
By Amir Averbuch and Gabi Siboni
INSS – CYBER Warfare Program


APT Protection Via Anomaly Detection, ThetaRay

The classic defense methods employed throughout the world in recent decades are proving unsuccessful in halting modern malware attacks that exploit unknown (and therefore still unpatched) security flaws called “zero-day vulnerabilities.” Viruses, worms, backdoors, and Trojan horses (remote management/access tools, RATs) are some examples of these attacks on the computers and communications networks of large enterprises and of providers of essential and critical infrastructure and services.

The classic defense methods, which include firewall-based software and hardware tools, signatures and rules, antivirus software, content filters, intrusion detection systems (IDS), and the like, have completely failed to defend against unknown threats such as those based on zero-day vulnerabilities or other new threats. These sophisticated and stealthy threats impersonate legitimate, trusted information and data in the system, and as a result the classic defense methods do not provide the necessary defense. Current defensive systems usually protect against known attacks, building heuristic solutions from known signatures and from the analysis of attacks that have already been seen, but they are useless against the increasing number of unfamiliar attacks that lack any signature. Solving this problem requires different thinking and different solutions.

This article proposes an up-to-date approach, based on analysis of the sensitive information that must be protected, for the purpose of identifying anomalous behavior. The analyzed information includes an organization’s data silos, used as a means of recognizing unusual (anomalous) activity that in most cases indicates the presence of malware in the system. The article further proposes relying on the data to be protected as the source of knowledge from which the defense system is developed. Analysis of massive data (big data analytics) will make it possible to identify such malware while constructing a model that offers a high degree of reliability in detection and minimizes false positives, which pose a challenge to every defense system.
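To make the contrast the abstract draws concrete, here is an added illustration (not ThetaRay's product logic and not code from the authors): a signature lookup against a known-bad destination list, beside an anomaly detector that profiles each host's own outbound traffic with robust statistics (median and median absolute deviation) and flags deviations from that profile. The host names, domains, byte counts and labels are constructed for the example; the `malicious` field exists only so the script can measure the false-positive rate and pick a threshold, which is the calibration challenge the abstract mentions. The novel exfiltration has no signature and is caught only by the anomaly model; the low-volume contact with a known command-and-control domain is caught only by the signature; the legitimate backup spike shows where the anomaly model still produces a false positive.

```python
from statistics import median
from typing import Dict, List, Set, Tuple

# Constructed sample records (hypothetical hosts and domains). The "malicious"
# label is ground truth for evaluation only; production telemetry has no such field.
def _rows(host: str, volumes: List[int], dest: str = "cdn.example", malicious: bool = False) -> List[dict]:
    return [{"host": host, "bytes": b, "dest": dest, "malicious": malicious} for b in volumes]

RECORDS: List[dict] = (
    _rows("ws-01", [1000, 1100, 1050, 1200, 980, 1150, 1020, 1090, 1010, 1130])
    + _rows("ws-01", [52000], dest="unseen.example", malicious=True)    # novel exfiltration, no signature exists
    + _rows("ws-02", [2000, 2100, 1950, 2050, 2020, 1980, 2150, 2010, 2090, 1970])
    + _rows("ws-02", [2030], dest="known-bad.example", malicious=True)  # normal volume, but a listed C2 domain
    + _rows("srv-01", [5000, 5100, 4900, 5050, 5200, 4950, 5020, 5080, 4980, 5150])
    + _rows("srv-01", [30000], dest="backup.example")                   # legitimate nightly backup (benign spike)
)

# Stand-in for a signature feed: the classic, known-attack approach.
KNOWN_BAD_DESTINATIONS: Set[str] = {"known-bad.example"}


def signature_hits(records: List[dict]) -> List[dict]:
    """Classic detection: match against what is already known."""
    return [r for r in records if r["dest"] in KNOWN_BAD_DESTINATIONS]


def build_baseline(records: List[dict]) -> Dict[str, Tuple[float, float]]:
    """Per-host (median, MAD) of outbound bytes. Robust statistics are used so a
    few malicious records inside the history cannot drag 'normal' towards themselves."""
    by_host: Dict[str, List[int]] = {}
    for r in records:
        by_host.setdefault(r["host"], []).append(r["bytes"])
    baseline: Dict[str, Tuple[float, float]] = {}
    for host, vals in by_host.items():
        med = median(vals)
        mad = median(abs(v - med) for v in vals)
        baseline[host] = (med, mad)
    return baseline


def robust_score(record: dict, baseline: Dict[str, Tuple[float, float]]) -> float:
    """One-sided robust z-score: how far above its own host's norm this record is.
    0.6745 rescales MAD so the score behaves like a standard z-score under normal behaviour."""
    med, mad = baseline[record["host"]]
    if mad == 0:
        return 0.0 if record["bytes"] <= med else float("inf")
    return 0.6745 * (record["bytes"] - med) / mad


def anomalies(records: List[dict], baseline: Dict[str, Tuple[float, float]], threshold: float) -> List[dict]:
    return [r for r in records if robust_score(r, baseline) > threshold]


def false_positive_rate(records: List[dict], flagged: List[dict]) -> float:
    benign = [r for r in records if not r["malicious"]]
    fp = sum(1 for r in flagged if not r["malicious"])
    return fp / len(benign) if benign else 0.0


def choose_threshold(records: List[dict], baseline: Dict[str, Tuple[float, float]], max_fpr: float,
                     candidates: Tuple[float, ...] = (2.0, 3.0, 4.0, 5.0, 8.0)) -> float:
    """Lowest candidate threshold whose false-positive rate on labelled history fits the budget."""
    for t in candidates:
        if false_positive_rate(records, anomalies(records, baseline, t)) <= max_fpr:
            return t
    return candidates[-1]


def combined_detections(records: List[dict], max_fpr: float = 0.05) -> Tuple[float, List[dict]]:
    """Union of signature hits and anomaly hits, with the anomaly threshold calibrated to max_fpr."""
    baseline = build_baseline(records)
    t = choose_threshold(records, baseline, max_fpr)
    flagged = {id(r): r for r in signature_hits(records)}
    for r in anomalies(records, baseline, t):
        flagged[id(r)] = r
    return t, list(flagged.values())


if __name__ == "__main__":
    threshold, hits = combined_detections(RECORDS)
    print(f"threshold={threshold}")
    for r in hits:
        print(f"{r['host']:7s} {r['bytes']:>6d} bytes -> {r['dest']}  malicious={r['malicious']}")
```

Running the script calibrates the threshold to 3.0 (the only candidate that keeps the false-positive rate within 5%) and reports three detections: the two malicious records plus the backup spike. The remaining false positive is the point the abstract makes about anomaly detection: the model needs richer context than a single volume feature (for instance a per-host, per-time-window profile in which the nightly backup is itself normal) before its alerts are reliable enough to act on.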

Prof. Amir Averbuch is a faculty member at the Blavatnik School of Computer Science at Tel Aviv University and a researcher in the INSS Cyber Warfare program sponsored by the Neubauer Foundation.

Dr. Gabi Siboni is the head of the INSS Military and Strategic Affairs Program and head of the INSS Cyber Warfare Program.

This article was first published in the journal Military & Strategic Affairs, Volume 5, Issue 1.

To read the full article, follow this link:

The Classic Cyber Defense Methods Have Failed – What Comes Next