Past Advanced Persistent Threat (APT) attacks on the Industrial Internet of Things (IIoT), such as the 2016 Ukrainian power grid attack and the 2017 Saudi petrochemical plant attack, have shown the disruptive effects of APT campaigns, while new IIoT malware continues to be developed by APT groups. Existing APT detection systems have been designed using cyberattack TTPs modelled for enterprise IT networks and rely on specific data sources (e.g., Linux audit logs, Windows event logs) which are not found on ICS devices. In this work, we propose RAPTOR, a system to detect APT campaigns in IIoT. Using cyberattack TTPs modelled for ICS/OT environments and focusing on "invariant" attack phases, RAPTOR detects and correlates the various stages of an APT attack in IIoT using data which can be readily collected from ICS devices and networks (packet traffic traces, IDS alerts). It then constructs a high-level APT campaign graph which cybersecurity analysts can use for attack analysis and mitigation. A performance evaluation of RAPTOR's APT attack-stage detection modules shows high precision and low false positive/negative rates. We also show that RAPTOR is able to construct the APT campaign graph for APT attacks (modelled after real-world attacks on ICS/OT infrastructure) executed on our IIoT testbed.