Optimizing Cybersecurity Defenses: Clustering APT Groups for Tailored Mitigation Strategies

Lalas, Efthymios (2024). Optimizing Cybersecurity Defenses: Clustering APT Groups for Tailored Mitigation Strategies. Thesis (Master), E.T.S. de Ingenieros Informáticos (UPM).

Description

Title: Optimizing Cybersecurity Defenses: Clustering APT Groups for Tailored Mitigation Strategies
Author(s):
  • Lalas, Efthymios
Supervisor(s):
Document type: Thesis (Master)
Master's degree: Artificial Intelligence for Public Services (AI4Gov)
Date: July 2024
Subjects:
Informal keywords: Machine Learning, APT, cybersecurity, MITRE
School: E.T.S. de Ingenieros Informáticos (UPM)
Department: Sistemas Informáticos
Creative Commons licence: Attribution - NonCommercial

Full text

TFM_E_LALAS.pdf, PDF (Portable Document Format)
Download (1MB)

Abstract

The cyber threat landscape evolves considerably every year, and Advanced Persistent Threats (APTs) continue to present challenges to organisations, owing to their sophisticated level of expertise and extensive resources. Traditional defenses are often not adequate to mitigate the risk of the nuanced Tactics, Techniques and Procedures (TTPs) employed by APT groups, while the cost of implementation indicates the need for proper selection and prioritisation of more tailored security measures. This thesis aims to bridge this gap by leveraging clustering algorithms to categorise APT groups based on their behaviours and characteristics, thereby enabling the formulation of tailored mitigation strategies.
Our research work begins by detailing the current state of cybersecurity and how Artificial Intelligence (AI) and Machine Learning (ML) are employed for threat identification. Even though there is a substantial body of literature on anomaly detection in logs and on the categorisation of APT groups based on the malware samples they deploy, there is no relevant work on APT clustering that makes use of their TTPs. The obvious research question is whether we can show that such clustering exists, so that organisations can focus on the techniques of the cluster of groups that most often target them, and tailor their mitigation strategies accordingly.
To prove our hypothesis, we select and prepare the relevant dataset and apply different clustering algorithms to assess the clusterability of APT data. The results prove that such clustering does indeed exist, which allows us to select the most common TTPs per cluster and propose the corresponding mitigation strategies, resulting in prioritised and tailored security measures to be implemented.
Overall, this thesis contributes to the optimisation of cybersecurity defenses by introducing a structured approach to representing cyber attacks using their TTPs, and then clustering APT groups based on those specific techniques in order to propose tailored mitigation strategies that enhance the resilience of organisations against advanced threats.
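The pipeline the abstract describes (represent each APT group by its TTPs, cluster the groups, then extract the most common techniques per cluster as the basis for prioritised mitigations) can be sketched as follows. This is an added illustration, not the thesis's code, dataset or chosen algorithm: the group-to-technique assignments are constructed, the technique IDs are ATT&CK-style placeholders, and average-linkage clustering on Jaccard distance is one assumed choice among the clustering algorithms the thesis compares.

```python
from itertools import combinations
from collections import Counter

# Constructed sample: APT group -> set of ATT&CK-style technique IDs.
# Assignments are illustrative only, not taken from the thesis or from ATT&CK.
GROUP_TTPS = {
    "GroupA": {"T1566", "T1059", "T1547", "T1071", "T1041"},
    "GroupB": {"T1566", "T1059", "T1547", "T1071", "T1105"},
    "GroupC": {"T1566", "T1204", "T1547", "T1071", "T1041"},
    "GroupD": {"T1190", "T1505", "T1003", "T1021", "T1486"},
    "GroupE": {"T1190", "T1505", "T1003", "T1021", "T1078"},
    "GroupF": {"T1133", "T1505", "T1003", "T1021", "T1486"},
}

def jaccard_distance(a, b):
    """1 - |A∩B|/|A∪B| on technique sets; 0.0 means identical TTP profiles."""
    union = a | b
    return 1.0 - len(a & b) / len(union) if union else 0.0

def cluster_groups(ttps, threshold=0.6):
    """Average-linkage agglomerative clustering on Jaccard distance.
    Repeatedly merges the two closest clusters; stops when the closest pair
    is farther apart than `threshold` (assumed cut-off, not from the thesis)."""
    clusters = [[g] for g in ttps]
    def avg_dist(c1, c2):
        pairs = [(x, y) for x in c1 for y in c2]
        return sum(jaccard_distance(ttps[x], ttps[y]) for x, y in pairs) / len(pairs)
    while len(clusters) > 1:
        i, j = min(combinations(range(len(clusters)), 2),
                   key=lambda ij: avg_dist(clusters[ij[0]], clusters[ij[1]]))
        if avg_dist(clusters[i], clusters[j]) > threshold:
            break
        clusters[i] = clusters[i] + clusters[j]
        del clusters[j]  # j > i, so index i is still valid
    return [sorted(c) for c in clusters]

def top_ttps(ttps, cluster, n=3):
    """Most common techniques within one cluster, sorted by count then ID so the
    result is deterministic; these are the techniques whose mitigations an
    organisation targeted by that cluster would prioritise."""
    counts = Counter(t for g in cluster for t in ttps[g])
    return [t for t, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]]

def mitigation_priorities(ttps, threshold=0.6, n=3):
    """Cluster -> its top techniques, i.e. the per-cluster mitigation shortlist."""
    return {tuple(c): top_ttps(ttps, c, n) for c in cluster_groups(ttps, threshold)}

if __name__ == "__main__":
    for cluster, techniques in mitigation_priorities(GROUP_TTPS).items():
        print(", ".join(cluster), "->", techniques)
```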

More information

Record ID: 91327
DC identifier: https://oa.upm.es/91327/
OAI identifier: oai:oa.upm.es:91327
Deposited by: Mr Efthymios Lalas
Deposited on: 18 Feb 2026 10:22
Last modified: 18 Feb 2026 10:22