DT Huong scite author profile

Detecting and warning Advanced Persistent Threat (APT) malware in Endpoint is essential because the current trend of APT attacker groups is to find ways to spread malware to users and then escalate privileges in the system. In this study, to improve the ability to detect APT malware on Endpoint machines, we propose a novel intelligent cognitive calculation method based on a model combining graph embeddings and Attention using processes generated by executable files. The proposed intelligent cognitive computation method performs 3 main tasks: i) extracting behaviors of processes; ii) aggregating the malware behaviors based on the processes; iii) detecting APT malware based on behavior analysis. To carry out the task (i), we propose to use several data mining techniques: extracting processes from Event IDs in the operating system kernel; extracting abnormal behaviors of processes. For task (ii), a graph embedding (GE) model based on the Graph Convolutional Networks (GCN) network is proposed to be used. For task (iii), based on the results of task (ii), the paper proposes to use a combination of the Convolutional Neural Network (CNN) network and Attention network (called CNN-Attention). The novelty and originality of this study is an intelligent cognitive computation method based on the use, combination, and synchronization of many different data mining techniques to compute, extract, and represent relationships and correlations among APT malware behaviors from processes. Based on this new intelligent cognitive computation method, many meaningful anomalous features and behaviors of APT malware have been synthesized and extracted. The proposals related to data mining methods to extract malware’s features and the list of malware’s behaviors provided in this paper are new information that has not been published in previous studies. In the experimental section, to demonstrate the effectiveness of the proposed method in detecting APT malware, the study has compared and evaluated it with other approaches. Experimental results in the paper have shown the outstanding efficiency of the proposed method when ensuring all metrics from 96.6% or more (that are 2% to 6% higher than other approaches). Experimental results in the paper have proven that our proposed method not only has scientifically significant but also has practical meaning because the method has helped to improve the efficiency of analyzing and detecting APT malware on Endpoint devices. In addition, this research result also has opened up a new approach for the task of detecting other anomalies on the Endpoint such as malware, unauthorized intrusion, insider, etc.

show abstract

New approach for APT malware detection on the workstation based on process profile

Xuan¹,

Huong

Duong

2022

IFS

View full text Add to dashboard Cite

The Advanced Persistent Threat (APT) attack is a form of dangerous, intentionally and clearly targeted attack. Currently, the APT attack trend is through the end-users and then escalating privileges in the system by spreading malware which is widely used by attackers. Therefore, the problem of early detection and warning of the APT attack malware on workstations is urgent. In this paper, we propose a new approach to APT malware detection on workstations based on the technique of analyzing and evaluating process profiles. The characteristics and principles of our proposed method are as follows: Firstly, processes are collected and aggregated into process profiles of APT malware; Secondly, these process profiles are used by Graph2Vec graph analysis algorithm to extract the characteristics of the process profile. Finally, in order to conclude about the sign of malicious APT, this paper proposes to use Long short-term memory (LSTM) and bidirectional LSTM (BiLSTM) algorithm. With the proposed approach in the paper, we have not only succeeded in building and synthesizing APT malware behavior on Workstations as a basis to improve the efficiency of predicting APT malware, but also have opened up a new approach to the task of synthesizing and analyzing anomalous behavior of malware.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

DT Huong

A new approach for APT malware detection based on deep graph network for endpoint systems

A novel intelligent cognitive computing-based APT malware detection for Endpoint systems

New approach for APT malware detection on the workstation based on process profile

Contact Info

Product

Resources

About