DocumentCode
166659
Title
Targeted Attack Prevention at Early Stage
Author
Chia-Mei Chen ; Peng-Yu Yang ; Ya-Hui Ou ; Han-Wei Hsiao
Author_Institution
Dept. of Inf. Manage., Nat. Sun Yat-sen Univ., Kaohsiung, Taiwan
fYear
2014
fDate
13-16 May 2014
Firstpage
866
Lastpage
870
Abstract
Targeted cyber attacks play a critical role in disrupting network infrastructure and information privacy. Based on incident investigation, intelligence gathering is the first phase of such attacks. To evade detection, a hacker may make use of a botnet, a set of zombie machines, to gain access to a target, and the zombies send the collected results back to the hacker. Even though the zombies would be blocked by the detection system, the hacker, using the access information obtained from the botnet, would log in to the target from another machine without being noticed by the detection system. Such an information gathering tactic can evade detection, and the hacker gains initial access to the target. The proposed defense system analyzes multiple logs from the network and extracts the reconnaissance attack sequences related to targeted attacks. A state-based model is adopted to model the steps of the above early-phase attack performed by multiple scouts and an intruder, and such attack events over a long time frame become significant in the state-aware model. The results show that the proposed system can identify the attacks at the early stage efficiently to prevent further damage in the networks.
Keywords
authorisation; data privacy; invasive software; ubiquitous computing; botnet; cyber attack; information privacy; intelligence gathering; network infrastructure; state-based model; targeted attack prevention; Computer hacking; Hidden Markov models; IP networks; Joints; Reconnaissance; Servers; intrusion detection; pervasive computing; targeted attacks;
fLanguage
English
Publisher
ieee
Conference_Titel
Advanced Information Networking and Applications Workshops (WAINA), 2014 28th International Conference on
Conference_Location
Victoria, BC
Print_ISBN
978-1-4799-2652-7
Type
conf
DOI
10.1109/WAINA.2014.134
Filename
6844748