Formatted contents note
Linux now powers the backbone of modern computing, including mission-critical infrastructure, the cloud, and special-purpose environments. As it has become more widely used, the operating system has drawn increasing attention from advanced persistent threats (APTs). These attacks differ from ordinary intrusions because they can remain hidden, adapt to the defenses they encounter, and use a range of complex tactics, techniques, and procedures (TTPs) to maintain long-term access to target networks. Since Linux has come to underpin much of global digital activity, its security arguably matters more than that of any other platform. Protecting these systems requires defenses that are flexible and evolve alongside the complex strategies of adversaries.

Despite the criticality of Linux systems, traditional security measures often fail to detect advanced threats that use novel TTPs to evade ordinary defenses. Existing security frameworks frequently exhibit blind spots against such stealthy intrusions because they rely on static signatures rather than behavioral analysis. Furthermore, there is a significant gap in the understanding of the Linux APT threat, specifically regarding the need for adaptive, machine learning (ML)-driven defense systems that can identify malicious intent without relying solely on known indicators.

To address these challenges, this thesis proposes, develops, and evaluates a comprehensive framework that applies ML, deep learning (DL), and large language model (LLM) approaches to detection and threat intelligence. A foundational Linux-specific dataset was established by simulating multiple APT campaigns with various payloads, each mapped to the MITRE ATT&CK framework. Using this dataset, the research evaluates the detection performance of several models, including Support Vector Machines (SVM), Random Forests (RF), and Convolutional and Feed-Forward Neural Networks (CNN/FNN), with SVM, CNN, and FNN demonstrating particularly high detection accuracies. Additionally, the research integrates LLMs, specifically Meta Llama-2, to enhance threat analysis by generating natural language explanations of security deviations, thereby supporting analysts in critical decision-making.