Advanced Persistent Threat Detection using Anomaly Score Calibration and Multi-class Classification




Soh, Ornella Lucresse




Organisations worldwide continue to face a diverse range of attacks. Traditionally, these have been opportunistic attacks that act quickly against weaker targets whenever possible. Over the past decade, however, advanced persistent threats (APTs) have emerged: targeted, long-term campaigns carried out by skilled and determined attackers with clearly defined objectives who work relentlessly towards them. APT breaches can go undetected for long periods because the attackers adapt to, and evade, defensive measures. In this paper, we present a new approach to establishing whether a security event is part of an APT attack by predicting the corresponding kill chain stage. For monitored security activity and events, the approach derives a probabilistic anomaly score using principal component analysis (PCA) followed by score calibration, and then classifies the event with a multi-class Bayesian network (BN). We evaluate the proposed model on two different public APT datasets, with very encouraging results in accurately detecting APT event occurrences and their stages.
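As an added illustration (not the dissertation's own code or data), the following Python sketches one concrete way the pipeline described above can fit together: a PCA residual score on standardised event features, calibration of that raw score into a probability using the benign baseline's empirical CDF, and a naive-Bayes classifier (the simplest Bayesian network) that predicts a kill-chain stage from the discretised evidence. The feature names, stage labels, thresholds, baseline rows and labelled events are all constructed assumptions; the abstract does not state which calibration method or BN structure the paper actually uses.

```python
"""Added example, not the dissertation's code: PCA residual anomaly score ->
empirical-CDF calibration -> naive-Bayes (minimal Bayesian network) stage classifier.
Every feature, stage label, threshold and data row is a constructed assumption."""
import math

# Assumed per-event features: connections/min, bytes_out_kB, failed_logins, new_processes
FEATURES = ["conn", "bytes", "logins", "procs"]

# Constructed benign baseline: conn and bytes are strongly correlated; logins and
# procs vary independently at low levels. A real baseline comes from monitored data.
BASELINE = [[5 + 0.25 * i, 50 + 2.5 * i + (i % 5 - 2), (i % 3) * 0.3, (i % 4) * 0.5]
            for i in range(40)]


class PcaAnomalyModel:
    """Raw score = squared residual outside the top-k principal components (SPE / Q
    statistic). Calibrated score = smoothed empirical CDF of the baseline's own raw
    scores, i.e. an estimate of P(a benign event scores no higher than this one)."""

    def __init__(self, baseline, k=1):
        n, d = len(baseline), len(baseline[0])
        self.mu = [sum(r[j] for r in baseline) / n for j in range(d)]
        self.sd = [math.sqrt(sum((r[j] - self.mu[j]) ** 2 for r in baseline) / (n - 1)) or 1.0
                   for j in range(d)]
        Z = [self.standardize(r) for r in baseline]
        cov = [[sum(z[i] * z[j] for z in Z) / (n - 1) for j in range(d)] for i in range(d)]
        self.components = self._top_components(cov, k)
        self.baseline_scores = sorted(self.raw_score(r) for r in baseline)

    def standardize(self, x):
        return [(x[j] - self.mu[j]) / self.sd[j] for j in range(len(x))]

    @staticmethod
    def _top_components(cov, k, iters=500):
        """Power iteration with deflation: the k leading unit eigenvectors of cov."""
        d = len(cov)
        C = [row[:] for row in cov]
        comps = []
        for _comp in range(k):
            v = [1.0 / math.sqrt(d)] * d
            for _it in range(iters):
                w = [sum(C[i][j] * v[j] for j in range(d)) for i in range(d)]
                norm = math.sqrt(sum(x * x for x in w))
                if norm == 0.0:
                    break
                v = [x / norm for x in w]
            lam = sum(v[i] * C[i][j] * v[j] for i in range(d) for j in range(d))
            comps.append(v)
            for i in range(d):  # deflate so the next pass finds the next eigenvector
                for j in range(d):
                    C[i][j] -= lam * v[i] * v[j]
        return comps

    def raw_score(self, x):
        z = self.standardize(x)
        resid = z[:]
        for v in self.components:
            proj = sum(z[j] * v[j] for j in range(len(z)))
            resid = [resid[j] - proj * v[j] for j in range(len(z))]
        return sum(r * r for r in resid)

    def probability(self, x):
        s = self.raw_score(x)
        n_le = sum(1 for b in self.baseline_scores if b <= s)
        return (n_le + 0.5) / (len(self.baseline_scores) + 1)  # stays strictly inside (0, 1)


def evidence(model, x):
    """Discretise an event into the node values the stage classifier consumes.
    The z-score and probability thresholds are assumptions, not from the paper."""
    z = model.standardize(x)
    ev = {f: ("high" if z[j] > 3.0 else "normal") for j, f in enumerate(FEATURES)}
    p = model.probability(x)
    ev["anomaly"] = "high" if p > 0.95 else ("medium" if p > 0.8 else "low")
    return ev


class NaiveBayesStages:
    """One class node (kill-chain stage) with conditionally independent evidence
    nodes; Laplace smoothing (alpha) keeps unseen evidence values non-zero."""

    def __init__(self, labelled, alpha=1.0):
        self.alpha, self.counts, self.values, self.n_stage = alpha, {}, {}, {}
        for stage, ev in labelled:
            self.n_stage[stage] = self.n_stage.get(stage, 0) + 1
            for node, val in ev.items():
                self.values.setdefault(node, set()).add(val)
                self.counts[(stage, node, val)] = self.counts.get((stage, node, val), 0) + 1
        self.total = len(labelled)

    def posterior(self, ev):
        logp = {}
        for s, n_s in self.n_stage.items():
            lp = math.log(n_s / self.total)
            for node, val in ev.items():
                c = self.counts.get((s, node, val), 0)
                lp += math.log((c + self.alpha) / (n_s + self.alpha * len(self.values[node])))
            logp[s] = lp
        m = max(logp.values())
        w = {s: math.exp(lp - m) for s, lp in logp.items()}
        return {s: v / sum(w.values()) for s, v in w.items()}

    def predict(self, ev):
        post = self.posterior(ev)
        return max(post, key=post.get)


def build_models():
    """Fit the anomaly model on BASELINE and the classifier on constructed events
    whose stage labels are illustrative kill-chain stages (assumed, not real data)."""
    model = PcaAnomalyModel(BASELINE, k=1)
    labelled_raw = [
        ("benign", [10, 100, 0.3, 1.0]), ("benign", [8, 80, 0.0, 1.0]), ("benign", [13, 130, 0.3, 1.0]),
        ("reconnaissance", [400, 60, 0, 0]), ("reconnaissance", [900, 120, 0.3, 0.5]),
        ("reconnaissance", [300, 40, 0, 1.0]), ("lateral_movement", [11, 110, 35, 10]),
        ("lateral_movement", [9, 95, 60, 15]), ("lateral_movement", [12, 125, 25, 8]),
        ("exfiltration", [10, 4000, 0, 0.5]), ("exfiltration", [14, 9000, 0.3, 1.0]),
        ("exfiltration", [8, 2500, 0, 0]),
    ]
    clf = NaiveBayesStages([(s, evidence(model, x)) for s, x in labelled_raw])
    return model, clf


if __name__ == "__main__":
    model, clf = build_models()
    for event in ([12, 120, 0.3, 1.0], [500, 60, 0, 0], [10, 5000, 0, 1.0], [10, 100, 40, 12]):
        ev = evidence(model, event)
        print(f"{event}: anomaly p={model.probability(event):.3f} stage={clf.predict(ev)}")
```

Two practitioner caveats. First, the empirical-CDF calibration turns an unbounded residual into a percentile against benign traffic, which makes a single alert threshold meaningful across feature sets of different scale, but with only 40 baseline events the probability saturates at about 0.988, so a larger and cleaner baseline is what sharpens the top of the scale. Second, the stage classifier only learns the evidence patterns present in its labelled set; an event whose pattern matches none of them is assigned the least-bad stage with a low posterior, so the posterior value, not only the argmax, should drive triage.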



Score calibration, Multi-class classification, Bayesian network, PCA, APTs