TY - GEN
T1 - Applying The Attacks Tracer on Advanced Persistent Threats to Real Networks
AU - Tajima, Yuya
AU - Koide, Hiroshi
N1 - Funding Information:
This research is supported by MEXT/JSPS KAKENHI Grant Number 21K11888, JST SICORP and Hitachi Systems, Ltd.
Publisher Copyright:
© 2021 IEEE.
PY - 2021
Y1 - 2021
N2 - In this paper, we improve and extend the attacks tracer so that it receives information from real networks and simulates advanced persistent threats in those networks based on that information. This improvement of the proposed system helps administrators correctly recognize the status of the system and anticipate near-future events. Advanced persistent threats are cyber attacks that mainly target the information systems of organizations such as governments, research institutes, and enterprises. They are characterized by long-lasting, continuous attacks that eventually result in the theft of confidential information. In the past, system administrators and/or designers conducted digital forensic analysis. However, such analysis is now difficult because both the volume of communication traffic and the number of connected devices are increasing. The attacks tracer is software that uses the actor model to simulate the behavior of an information system by modeling networked devices such as routers and servers abstractly. The abstract model and the actor model give the attacks tracer scalable concurrency, so it can simulate many attack scenarios of advanced persistent threats. However, the attacks tracer as previously implemented could only simulate specific scenarios in virtual spaces and could not analyze actual attacks. Therefore, in this proposal, we implemented a gRPC interface (gRPC is a high-performance remote procedure call framework) in the attacks tracer. This allows the attacks tracer to receive and analyze events that occur on the network immediately, so that it can simulate actual attacks. For example, if a system such as a firewall detects that an attack has originated from a PC in the network, the attacks tracer can use that information to determine that the PC has been infected with malware and then indicate what kind of attack will occur next.
As a result of applying the attacks tracer to a real network, we found that it can receive feedback from a real system and simulate advanced persistent threats based on it. This paper presents an overview of the attacks tracer before improvement, the implementation method for applying it to real environments, and a case study.
AB - In this paper, we improve and extend the attacks tracer so that it receives information from real networks and simulates advanced persistent threats in those networks based on that information. This improvement of the proposed system helps administrators correctly recognize the status of the system and anticipate near-future events. Advanced persistent threats are cyber attacks that mainly target the information systems of organizations such as governments, research institutes, and enterprises. They are characterized by long-lasting, continuous attacks that eventually result in the theft of confidential information. In the past, system administrators and/or designers conducted digital forensic analysis. However, such analysis is now difficult because both the volume of communication traffic and the number of connected devices are increasing. The attacks tracer is software that uses the actor model to simulate the behavior of an information system by modeling networked devices such as routers and servers abstractly. The abstract model and the actor model give the attacks tracer scalable concurrency, so it can simulate many attack scenarios of advanced persistent threats. However, the attacks tracer as previously implemented could only simulate specific scenarios in virtual spaces and could not analyze actual attacks. Therefore, in this proposal, we implemented a gRPC interface (gRPC is a high-performance remote procedure call framework) in the attacks tracer. This allows the attacks tracer to receive and analyze events that occur on the network immediately, so that it can simulate actual attacks. For example, if a system such as a firewall detects that an attack has originated from a PC in the network, the attacks tracer can use that information to determine that the PC has been infected with malware and then indicate what kind of attack will occur next.
As a result of applying the attacks tracer to a real network, we found that it can receive feedback from a real system and simulate advanced persistent threats based on it. This paper presents an overview of the attacks tracer before improvement, the implementation method for applying it to real environments, and a case study.
UR - http://www.scopus.com/inward/record.url?scp=85124171351&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85124171351&partnerID=8YFLogxK
U2 - 10.1109/CANDARW53999.2021.00072
DO - 10.1109/CANDARW53999.2021.00072
M3 - Conference contribution
AN - SCOPUS:85124171351
T3 - Proceedings - 2021 9th International Symposium on Computing and Networking Workshops, CANDARW 2021
SP - 392
EP - 397
BT - Proceedings - 2021 9th International Symposium on Computing and Networking Workshops, CANDARW 2021
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 9th International Symposium on Computing and Networking Workshops, CANDARW 2021
Y2 - 23 November 2021 through 26 November 2021
ER -