dc.contributor.advisor: Al-Khateeb, Haider
dc.contributor.author: Marques, Rafael Salema
dc.identifier.citation: Marques, R.S. (2022) A novel flow-based statistical pattern recognition architecture to detect and classify pivot attacks. Wolverhampton: University of Wolverhampton.
dc.description: A thesis submitted in partial fulfilment of the requirements of the University of Wolverhampton for the degree of Doctor of Philosophy.
dc.description.abstract: Pivot attack, or pivoting, is a well-known technique used by threat actors to cover their tracks and overcome connectivity restrictions imposed by the network defences or topology. Therefore, detecting ongoing pivot attacks before the opponent has achieved their goals is essential for a solid defence strategy. However, recognising and classifying this technique in large corporate networks is a complex task. The literature presents limited studies regarding pivot attacks, and mitigation strategies have severe constraints to date. For example, related work still focuses on specific protocol-restriction techniques scoped to internal network assets only. This approach is inefficient since opponents commonly create pivot tunnels across the internet. This thesis introduces and evaluates APIVADS, a novel flow-based detection scheme to identify compromised assets supporting pivot attacks. Moreover, APIVADS outperforms previous approaches regarding features and capacities. To the best of our knowledge, this is the first protocol- and cryptographic-primitive-agnostic, privacy-preserving approach capable of detecting pivot attacks over the internet. For example, its efficient data reduction technique can achieve near real-time detection accuracy of 99.37% by distinguishing ongoing pivot attacks from regular enterprise traffic such as TLS, HTTPS, DNS and P2P over the internet. Additionally, this thesis proposes APCA, an automatic pivot attack classifier algorithm based on perceived indicators of attack (IoA) generated by APIVADS, to determine the level of connectivity achieved by the adversary. APCA can distinguish between different types of pivoting and contribute to threat intelligence capabilities regarding the adversary's modus operandi. The architecture composed of APIVADS and APCA takes a hybrid approach between decentralised, host-based pivoting detection and a centralised approach that aggregates results to achieve scalability.
Empirical results from our experiments show that even when the adversary uses evasive pivoting techniques, the proposed architecture is efficient and feasible regarding classification and detection, achieving high accuracy of 98.54% and low false positives.
dc.publisher: University of Wolverhampton
dc.rights: Attribution-NonCommercial-NoDerivatives 4.0 International
dc.subject: pivot attack
dc.subject: pattern recognition
dc.subject: advanced persistent threats
dc.title: A novel flow-based statistical pattern recognition architecture to detect and classify pivot attacks
dc.type: Thesis or dissertation
dc.contributor.department: Faculty of Science and Engineering

Attribution-NonCommercial-NoDerivatives 4.0 International
Except where otherwise noted, this item's license is described as Attribution-NonCommercial-NoDerivatives 4.0 International