Advanced persistent threat organization identification based on software gene of malware

Chen, Weixiang; Helu, Xiaohan; Jin, Cheng-Jie; Zhang, Man; Lu, Hui; Sun, Yanbin

doi:10.1002/ett.3884

Cited by 10 publications

(8 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Static analysis is a form of code analysis method that receives a software package's origin code or binary code as input [ 138 ] and then inspects the code without running the software package to ensure its security and reliability. When compared to dynamic analysis, static analysis does not need to execute the application, so it is efficient and fast.…”

Section: Analysis and Findings Of Research Questionsmentioning

confidence: 99%

A systematic literature review for APT detection and Effective Cyber Situational Awareness (ECSA) conceptual model

Salim

Singh

Keikhosrokiani

2023

Heliyon

View full text Add to dashboard Cite

Section: Analysis and Findings Of Research Questionsmentioning

confidence: 99%

A systematic literature review for APT detection and Effective Cyber Situational Awareness (ECSA) conceptual model

Salim

Singh

Keikhosrokiani

2023

Heliyon

View full text Add to dashboard Cite

“…ey trained each isolation forest with specific APT samples using only static features. To solve the problem of malware APT organization identification, Chen et al [4] designed a gene model combined with the knowledge graph of malware behavior. ey proposed a genetic similarity algorithm for malware APT organization identification and revealed the possibility of using genes to trace malware.…”

Section: Related Workmentioning

confidence: 99%

“…However, unlike traditional network attacks, APT attacks will use some independent development malware to achieve specific purposes against different targets [3]. is malware is collectively called APT malware [4]. APT malware is one kind of advanced malware tailored for special targets, which has posed even more serious threats than the traditional malware [2].…”

Section: Introductionmentioning

confidence: 99%

Toward Identifying APT Malware through API System Calls

Wei

Guo

et al. 2021

Security and Communication Networks

View full text Add to dashboard Cite

Self-developed malware was usually used by advanced persistent threat (APT) attackers to launch APT attacks. Therefore, we can enhance the understanding and cognition of APT attacks by comprehending the behavior of APT malware. Unfortunately, the current research cannot effectively explain the relationship between the recognition, detection, and defense of APT. The model of similar studies also lacks an explanation about it. To defend against APT attacks and inquire about the similarity of different APT attacks, this study proposes an APT malware classification method based on a combination of multiple deep learning algorithms and transfer learning by collecting malware used in several famous APT groups in public. By extracting the application programming interface (API) system calls, with the vector representation of features by combining dynamic LSTM and attention algorithm, we can obtain API at different APT families classification contributions trained dynamic. Thus, we used transfer learning to perform multiple classifications of the APT family. This study aims to reduce the burden of network security staff from reviewing a large number of suspicious files when defending against APT attacks. Additionally, it can effectively intercept them in the initial invasion stage of APT to perform targeted defense against specific APT attacks by combining threat intelligence in public. The experimental result shows that the proposed method can achieve 99.2% in distinguishing common malware from APT malware and assign APT malware to different APT families with an accuracy of 95.5%.

show abstract

“…Moreover, in 2016, hackers launched DDOS attacks by manipulating IoT devices infected with malware known as Mirai. Behind APT attacks, there are usually organizations with government background or intelligence institutional background that provide funding with political or economic purpose [5]; the threat to national and enterprise information security systems is becoming more and more serious, and the number of APT reports is increasing year by year. Security agencies of various countries have disclosed hundreds of APT organizations, commonly active ones being Russia's APT28 and APT29, North Korea's Lazarus, and so on.…”

Section: Introductionmentioning

confidence: 99%

“…e dynamic feature extraction is used to monitor the behavior of the program when it is running and then extract the dynamic behavior characteristics of the code such as API operations, file system operations, function access, and system calls. For example, Chen et al [5] proposed a new genetic model combined with a knowledge map of malware behavior.…”

Section: Introductionmentioning

confidence: 99%

Attribution Classification Method of APT Malware in IoT Using Machine Learning Techniques

Zhang

et al. 2021

Security and Communication Networks

Self Cite

View full text Add to dashboard Cite

In recent years, the popularity of IoT (Internet of Things) applications and services has brought great convenience to people's lives, but ubiquitous IoT has also brought many security problems. Among them, advanced persistent threat (APT) is one of the most representative attacks, and its continuous outbreak has brought unprecedented security challenges for the large-scale deployment of the IoT. However, important research on analyzing the attribution of APT malware samples is still relatively few. Therefore, we propose a classification method for attribution organizations with APT malware in IoT using machine learning. It aims to mark the real attacking organization entities to better identify APT attack activity and protect the security of IoT. This method performs feature representation and feature selection based on APT behavior data obtained from devices in the Internet of Things and selects the features with a high degree of differentiation among organizations. Then, it trains a multiclass model named SMOTE-RF that can better deal with imbalance and multiclassification problems. Our experiments on real dynamic behavior data are combined to verify the effectiveness of the method proposed in this paper for attribution analysis of APT malware samples and achieve good performance. Our method could identify the organization behind complex APT attacks in IoT devices and services.

show abstract

Advanced persistent threat organization identification based on software gene of malware

Cited by 10 publications

References 28 publications

A systematic literature review for APT detection and Effective Cyber Situational Awareness (ECSA) conceptual model

A systematic literature review for APT detection and Effective Cyber Situational Awareness (ECSA) conceptual model

Toward Identifying APT Malware through API System Calls

Attribution Classification Method of APT Malware in IoT Using Machine Learning Techniques

Contact Info

Product

Resources

About