DOI: 10.14569/IJACSA.2024.0150999

A Relevant Feature Identification Approach to Detect APTs in HTTPS Traffic

Author 1: Abdou Romaric Tapsoba
Author 2: Tounwendyam Frederic Ouedraogo

International Journal of Advanced Computer Science and Applications(IJACSA), Volume 15 Issue 9, 2024.

Abstract: This study addresses the significant challenges posed by Advanced Persistent Threats (APTs) in modern computer networks, particularly their use of DNS to establish covert communication via command and control (C&C) servers. The advent of TLS 1.3 encryption further complicates detection efforts, as critical data within DNS over HTTPS (DoH) traffic remains inaccessible, and decryption would compromise user privacy. APTs frequently leverage Domain Generation Algorithms (DGAs), necessitating real-time detection solutions based on immediately accessible features within HTTPS traffic. Current research predominantly focuses on system-level behavioral analysis, often neglecting the proactive potential offered by Cyber Threat Intelligence (CTI), which can reveal malicious patterns through Techniques, Tactics, and Procedures (TTPs) and Indicators of Compromise (IoCs). This study proposes an innovative approach utilizing the MITRE ATT&CK framework to identify relevant features in the face of encryption and the inherent complexity of APT activities. The primary objective is to develop a robust dataset and methodology capable of detecting APT behaviors throughout their lifecycle, emphasizing a lightweight, cost-effective solution through passive monitoring of network traffic to ensure real-time detection. The key contributions of this research include an in-depth analysis of the encryption challenges in detecting DNS-based APTs, a thorough examination of APT attack strategies using DNS, and the integration of CTI to enhance detection capabilities. Moreover, this study introduces the KAPT 2024 dataset, generated by the KExtractor tool, and demonstrates the effectiveness of the detection model through experiments with a variety of machine learning algorithms. The results underscore the potential for this approach to significantly improve APT detection in encrypted network environments.

Keywords: DNS over HTTPS; advanced persistent threats; machine learning; cyber threat intelligence; MITRE ATT&CK; domain generation algorithms

Abdou Romaric Tapsoba and Tounwendyam Frederic Ouedraogo, “A Relevant Feature Identification Approach to Detect APTs in HTTPS Traffic” International Journal of Advanced Computer Science and Applications(IJACSA), 15(9), 2024. http://dx.doi.org/10.14569/IJACSA.2024.0150999

@article{Tapsoba2024,
title = {A Relevant Feature Identification Approach to Detect APTs in HTTPS Traffic},
journal = {International Journal of Advanced Computer Science and Applications},
doi = {10.14569/IJACSA.2024.0150999},
url = {http://dx.doi.org/10.14569/IJACSA.2024.0150999},
year = {2024},
publisher = {The Science and Information Organization},
volume = {15},
number = {9},
author = {Abdou Romaric Tapsoba and Tounwendyam Frederic Ouedraogo}
}


Copyright Statement: This is an open access article licensed under a Creative Commons Attribution 4.0 International License, which permits unrestricted use, distribution, and reproduction in any medium, even commercially as long as the original work is properly cited.

IJACSA

Upcoming Conferences

IntelliSys 2025

28-29 August 2025

Future Technologies Conference 2025

6-7 November 2025

Healthcare Conference 2026

21-22 May 2026

Computing Conference 2026

9-10 July 2026

IntelliSys 2026

3-4 September 2026

Computer Vision Conference 2026

15-16 October 2026