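@article{10.1145/3696014,
author = {Buchta, Robin and Gkoktsis, George and Heine, Felix and Kleiner, Carsten},
title = {Advanced Persistent Threat Attack Detection Systems: A Review of Approaches, Challenges, and Trends},
year = {2024},
issue_date = {December 2024},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
volume = {5},
number = {4},
doi = {10.1145/3696014},
abstract = {Advanced persistent threat (APT) attacks present a significant challenge for any organization, as they are difficult to detect due to their elusive nature and characteristics. In this article, we conduct a comprehensive literature review to investigate the various APT attack detection systems and approaches and classify them based on their threat model and detection method. Our findings reveal common obstacles in APT attack detection, such as correctly attributing anomalous behavior to APT attack activities, limited availability of public datasets and inadequate evaluation methods, challenges with detection procedures, and misinterpretation of requirements. Based on our findings, we propose a reference architecture to enhance the comparability of existing systems and provide a framework for classifying detection systems. In addition, we look in detail at the problems encountered in current evaluations and other scientific gaps, such as a neglected consideration of integrating the systems into existing security architectures and their adaptability and durability. While no one-size-fits-all solution exists for APT attack detection, this review shows that graph-based approaches hold promising potential. However, further research is required for real-world usability, considering the systems' adaptability and explainability.},
journal = {Digital Threats},
month = dec,
articleno = {39},
numpages = {37},
keywords = {Cybersecurity, APT, attack detection, machine learning, artificial intelligence}
}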
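@inproceedings{10711127,
author = {Buchta, Robin and Kleiner, Carsten and Heine, Felix and Mahrenholz, Daniel and M{\"o}nks, Uwe and Trsek, Henning},
booktitle = {2024 {IEEE} 29th International Conference on Emerging Technologies and Factory Automation ({ETFA})},
title = {{GraphWatch}: A Novel Threat Hunting Approach for {APT} Activities based on Anomaly Detection},
year = {2024},
pages = {1--4},
keywords = {Learning systems;Manuals;Graph neural networks;Digital twins;Critical infrastructure;Security;Information technology;Anomaly detection;Manufacturing automation;Resilience;Threat Hunting;Anomaly Detection;Cyber-Physical Systems;Graph Neural Networks},
doi = {10.1109/ETFA61755.2024.10711127}
}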
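@inproceedings{10575161,
author = {Buchta, Robin and Fritz, Tobias and Kleiner, Carsten and Heine, Felix and Dreo Rodosek, Gabi},
booktitle = {{NOMS} 2024-2024 {IEEE} Network Operations and Management Symposium},
title = {One-Class Learning on Temporal Graphs for Attack Detection in Cyber-Physical Systems},
year = {2024},
pages = {1--5},
abstract = {Various domains, including critical infrastructures, industry, and the private sector, deploy cyber-physical systems (CPS). These systems integrate IT and OT components and interact with the environment and therefore differ significantly from pure IT setups. However, CPS often operate as black boxes, hindering effective attack detection. Our research addresses the challenge of detecting attacks in CPS relying on network data and learning on normal behavior. We show the performance of two methods in use for attack detection without attack knowledge. We propose new memory update strategies that can be used in practice. Specifically, we optimize for temporal graphs using graph neural networks (GNN) to capture system behavior. Negative sampling helps to use one-class learning. Our results show that a temporal graph network (TGN), combined with negative sampling, is suitable for one-class learning and can be used for attack detection. Additionally, a simple heuristic suffices for detecting basic attacks. Notably, existing benchmark datasets do not adequately support one-class learning, highlighting the need for tailored evaluation.},
keywords = {Industries;Image edge detection;Training data;Intrusion detection;Focusing;Cyber-physical systems;Graph neural networks;Anomaly Detection;Temporal Graph Neural Networks;Network Attack Detection;Cyber-Physical Systems},
doi = {10.1109/NOMS59830.2024.10575161}
}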
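@inproceedings{10.1007/978-3-031-57540-2_3,
author = {Gesell, Jan Eske and Buchta, Robin and Dangendorf, Kilian and Franzke, Pascal and Heine, Felix and Kleiner, Carsten},
editor = {Mosbah, Mohamed and S{\`e}des, Florence and Tawbi, Nadia and Ahmed, Toufik and Boulahia-Cuppens, Nora and Garcia-Alfaro, Joaquin},
title = {Comparative Analysis of Reduction Methods on Provenance Graphs for {APT} Attack Detection},
booktitle = {Foundations and Practice of Security},
year = {2024},
publisher = {Springer Nature Switzerland},
address = {Cham},
pages = {28--39},
abstract = {Data reduction is a critical aspect of current research in advanced persistent threat attack detection. The challenge is handling the huge amount of data generated by system logging, which exposes dependencies among system entities, often depicted as provenance graphs. Data reduction methods aim to reduce the data size of provenance graphs, but their evaluation on non-public datasets limits the results' transferability and general applicability. This study compares state-of-the-art reduction methods for APT Attack Detection on publicly available provenance graph datasets, exploring their dependencies on graph characteristics and attack detection methods. One outcome of the work is that the effectiveness of many reduction methods depends highly on the underlying data. And secondly, using a reduction method does not necessarily negatively affect detection quality.},
isbn = {978-3-031-57540-2},
doi = {10.1007/978-3-031-57540-2_3}
}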