
N-Victims: An Approach to Determine N-Victims for APT Investigations


Abstract

The Advanced Persistent Threat (APT) is a sophisticated, target-oriented cyber attack aimed at accessing valuable information. The attacker leverages customized malware as the stepping stone to intrude into the enterprise network. For enterprises and forensic analysts, finding the victims and investigating them to evaluate the damage is critical, but the investigation is often limited by resources and time. In this paper, we propose an N-Victims approach that starts from a known malware-infected computer and determines the top N most likely victims. We test our approach on a real APT case that occurred in a large enterprise network consisting of several thousand computers running a commercial antivirus system. N-Victims finds more malware-infected computers than N-Gram based approaches. Among the top 20 detected computers, N-Victims also had a higher detection rate and a lower false positive rate than N-Gram based approaches.
