Feature analysis for data-driven APT-related malware discrimination

Liras, Luis Francisco Martín; Soto, Adolfo Rodríguez de; Prada, Miguel A.

doi:10.1016/j.cose.2021.102202

Cited by 17 publications

(8 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Additionally, some related studies attempt to use hybrid analysis methods that combine the advantages of both techniques. Liras et al [8] selected features from static, dynamic, or network traffic analysis. Liang et al [9] used the Noriben sandbox to extract process behavior, file behavior, registry behavior, and network behavior of the tested software as dynamic behavioral features, and extracted DLLs and APIs called by APT malware as static features.…”

Section: Related Workmentioning

confidence: 99%

Research on deep-learning-based techniques for advanced persistent threat malware detection and attribution

Wang,

2024

Fourth International Conference on Sensors and Information Technology (ICSI 2024)

View full text Add to dashboard Cite

Advanced Persistent Threat attacks(APT) are targeted attacks launched by professional hacker organizations using advanced techniques, resulting in significant harm. Therefore, there is an urgent need to detect APT malware and trace their associated organizations. This paper proposes an improved Transformer-based method for APT malware detection and attribution. In terms of detection, dynamic behaviors of APT malware are extracted, and an information filtering gate mechanism is applied to reduce redundant feature noise in the original Transformer model. A contrastive learningconstrained model is used for information filtering, self-training, and optimization. In terms of attribution, static features of APT malware samples are extracted, global features of sequence data are established using the Transformer model, local features are constructed using Incremental Dilated Convolutional Neural Network, and features are fused using attention mechanism. This method outperforms the baseline methods.

show abstract

Section: Related Workmentioning

confidence: 99%

Research on deep-learning-based techniques for advanced persistent threat malware detection and attribution

Wang,

2024

Fourth International Conference on Sensors and Information Technology (ICSI 2024)

View full text Add to dashboard Cite

show abstract

“…ey used only opcodes as static features, which have limitations. Martín Liras et al [8] proposed using the static, dynamic, and network-related characteristics through the domain knowledge interpretation and choice, as well as the well-known machine learning techniques to analyze the discriminability of APT-related malware from generic malware without any known association to APT. However, the machine learning classification algorithm model is not active.…”

Section: Related Workmentioning

confidence: 99%

“…Additionally, manual analysis of samples at present is impractical. When an intrusion detection system detects suspicious samples and issues an alert, it calls network security experts for a long time to carry out manual analysis to determine whether the samples belong to particular APT attacks [8]. Due to the excessive number of alarms, network security experts have brought great pressure.…”

Section: Introductionmentioning

confidence: 99%

“…Currently, there are two methods for solving this problem: dynamic and static analyses [9]. It means training the classification model by extracting dynamic or static features [2,3,7,8,10,11]. Static analysis technology can inspect executable programs without actual execution samples; the main advantage it has is that it is not affected by execution expenses, whereas dynamic analysis is to observe executable programs in real or virtual execution environments and monitor actual malicious acts [12].…”

Section: Introductionmentioning

confidence: 99%

“…Each APT group has its characteristics, and the APT of the same APT family has some similarities. erefore, most APT attacks are variants of existing attacks [8,13]. e target of APT attackers in the same organization is often similar and regular; thus, the behavior of malware and the target of attack are often regular.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Toward Identifying APT Malware through API System Calls

Wei

Guo

et al. 2021

Security and Communication Networks

View full text Add to dashboard Cite

Self-developed malware was usually used by advanced persistent threat (APT) attackers to launch APT attacks. Therefore, we can enhance the understanding and cognition of APT attacks by comprehending the behavior of APT malware. Unfortunately, the current research cannot effectively explain the relationship between the recognition, detection, and defense of APT. The model of similar studies also lacks an explanation about it. To defend against APT attacks and inquire about the similarity of different APT attacks, this study proposes an APT malware classification method based on a combination of multiple deep learning algorithms and transfer learning by collecting malware used in several famous APT groups in public. By extracting the application programming interface (API) system calls, with the vector representation of features by combining dynamic LSTM and attention algorithm, we can obtain API at different APT families classification contributions trained dynamic. Thus, we used transfer learning to perform multiple classifications of the APT family. This study aims to reduce the burden of network security staff from reviewing a large number of suspicious files when defending against APT attacks. Additionally, it can effectively intercept them in the initial invasion stage of APT to perform targeted defense against specific APT attacks by combining threat intelligence in public. The experimental result shows that the proposed method can achieve 99.2% in distinguishing common malware from APT malware and assign APT malware to different APT families with an accuracy of 95.5%.

show abstract