Сybernetic model of the advanced persisten threat

Ihor Yakoviv


The widespread use of sophisticated cyberattacks such as Advanced Persisten Threat with regard to critical infrastructure has become a powerful incentive for the development of proactive cyber defense techniques. Typical for APTs are a complex action set of malicious actor that are related time and space. Separately, these actions may not cause suspicion; targeted attack actions on the cyber segment of the victim object is being prepared for a long time (from a few months to a year or more); a set of actions of the intruder are a chain of tactics, the execution of which allows to achieve the purpose of the attack. Means of implementing tactics are varied. The set of tactics and their essence remain constant. Most of the known models of APT attacks are presented in the form of a verbal description of the stages of the APT and their semantic content. The disadvantage of such models is the impossibility of direct application in the SIEM due to the lack of a common basis for the algorithmization of actions during the attack stages. At the base of another group of models are different mathematical constructions that allow one to represent large-scale actions of an attacker in the form of one complex mathematical process. As a rule, such models are difficult to associate with technological processes for monitoring events in real time. From the standpoint of automating the detection of attacks, the first task is to develop such APT models that allow you to algorithmize the process of generating compromise indicators based on a reasoned correlation of events over time and space. The article is devoted to the development of a new model of APT based on a cybernetic approach. This allows you to imagine an attack in the form of a behavior trajectory of a controlled (cybernetic) system. Within the framework of the model, the behavior of the attacker cybernetic system was presented through a mathematical description of information management processes and the iterative relationship between adjacent phases (states) of the cybernetic system. This approach allows the attack to be presented in the form of a hierarchical structure: the upper level is a sequence of verbal stages of an attack; the middle level is a sequence of phases of the cybernetic system; lower level is a sequence of control loop procedures. Procedures are elementary events (transmitted data and computational processes) that are detected by security sensors at the nodes of a computer network. The model allows us to represent each attack as a set of interrelated characteristics of elementary events at the nodes of a computer network. Such a set (APT pattern) can be applied within the framework of automated attack detection using SIEM tools in proactive cyber defense systems.


Cyber defense; cybersecurity operation center; advanced persistent threat; targeted attack; cybernetic model; proactive defense strategy; correlation of cyberspace events; indicators of compromise; automated attack detection


P. Chen, and L. Desmet, and C. Huygens, “A study on Advanced Persistent Threats”, in Proc. 15th IFIP TC 6/TC 11 International on Conference Communications and Multimedia Security, Aveiro, Portugal, 2014, pp. 63-72. doi: 10.1007/978-3-662-44885-4_5.

E. M. Hutchins, M. J. Clopperty, and R. M. Amin, “Intelligence-Driven Computer Network Defense”, Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. Lockheed Martin Corporation, 2009. [Online]. Available: content/dam/lockheed/data/corporate/documents/ LM-White-Paper-Intel-Driven-Defense.pdf.

“Mandiant M-Trends: The Advanced Persistent Threat”. Mandiant, 2010. [Online]. Available:

D. Whitehead, K. Owens, D. Gammel, and J. Smith, “Schweitzer. Ukraine Cyber-Induced Power Outage: Analysis and Practical Mitigation Strategies”. Engineering Laboratories, Inc. Published in Wide-Area Protection and Control Systems: A Collection of Technical Papers Representing Modern Solutions”, in Proc. 70th Annual Conference for Protective Relay Engineers, 2017. [Online]. Available: doi: 10.1109/CPRE.2017.8090056.

S. Camtepe, and B. Yener, “Modeling and detection of complex attacks”, in. Proc. 3th International Conference on Security and Privacy in Communications Networks and the Workshops, Nice, 2007. pp. 234-243. doi: 10.1109/SECCOM.2007.4550338.

F. Arnold, H. Hermanns, R. Pulungan, and M. Stoelinga, “Time-dependent analysis of attacks”, Principles of Security and Trust, Lecture Notes in Computer Science, vol. 8414, pp. 285-305, 2014. [Online]. Available: doi: 10.1007/978-3-642-54792-8_16.

O. Flåten, and M. Lund, “How good are attack trees for modelling advanced cyber threats?”, in Proc. Norwegian Information Security Conference, Fredrikstad, 2014, pp. 1-4.

J. Navarro, V. Legrand, and al., “HuMA: A multi-layer framework for threat analysis in a heterogeneous log environment”, in Proc. International Symposium on Foundations and Practice of Security, Schiltigheim, 2015. [Online]. Available:

P. Giura, and W. Wang, “Using large scale distributed computing to unveil advanced persistent threats”, SCIENCE, no. 1 (3), pp. 93-105, 2013.

Z. Cui, I. Herwono, P. Kearney, “Multi-stage attack modeling”, in Proc. of Cyberpatterns, Abingdon, 2013, pp. 78-89.

I. Yakoviv, “The base model of informational processes of management and safety criteria for cybernetic systems”, Іnformation technology and security, vol. 3, iss. 1(4), pp.68-73, 2015.

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.

ISSN 2411-1031 (Print), ISSN 2518-1033 (Online)