus applications to detect these attacks. In this paper, we propose an Operating Context profiling system based on deep neural networks-Long Short-Term Memory (LSTM) networks-using Windows Performance Counters data for detecting these evasive cryptomining applications. In addition, we propose Deep Cryptomining Profiler (DeCrypto Pro), a detection system with a novel model selection framework containing a utility function that can select a classification model for behavior profiling from both the light-weight machine learning models (Random Forest and k-Nearest Neighbors) and a deep learning model (LSTM), depending on available computing resources. Given data from performance counters, we show that individual models perform with high accuracy and can be trained with limited training data. We also show that the DeCrypto Profiler framework reduces the use of computational resources and accurately detects cryptomining applications by selecting an appropriate model, given the constraints such as data sample size and system configuration.
Akbari, I., Tahoun, E., Salahuddin, M. A., Limam, N., Boutaba, R..  2020.  ATMoS: Autonomous Threat Mitigation in SDN using Reinforcement Learning. NOMS 2020 - 2020 IEEE/IFIP Network Operations and Management Symposium. :1—9.
Machine Learning has revolutionized many fields of computer science. Reinforcement Learning (RL), in particular, stands out as a solution to sequential decision making problems. With the growing complexity of computer networks in the face of new emerging technologies, such as the Internet of Things and the growing complexity of threat vectors, there is a dire need for autonomous network systems. RL is a viable solution for achieving this autonomy. Software-defined Networking (SDN) provides a global network view and programmability of network behaviour, which can be employed for security management. Previous works in RL-based threat mitigation have mostly focused on very specific problems, mostly non-sequential, with ad-hoc solutions. In this paper, we propose ATMoS, a general framework designed to facilitate the rapid design of RL applications for network security management using SDN. We evaluate our framework for implementing RL applications for threat mitigation, by showcasing the use of ATMoS with a Neural Fitted Q-learning agent to mitigate an Advanced Persistent Threat. We present the RL model's convergence results showing the feasibility of our solution for active threat mitigation.
Ayoade, G., Akbar, K. A., Sahoo, P., Gao, Y., Agarwal, A., Jee, K., Khan, L., Singhal, A..  2020.  Evolving Advanced Persistent Threat Detection using Provenance Graph and Metric Learning. 2020 IEEE Conference on Communications and Network Security (CNS). :1—9.

Advanced persistent threats (APT) have increased in recent times as a result of the rise in interest by nation-states and sophisticated corporations to obtain high profile information. Typically, APT attacks are more challenging to detect since they leverage zero-day attacks and common benign tools. Furthermore, these attack campaigns are often prolonged to evade detection. We leverage an approach that uses a provenance graph to obtain execution traces of host nodes in order to detect anomalous behavior. By using the provenance graph, we extract features that are then used to train an online adaptive metric learning. Online metric learning is a deep learning method that learns a function to minimize the separation between similar classes and maximizes the separation between dis-similar instances. We compare our approach with baseline models and we show our method outperforms the baseline models by increasing detection accuracy on average by 11.3 % and increases True positive rate (TPR) on average by 18.3 %.

Alghamdi, A. A., Reger, G..  2020.  Pattern Extraction for Behaviours of Multi-Stage Threats via Unsupervised Learning. 2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA). :1—8.
Detection of multi-stage threats such as Advanced Persistent Threats (APT) is extremely challenging due to their deceptive approaches. Sequential events of threats might look benign when performed individually or from different addresses. We propose a new unsupervised framework to identify patterns and correlations of malicious behaviours by analysing heterogeneous log-files. The framework consists of two main phases of data analysis to extract inner-behaviours of log-files and then the patterns of those behaviours over analysed files. To evaluate the framework we have produced a (publicly available) labelled version of the SotM43 dataset. Our results demonstrate that the framework can (i) efficiently cluster inner-behaviours of log-files with high accuracy and (ii) extract patterns of malicious behaviour and correlations between those patterns from real-world data.
Sahabandu, D., Allen, J., Moothedath, S., Bushnell, L., Lee, W., Poovendran, R..  2020.  Quickest Detection of Advanced Persistent Threats: A Semi-Markov Game Approach. 2020 ACM/IEEE 11th International Conference on Cyber-Physical Systems (ICCPS). :9—19.
Advanced Persistent Threats (APTs) are stealthy, sophisticated, long-term, multi-stage attacks that threaten the security of sensitive information. Dynamic Information Flow Tracking (DIFT) has been proposed as a promising mechanism to detect and prevent various cyber attacks in computer systems. DIFT tracks suspicious information flows in the system and generates security analysis when anomalous behavior is detected. The number of information flows in a system is typically large and the amount of resources (such as memory, processing power and storage) required for analyzing different flows at different system locations varies. Hence, efficient use of resources is essential to maintain an acceptable level of system performance when using DIFT. On the other hand, the quickest detection of APTs is crucial as APTs are persistent and the damage caused to the system is more when the attacker spends more time in the system. We address the problem of detecting APTs and model the trade-off between resource efficiency and quickest detection of APTs. We propose a game model that captures the interaction of APT and a DIFT-based defender as a two-player, multi-stage, zero-sum, Stackelberg semi-Markov game. Our game considers the performance parameters such as false-negatives generated by DIFT and the time required for executing various operations in the system. We propose a two-time scale Q-learning algorithm that converges to a Stackelberg equilibrium under infinite horizon, limiting average payoff criteria. We validate our model and algorithm on a real-word attack dataset obtained using Refinable Attack INvestigation (RAIN) framework.
Klyaus, T. K., Gatchin, Y. A..  2020.  Mathematical Model For Information Security System Effectiveness Evaluation Against Advanced Persistent Threat Attacks. 2020 Wave Electronics and its Application in Information and Telecommunication Systems (WECONF). :1—5.
The article deals with the mathematical model for information security controls optimization and evaluation of the information security systems effectiveness. Distinctive features of APT attacks are given. The generalized efficiency criterion in which both the requirements of the return of security investment maximization and the return on attack minimization are simultaneously met. The generalized reduced gradient method for solving the optimization of the objective function based on formulated efficiency criterion is proposed.
Golushko, A. P., Zhukov, V. G..  2020.  Application of Advanced Persistent Threat Actors` Techniques aor Evaluating Defensive Countermeasures. 2020 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering (EIConRus). :312—317.
This paper describes research results of the possibility of developing a methodology to implement systematic knowledge about adversaries` tactics and techniques into the process of determining requirements for information security system and evaluating defensive countermeasures.
Zhang, H., Liu, H., Liang, J., Li, T., Geng, L., Liu, Y., Chen, S..  2020.  Defense Against Advanced Persistent Threats: Optimal Network Security Hardening Using Multi-stage Maze Network Game. 2020 IEEE Symposium on Computers and Communications (ISCC). :1—6.

Advanced Persistent Threat (APT) is a stealthy, continuous and sophisticated method of network attacks, which can cause serious privacy leakage and millions of dollars losses. In this paper, we introduce a new game-theoretic framework of the interaction between a defender who uses limited Security Resources(SRs) to harden network and an attacker who adopts a multi-stage plan to attack the network. The game model is derived from Stackelberg games called a Multi-stage Maze Network Game (M2NG) in which the characteristics of APT are fully considered. The possible plans of the attacker are compactly represented using attack graphs(AGs), but the compact representation of the attacker's strategies presents a computational challenge and reaching the Nash Equilibrium(NE) is NP-hard. We present a method that first translates AGs into Markov Decision Process(MDP) and then achieves the optimal SRs allocation using the policy hill-climbing(PHC) algorithm. Finally, we present an empirical evaluation of the model and analyze the scalability and sensitivity of the algorithm. Simulation results exhibit that our proposed reinforcement learning-based SRs allocation is feasible and efficient.

Benzekri, A., Laborde, R., Oglaza, A., Rammal, D., Barrere, F..  2019.  Dynamic security management driven by situations: An exploratory analysis of logs for the identification of security situations. 2019 3rd Cyber Security in Networking Conference (CSNet). :66—72.
Situation awareness consists of "the perception of the elements in the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future". Being aware of the security situation is then mandatory to launch proper security reactions in response to cybersecurity attacks. Security Incident and Event Management solutions are deployed within Security Operation Centers. Some vendors propose machine learning based approaches to detect intrusions by analysing networks behaviours. But cyberattacks like Wannacry and NotPetya, which shut down hundreds of thousands of computers, demonstrated that networks monitoring and surveillance solutions remain insufficient. Detecting these complex attacks (a.k.a. Advanced Persistent Threats) requires security administrators to retain a large number of logs just in case problems are detected and involve the investigation of past security events. This approach generates massive data that have to be analysed at the right time in order to detect any accidental or caused incident. In the same time, security administrators are not yet seasoned to such a task and lack the desired skills in data science. As a consequence, a large amount of data is available and still remains unexplored which leaves number of indicators of compromise under the radar. Building on the concept of situation awareness, we developed a situation-driven framework, called dynSMAUG, for dynamic security management. This approach simplifies the security management of dynamic systems and allows the specification of security policies at a high-level of abstraction (close to security requirements). This invited paper aims at exposing real security situations elicitation, coming from networks security experts, and showing the results of exploratory analysis techniques using complex event processing techniques to identify and extract security situations from a large volume of logs. The results contributed to the extension of the dynSMAUG solution.
Liang, Xiao, Ma, Lixin, An, Ningyu, Jiang, Dongxiao, Li, Chenggang, Chen, Xiaona, Zhao, Lijiao.  2019.  Ontology Based Security Risk Model for Power Terminal Equipment. 2019 12th International Symposium on Computational Intelligence and Design (ISCID). 2:212–216.
IoT based technology are drastically accelerating the informationization development of the power grid system of China that consists of a huge number of power terminal devices interconnected by the network of electric power IoT. However, the networked power terminal equipment oriented cyberspace security has continually become a challenging problem as network attack is continually varying and evolving. In this paper, we concentrate on the security risk of power terminal equipment and their vulnerability based on ATP attack detection and defense. We first analyze the attack mechanism of APT security attack based on power terminal equipment. Based on the analysis of the security and attack of power IoT terminal device, an ontology-based knowledge representation method of power terminal device and its vulnerability is proposed.
Pawlick, Jeffrey, Nguyen, Thi Thu Hang, Colbert, Edward, Zhu, Quanyan.  2019.  Optimal Timing in Dynamic and Robust Attacker Engagement During Advanced Persistent Threats. 2019 International Symposium on Modeling and Optimization in Mobile, Ad Hoc, and Wireless Networks (WiOPT). :1—8.
Advanced persistent threats (APTs) are stealthy attacks which make use of social engineering and deception to give adversaries insider access to networked systems. Against APTs, active defense technologies aim to create and exploit information asymmetry for defenders. In this paper, we study a scenario in which a powerful defender uses honeynets for active defense in order to observe an attacker who has penetrated the network. Rather than immediately eject the attacker, the defender may elect to gather information. We introduce an undiscounted, infinite-horizon Markov decision process on a continuous state space in order to model the defender's problem. We find a threshold of information that the defender should gather about the attacker before ejecting him. Then we study the robustness of this policy using a Stackelberg game. Finally, we simulate the policy for a conceptual network. Our results provide a quantitative foundation for studying optimal timing for attacker engagement in network defense.
De Abreu, Sergio.  2019.  A Feasibility Study on Machine Learning Techniques for APT Detection and Protection in VANETs. 2019 IEEE 12th International Conference on Global Security, Safety and Sustainability (ICGS3). :212—212.
It is estimated that by 2030, 1 in 4 vehicles on the road will be driverless with adoption rates increasing this figure substantially over the next few decades.
Liu, Xiaohu, Li, Laiqiang, Ma, Zhuang, Lin, Xin, Cao, Junyang.  2019.  Design of APT Attack Defense System Based on Dynamic Deception. 2019 IEEE 5th International Conference on Computer and Communications (ICCC). :1655—1659.
Advanced Persistent Threat (APT) attack has the characteristics of complex attack means, long duration and great harmfulness. Based on the idea of dynamic deception, the paper proposed an APT defense system framework, and analyzed the deception defense process. The paper proposed a hybrid encryption communication mechanism based on socket, a dynamic IP address generation method based on SM4, a dynamic timing selection method based on Viterbi algorithm and a dynamic policy allocation mechanism based on DHCPv6. Tests show that the defense system can dynamically change and effectively defense APT attacks.
Hasan, Kamrul, Shetty, Sachin, Ullah, Sharif.  2019.  Artificial Intelligence Empowered Cyber Threat Detection and Protection for Power Utilities. 2019 IEEE 5th International Conference on Collaboration and Internet Computing (CIC). :354—359.
Cyber threats have increased extensively during the last decade, especially in smart grids. Cybercriminals have become more sophisticated. Current security controls are not enough to defend networks from the number of highly skilled cybercriminals. Cybercriminals have learned how to evade the most sophisticated tools, such as Intrusion Detection and Prevention Systems (IDPS), and Advanced Persistent Threat (APT) is almost invisible to current tools. Fortunately, the application of Artificial Intelligence (AI) may increase the detection rate of IDPS systems, and Machine Learning (ML) techniques can mine data to detect different attack stages of APT. However, the implementation of AI may bring other risks, and cybersecurity experts need to find a balance between risk and benefits.