
An AI-based Approach for Detecting Advanced Persistent Threats (APT) in Large Networks
31st March - 25th April 2025
Principal Investigator: Dr. Edward Chuah, University of Aberdeen
Supporting Partner: BT Group UK
Project overview
The cost of cybercrime worldwide is expected to reach US$15.63 trillion by 2029. Early detection of cyberattacks therefore enables organisations to prevent and mitigate the damage these attacks cause. Large networks generate huge volumes of data, and analysing this data is key to detecting cyberattacks.
APTs are prolonged and targeted cyberattacks in which an intruder executes various attacks and remains undetected for extended periods of time; they are therefore one of the most concerning threats organisations face. Several recent advances in deep learning-based anomaly detection and zero-shot learning enable efficient training of complex machine learning algorithms for detecting cyberattacks. This project will develop an AI-based approach using deep learning and zero-shot learning to solve two major subproblems: (a) reducing model training time, and (b) identifying patterns of events associated with APT attacks.
Activities
In this secondment project with BT, three Python scripts were implemented, and the Recurrent Neural Network (RNN), Long Short-Term Memory (LSTM) and Temporal Convolution Network (TCN) algorithms were applied to open-source NetFlow data to predict attack events on several network services such as the Domain Name Service (DNS) and NetBIOS. Then, five days’ worth of open-source NetFlow (NF) data was obtained and several NF records containing the same port were identified, to ascertain whether these NF records correspond to an attack that uses a well-known network protocol such as the Network Time Protocol (NTP) or are false positives.
In the first week, I presented a deep learning-based approach for predicting network events that correspond to a reflection attack. A paper describing this approach and its results has been accepted for publication in Computers & Security (Elsevier). In this paper, I showed that RNN, LSTM and TCN predicted reflection attack events on DNS and NetBIOS with high accuracy on several dates. However, all three DL models predicted reflection attack events on DNS with low accuracy on two dates. Additionally, the time taken to train TCN ranged from 2.5 hours to 21 hours. To address the long training time of TCN, a zero-shot probabilistic time-series model called Chronos can be used; Chronos has been shown to outperform several time-series prediction models in both accuracy and speed. To address the low prediction accuracy, predictions from multiple baseline models such as the RNN and LSTM can be integrated into an ensemble learning framework to increase the accuracy of predicting these attacks.
During discussions with BT engineers, an issue concerning the utility of this approach was raised. As such, a second activity was initiated to identify false positives in the NetFlow data. Publicly available NetFlow (NF) data provided by Los Alamos National Laboratory (LANL) was downloaded and five days’ worth of NF data was analysed. Several NF records that contain the same port were identified. In these records, a small number of packets was sent by the source device and a large number of packets was sent back by the destination device in response.
These NF records contain source and destination ports that correspond to well-known network services such as the Network Time Protocol (NTP), NetBIOS and the Domain Name Service (DNS), which are widely exploited in Distributed Denial-of-Service (DDoS) attacks. However, determining whether an NF record corresponds to legitimate communication between two network devices or to an exploit of well-known ports is difficult. Therefore, the goal is to determine whether an NF record corresponds to an attack or to a benign event.
Specifically, we focused on NF records that contain the NTP port 123. NTP is a network protocol that synchronises the clocks of computers over a network so that these computers maintain a consistent time. It is widely used by many network services such as Microsoft Active Directory and the Domain Name Service. However, NTP is vulnerable to DDoS attacks. From our results, we drew two conclusions:
1. While a large number of packets was sent to clients by the Active Directory service, the start times in these NF NTP records on days 1 to 5 indicate that these are legitimate clock synchronisation events.
2. While a large number of packets was returned to Comp307203 by Comp275646, the time interval between NTP requests ranges from 5.5 minutes to 8.5 minutes, indicating that these are clock synchronisation events executed over multiple sessions to keep Comp307203’s clock accurate.
Impact
From our findings, we observed that the NF NTP events were clock synchronisation events that occurred frequently over all five days. However, we also observed that a large number of packets was returned to each client. This result shows that an individual NF record, which includes only the start time, duration and number of packets sent by the source device and by the destination device, is insufficient to determine whether a network event is malicious.
Consequently, our findings help raise awareness of the extent to which an individual NF record and a small feature set are effective in detecting a malicious network event. Our findings and recommendations are summarised in the table below:
| No. | Finding | Indicator | Response |
|---|---|---|---|
| 1 | A large number of packets was returned to several clients by one host on NTP port 123. | Monitor any change in the number of packets returned to each client on the network. If an increase in the number of packets returned to one or several clients is observed and the increase exceeds a threshold, e.g. 10%, this indicates the start of a DDoS attack exploiting NTP. | 1. Put the destination device IP address on a ban list. 2. Apply rate limiting to the number of packets returned on NTP port 123. |
| 2 | Multiple NTP request packets were sent by one client to one host over multiple durations, and a large number of packets was returned. | Monitor any change in the time interval between NTP requests. If the time interval between NTP requests starts to decrease, this indicates the start of a DoS attack exploiting NTP. | 1. Put the source device IP address on a ban list. 2. Run antivirus software to remove any malware, botnet or trojan horse on this source device. |
| 3 | The packet and payload sizes are not available in all NF NTP records. | The NetFlow collector is not configured to capture raw traffic on all network ports. | 1. Configure the NetFlow collector to capture raw traffic on all network ports. 2. If the NetFlow collector device is overloaded, sampling can be used to reduce the number of NetFlow records. |
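As an added example (not one of the report's scripts), the two NetFlow indicators in the table applied to the NTP records analysed above: a rise in packets returned to a client beyond a 10% threshold, and a shrinking interval between a client's NTP requests. The field layout is assumed to follow the LANL Unified Host and Network NetFlow CSV format; the records are constructed (only the device names come from the report).

```python
import csv
import io

NTP_PORT = "123"
INT_FIELDS = ("Time", "Duration", "SrcPackets", "DstPackets", "SrcBytes", "DstBytes")
# Constructed sample in the assumed LANL-style layout (not real LANL data):
# four polls 5.5-8.5 minutes apart, then two polls seconds apart with a packet surge.
SAMPLE = """Time,Duration,SrcDevice,DstDevice,Protocol,SrcPort,DstPort,SrcPackets,DstPackets,SrcBytes,DstBytes
0,1,Comp307203,Comp275646,17,Port54321,123,2,40,180,3600
330,1,Comp307203,Comp275646,17,Port54321,123,2,42,180,3780
840,1,Comp307203,Comp275646,17,Port54321,123,2,41,180,3690
1350,1,Comp307203,Comp275646,17,Port54321,123,2,41,180,3690
1400,1,Comp307203,Comp275646,17,Port54321,123,2,300,180,27000
1420,1,Comp307203,Comp275646,17,Port54321,123,2,310,180,27900
"""

def parse_ntp_flows(text):
    """Parse CSV NetFlow text, cast numeric fields, keep NTP flows sorted by time."""
    rows = [r for r in csv.DictReader(io.StringIO(text)) if r["DstPort"] == NTP_PORT]
    for r in rows:
        for f in INT_FIELDS:
            r[f] = int(r[f])
    return sorted(rows, key=lambda r: r["Time"])

def flag_packet_increase(flows, threshold=0.10):
    """Indicator 1: packets returned to a client exceed its running baseline by > threshold."""
    history, alerts = {}, []
    for r in flows:
        key = (r["SrcDevice"], r["DstDevice"])  # (client, NTP host)
        seen = history.setdefault(key, [])
        if seen and r["DstPackets"] > (1 + threshold) * sum(seen) / len(seen):
            alerts.append((r["Time"], key, r["DstPackets"]))
        else:
            seen.append(r["DstPackets"])  # only unflagged flows extend the baseline
    return alerts

def flag_interval_decrease(flows):
    """Indicator 2: gap between a client's NTP requests drops below its shortest prior gap."""
    last, shortest, alerts = {}, {}, []
    for r in flows:
        key = (r["SrcDevice"], r["DstDevice"])
        if key in last:
            gap = r["Time"] - last[key]
            if key in shortest and gap < shortest[key]:
                alerts.append((r["Time"], key, gap))
            else:
                shortest[key] = min(gap, shortest.get(key, gap))
        last[key] = r["Time"]
    return alerts
```

On the sample, the first four flows (gaps of 330, 510 and 510 seconds, about 41 packets returned each) raise no alert, while the last two trip both indicators; on real data the per-client baseline should be built from a known-benign window before alerting.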
Future work
Attacks that APTs execute include, but are not limited to, reconnaissance, DDoS, ransomware, infiltration and data exfiltration. These are targeted cyberattacks that can remain undetected for long periods of time. Consequently, understanding how to increase the accuracy of detecting and predicting an APT attack is necessary for protecting an IT network.
The MITRE ATT&CK framework describes current tactics and techniques used by APTs and has recently been used to develop baseline machine learning (ML) models to predict APT attacks. Ensemble Learning (EL), which aggregates predictions produced by multiple baseline ML models, has been shown to achieve a higher detection accuracy than baseline ML models in intrusion detection systems.
Several recent advances in network traffic generators enable efficient generation of network attack traffic for detecting and predicting these attacks. As such, these advances present an excellent opportunity to apply the MITRE ATT&CK framework, ensemble learning and network traffic generators to detect and predict APT attacks.
In our future work, we plan to develop solutions to address the following challenges: (a) understand how APT attacks occur in IT networks by modelling APT attacks within a sandbox based on an adversary’s tactics and techniques described in the MITRE ATT&CK framework, (b) apply network traffic generators such as Breaking Point and Open Traffic Generator within a sandbox to generate network attack traffic and obtain synthetic data, (c) develop cyberattack predictors using ensembles of ML and deep learning models, (d) evaluate cyberattack predictors using standard evaluation metrics, and (e) validate these cyberattack predictors on synthetic data, existing open-source labelled network data and real-world network data from BT’s networks.
Outcomes/outputs
There are two outputs from this project, summarised below:
Three Python scripts that use the Recurrent Neural Network (RNN), Long Short-Term Memory (LSTM) and Temporal Convolution Network (TCN) algorithms were implemented. These scripts were shared with BT during the secondment.
A new research paper is currently being written, and BT will be included as a co-author. This paper investigates the ability of an ensemble of regression models to increase the detection accuracy of reflection DDoS attacks. The identification of false positive network events, which was the second activity that I conducted with BT during my secondment, will be discussed in this paper. The plan is to complete a first draft by the end of September 2025, obtain feedback from BT and then submit the paper for consideration by a good journal such as the International Journal of Information Security (Springer).