1. 2nd IEEE International Workshop on Reliability and Security Data Analysis (RSDA 2014)
Multi-Agent System for APT Detection
Wim Mees & Thibault Debatty
3. APTs : … and all others!
● MiniDuke
– Targeted PDF + 0-day exploit
– June 2012 → February 2013
● Belgacom
– Fake, targeted, LinkedIn pages
– 2010 → June 2013
● …
Multi-Agent System for APT Detection 3
4. APTs : … and all others!
● …
Attackers WILL succeed
Achieve early detection
8. Agents
● Frequency analysis
● Time-domain impulse
● Upload
● Domain name fan-in, fan-out
● Geographic outlier
● Domain name age
● URL reputation
● …
9. Aggregation
● Ordered Weighted Averaging (Yager)
– E.g. : 0.2, 0.3, 0.5, 0.0
● Agent activation logic
– Run “light” agents on all clients
– Activate “heavy” agents on suspicious clients (client honeypot, IDS, long-term analysis, …)
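An added example (not code from the authors' system) of the aggregation step described on this slide: the per-client scores of the light agents are combined with Yager's OWA operator using the weights 0.2, 0.3, 0.5, 0.0 from the slide, and clients whose aggregate crosses a threshold are handed to the heavy agents. Agent names, scores and the threshold are constructed for illustration; the assumption that weights apply to scores sorted from highest to lowest is the standard OWA definition.

```python
from typing import Dict, List

# OWA weights from the slide: w1 applies to the largest score, w2 to the
# second largest, and so on. With these weights one alarming agent alone
# (0.2) cannot push a client over a 0.5 threshold; three must agree, and
# the fourth (weight 0.0) is ignored.
OWA_WEIGHTS = [0.2, 0.3, 0.5, 0.0]

# Hypothetical light agents, all returning a suspicion score in [0, 1].
LIGHT_AGENTS = ["frequency", "impulse", "upload", "fan_in_out"]


def owa(scores: List[float], weights: List[float]) -> float:
    """Yager's Ordered Weighted Averaging: sort scores descending, then
    take the weighted sum with position-dependent weights."""
    if len(scores) != len(weights):
        raise ValueError("one weight per score is required")
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("OWA weights must sum to 1")
    ordered = sorted(scores, reverse=True)
    return sum(w * s for w, s in zip(weights, ordered))


def aggregate_client(agent_scores: Dict[str, float]) -> float:
    """Aggregate the light-agent scores of one client into a single value."""
    return owa([agent_scores[name] for name in LIGHT_AGENTS], OWA_WEIGHTS)


def select_for_heavy_analysis(clients: Dict[str, Dict[str, float]],
                              threshold: float) -> List[str]:
    """Clients whose aggregate score reaches the threshold get the
    heavy agents (client honeypot, IDS, ...) activated."""
    return sorted(c for c, s in clients.items()
                  if aggregate_client(s) >= threshold)


# Constructed sample: host-a has one loud agent, host-b has three
# moderately alarmed agents, host-c is quiet.
CLIENTS = {
    "host-a": {"frequency": 0.9, "impulse": 0.1, "upload": 0.0, "fan_in_out": 0.1},
    "host-b": {"frequency": 0.8, "impulse": 0.7, "upload": 0.6, "fan_in_out": 0.2},
    "host-c": {"frequency": 0.2, "impulse": 0.1, "upload": 0.1, "fan_in_out": 0.0},
}

if __name__ == "__main__":
    for name, scores in CLIENTS.items():
        print(name, round(aggregate_client(scores), 3))
    print("heavy agents on:", select_for_heavy_analysis(CLIENTS, 0.5))
```

Running it shows host-a at 0.26 despite its 0.9 frequency score, host-b at 0.67, and only host-b selected for heavy analysis.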
10. First results
● Synthetic network traffic
● Simulated APT traces (from literature)
11. First results
● Real network traffic (anonymized)
● Simulated APT traces (from literature)
12. First results
● Real network traffic (anonymized)
● Simulated APT traces (from literature)
● Human interaction: whitelisting
13. Conclusions & future work …
● Promising approach (modular design)
● Current work:
– Additional agents (SMTP, IDS, client honeypot, …)
– Choose OWA coefficients to maximize area under ROC curve
– Test on real network traffic and APT traces
● Future work:
– Human feedback integration
– Time behavior
– Integration with SIEM
– Comparison with other tools