Advanced Persistent Threat(APT) has posed great challenges for various organizations and large businesses. These campaigns plan attacks against organizations or businesses for political or economic purposes. Actors of these campaigns are highly skilled in planning a cyber attack. These attack charactersitics make it difficult for traditional intrusion detection systems and antiviruses to detect them. Despite the occurrence of various incidents by these campaigns and numerous researches in this regard, the issue of APT detection is still an open problem in cyber security. Given the importance of the issue, it seems necessary to conduct more research and provide solutions that are also applicable in real world scenarios. Therefore, in this thesis, we try to provide a model and solution to deal with and detect these attacks. In designing the proposed model, we have tried to consider all the features of this type of attack such as slow, long in terms of time and use of zero day vulnerabilities and provide a proprietary model for APT. In this dissertation, a three-layer intrusion detection system called ARNicon is presented, which uses different processing techniques to detect this type of attack in an acceptable time. The three layers of this system form a cooperation framework in which the first layer processes data, the second layer with graph processing, statistical methods and cluster analysis and the last layer with cyber situation awareness and cognitive processing work together to detect attacks. To the best of our knowledge, this is the first research that forms a cooperation framework between statistical, learning and cognitive models for APT detection in semi real-time. Model eva‎luation is performed using large and valid datasets for APT detection systems such as DARPA and other datasets designed by recent researches. Model eva‎luation using large and valid datasets for X-detection systems such as DARPA and other datasets designed by recent researches shows that this system is able to detect APT with high efficiency and accuracy. Also, a comparison of the proposed solution with previous solutions in the field of APT detection shows that this system has been able to overcome some of the weaknesses of previous solutions. The model is designed in such a way that it is easy to add different modules to it.

علي فانيان

محمدحسين منشئي , مريم موزراني