A novel flow-based statistical pattern recognition architecture to detect and classify pivot attacks
dc.contributor.advisor | Al-Khateeb, Haider | |
dc.contributor.author | Marques, Rafael Salema | |
dc.date.accessioned | 2023-02-20T15:02:26Z | |
dc.date.available | 2023-02-20T15:02:26Z | |
dc.date.issued | 2022 | |
dc.identifier.citation | Marques, R.S. (2022) A novel flow-based statistical pattern recognition architecture to detect and classify pivot attacks. Wolverhampton: University of Wolverhampton. http://hdl.handle.net/2436/625109 | en |
dc.identifier.uri | http://hdl.handle.net/2436/625109 | |
dc.description | A thesis submitted in partial fulfilment of the requirements of the University of Wolverhampton for the degree of Doctor of Philosophy. | en |
dc.description.abstract | Pivot attack or pivoting is a well-known technique used by threat actors to cover their tracks and overcome connectivity restrictions imposed by the network defences or topology. Therefore, detecting ongoing pivot attacks while the opponent has not yet achieved their goals is essential for a solid defence strategy. However, recognising and classifying this technique in large corporate networks is a complex task. The literature presents limited studies regarding pivot attacks, and mitigation strategies have severe constraints to date. For example, related work still focuses on specific protocol-restriction techniques scoped at internal network assets only. This approach is inefficient since opponents commonly create pivot tunnels across the internet. This thesis introduces and evaluates APIVADS, a novel flow-based detection scheme to identify compromised assets supporting pivot attacks. Moreover, APIVADS outperforms previous approaches regarding features and capacities. To the best of our knowledge, this is the first protocol- and cryptographic-primitive-agnostic, privacy-preserving approach capable of detecting pivot attacks over the internet. For example, its efficient data reduction technique can achieve near real-time detection accuracy of 99.37% by distinguishing ongoing pivot attacks from regular enterprise traffic such as TLS, HTTPS, DNS and P2P over the internet. Additionally, this thesis proposes APCA, an automatic pivot attack classifier algorithm based on perceived indicators of attack (IoA) generated by APIVADS, to determine the level of connectivity achieved by the adversary. APCA can distinguish between different types of pivoting and contributes to threat intelligence capabilities regarding the adversary's modus operandi. The architecture composed of APIVADS and APCA takes a hybrid approach between decentralised, host-based pivoting detection and a centralised approach to aggregate results and achieve scalability.
Empirical results from our experiments show that even when the adversary uses evasive pivoting techniques, the proposed architecture is efficient and feasible regarding classification and detection, achieving high accuracy of 98.54% and low false positives. | en |
dc.format | application/pdf | en |
dc.language.iso | en | en |
dc.publisher | University of Wolverhampton | en |
dc.rights | Attribution-NonCommercial-NoDerivatives 4.0 International | * |
dc.rights.uri | http://creativecommons.org/licenses/by-nc-nd/4.0/ | * |
dc.subject | pivoting | en |
dc.subject | pivot attack | en |
dc.subject | flow-based | en |
dc.subject | privacy-preserving | en |
dc.subject | pattern recognition | en |
dc.subject | APT | en |
dc.subject | advanced persistent threats | en |
dc.title | A novel flow-based statistical pattern recognition architecture to detect and classify pivot attacks | en |
dc.type | Thesis or dissertation | en |
dc.contributor.department | Faculty of Science and Engineering | |
dc.type.qualificationname | PhD | |
dc.type.qualificationlevel | Doctoral | |
refterms.dateFOA | 2023-02-20T15:02:27Z |