
Detecting Advanced Persistent Threat Malware Based On System Call

Posted on: 2022-12-22
Degree: Master
Type: Thesis
Country: China
Candidate: C X Wei
Full Text: PDF
GTID: 2518306761459964
Subject: Computer technology

Abstract/Summary:
Advanced persistent threat (APT) malware is developed by APT attackers to achieve specific purposes or to hit a specific target, and it is the usual vehicle for launching APT attacks. Each piece of APT malware is often unique to one APT group, and its characteristic harmful behavior usually reflects the attack methods or means of that group. Understanding the behavior of APT malware therefore improves our understanding of APT attacks. Most current research focuses only on the classification or recognition algorithm for APT malware and has reached high accuracy. However, most of these models lack an explanation of their decisions and cannot quantify the detection effect of the model.

To defend against APT attacks and to investigate the similarity of different APT malware families, this study proposes an APT malware classification method based on system call features, a combination of several deep learning algorithms, and transfer learning, trained on publicly available malware samples used by several well-known APT groups. The main work of this thesis is as follows:

1. Application programming interface (API) system calls are extracted as features and processed with methods from Natural Language Processing (NLP), which improves the accuracy of APT malware detection and classification.
2. The vector representation of the system call features is learned by combining a dynamic LSTM with an attention mechanism, so that the contribution of each API to the classification of each APT family is obtained during training, which makes the training results more interpretable.
3. Transfer learning is used for multi-class classification of APT families, addressing the small number of samples per class and the small number of features in the multi-class setting.

This study aims to reduce the burden on network security staff of reviewing large numbers of suspicious files or malware when defending against APT attacks. Additionally, by identifying APT malware, it can intercept attacks in the initial intrusion stage and enable targeted defense against specific APT attacks. The experimental results show that the proposed method achieves 99.2% accuracy in distinguishing common malware from APT malware and assigns APT malware to APT families with an accuracy of 95.5%, superior to similar work.
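The abstract describes the first stage of the pipeline (API/system call names extracted from dynamic analysis and treated as NLP tokens) and the goal of knowing which APIs contribute to which family. The following is an added illustration, not code from the thesis: it parses a constructed sandbox-style trace, builds a token vocabulary with reserved PAD/UNK ids, integer-encodes each sequence to a fixed length as a sequence model would consume it, and computes a smoothed log-likelihood ratio per API and family as an interpretable frequency baseline. That baseline stands in for, and is not, the learned attention weights the thesis uses. The trace format, sample ids, family names ("FamilyA", "FamilyB", "Common" for non-APT malware) and API sequences are all constructed for the example.

```python
"""API-call traces -> sequence-model input and per-family API scores.

Added illustration, not the thesis's code. Trace format, samples, families
and API sequences are constructed for the example.
"""
import json
import math
from collections import Counter

PAD, UNK = 0, 1  # reserved token ids: padding and API names not in the vocabulary

# Constructed sandbox-style traces: the ordered API names observed for each
# sample plus its label. "Common" plays the role of non-APT commodity malware
# in the binary (common vs. APT) stage; FamilyA/FamilyB are made-up families.
SAMPLE_TRACES = json.dumps([
    {"id": "a1", "family": "FamilyA", "apis": [
        "CreateFileW", "WriteFile", "RegSetValueExW", "CreateProcessW",
        "InternetOpenA", "HttpSendRequestA"]},
    {"id": "a2", "family": "FamilyA", "apis": [
        "CreateFileW", "RegSetValueExW", "RegSetValueExW", "CreateProcessW",
        "InternetOpenA", "HttpSendRequestA"]},
    {"id": "b1", "family": "FamilyB", "apis": [
        "CreateFileW", "WriteFile", "CryptEncrypt", "CryptEncrypt",
        "DeleteFileW", "WSASend"]},
    {"id": "b2", "family": "FamilyB", "apis": [
        "CreateFileW", "CryptEncrypt", "CryptEncrypt", "WriteFile",
        "DeleteFileW", "WSASend"]},
    {"id": "c1", "family": "Common", "apis": [
        "CreateFileW", "ReadFile", "WriteFile", "CloseHandle"]},
])


def load_traces(text):
    """Parse the JSON trace list; drop samples that produced no API calls."""
    return [t for t in json.loads(text) if t.get("apis")]


def build_vocab(traces, min_count=1):
    """Map API names to integer ids starting at 2 (0 and 1 are reserved).
    Names seen fewer than min_count times are left out and become UNK."""
    counts = Counter(api for t in traces for api in t["apis"])
    names = sorted(a for a, c in counts.items() if c >= min_count)
    return {name: i + 2 for i, name in enumerate(names)}


def encode(apis, vocab, max_len):
    """Integer-encode one API sequence, truncated or PAD-ded to max_len."""
    ids = [vocab.get(a, UNK) for a in apis[:max_len]]
    return ids + [PAD] * (max_len - len(ids))


def build_dataset(traces, vocab, max_len):
    """Return (X, y, labels): encoded sequences, label ids, label names."""
    labels = sorted({t["family"] for t in traces})
    label_id = {f: i for i, f in enumerate(labels)}
    x = [encode(t["apis"], vocab, max_len) for t in traces]
    y = [label_id[t["family"]] for t in traces]
    return x, y, labels


def family_api_scores(traces):
    """Add-one smoothed log-likelihood ratio of each API in a family versus
    all other samples. Positive means over-represented in that family.
    A frequency baseline for interpretability, not learned attention."""
    per_family, total = {}, Counter()
    for t in traces:
        per_family.setdefault(t["family"], Counter()).update(t["apis"])
        total.update(t["apis"])
    vocab_size = len(total)
    n_total = sum(total.values())
    scores = {}
    for fam, c in per_family.items():
        n_fam = sum(c.values())
        n_rest = n_total - n_fam
        scores[fam] = {
            api: math.log((c[api] + 1) / (n_fam + vocab_size))
            - math.log((total[api] - c[api] + 1) / (n_rest + vocab_size))
            for api in total
        }
    return scores


def top_apis(scores, family, k=3):
    """Highest-scoring APIs for a family; ties are broken alphabetically."""
    ranked = sorted(scores[family].items(), key=lambda kv: (-kv[1], kv[0]))
    return [api for api, _ in ranked[:k]]


if __name__ == "__main__":
    traces = load_traces(SAMPLE_TRACES)
    vocab = build_vocab(traces)
    x, y, labels = build_dataset(traces, vocab, max_len=8)
    print("labels:", labels, "first sample:", x[0], "->", labels[y[0]])
    scores = family_api_scores(traces)
    for fam in labels:
        print(fam, top_apis(scores, fam))
```

On this constructed data the registry/process/HTTP calls come out on top for FamilyA and the crypto/delete/socket calls for FamilyB, while the file-handling calls shared by every sample score near zero; that is the kind of per-family API attribution the attention weights in the thesis are meant to provide on real traces, where the vocabulary is far larger and `min_count` and `max_len` need to be chosen against the observed trace lengths.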
Keywords/Search Tags: Advanced Persistent Threat (APT), APT Malicious Files, Deep Learning, System Call Information