APT-MMF: An advanced persistent threat actor attribution method based on
multimodal and multilevel feature fusion
- URL: http://arxiv.org/abs/2402.12743v1
- Date: Tue, 20 Feb 2024 06:19:55 GMT
- Title: APT-MMF: An advanced persistent threat actor attribution method based on
multimodal and multilevel feature fusion
- Authors: Nan Xiao, Bo Lang, Ting Wang, Yikai Chen
- Abstract summary: Threat actor attribution is a crucial defense strategy for combating advanced persistent threats (APTs).
Here, we propose an APT actor attribution method based on multimodal and multilevel feature fusion (APT-MMF).
We show that our method not only outperforms the existing methods but also demonstrates its good interpretability for attribution analysis tasks.
- Score: 10.562355854634566
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Threat actor attribution is a crucial defense strategy for combating advanced
persistent threats (APTs). Cyber threat intelligence (CTI), which involves
analyzing multisource heterogeneous data from APTs, plays an important role in
APT actor attribution. The current attribution methods extract features from
different CTI perspectives and employ machine learning models to classify CTI
reports according to their threat actors. However, these methods usually
extract only one kind of feature and ignore heterogeneous information,
especially the attributes and relations of indicators of compromise (IOCs),
which form the core of CTI. To address these problems, we propose an APT actor
attribution method based on multimodal and multilevel feature fusion (APT-MMF).
First, we leverage a heterogeneous attributed graph to characterize APT reports
and their IOC information. Then, we extract and fuse multimodal features,
including attribute type features, natural language text features and
topological relationship features, to construct comprehensive node
representations. Furthermore, we design multilevel heterogeneous graph
attention networks to learn the deep hidden features of APT report nodes; these
networks integrate IOC type-level, metapath-based neighbor node-level, and
metapath semantic-level attention. Utilizing multisource threat intelligence,
we construct a heterogeneous attributed graph dataset for verification
purposes. The experimental results show that our method not only outperforms
the existing methods but also demonstrates its good interpretability for
attribution analysis tasks.
Related papers
- AURA: A Multi-Agent Intelligence Framework for Knowledge-Enhanced Cyber Threat Attribution [3.6586145148601594]
  AURA (Attribution Using Retrieval-Augmented Agents) is a knowledge-enhanced framework for automated and interpretable APT attribution.
  AURA ingests diverse threat data including Tactics, Techniques, and Procedures (TTPs), Indicators of Compromise (IoCs), malware details, adversarial tools, and temporal information.
  arXiv Detail & Related papers (2025-06-11T21:00:51Z)
- Explainable AI for Enhancing IDS Against Advanced Persistent Kill Chain [0.0]
  This work proposes a feature selection and classification model that integrates two prominent machine learning algorithms.
  The aim is to develop a lightweight IDS based on a selected minimum number of influential features for detecting APTs at various phases.
  arXiv Detail & Related papers (2025-06-09T06:54:12Z)
- Knowledge Graph Completion with Relation-Aware Anchor Enhancement [50.50944396454757]
  We propose a relation-aware anchor enhanced knowledge graph completion method (RAA-KGC).
  We first generate anchor entities within the relation-aware neighborhood of the head entity.
  Then, by pulling the query embedding towards the neighborhoods of the anchors, it is tuned to be more discriminative for target entity matching.
  arXiv Detail & Related papers (2025-04-08T15:22:08Z)
- Detecting Code Vulnerabilities with Heterogeneous GNN Training [3.1333320740278627]
  Graph Neural Network (GNN) machine learning can be a promising approach by modeling source code as graphs.
  This paper presents Inter-Procedural Abstract Graphs (IPAGs) as an efficient, language-agnostic representation of source code.
  We also propose a Heterogeneous Attention GNN (HAGNN) model that incorporates multiple subgraphs capturing different features of source code.
  arXiv Detail & Related papers (2025-02-24T04:39:16Z)
- Multi-View Attention Syntactic Enhanced Graph Convolutional Network for Aspect-based Sentiment Analysis [33.68786386700902]
  Aspect-based Sentiment Analysis (ABSA) is the task aimed at predicting the sentiment polarity of aspect words within sentences.
  Recent work incorporating graph neural networks (GNNs) to capture additional syntactic structure information from the dependency tree has proven to be an effective paradigm for boosting ABSA.
  We propose a new multi-view attention syntactic enhanced graph convolutional network (MASGCN) that weighs different syntactic information of views using attention mechanisms.
  arXiv Detail & Related papers (2025-01-27T11:26:13Z)
- CONTINUUM: Detecting APT Attacks through Spatial-Temporal Graph Neural Networks [0.9553673944187253]
  Advanced Persistent Threats (APTs) represent a significant challenge in cybersecurity.
  Traditional Intrusion Detection Systems (IDS) often fall short in detecting these multi-stage attacks.
  arXiv Detail & Related papers (2025-01-06T12:43:59Z)
- Heterogeneous Relationships of Subjects and Shapelets for Semi-supervised Multivariate Series Classification [4.4881185098082]
  We propose a heterogeneous relationships of subjects and shapelets method for semi-supervised MTS classification.
  We first utilize a contrast temporal self-attention module to obtain sparse MTS representations.
  Secondly, we learn the shapelets for different subject types, incorporating both the subject features and their shapelets as additional information.
  Finally, we use a dual-level graph attention network to obtain predictions.
  arXiv Detail & Related papers (2024-11-27T04:25:13Z)
- CTINEXUS: Leveraging Optimized LLM In-Context Learning for Constructing Cybersecurity Knowledge Graphs Under Data Scarcity [49.657358248788945]
  Textual descriptions in cyber threat intelligence (CTI) reports are rich sources of knowledge about cyber threats.
  Current CTI extraction methods lack flexibility and generalizability, often resulting in inaccurate and incomplete knowledge extraction.
  We propose CTINexus, a novel framework leveraging optimized in-context learning (ICL) of large language models.
  arXiv Detail & Related papers (2024-10-28T14:18:32Z)
- Individual Packet Features are a Risk to Model Generalisation in ML-Based Intrusion Detection [3.3772986620114387]
  Individual packet features (IPF) are attributes extracted from a single network packet, such as timing, size, and source-destination information.
  We identify the limitations of IPF, showing they can produce misleadingly high detection rates.
  Our findings emphasize the need for approaches that consider packet interactions for robust intrusion detection.
  arXiv Detail & Related papers (2024-06-07T21:05:33Z)
- MultiFIX: An XAI-friendly feature inducing approach to building models from multimodal data [0.0]
  MultiFIX is a new interpretability-focused multimodal data fusion pipeline.
  An end-to-end deep learning architecture is used to train a predictive model.
  We apply MultiFIX to a publicly available dataset for the detection of malignant skin lesions.
  arXiv Detail & Related papers (2024-02-19T14:45:46Z)
- A Novel Energy based Model Mechanism for Multi-modal Aspect-Based Sentiment Analysis [85.77557381023617]
  We propose a novel framework called DQPSA for multi-modal sentiment analysis.
  The PDQ module uses the prompt as both a visual query and a language query to extract prompt-aware visual information.
  The EPE module models the boundary pairing of the analysis target from the perspective of an Energy-based Model.
  arXiv Detail & Related papers (2023-12-13T12:00:46Z)
- MAGIC: Detecting Advanced Persistent Threats via Masked Graph Representation Learning [13.988853466705256]
  MAGIC is a self-supervised APT detection approach capable of performing multi-granularity detection under different levels of supervision.
  We evaluate MAGIC on three widely-used datasets, including both real-world and simulated attacks.
  arXiv Detail & Related papers (2023-10-15T13:27:06Z)
- PARFormer: Transformer-based Multi-Task Network for Pedestrian Attribute Recognition [23.814762073093153]
  We propose a pure transformer-based multi-task PAR network named PARFormer, which includes four modules.
  In the feature extraction module, we build a strong baseline for feature extraction, which achieves competitive results on several PAR benchmarks.
  In the viewpoint perception module, we explore the impact of viewpoints on pedestrian attributes, and propose a multi-view contrastive loss.
  In the attribute recognition module, we alleviate the negative-positive imbalance problem to generate the attribute predictions.
  arXiv Detail & Related papers (2023-04-14T16:27:56Z)
- CustOmics: A versatile deep-learning based strategy for multi-omics integration [0.0]
  This paper presents a novel strategy to build a customizable autoencoder model that adapts to the dataset used in the case of high-dimensional multi-source integration.
  We will assess the impact of integration strategies on the latent representation and combine the best strategies to propose a new method, CustOmics.
  arXiv Detail & Related papers (2022-09-12T14:20:29Z)
- Variational Distillation for Multi-View Learning [104.17551354374821]
  We design several variational information bottlenecks to exploit two key characteristics for multi-view representation learning.
  Under rigorous theoretical guarantees, our approach enables IB to grasp the intrinsic correlation between observations and semantic labels.
  arXiv Detail & Related papers (2022-06-20T03:09:46Z)
- BMD: A General Class-balanced Multicentric Dynamic Prototype Strategy for Source-free Domain Adaptation [74.93176783541332]
  Source-free Domain Adaptation (SFDA) aims to adapt a pre-trained source model to the unlabeled target domain without accessing the well-labeled source data.
  To make up for the absence of source data, most existing methods introduce feature-prototype-based pseudo-labeling strategies.
  We propose a general class-Balanced Multicentric Dynamic prototype strategy for the SFDA task.
  arXiv Detail & Related papers (2022-04-06T13:23:02Z)
- Cross-Supervised Joint-Event-Extraction with Heterogeneous Information Networks [61.950353376870154]
  Joint-event-extraction is a sequence-to-sequence labeling task with a tag set composed of tags of triggers and entities.
  We propose a Cross-Supervised Mechanism (CSM) to alternately supervise the extraction of triggers or entities.
  Our approach outperforms the state-of-the-art methods in both entity and trigger extraction.
  arXiv Detail & Related papers (2020-10-13T11:51:17Z)
- A Multi-Semantic Metapath Model for Large Scale Heterogeneous Network Representation Learning [52.83948119677194]
  We propose a multi-semantic metapath (MSM) model for large scale heterogeneous representation learning.
  Specifically, we generate multi-semantic metapath-based random walks to construct the heterogeneous neighborhood to handle the unbalanced distributions.
  We conduct systematic evaluations of the proposed framework on two challenging datasets: Amazon and Alibaba.
  arXiv Detail & Related papers (2020-07-19T22:50:20Z)