Computer Science > Cryptography and Security
Title: RAPTOR: Advanced Persistent Threat Detection in Industrial IoT via Attack Stage Correlation
(Submitted on 27 Jan 2023 (v1), last revised 26 Sep 2023 (this version, v3))
Abstract: Past Advanced Persistent Threat (APT) attacks on Industrial Internet-of-Things (IIoT), such as the 2016 Ukrainian power grid attack and the 2017 Saudi petrochemical plant attack, have shown the disruptive effects of APT campaigns, while new IIoT malware continues to be developed by APT groups. Existing APT detection systems have been designed using cyberattack TTPs modelled for enterprise IT networks and rely on specific data sources (e.g., Linux audit logs, Windows event logs) which are not found on ICS devices. In this work, we propose RAPTOR, a system to detect APT campaigns in IIoT. Using cyberattack TTPs modelled for ICS/OT environments and focusing on "invariant" attack phases, RAPTOR detects and correlates the various APT attack stages in IIoT, leveraging data which can be readily collected from ICS devices and networks (packet traffic traces, IDS alerts). Subsequently, it constructs a high-level APT campaign graph which cybersecurity analysts can use for attack analysis and mitigation. A performance evaluation of RAPTOR's APT attack-stage detection modules shows high precision and low false positive/negative rates. We also show that RAPTOR is able to construct the APT campaign graph for APT attacks (modelled after real-world attacks on ICS/OT infrastructure) executed on our IIoT testbed.
Submission history
From: Ayush Kumar [v1] Fri, 27 Jan 2023 03:56:50 GMT (723kb,D)
[v2] Thu, 9 Feb 2023 14:35:45 GMT (723kb,D)
[v3] Tue, 26 Sep 2023 04:49:44 GMT (593kb,D)