Deakin University
File(s) under permanent embargo

Unmasking windows advanced persistent threat execution

conference contribution
posted on 2020-12-01, 00:00, authored by Rory Coulter, Jun Zhang, Lei Pan, Yang Xiang
The advanced persistent threat (APT) landscape has been studied without quantifiable data from which indicators of compromise (IoCs) can be uniformly analyzed, replicated, or used to support security mechanisms. This work draws together extensive academic and industry APT analysis, not as an incremental step in existing approaches to APT detection, but as a new benchmark of APT-related opportunity. We collect 15,259 APT IoC hashes and retrieve the corresponding sandbox execution logs across 41 different file types. This work forms an initial focus on Windows-based threat detection. We present a novel Windows APT executable (APT-EXE) dataset, made available to the research community. Manual and statistical analysis of the APT-EXE dataset is conducted, along with supporting feature analysis. We draw upon repeated and common APT path accesses, file types, and operations within the APT-EXE dataset to generalize APT execution footprints. A baseline case analysis successfully identifies the majority, 117 of 152, of live APT samples from campaigns across 2018 and 2019.

History

Pagination

268-276

Location

Guangzhou, China

Start date

2020-12-29

End date

2021-01-01

ISBN-13

9780738143804

Language

eng

Publication classification

E1 Full written paper - refereed

Editor/Contributor(s)

Wang G, Ko R, Bhuiyan MZA, Pan Y

Title of proceedings

TrustCom 2020 : Proceedings of the 19th IEEE International Conference on Trust, Security and Privacy in Computing and Communications

Event

Trust, Security and Privacy in Computing and Communications. Conference (2020 : 19th : Guangzhou, China)

Publisher

IEEE

Place of publication

Piscataway, N.J.
