In the past decade, a new class of cyber-threats, known as "Advanced Persistent Threat" (APT), has emerged and has been used by different organizations to perform dangerous and effective attacks against financial and political entities, critical infrastructures, and so on. To identify APT-related malware early, a semi-automatic approach to malware sample analysis is needed. Recently, a malware triage step for a semi-automatic malware analysis architecture has been introduced. This step identifies incoming APT samples early, among all the malware delivered per day in cyberspace, so that they can be immediately dispatched to deeper analysis. In that article, the authors built the knowledge base on known APTs obtained from publicly available reports. For efficiency reasons, they rely on static malware features, extracted with negligible delay, and use machine learning techniques for the identification. Unfortunately, the proposed solution has the disadvantage of requiring a long training time and needs to be completely retrained each time new APT samples, or even a new APT class, are discovered. In this article, we move from multi-class classification to a group of one-class classifiers, which significantly decreases runtime and allows higher modularity, while still guaranteeing precision and accuracy over 90%.

CCS Concepts: • Social and professional topics → Malware/spyware crime;
In the last decade, a new class of cyber-threats has emerged. This new cybersecurity adversary is known by the name of "Advanced Persistent Threat" (APT) and refers to different organizations that in recent years have been in the spotlight due to multiple dangerous and effective attacks targeting financial and political entities, news organizations, embassies, critical infrastructures, TV programs, etc. In order to identify APT-related malware early, a semi-automatic approach to malware sample analysis is needed. In our previous work we introduced a malware triage step for a semi-automatic malware analysis architecture. This step must analyze new incoming samples as fast as possible and, among all the malware delivered per day in cyberspace, immediately dispatch those that deserve deeper analysis: the ones really worth further examination by analysts. Our paper focuses on malware developed by APTs, and we build our knowledge base, used in the triage, on known APTs obtained from publicly available reports. In order to make the triage as fast as possible, we rely only on static malware features, which can be extracted with negligible delay, and use machine learning techniques for the identification. In this work we move from multi-class classification to a group of one-class classifiers, which simplifies the training and allows higher modularity. The results of the proposed framework show high performance, reaching a precision of 100% and an accuracy over 95%.

...the cybersecurity community. Recent analysis from McAfee [17] calculated that in the last quarter of 2017 more than 60 million new malware samples were discovered. In the mid-2000s, indeed, the black hat community evolved from adolescent hackers to organized crime networks, fueling highly profitable identity theft schemes with massive loads of personal data harvested from corporate and government networks.
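The modular triage design both abstracts describe, one one-class detector per known APT class so that a newly discovered class is plugged in without retraining the others, is sketched below as an added example; it is not code from the paper or its authors. The feature vector (imports, sections, entropy, size), the class names APT-A/APT-B/APT-C, the profile values and the commodity-malware profile are all constructed for this demo and are not the paper's features or dataset, and the detector is a simple standardised-distance-from-centroid model with a threshold learned from positive samples only, standing in for whatever one-class learner the paper uses.

```python
import math
import random
from statistics import mean, pstdev

random.seed(7)  # deterministic synthetic data

# Constructed static-feature vector per sample (not the paper's feature set):
# (imported functions, PE sections, mean section entropy, file size in KB).
FEATURE_NAMES = ("imports", "sections", "entropy", "size_kb")

# Hypothetical per-class centres and spreads, invented for this demo only.
CLASS_PROFILES = {
    "APT-A": ((40, 5, 6.5, 120), (5, 1, 0.3, 20)),
    "APT-B": ((120, 8, 7.4, 600), (15, 1, 0.2, 80)),
    "APT-C": ((15, 3, 5.2, 45), (3, 1, 0.4, 10)),
}
# Commodity (non-APT) malware no detector was trained on; should come out "unknown".
COMMODITY_PROFILE = ((70, 6, 6.0, 300), (30, 2, 0.8, 200))


def make_samples(profile, n):
    """Draw n constructed feature vectors around a profile's centre."""
    centre, spread = profile
    return [tuple(random.gauss(m, s) for m, s in zip(centre, spread)) for _ in range(n)]


class OneClassModel:
    """Minimal one-class detector: standardised Euclidean distance from the class
    centroid, with the acceptance threshold derived from positive samples only."""

    def __init__(self, name, samples, margin=1.25):
        self.name = name
        columns = list(zip(*samples))
        self.mean = [mean(c) for c in columns]
        self.std = [pstdev(c) or 1e-9 for c in columns]  # guard constant features
        # Accept anything not much farther out than the farthest training sample.
        self.threshold = margin * max(self.distance(s) for s in samples)

    def distance(self, sample):
        return math.sqrt(sum(((x - m) / s) ** 2
                             for x, m, s in zip(sample, self.mean, self.std)))

    def accepts(self, sample):
        return self.distance(sample) <= self.threshold


class TriageEnsemble:
    """One detector per known APT class; adding a class trains only that detector."""

    def __init__(self):
        self.models = {}

    def add_class(self, name, samples):
        self.models[name] = OneClassModel(name, samples)  # existing models untouched

    def classify(self, sample):
        # Among detectors that accept the sample, pick the relatively closest one;
        # if none accepts, the sample is not attributed to any known APT class.
        accepted = [(m.distance(sample) / m.threshold, m.name)
                    for m in self.models.values() if m.accepts(sample)]
        return min(accepted)[1] if accepted else "unknown"


def evaluate(ensemble, labelled):
    """Accuracy over all samples; precision over samples attributed to some APT class."""
    correct = flagged = flagged_correct = 0
    for sample, label in labelled:
        predicted = ensemble.classify(sample)
        correct += predicted == label
        if predicted != "unknown":
            flagged += 1
            flagged_correct += predicted == label
    return {
        "accuracy": correct / len(labelled),
        "precision": flagged_correct / flagged if flagged else 0.0,
    }


def run_demo(train_per_class=30, test_per_class=20):
    ensemble = TriageEnsemble()
    for name in ("APT-A", "APT-B"):
        ensemble.add_class(name, make_samples(CLASS_PROFILES[name], train_per_class))
    # A newly discovered class is plugged in without retraining A and B.
    ensemble.add_class("APT-C", make_samples(CLASS_PROFILES["APT-C"], train_per_class))

    held_out = [(s, name) for name in CLASS_PROFILES
                for s in make_samples(CLASS_PROFILES[name], test_per_class)]
    held_out += [(s, "unknown") for s in make_samples(COMMODITY_PROFILE, test_per_class)]
    return evaluate(ensemble, held_out)


if __name__ == "__main__":
    print(run_demo())
```

The point of the structure is in `add_class`: a multi-class model would have to be refit on the whole corpus when a new family appears, whereas here the fitted parameters of every existing detector are left as they were. The "unknown" outcome is the triage signal for "not attributable to a known APT class" and is what keeps precision meaningful when commodity malware is mixed into the stream.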
In recent times, in fact, a new powerful and dangerous threat is on the rise, identified by the community as "Advanced Persistent Threat" (APT). According to the NIST Glossary of Key Information Security Terms, an APT is "an adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical and deception)". Hence the APT name identifies the main peculiarities of the threat:

Advanced: the criminal minds behind the attacks utilize the full spectrum of computer intrusion technologies and techniques. While an individual attacker may not be classed as particularly "advanced" (e.g., a single-stage malware component found on the black market), the operators typically access and develop more advanced tools as required.

Persistent: the criminal operators give priority to a specific task, rather than opportunistically seeking immediate financial gain. The attack is indeed conducted through continuous monitoring and interaction in order to achieve the defined objectives. A "low-and-slow" approach is usually more su...