Expert knowledge and data analysis for detecting advanced persistent threats

Juan Ramón Moya (1), Noemí DeCastro-García (2), Ramón-Ángel Fernández-Díaz (1) and Jorge Lorenzana Tamargo (2)
  • (1) Departamento de Ingenierías Mecánica, León, Spain
  • (2) Research Institute of Applied Science and Cybersecurity, León, Spain

Abstract

Critical infrastructures in public administration can be compromised by Advanced Persistent Threats (APTs), which today constitute one of the most sophisticated ways of stealing information. This paper presents an effective, learning-based tool that uses inductive techniques to analyze the information provided by the firewall log files of an IT infrastructure and to detect suspicious activity, flagging it as a potential APT. The experiments were carried out on a mix of real and synthetic traffic data representing different proportions of normal and anomalous activity.


