Building a multi-agent system for APT detection

Artificial Intelligence Intrusion Detection

Code: SIC/12


Funding: Defence Funded Research

Start: August 2014

End: August 2018

Duration: 49 months

Georgi Nikolov

The threats, faced by government and military networks, have increased in such a way that regular perimeter defense and endpoint security solutions are no longer sufficient. Sooner or later one or more hosts in our networks will be the victim of a targeted attack and therefore it is essential that we have the capability of detecting these compromised hosts as quickly as possible so we can limit the impact of the incident.

In this study we will develop a prototype system that combines detection algorithms, found in scientific literature, with new detection algorithms, developed in the context of the study. The detectors, as well as the algorithms that aggregate the evidence provided by the individual detectors, will implement domain knowledge provided by network security specialists.

Furthermore, the system will not decide by itself which connections are suspicious and which are not. It will rather incorporate a human expert in the decision loop and provide the expert with a visual tool for exploring the available data, guided by the outputs of the detectors.

MASFAD 2 at EDA CapTech Cyber

APT Detection MASFAD

Today we are proud to present the Multi-Agent System for APT Detection project (MASFAD 2) at the first meeting of the Capability Technology Area Cyber (CapTech Cyber) of the European Defense Agency (EDA).

What is Situation Awareness?

Intrusion Detection Visual Analytics APT Detection

The constant stream of data produced daily, the complicated environment and the need for quick reaction to malicious attacks make the life of cyber defense analyst a living nightmare. Many wonder how are we supposed to be able to review the gigabytes of logs produced daily, how can we manage to analyze them all and extract valuable insight into what is happening in the network?

MITRE ATT&CK and the ATT&CK Matrix

Tools Offensive Security APT Detection

Defining cyber attacks is a difficult task. They vary in origins, goals and, at first glance, the techniques used might seem very different. Luckily a popular model was defined by Lockheed Martin, still used to this day, which illustrates very well the lifecycle of a typical cyber attack. The Cyber Kill Chain, popular but controversial, defines the 7 principal steps of an attack. There have been many advances, since its original conception, one of which is the wildly acclaimed ATT&CK Matrix for Enterprise.

MARk: Visualizations with D3.js

MARk JavaScript APT Detection

Detecting suspicious or malicious activity in a network is not a trivial task. In recent years the attacks perpetrated have grown in sophistication and frequency. For this reason a new detection tool was developed, in the form of the Multi Agent Ranking framework (MARk). MARk sets the groundwork for the implementation of large scale detection and ranking systems through the implementation of a distributed storage in conjuncture with highly specialized, stand-alone detector agents. The detector agents are responsible for analyzing specific predefined characteristics and producing a report of any suspicious activity encountered.

This website uses cookies. More information about the use of cookies is available in the cookies policy.