
Table 11 APT scenarios in generated dataset

From: Big knowledge-based semantic correlation for detecting slow and low-level advanced persistent threats

The three columns Multi-step, Low-level and Slow are grouped under the header "Attack type" in the original table.

| # | Adapted from | Multi-step | Low-level | Slow | Propagation channels | Purpose of function | Attack duration | Special feature |
|---|---|---|---|---|---|---|---|---|
| 1 | Project Sauron APT [20] | \(\checkmark\) | \(\checkmark\) | \(\checkmark\) | Internet and USB device | Sabotage | 7 months | Bypass air-gapped network |
| 2 | Flame APT [62] | \(\checkmark\) | \(\checkmark\) | \(\checkmark\) (very slow) | Internet | Data theft | 11 months | Low-level data exfiltration |
| 3 | Shamoon [63] and StoneDrill [64] APT | \(\checkmark\) | \(\checkmark\) | \(\checkmark\) | Internet and LAN spreading | Data wiping | 5 months | Code injection |
| 4 | WannaCry APT [65] | \(\checkmark\) | \(\checkmark\) | – | Internet | Ransomware | 1 day | Exploits |
| 5 | Cloud Atlas [66] and Red October [67] APT | \(\checkmark\) | \(\checkmark\) | \(\checkmark\) (very slow) | Internet and USB device | Data theft | 15 months | Exploits, social engineering |
| 6 | Cloud Atlas [66] and Red October [67] APT | \(\checkmark\) | \(\checkmark\) | – | Internet and USB device | Data theft | 1 month | Exploits, social engineering |
| 7 | Poseidon APT [68] | \(\checkmark\) | \(\checkmark\) | – | Internet | Remote control | 1 month | Backdoor and code injection |
| 8 | Dark hotel [69] | \(\checkmark\) | \(\checkmark\) | \(\checkmark\) (very slow) | Internet | Surveillance | 14 months | Stolen digital certificates |
| 9 | Dark hotel [69] | \(\checkmark\) | \(\checkmark\) | \(\checkmark\) | Internet | Surveillance | 9 months | Stolen digital certificates |