Published: 2025-12-01
Advanced Persistent Threats Analysis and Intrusion Detection Systems Evaluation
DOI: 10.35870/ijsecs.v5i3.5770
Dedy Wibowo, Taswanda Taryo, Ferhat Aziz
Abstract
Advanced Persistent Threats (APTs) are significant cybersecurity threats that employ covert, strategically planned operations to achieve long-term unauthorized access and data exfiltration. PT XYZ, a logistics company holding considerable operational and customer data, is especially susceptible to APTs, which is why the company implemented Wazuh, an open-source SIEM platform, to improve its intrusion detection capabilities. We assessed how effectively this IDS-SIEM deployment detects and responds to APT scenarios by analyzing multi-source logs from Wazuh, Sysmon, and endpoint telemetry across PT XYZ's PC infrastructure between June 3 and 30, 2025, capturing 35,333 records in total. Simulated APT attacks were carried out with Atomic Red Team, and detections were mapped to MITRE ATT&CK tactics. Wazuh identified most of the early attack phases, particularly Initial Access and Execution, logging 1,060 true positives, 8,537 true negatives, 563 false positives, and 440 false negatives, for an accuracy of 91%. Detection of normal traffic was strong, with a precision of 0.95 and a recall and F1-score of 0.94, whereas attack detection reached a precision of 0.65 and a recall of 0.71, for an F1-score of 0.68. The macro-averaged precision, recall, and F1-score were 0.80, 0.82, and 0.81 respectively, while the weighted averages reached 0.91. Our results indicate that an open-source SIEM such as Wazuh can detect APTs effectively in logistics operations when configured appropriately and validated with MITRE ATT&CK-based threat simulations, giving the approach real-world applicability for improving cybersecurity defenses in this sector.
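The per-class, macro-averaged and weighted metrics quoted in the abstract all follow from the four confusion-matrix counts (1,060 TP, 8,537 TN, 563 FP, 440 FN). The script below is an added example, not code from the paper or from Wazuh: it derives a confusion matrix from labelled alert records (the `is_attack`/`alerted` pairs are a constructed sample, not the study's data), then computes the same metrics from the abstract's counts and reproduces its figures. The point a practitioner should take from it is that accuracy and the weighted averages (0.91) are dominated by the 9,100 normal records, while the attack class, the one that matters for APT detection, sits at an F1 of 0.68 with 563 false positives to triage.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class ClassMetrics:
    precision: float
    recall: float
    f1: float
    support: int  # number of records whose true label is this class


def confusion_matrix(records: Iterable[Tuple[bool, bool]]) -> dict:
    """Count TP/TN/FP/FN from (is_attack, alerted) pairs; 'attack' is the positive class."""
    tp = tn = fp = fn = 0
    for is_attack, alerted in records:
        if is_attack and alerted:
            tp += 1
        elif is_attack and not alerted:
            fn += 1          # missed attack
        elif not is_attack and alerted:
            fp += 1          # benign activity raised an alert
        else:
            tn += 1
    return {"tp": tp, "tn": tn, "fp": fp, "fn": fn}


def _prf(tp: int, fp: int, fn: int) -> Tuple[float, float, float]:
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1


def evaluate_binary_ids(tp: int, tn: int, fp: int, fn: int) -> dict:
    """Accuracy plus per-class, macro-averaged and support-weighted precision/recall/F1."""
    total = tp + tn + fp + fn
    accuracy = (tp + tn) / total

    # Attack class: positives are attacks.
    ap, ar, af = _prf(tp, fp, fn)
    attack = ClassMetrics(ap, ar, af, support=tp + fn)

    # Normal class: roles swap. A missed attack (FN) is a false "normal" prediction,
    # and a false alert (FP) is a normal record the system failed to recall.
    np_, nr, nf = _prf(tn, fn, fp)
    normal = ClassMetrics(np_, nr, nf, support=tn + fp)

    # Macro average treats both classes equally, regardless of how rare attacks are.
    macro = ClassMetrics((ap + np_) / 2, (ar + nr) / 2, (af + nf) / 2, support=total)

    # Weighted average scales each class by its support, so the majority class dominates.
    wa, wn = attack.support / total, normal.support / total
    weighted = ClassMetrics(ap * wa + np_ * wn, ar * wa + nr * wn, af * wa + nf * wn, support=total)

    return {"accuracy": accuracy, "attack": attack, "normal": normal,
            "macro": macro, "weighted": weighted}


def alerts_per_true_positive(tp: int, fp: int) -> float:
    """Analyst-burden view: how many alerts must be reviewed per genuine attack caught."""
    return (tp + fp) / tp if tp else float("inf")


# Confusion-matrix counts reported in the abstract for the Wazuh evaluation.
WAZUH_COUNTS = {"tp": 1060, "tn": 8537, "fp": 563, "fn": 440}

# Constructed sample of (is_attack, alerted) records, only to exercise confusion_matrix().
SAMPLE_RECORDS = [(True, True), (True, False), (False, True), (False, False), (False, False)]


def report(counts: dict) -> str:
    r = evaluate_binary_ids(**counts)
    lines = [f"accuracy: {r['accuracy']:.2f}"]
    for name in ("attack", "normal", "macro", "weighted"):
        m = r[name]
        lines.append(f"{name:9s} precision={m.precision:.2f} recall={m.recall:.2f} "
                     f"f1={m.f1:.2f} support={m.support}")
    lines.append(f"alerts reviewed per true positive: "
                 f"{alerts_per_true_positive(counts['tp'], counts['fp']):.2f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(confusion_matrix(SAMPLE_RECORDS))
    print(report(WAZUH_COUNTS))
```

Running the script prints the abstract's figures line by line; the gap between the weighted F1 (0.91) and the attack-class F1 (0.68) is what a report based on accuracy alone would hide, and the roughly 1.5 alerts reviewed per confirmed attack is the tuning cost that the 563 false positives impose on the SOC.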
Keywords
APT; SIEM; Wazuh; Advanced Persistent Threat; Intrusion Detection; Cybersecurity
Article Metadata
Peer Review Process
This article has undergone a double-blind peer review process to ensure quality and impartiality.
Article Information
This article has been peer-reviewed and published in the International Journal Software Engineering and Computer Science (IJSECS). The content is available under the terms of the Creative Commons Attribution 4.0 International License.
- Issue: Vol. 5 No. 3 (2025)
- Section: Articles
- Published: 2025-12-01
- License: CC BY 4.0
- Copyright: © 2025 Authors
- DOI: 10.35870/ijsecs.v5i3.5770
Dedy Wibowo
Postgraduate, Master of Informatics Engineering, Universitas Pamulang, South Tangerang City, Banten Province, Indonesia
Taswanda Taryo
Postgraduate, Master of Informatics Engineering, Universitas Pamulang, South Tangerang City, Banten Province, Indonesia

This work is licensed under a Creative Commons Attribution 4.0 International License.