
Research On Behavior Detection And Source Tracing Of APT Malware Based On Machine Learning

Posted on: 2022-11-03
Degree: Master
Type: Thesis
Country: China
Candidate: Q Q Zhang
Full Text: PDF
GTID: 2518306755996019
Subject: Computer technology
Abstract/Summary:
Advanced Persistent Threat (APT) attacks have become one of the most serious security threats in cyberspace. They usually have a political or economic purpose and have a significant impact on both countries and enterprises. In most APT attacks, malware is used throughout almost the entire attack chain, and traces of that malware are often left on the attacked systems; these traces become important evidence for discovering APT attack behaviors and for traceability analysis. Malware-based APT behavior detection and traceability is therefore an important research problem. However, as APT attackers continue to upgrade their weapons, two problems arise. On the one hand, most detection systems cannot accurately identify suspicious files as APT malware, and relying on security experts for manual analysis is inefficient and time-consuming. On the other hand, the association between these suspicious samples and APT organizations cannot be determined, i.e., the samples cannot be effectively traced back to their source, so more targeted measures against APT attacks are lacking.

To address these problems, this paper proposes a machine learning-based method for APT malware behavior detection and traceability built on the dynamic behavior data of malware. The contributions of this paper are as follows:

(1) An APT malware behavior detection method based on XGBoost is proposed. Starting from the dynamic behavioral data of APT malware and common malware samples, the behavioral data of each malicious sample is first represented as 3-gram features; second, features are extracted and selected with the proposed TFIDF-chi algorithm; finally, the XGBoost algorithm is used for training, and the best model and feature vectors are obtained through tuning and validation. The experimental results show that the method can identify APT malware behaviors efficiently and accurately.

(2) A CNN-based method for APT malware behavior tracing is proposed. Starting from the dynamic behavioral data of malware from multiple APT organizations, the behavioral data of each sample is first transformed into a matrix of word vectors using the Word2vec method. Second, to address sample imbalance across APT organizations, a dataset sampling algorithm is proposed to obtain a balanced feature vector dataset. Finally, training is performed on the designed CNN model. The experimental results show that the method can effectively classify APT malware behaviors into the APT organizations they belong to, and demonstrate the superiority of the method.

(3) A prototype system for APT malware behavior detection and traceability was designed and implemented. The system detects whether malware uploaded by users belongs to an APT and its relationship with an APT organization, and visualizes the results.

The above work can reduce the burden on network security personnel of reviewing large numbers of suspicious files when preventing APT attacks, and can be combined with threat intelligence for targeted defense and effective interception of attacks from different APT organizations.
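As an added illustration of the feature pipeline in contribution (1), not code from the thesis: 3-gram representation of dynamic behavior traces, TF-IDF weighting and chi-square feature selection, run on a few constructed API call sequences. It assumes that TFIDF-chi combines TF-IDF weighting with chi-square selection; the XGBoost training step is left out.

```python
import math
from collections import Counter

# Constructed sandbox-style API call traces (not real samples). Label 1 = APT, 0 = common malware.
TRACES = [
    (["CreateFile", "WriteFile", "CreateProcess", "RegSetValue", "InternetOpen", "HttpSendRequest"], 1),
    (["CreateFile", "WriteFile", "CreateProcess", "RegSetValue", "InternetOpen", "HttpSendRequest"], 1),
    (["CreateFile", "WriteFile", "CreateProcess", "RegSetValue", "CreateRemoteThread", "InternetOpen"], 1),
    (["CreateFile", "WriteFile", "CreateFile", "WriteFile", "DeleteFile", "ExitProcess"], 0),
    (["CreateFile", "WriteFile", "CreateFile", "WriteFile", "DeleteFile", "ExitProcess"], 0),
    (["CreateFile", "WriteFile", "CreateProcess", "DeleteFile", "ExitProcess", "ExitProcess"], 0),
]

def ngrams(seq, n=3):
    """Sliding-window n-grams over one API call sequence (3-grams by default)."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]

def tfidf(docs):
    """Per-document {term: tf-idf}; smoothed idf so no term divides by zero."""
    n = len(docs)
    df = Counter(t for d in docs for t in set(d))
    return [{t: (c / len(d)) * (math.log((1 + n) / (1 + df[t])) + 1)
             for t, c in Counter(d).items()} for d in docs]

def chi2_scores(docs, labels):
    """Chi-square of term presence vs. the APT label from a 2x2 contingency table."""
    n, pos = len(docs), sum(labels)
    scores = {}
    for t in {t for d in docs for t in d}:
        a = sum(1 for d, y in zip(docs, labels) if y == 1 and t in d)  # APT, has term
        b = sum(1 for d, y in zip(docs, labels) if y == 0 and t in d)  # common, has term
        c, d_ = pos - a, (n - pos) - b                                  # rows without the term
        denom = (a + b) * (c + d_) * (a + c) * (b + d_)
        scores[t] = 0.0 if denom == 0 else n * (a * d_ - b * c) ** 2 / denom
    return scores

def select_features(traces, k):
    """Keep the k 3-grams with the highest chi-square score; weight them by tf-idf."""
    docs = [ngrams(seq) for seq, _ in traces]
    labels = [y for _, y in traces]
    scores = chi2_scores(docs, labels)
    vocab = sorted(scores, key=lambda t: (-scores[t], t))[:k]
    vectors = [[w.get(t, 0.0) for t in vocab] for w in tfidf(docs)]
    return vocab, vectors

if __name__ == "__main__":
    vocab, vectors = select_features(TRACES, 3)
    for term, column in zip(vocab, zip(*vectors)):
        print(term, [round(v, 2) for v in column])
```

The resulting vectors are what a classifier such as XGBoost would be trained on; the tie-break on the 3-gram text keeps feature order deterministic between runs.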
Keywords/Search Tags: APT Malware Behavior Detection, APT Malware Behavior Tracing, Machine Learning, Dynamic Behavior Data