Advanced Persistent Threats (APTs) involve attackers maintaining a long-term presence on victim systems, leading to the stealthy exfiltration of sensitive data during network transfers. Despite existing methods to detect and halt APT data exfiltration, these attacks continue to pose significant threats to sensitive information and result in substantial commercial losses. Current approaches primarily focus on preemptive measures, which are insufficient once early-stage detection fails, because they lack continuous monitoring. We propose an effective and efficient network monitoring method to address this gap and detect APT exfiltration while the data transfer is in progress. Our approach assumes the presence of an undetected APT attacker within the victim system. We examine data exfiltration across three exfiltration traffic environments: exfiltration over command-and-control channels, exfiltration over transfer size limitations, and their combination. We introduce two detection metrics: Package Transfer Rate and Byte Transfer Rate. Using these metrics, we measure network traffic, categorize APT attack environments, and train deep neural network models, named EDXGB, using ensembled decision trees to predict APT exfiltration. Our method is validated on two public datasets and compared against six baseline methods. Additionally, we simulate real-world exfiltration scenarios by creating the three exfiltration traffic environments for each dataset. The results demonstrate that our method effectively detects APT exfiltration across various network environments, enhancing data protection and secure transfer. The code is open source and available at Visa.
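To make the two metrics concrete, the following is an added example that is not part of the paper or its released code. It assumes definitions the abstract does not give (packets and bytes totalled per source host over a fixed time window, divided by the window length), uses constructed flow records rather than the paper's datasets, and replaces the trained EDXGB model with a fixed rule so the shape of a size-limited (chunked) transfer can be compared with a bulk download.

```python
from collections import defaultdict

# Constructed flow records (not drawn from the paper's datasets):
# (timestamp_seconds, src_host, dst_host, bytes, packets)
FLOWS = [
    # 10.0.0.5: one bulk download, few flows with large packets
    (0.5, "10.0.0.5", "198.51.100.7", 1_200_000, 820),
    (3.2, "10.0.0.5", "198.51.100.7", 900_000, 610),
    # 10.0.0.8: size-limited transfer, one small fixed-size chunk per second
] + [(float(t), "10.0.0.8", "203.0.113.9", 4_000, 40) for t in range(10)]


def transfer_rates(flows, window_s=10.0):
    """Package Transfer Rate (packets/s) and Byte Transfer Rate (bytes/s)
    per (src_host, window index).  Assumed definitions: totals over a fixed
    window divided by its length; the abstract names the metrics only."""
    totals = defaultdict(lambda: [0, 0, 0])  # packets, bytes, flow count
    for ts, src, _dst, nbytes, npkts in flows:
        key = (src, int(ts // window_s))
        totals[key][0] += npkts
        totals[key][1] += nbytes
        totals[key][2] += 1
    return {
        key: {
            "pkt_rate": pkts / window_s,
            "byte_rate": nbytes / window_s,
            "bytes_per_pkt": nbytes / pkts,
            "flows": nflows,
        }
        for key, (pkts, nbytes, nflows) in totals.items()
    }


def classify(features):
    """Stand-in for the trained model (assumption, not the paper's rule):
    many flows of small packets at a steady packet rate is the footprint of
    chunked exfiltration; a bulk download has few flows and large packets."""
    if (features["flows"] >= 5 and features["bytes_per_pkt"] < 200
            and features["pkt_rate"] > 20):
        return "size-limited exfiltration"
    return "benign"


def detect(flows, window_s=10.0):
    """Label every (src_host, window) seen in the flow records."""
    return {key: classify(f) for key, f in transfer_rates(flows, window_s).items()}


if __name__ == "__main__":
    for key, label in detect(FLOWS).items():
        print(key, label)
```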