Construction of Index System Based on Advanced Persistent Threat

Abstract: With the proliferation of advanced persistent threats (APT), evaluating the effect of APT attacks is playing an increasingly important role in cyberspace. As one of the hot issues of network security, evaluating the attack effect makes it possible to quantify the harm caused by an APT, and specific countermeasures can then be derived from the evaluation results. A lot of work has been done on index systems for network attack effect evaluation. However, a significant barrier to the evaluation of APT attack effect is that the existing index systems are either built from the point of view of the overall network security situation or customized for a single attack weapon. In this paper, an evaluation index system is proposed by analysing the features of APT. Through this index system, we can not only quantify the effect of an APT attack but also observe the capabilities of an APT from several angles. We then use the analytic hierarchy process (AHP) to model the evaluation process and calculate the weight of each indicator. Finally, the Ukrainian power outages are taken as an example to validate the proposed index system. The experimental results verify the effectiveness of the index system.


Introduction
With the rapid development of computer technology, the role of computer networks has become more and more important. However, as network size expands and related technologies develop, the forms and means of cyber security threats are constantly changing, and network security has become a bottleneck restricting the informatization of society. Advanced Persistent Threat (APT) is one of the hot topics in the field of network security. An APT is a form of network attack in which advanced attack means are used against a specific target over a long, continuous period. Almost every network attack technique can be applied in an APT, so defending against APT remains a difficult problem in the field of network security.
Assessing the effectiveness of network attacks quantifies the attacks and allows reasonable recommendations to be given according to the results, so as to achieve active defense. Therefore, we establish an APT evaluation index system and model the assessment on the basis of that index system.
The remainder of this paper is organized as follows. In section 2, we briefly review related work. In section 3, we propose an APT attack evaluation index system and model it based on AHP. In section 4 we take the Ukrainian power outages as an example to validate the model. Finally, we draw our conclusions in section 5.

Related Works
The construction of evaluation index systems for network attacks is one of the hotspots of security research both domestically and abroad, and a lot of work has been done on such index systems. Wang Juan et al. put forward 25 indicators from the perspective of the network situation [1]; Duan Bin et al. put forward a hierarchical worm hazard assessment index system based on the features of worms [2]. Wang Zhiping constructs a multi-level and multidimensional network security index system from four perspectives: the basic operation dimension, the vulnerability dimension, the threat dimension and the risk dimension [3]. Han Lansheng et al. proposed a three-level hazard evaluation index system for all computer viruses [4]. Ai Peng puts forward a three-level network evaluation index system for all types of network attacks, judged by whether systems, networks and services remain normal [5].
The work above is either built from the perspective of the network situation or considers only a single means of attack. Therefore, we propose an evaluation index system for APT from the perspective of a composite attack.

Construction of Index System
In this section, we first introduce APT and present the index system based on its features. Then, we introduce the process of data normalization and index weight calculation.

About APT
There is no uniform standard for the definition of APT. Generally, APT refers to a form of network attack in which advanced attack means are used against a specific target over a long, continuous period; its essence is a precise attack on a specific target. The term APT originated around 2005-2006, when network security engineers working with the US Air Force used it to describe certain security incidents. Some scholars believe that only a long-term, deliberate attack directed against a specific target and involving foreign organizations should be called an APT. After Operation Aurora against Google in 2009 came to light, the term APT gradually spread in the media.
Since then, all delicate and persistent attacks have been called APT. In recent years, security incidents related to APT have been increasing. Fig. 1 [6] shows the number of APT incidents in recent years.

Figure 1. Number of APT
The concept of APT has three components:
Advanced: Attackers have the ability to evade detection and to gain and maintain access to well-protected networks and sensitive information systems. They usually have sufficient resources for the attack.
Persistent: An APT is difficult to curb completely and to clear from the network system.
Threat: An APT has both the ability and the intention to attack.

Evaluation Index System of APT
According to the definition of APT and its inherent features, we propose a complete index system with five first-level indicators:
Persistent: Including not only the total duration of the attack but also the attack frequency.
Hiding Ability: The probability of being detected and whether the traces of activity are cleared completely.
Diffusibility: Including horizontal diffusion (scope of influence), vertical diffusion (privileges gained) and methods of dissemination.
Intractable: Backup mechanisms, the complexity of cleanup, and so on.
Harmfulness: By attack effect, most APTs can be divided into a paralysis class and an information theft class.
All indicators can be divided into consumption-type and gain-type indicators. For gain-type indicators, the greater the index value, the higher the evaluation; consumption-type indicators are the opposite. Consumption-type indicator values are therefore taken as negative.

Calculation
In the evaluation of attack effectiveness, the calculation mainly includes data normalization and index weight calculation.

Data Normalization
Normalization is also known as quantification. Raw data often have different dimensions (units and scales), so the raw data must be normalized to eliminate these differences. We divide the indicators into quantitative indicators and qualitative indicators, whose normalization methods differ. Since data normalization is not the main work of this study, we only briefly introduce the normalization of these two types of data.

Normalization of Quantitative Indicators
Quantitative indicators are assessment indicators that can be defined quantitatively and measured accurately. They are usually integer or floating-point values.
For the normalization of quantitative indicators, we use a linear (min-max) normalization method. The normalized formula is
$X' = \frac{X - X_{\min}}{X_{\max} - X_{\min}}$
In this formula, $X$ is the value of the current indicator, $X'$ is the value after normalization, and $X_{\max}$ and $X_{\min}$ are respectively the maximum and minimum values of the range under consideration.

Normalization of Qualitative Indicators
Qualitative indicators are indicators that cannot be analyzed and evaluated directly from measured data; the object of evaluation is analyzed descriptively and the result is expressed as a judgment.
In general, qualitative indicators can be classified into Boolean types and level types. For Boolean types, we convert "True" to 1 and "False" to 0. For level types, the normalization is shown in Table II.

Weight Calculation
We use AHP to calculate the index weights. AHP is a systematic analysis method proposed by the American operations researcher T. L. Saaty [7], and a great deal of work has already used it for weight calculation. Due to space constraints, we do not elaborate on AHP and only describe the calculation of the weights of the indicators under U400.
The scale of the judgment matrix is shown in Table III. When the second factor is compared against the first, the reciprocal of the corresponding value is used.

Table 3. Scale of Judgment Matrix
Scaling      Meaning
1            The two factors are equally important
3            One factor is slightly more important than the other
5            One factor is obviously more important than the other
7            One factor is strongly more important than the other
9            One factor is extremely more important than the other
2, 4, 6, 8   Intermediate values between two adjacent judgments
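The two normalization rules above and the AHP weighting on the Table 3 scale, carried through in Python as an added example that is not the paper's own code. The five first-level dimensions are the paper's; the pairwise judgments, the level-to-value mapping that stands in for Table II, and the indicator levels of the scored case are constructed assumptions for illustration. The block also computes Saaty's consistency ratio for the judgment matrix, a check the paper does not describe but which any AHP weighting should pass (CR below 0.1).

```python
"""Added example: AHP weighting and indicator normalization for the APT
index system. Judgment values and indicator levels are constructed
assumptions, not values taken from the paper."""
from typing import Dict, List, Tuple, Union

# The paper's five first-level indicators.
DIMENSIONS = ["Persistent", "Hiding Ability", "Diffusibility",
              "Intractable", "Harmfulness"]

# Pairwise judgments on the 1-9 scale of Table 3: (row, column) -> how much
# more important `row` is than `column`. Constructed, not the paper's.
EXAMPLE_JUDGMENTS = {
    ("Harmfulness", "Persistent"): 3, ("Harmfulness", "Hiding Ability"): 2,
    ("Harmfulness", "Diffusibility"): 3, ("Harmfulness", "Intractable"): 4,
    ("Hiding Ability", "Persistent"): 2, ("Hiding Ability", "Diffusibility"): 2,
    ("Hiding Ability", "Intractable"): 3, ("Diffusibility", "Persistent"): 1,
    ("Diffusibility", "Intractable"): 2, ("Persistent", "Intractable"): 2,
}

# Saaty's random consistency index RI, indexed by matrix order n.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}

# Assumed level-to-value mapping for level-type indicators (Table II is not
# reproduced in the text; these numbers are a stand-in).
LEVELS = {"very low": 0.1, "low": 0.3, "medium": 0.5, "high": 0.7, "very high": 0.9}


def judgment_matrix(judgments: Dict[Tuple[str, str], float],
                    names: List[str]) -> List[List[float]]:
    """Expand upper-triangular judgments into a positive reciprocal matrix:
    a_ij = v, a_ji = 1/v, a_ii = 1."""
    idx = {name: i for i, name in enumerate(names)}
    n = len(names)
    m = [[1.0] * n for _ in range(n)]
    for (row, col), v in judgments.items():
        if v <= 0:
            raise ValueError("judgments must be positive")
        i, j = idx[row], idx[col]
        m[i][j], m[j][i] = float(v), 1.0 / v
    return m


def ahp_weights(m: List[List[float]], iterations: int = 200) -> Tuple[List[float], float]:
    """Principal eigenvector of m by power iteration, normalized to sum 1.
    Because sum(w) == 1 and m @ w ~= lambda_max * w near convergence,
    sum(m @ w) is the lambda_max estimate. Returns (weights, lambda_max)."""
    n = len(m)
    w = [1.0 / n] * n
    lam = float(n)
    for _ in range(iterations):
        mw = [sum(m[i][j] * w[j] for j in range(n)) for i in range(n)]
        lam = sum(mw)
        w = [x / lam for x in mw]
    return w, lam


def consistency_ratio(lam: float, n: int) -> float:
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); CR < 0.1 is the
    customary acceptance threshold for a judgment matrix."""
    if n <= 2:
        return 0.0
    return ((lam - n) / (n - 1)) / RANDOM_INDEX[n]


def normalize_quantitative(x: float, lo: float, hi: float,
                           consumption: bool = False) -> float:
    """Min-max normalization of x onto [0, 1] over the range [lo, hi]; values
    outside the range are clipped. Consumption-type indicators are negated."""
    if hi <= lo:
        raise ValueError("range must satisfy lo < hi")
    v = (min(max(x, lo), hi) - lo) / (hi - lo)
    return -v if consumption else v


def normalize_qualitative(value: Union[bool, str]) -> float:
    """Boolean indicators map True/False to 1/0; level-type use LEVELS."""
    if isinstance(value, bool):
        return 1.0 if value else 0.0
    return LEVELS[value.strip().lower()]


def evaluate_example() -> Dict[str, float]:
    """Weight the five dimensions, check consistency, and score a constructed
    case whose levels follow the paper's verbal assessment of the Ukrainian
    outage (high hiding and harm, low persistence and intractability,
    moderate diffusion). Returns the weights, the CR and the weighted sum."""
    w, lam = ahp_weights(judgment_matrix(EXAMPLE_JUDGMENTS, DIMENSIONS))
    weights = dict(zip(DIMENSIONS, w))
    levels = {"Persistent": "low", "Hiding Ability": "high", "Diffusibility": "medium",
              "Intractable": "low", "Harmfulness": "high"}
    values = {k: normalize_qualitative(v) for k, v in levels.items()}
    result = {"cr": consistency_ratio(lam, len(DIMENSIONS)),
              "score": sum(weights[k] * values[k] for k in DIMENSIONS)}
    result.update(weights)
    return result


if __name__ == "__main__":
    for key, val in evaluate_example().items():
        print(f"{key:15s} {val:.3f}")
```

Power iteration is used instead of a linear-algebra library so the block runs without dependencies; for a perfectly consistent matrix (a_ij = w_i / w_j) it recovers the weights exactly and gives lambda_max = n, CR = 0. A CR above 0.1 means the pairwise judgments contradict each other and should be revisited before the weights are used.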

Experiment
In order to verify the validity of the proposed index system, we take the Ukrainian power outages as an example. On December 23, 2015, the Ukrainian electricity sector suffered a malicious code attack. At least three regions were affected, leading to power outages of several hours beginning around 3 p.m. local time.
According to Antiy's analysis report on the Ukrainian power outages [8], the attack was initiated by the Sandworm group, caused a large-area power outage and lasted 3 to 6 hours. It mainly used BlackEnergy and KillDisk to achieve its purpose.
Firstly, BlackEnergy encrypts itself and its installation package is named after a system process, so its static hiding ability is strong. Secondly, at runtime BlackEnergy injects itself into svchost.exe to hide. Finally, BlackEnergy's update ability is weak.
The features of KillDisk include: 1. Overwriting the MBR and parts of the disk sectors.
2. Clearing the system logs.
Given these functions, KillDisk is very destructive, but it is not difficult to remove.
Due to the high concealment of APT itself, some data cannot be obtained, such as the attack duration and the number of affected machines. Since the Ukrainian power outages were a paralysis-type attack, the total duration of the attack is taken to be shorter than that of the average APT event. The other unknown values are estimated in the same way.
In summary, the index values assigned to the Ukrainian power outages are listed in the index value table. From the analysis of the Ukrainian power outages we can see that there was no warning before the attack occurred. During the attack no new 0-day vulnerability was used and the attack time was short. After the attack, the MBR and some sectors were overwritten, the system logs were cleared and the controlled hosts could not boot. The attack dealt one-time damage to each controlled host, but the malicious code itself was not hard to remove.
The analysis above and the calculated results are basically consistent: the Ukrainian power outages show a high degree of concealment and harm, but poor persistence and intractability, and moderate diffusion. The comprehensive attack effect is moderate.

Conclusion
In this paper, an APT evaluation index system is proposed by analyzing the features of APT, and AHP is used to calculate the weights of the index system. Finally, the validity of the index system is verified by experiment.
The experimental results show that the index system can not only calculate a quantitative result for an APT, but also show the capabilities of the APT along five dimensions.