BroAPT - A system for detecting APT attacks in real-time

This work is licensed under a Creative Commons Attribution 4.0 International license.

We hereby describe BroAPT system, an APT detection system based on Bro IDS. The system monitors APT based on comprehensive analysis of the network traffic. It is granted with high performance and extensibility. It can reassemble then extract files transmitted in the traffic, analyse and generate log files in real-time; it can also classify extracted files through targeted malicious file detection configuration; and it detects APT attacks based on analysis of the log files generated by the system itself.

For more information, please refer to docs/thesis.pdf.

Repository structure

/broapt/
├── LICENSE             # CC license
├── LICENSE.bsd         # BSD license
├── cluster             # standalone implementation
│   └── ...
├── docs
│   ├── broaptd.8       # manual for BroAPT-Daemon
│   ├── thesis.pdf      # Bachelor's Thesis
│   └── ...
├── gitlab              # GitLab submodule
│   └── ...
├── source              # all-in-one implementation
│   └── ...
├── vendor              # vendors, archives & dependencies
│   └── ...
└── ...

Licensing

This work is in general licensed under the Creative Commons Attribution 4.0 International liscense. Part of this work is derived and copied from Zeek, Broker, and file-extraction all with BSD 3-Clause License, which shall be dual-licensed under the two licenses.

Original developed part of this software and associated documentation files (the "Software") are hereby licensed under the Creative Commons Attribution 4.0 International. No permits are foreordained unless granted by the author and maintainer of the Software, i.e. Jarry Shaw.