Search Results (65)

Search Parameters:
Keywords = Advanced Persistent Threats (APTs)

21 pages, 1672 KiB  
Article
TSE-APT: An APT Attack-Detection Method Based on Time-Series and Ensemble-Learning Models
by Mingyue Cheng, Ga Xiang, Qunsheng Yang, Zhixing Ma and Haoyang Zhang
Electronics 2025, 14(15), 2924; https://doi.org/10.3390/electronics14152924 - 22 Jul 2025
Abstract
Advanced Persistent Threat (APT) attacks pose a serious challenge to traditional detection methods. These methods often suffer from high false-alarm rates and limited accuracy due to the multi-stage and covert nature of APT attacks. In this paper, we propose TSE-APT, a time-series ensemble model that addresses these two limitations. It combines multiple machine-learning models, such as Random Forest (RF), Multi-Layer Perceptron (MLP), and Bidirectional Long Short-Term Memory Network (BiLSTM) models, to dynamically capture correlations between multiple stages of the attack process based on time-series features. It discovers hidden features through the integration of multiple machine-learning models to significantly improve the accuracy and robustness of APT detection. First, we extract a collection of dynamic time-series features such as traffic mean, flow duration, and flag frequency. We fuse them with static contextual features, including the port service matrix and protocol type distribution, to effectively capture the multi-stage behaviors of APT attacks. Then, we utilize an ensemble-learning model with a dynamic weight-allocation mechanism using a self-attention network to adaptively adjust the sub-model contribution. The experiments showed that using time-series feature fusion significantly enhanced the detection performance. The RF, MLP, and BiLSTM models achieved 96.7% accuracy, considerably enhancing recall and the false positive rate. The adaptive mechanism optimizes the model’s performance and reduces false-alarm rates. This study provides an analytical method for APT attack detection, considering both temporal dynamics and context static characteristics, and provides new ideas for security protection in complex networks.
(This article belongs to the Special Issue AI in Cybersecurity, 2nd Edition)

20 pages, 1695 KiB  
Article
Unveiling the Shadows—A Framework for APT’s Defense AI and Game Theory Strategy
by Pedro Brandão and Carla Silva
Algorithms 2025, 18(7), 404; https://doi.org/10.3390/a18070404 - 1 Jul 2025
Abstract
Advanced persistent threats (APTs) pose significant risks to critical systems and infrastructures due to their stealth and persistence. While several studies have reviewed APT characteristics and defense mechanisms, this paper goes further by proposing a hybrid defense framework based on artificial intelligence and game theory. First, a literature review outlines the evolution, methodologies, and known incidents of APTs. Then, a novel conceptual framework is presented, integrating unsupervised anomaly detection (isolation forest) and strategic defense modeling (Stackelberg game). Experimental results on simulated data demonstrate the robustness and scalability of the approach. In addition to reviewing current APT detection techniques, this work presents a defense model that integrates machine learning-based anomaly detection with predictive game-theoretic modeling.
(This article belongs to the Section Algorithms for Multidisciplinary Applications)

31 pages, 2292 KiB  
Article
Symmetric Dual-Phase Framework for APT Attack Detection Based on Multi-Feature-Conditioned GAN and Graph Convolutional Network
by Qi Liu, Yao Dong, Chao Zheng, Hualin Dai, Jiaxing Wang, Liyuan Ning and Qiqi Liang
Symmetry 2025, 17(7), 1026; https://doi.org/10.3390/sym17071026 - 30 Jun 2025
Abstract
Advanced persistent threat (APT) attacks present significant challenges to cybersecurity due to their covert nature, high complexity, and ability to operate across multiple temporal and spatial scales. Existing detection techniques often struggle with issues like class imbalance, insufficient feature extraction, and the inability to capture complex attack dependencies. To address these limitations, we propose a dual-phase framework for APT detection, combining multi-feature-conditioned generative adversarial networks (MF-CGANs) for data reconstruction and a multi-scale convolution and channel attention-enhanced graph convolutional network (MC-GCN) for improved attack detection. The MF-CGAN model generates minority-class samples to resolve the class imbalance problem, while MC-GCN leverages advanced feature extraction and graph convolution to better model the intricate relationships within network traffic data. Experimental results show that the proposed framework achieves significant improvements over baseline models. Specifically, MC-GCN outperforms traditional CNN-based IDS models, with accuracy, precision, recall, and F1-score improvements ranging from 0.47% to 13.41%. The MC-GCN model achieves an accuracy of 99.87%, surpassing CNN (86.46%) and GCN (99.24%), while also exhibiting high precision (99.87%) and recall (99.88%). These results highlight the proposed model’s superior ability to handle class imbalance and capture complex attack behaviors, establishing it as a leading approach for APT detection.
(This article belongs to the Section Computer)

21 pages, 3691 KiB  
Article
A Syntax-Aware Graph Network with Contrastive Learning for Threat Intelligence Triple Extraction
by Zhenxiang He, Ziqi Zhao and Zhihao Liu
Symmetry 2025, 17(7), 1013; https://doi.org/10.3390/sym17071013 - 27 Jun 2025
Abstract
As Advanced Persistent Threats (APTs) continue to evolve, constructing a dynamic cybersecurity knowledge graph requires precise extraction of entity–relationship triples from unstructured threat intelligence. Existing approaches, however, face significant challenges in modeling low-frequency threat associations, extracting multi-relational entities, and resolving overlapping entity scenarios. To overcome these limitations, we propose the Symmetry-Aware Prototype Contrastive Learning (SAPCL) framework for joint entity and relation extraction. By explicitly modeling syntactic symmetry in attack-chain dependency structures and its interaction with asymmetric adversarial semantics, SAPCL integrates dependency relation types with contextual features using a type-enhanced Graph Attention Network. This symmetry–asymmetry fusion facilitates a more effective extraction of multi-relational triples. Furthermore, we introduce a triple prototype contrastive learning mechanism that enhances the robustness of low-frequency relations through hierarchical semantic alignment and adaptive prototype updates. A non-autoregressive decoding architecture is also employed to globally generate multi-relational triples while mitigating semantic ambiguities. SAPCL was evaluated on three publicly available CTI datasets: HACKER, ACTI, and LADDER. It achieved F1-scores of 56.63%, 60.21%, and 53.65%, respectively. Notably, SAPCL demonstrated a substantial improvement of 14.5 percentage points on the HACKER dataset, validating its effectiveness in real-world cyber threat extraction scenarios. By synergizing syntactic–semantic multi-feature fusion with symmetry-driven dynamic representation learning, SAPCL establishes a symmetry–asymmetry adaptive paradigm for cybersecurity knowledge graph construction, thus enhancing APT attack tracing, threat hunting, and proactive cyber defense.
(This article belongs to the Special Issue Symmetry and Asymmetry in Artificial Intelligence for Cybersecurity)

30 pages, 3165 KiB  
Article
Exploring the Role of Artificial Intelligence in Detecting Advanced Persistent Threats
by Pedro Ramos Brandao
Computers 2025, 14(7), 245; https://doi.org/10.3390/computers14070245 - 23 Jun 2025
Abstract
The rapid evolution of cyber threats, particularly Advanced Persistent Threats (APTs), poses significant challenges to the security of information systems. This paper explores the pivotal role of Artificial Intelligence (AI) in enhancing the detection and mitigation of APTs. By leveraging machine learning algorithms and data analytics, AI systems can identify patterns and anomalies that are indicative of sophisticated cyber-attacks. This study examines various AI-driven methodologies, including anomaly detection, predictive analytics, and automated response systems, highlighting their effectiveness in real-time threat detection and response. Furthermore, we discuss the integration of AI into existing cybersecurity frameworks, emphasizing the importance of collaboration between human analysts and AI systems in combating APTs. The findings suggest that the adoption of AI technologies not only improves the accuracy and speed of threat detection but also enables organizations to proactively defend against evolving cyber threats, probably achieving a 75% reduction in alert volume.
(This article belongs to the Section ICT Infrastructures for Cybersecurity)

35 pages, 1485 KiB  
Article
Detecting Cyber Threats in UWF-ZeekDataFall22 Using K-Means Clustering in the Big Data Environment
by Sikha S. Bagui, Germano Correa Silva De Carvalho, Asmi Mishra, Dustin Mink, Subhash C. Bagui and Stephanie Eager
Future Internet 2025, 17(6), 267; https://doi.org/10.3390/fi17060267 - 18 Jun 2025
Abstract
In an era marked by the rapid growth of the Internet of Things (IoT), network security has become increasingly critical. Traditional Intrusion Detection Systems, particularly signature-based methods, struggle to identify evolving cyber threats such as Advanced Persistent Threats (APTs) and zero-day attacks. Such threats or attacks go undetected with supervised machine-learning methods. In this paper, we apply K-means clustering, an unsupervised clustering technique, to a newly created modern network attack dataset, UWF-ZeekDataFall22. Since this dataset contains labeled Zeek logs, the dataset was de-labeled before using this data for K-means clustering. The labeled data, however, was used in the evaluation phase, to determine the attack clusters post-clustering. In order to identify APTs as well as zero-day attack clusters, three different labeling heuristics were evaluated to determine the attack clusters. To address the challenges faced by Big Data, the Big Data framework, that is, Apache Spark and PySpark, was used for our development environment. In addition, the uniqueness of this work is also in using connection-based features. Using connection-based features, an in-depth study is done to determine the effect of the number of clusters, seeds, as well as features, for each of the different labeling heuristics. If the objective is to detect every single attack, the results indicate that 325 clusters with a seed of 200, using an optimal set of features, would be able to correctly place 99% of attacks.

19 pages, 1057 KiB  
Article
APT Detection via Hypergraph Attention Network with Community-Based Behavioral Mining
by Qijie Song, Tieming Chen, Tiantian Zhu, Mingqi Lv, Xuebo Qiu and Zhiling Zhu
Appl. Sci. 2025, 15(11), 5872; https://doi.org/10.3390/app15115872 - 23 May 2025
Abstract
Advanced Persistent Threats (APTs) challenge cybersecurity due to their stealthy, multi-stage nature. For the provenance graph based on fine-grained kernel logs, existing methods have difficulty distinguishing behavior boundaries and handling complex multi-entity dependencies, which exhibit high false positives in dynamic environments. To address this, we propose a Hypergraph Attention Network framework for APT detection. First, we employ anomaly node detection on provenance graphs constructed from kernel logs to select seed nodes, which serve as starting points for discovering overlapping behavioral communities via node aggregation. These communities are then encoded as hyperedges to construct a hypergraph that captures high-order interactions. By integrating hypergraph structural semantics with nodes and hyperedge dual attention mechanisms, our framework achieves robust APT detection by modeling complex behavioral dependencies. Experiments on DARPA and Unicorn show superior performance: 97.73% accuracy, 98.35% F1-score, and a 0.12% FPR. By bridging hypergraph theory and adaptive attention, the framework effectively models complex attack semantics, offering a robust solution for real-time APT detection.

29 pages, 662 KiB  
Article
Advanced Persistent Threats and Wireless Local Area Network Security: An In-Depth Exploration of Attack Surfaces and Mitigation Techniques
by Hosam Alamleh, Laura Estremera, Shadman Sakib Arnob and Ali Abdullah S. AlQahtani
J. Cybersecur. Priv. 2025, 5(2), 27; https://doi.org/10.3390/jcp5020027 - 22 May 2025
Abstract
Wireless Local Area Networks (WLANs), particularly Wi-Fi, serve as the backbone of modern connectivity, supporting billions of devices globally and forming a critical component in Internet of Things (IoT) ecosystems. However, the increasing ubiquity of WLANs also presents an expanding attack surface for adversaries—especially Advanced Persistent Threats (APTs), which operate with high levels of sophistication, resources, and long-term strategic objectives. This paper provides a holistic security analysis of WLANs under the lens of APT threat models, categorizing APT actors by capability tiers and examining their ability to compromise WLANs through logical attack surfaces. The study identifies and explores three primary attack surfaces: Radio Access Control interfaces, compromised insider nodes, and ISP gateway-level exposures. A series of empirical experiments—ranging from traffic analysis of ISP-controlled routers to offline password attack modeling—evaluate the current resilience of WLANs and highlight specific vulnerabilities such as credential reuse, firmware-based leakage, and protocol downgrade attacks. Furthermore, the paper demonstrates how APT resources significantly accelerate attacks through formal models of computational scaling. It also incorporates threat modeling frameworks, including STRIDE and MITRE ATT&CK, to contextualize risks and map adversary tactics. Based on these insights, this paper offers practical recommendations for enhancing WLAN resilience through improved authentication mechanisms, network segmentation, AI-based anomaly detection, and open firmware adoption. The findings underscore that while current WLAN implementations offer basic protections, they remain highly susceptible to well-resourced adversaries, necessitating a shift toward more robust, context-aware security architectures.

22 pages, 3438 KiB  
Article
A High-Accuracy Advanced Persistent Threat Detection Model: Integrating Convolutional Neural Networks with Kepler-Optimized Bidirectional Gated Recurrent Units
by Guangwu Hu, Maoqi Sun and Chaoqin Zhang
Electronics 2025, 14(9), 1772; https://doi.org/10.3390/electronics14091772 - 27 Apr 2025
Abstract
Advanced Persistent Threat (APT) refers to a highly targeted, sophisticated, and prolonged form of cyberattack, typically directed at specific organizations or individuals. The primary objective of such attacks is the theft of sensitive information or the disruption of critical operations. APT attacks are characterized by their stealth and complexity, often resulting in significant economic losses. Furthermore, these attacks may lead to intelligence breaches, operational interruptions, and even jeopardize national security and political stability. Given the covert nature and extended durations of APT attacks, current detection solutions encounter challenges such as high detection difficulty and insufficient accuracy. To address these limitations, this paper proposes an innovative high-accuracy APT attack detection model, CNN-KOA-BiGRU, which integrates Convolutional Neural Networks (CNN), Bidirectional Gated Recurrent Units (BiGRU), and the Kepler optimization algorithm (KOA). The model first utilizes CNN to extract spatial features from network traffic data, followed by the application of BiGRU to capture temporal dependencies and long-term memory, thereby forming comprehensive temporal features. Simultaneously, the Kepler optimization algorithm is employed to optimize the BiGRU network structure, achieving globally optimal feature weights and enhancing detection accuracy. Additionally, this study employs a combination of sampling techniques, including Synthetic Minority Over-sampling Technique (SMOTE) and Tomek links, to mitigate classification bias caused by dataset imbalance. Evaluation results on the CSE-CIC-IDS2018 experimental dataset demonstrate that the CNN-KOA-BiGRU model achieves superior performance in detecting APT attacks, with an average accuracy of 98.68%. This surpasses existing methods, including CNN (93.01%), CNN-BiGRU (97.77%), and Graph Convolutional Network (GCN) (95.96%) on the same dataset. Specifically, the proposed model demonstrates an accuracy improvement of 5.67% over CNN, 0.91% over CNN-BiGRU, and 2.72% over GCN. Overall, the proposed model achieves an average improvement of 3.1% compared to existing methods.
(This article belongs to the Special Issue Advanced Technologies in Edge Computing and Applications)

27 pages, 5252 KiB  
Article
Mathematical Modeling and Clustering Framework for Cyber Threat Analysis Across Industries
by Fahim Sufi and Musleh Alsulami
Mathematics 2025, 13(4), 655; https://doi.org/10.3390/math13040655 - 17 Feb 2025
Cited by 2
Abstract
The escalating prevalence of cyber threats across industries underscores the urgent need for robust analytical frameworks to understand their clustering, prevalence, and distribution. This study addresses the challenge of quantifying and analyzing relationships between 95 distinct cyberattack types and 29 industry sectors, leveraging a dataset of 9261 entries filtered from over 1 million news articles. Existing approaches often fail to capture nuanced patterns across such complex datasets, justifying the need for innovative methodologies. We present a rigorous mathematical framework integrating chi-square tests, Bayesian inference, Gaussian Mixture Models (GMMs), and Spectral Clustering. This framework identifies key patterns, such as 1150 Zero-Day Exploits clustered in the IT and Telecommunications sector, 732 Advanced Persistent Threats (APTs) in Government and Public Administration, and Malware with a posterior probability of 0.287 dominating the Healthcare sector. Temporal analyses reveal periodic spikes, such as in Zero-Day Exploits, and a persistent presence of Social Engineering Attacks, with 1397 occurrences across industries. These findings are quantified using significance scores (mean: 3.25 ± 0.7) and posterior probabilities, providing evidence for industry-specific vulnerabilities. This research offers actionable insights for policymakers, cybersecurity professionals, and organizational decision makers by equipping them with a data-driven understanding of sector-specific risks. The mathematical formulations are replicable and scalable, enabling organizations to allocate resources effectively and develop proactive defenses against emerging threats. By bridging mathematical theory to real-world cybersecurity challenges, this study delivers impactful contributions toward safeguarding critical infrastructure and digital assets.
(This article belongs to the Special Issue Analytical Frameworks and Methods for Cybersecurity, 2nd Edition)

22 pages, 1177 KiB  
Article
DeepOP: A Hybrid Framework for MITRE ATT&CK Sequence Prediction via Deep Learning and Ontology
by Shuqin Zhang, Xiaohang Xue and Xinyu Su
Electronics 2025, 14(2), 257; https://doi.org/10.3390/electronics14020257 - 9 Jan 2025
Cited by 2
Abstract
As the Industrial Internet of Things (IIoT) increasingly integrates with traditional networks, advanced persistent threats (APTs) pose significant risks to critical infrastructure. Traditional Intrusion Detection Systems (IDSs) and Anomaly Detection Systems (ADSs) are often inadequate in countering sophisticated multi-step APT attacks. This highlights the necessity of studying attacker strategies and developing predictive models to mitigate potential threats. To address these challenges, we propose DeepOP, a hybrid framework for attack sequence prediction that combines deep learning and ontological reasoning. DeepOP leverages the MITRE ATT&CK framework to standardize attacker behavior and predict future attacks with fine-grained precision. Our framework’s core is a novel causal window self-attention mechanism embedded within a transformer-based architecture. This mechanism effectively captures local causal relationships and global dependencies within attack sequences, enabling accurate multi-step attack predictions. In addition, we construct a comprehensive dataset by extracting causally connected attack events from cyber threat intelligence (CTI) reports using ontological reasoning, mapping them to the ATT&CK framework. This approach addresses the challenge of insufficient data for fine-grained attack prediction and enhances the model’s ability to generalize across diverse scenarios. Experimental results demonstrate that the proposed model effectively predicts attacker behavior, achieving competitive performance in multi-step attack prediction tasks. Furthermore, DeepOP bridges the gap between theoretical modeling and practical security applications, providing a robust solution for countering complex APT threats.
(This article belongs to the Special Issue AI-Based Solutions for Cybersecurity)

18 pages, 572 KiB  
Article
Infrastructure and Tools for Testing the Vulnerability of Control Systems to Cyberattacks: A Coal Mine Industrial Facility Case
by Sebastian Plamowski, Patryk Chaber, Maciej Ławryńczuk, Robert Nebeluk, Ewa Niewiadomska-Szynkiewicz, Jakub Suchorab, Krzysztof Zarzycki, Adam Kozakiewicz and Andrzej Stachurski
Appl. Sci. 2024, 14(23), 11325; https://doi.org/10.3390/app142311325 - 4 Dec 2024
Abstract
Testing the vulnerability of information systems to cyberattacks is essential to ensure the operational security of organizations and industrial processes. In particular, it is essential to ensure the resilience of industrial processes, as a possible cyberattack can lead to process malfunctions and even process shutdowns, which can lead to substantial economic losses. The possibility of various attacks, e.g., ransomware, phishing, or advanced persistent threats (APTs), requires the evaluation of the effectiveness of cyberattack detection and incident response mechanisms. In industry, it is often impossible to carry out this type of test without risking system disruption, making it difficult to assess the true effectiveness of security features. This article discusses the issues concerned with testing the cyber resilience of a system operating in a real coal mine. First, this work briefly presents the hardware and software architecture used in the coal mine. Secondly, it describes the problem of replicating a real system in the laboratory and the necessary tools and methods used to implement a resilient system architecture. Finally, the scenarios of cyberattacks are detailed, and the obtained results are discussed.
(This article belongs to the Special Issue Intelligent Systems and Information Security)

14 pages, 2915 KiB  
Article
Missing Data Imputation Based on Causal Inference to Enhance Advanced Persistent Threat Attack Prediction
by Xiang Cheng, Miaomiao Kuang and Hongyu Yang
Symmetry 2024, 16(11), 1551; https://doi.org/10.3390/sym16111551 - 19 Nov 2024
Cited by 1
Abstract
With the continuous development of network security situations, the types of attacks increase sharply, but can be divided into symmetric attacks and asymmetric attacks. Symmetric attacks such as phishing and DDoS attacks exploit fixed patterns, resulting in system crashes and data breaches that cause losses to businesses. Asymmetric attacks such as Advanced Persistent Threats (APTs), a highly sophisticated and organized form of cyber attack, realize data theft through long-term latency because of their concealment and complexity, and pose a greater threat to organization security. In addition, there are challenges in the processing of missing data, especially in the application of symmetric and asymmetric data filling: the former is simple but not flexible, and the latter is complex and more suitable for highly complex attack scenarios. Since asymmetric attack research is particularly important, this paper proposes a method that combines causal discovery with a graph autoencoder to solve missing data, classify potentially malicious nodes, and reveal causal relationships. The core is to use graph autoencoders to learn the underlying causal structure of APT attacks, with a special focus on the complex causal relationships in asymmetric attacks. This causal knowledge is then applied to enhance the robustness of the model by compensating for data gaps. In the final phase, it also reveals causality, predicts and classifies potential APT attack nodes, and provides a comprehensive framework that not only predicts potential threats, but also provides insight into the logical sequence of the attacker’s actions.
(This article belongs to the Special Issue Symmetry and Asymmetry in Cybersecurity)

14 pages, 503 KiB  
Article
Robust Federated Learning for Mitigating Advanced Persistent Threats in Cyber-Physical Systems
by Ehsan Hallaji, Roozbeh Razavi-Far and Mehrdad Saif
Appl. Sci. 2024, 14(19), 8840; https://doi.org/10.3390/app14198840 - 1 Oct 2024
Abstract
Malware triage is essential for the security of cyber-physical systems, particularly against Advanced Persistent Threats (APTs). Proper data for this task, however, are hard to come by, as organizations are often reluctant to share their network data due to security concerns. To tackle this issue, this paper presents a secure and distributed framework for the collaborative training of a global model for APT triage without compromising privacy. Using this framework, organizations can share knowledge of APTs without disclosing private data. Moreover, the proposed design employs robust aggregation protocols to safeguard the global model against potential adversaries. The proposed framework is evaluated using real-world data with 15 different APT mechanisms. To make the simulations more challenging, we assume that edge nodes have partial knowledge of APTs. The obtained results demonstrate that participants in the proposed framework can privately share their knowledge, resulting in a robust global model that accurately detects APTs with significant improvement across different model architectures. Under optimal conditions, the designed framework detects almost all APT scenarios with an accuracy of over 90 percent.

14 pages, 1169 KiB  
Article
GoibhniUWE: A Lightweight and Modular Container-Based Cyber Range
by Alan Mills, Jonathan White and Phil Legg
J. Cybersecur. Priv. 2024, 4(3), 615-628; https://doi.org/10.3390/jcp4030029 - 24 Aug 2024
Abstract
Cyberattacks are rapidly evolving both in terms of techniques and frequency, from low-level attacks through to sophisticated Advanced Persistent Threats (APTs). There is a need to consider how testbed environments such as cyber ranges can be readily deployed to improve the examination of attack characteristics, as well as the assessment of defences. Whilst cyber ranges are not new, they can often be computationally expensive, require an extensive setup and configuration, or may not provide full support for areas such as logging or ongoing learning. In this paper, we propose GoibhniUWE, a container-based cyber range that provides a flexible platform for investigating the full lifecycle of a cyberattack. Adopting a modular approach, users can seamlessly switch out existing, containerised vulnerable services and deploy multiple different services at once, allowing for the creation of complex and realistic deployments. The range is fully instrumented with logging capabilities from a variety of sources including Intrusion Detection Systems (IDSs), service logging, and network traffic captures. To demonstrate the effectiveness of our approach, we deploy the GoibhniUWE range under multiple conditions to simulate various vulnerable environments, reporting on and comparing key metrics such as CPU and memory usage. We simulate complex attacks which span multiple services and networks, with logging at multiple levels, modelling an Advanced Persistent Threat (APT) and their associated Tactics, Techniques, and Procedures (TTPs). We find that even under continuous, active, and targeted deployment, GoibhniUWE averaged a CPU usage of less than 50%, in an environment using four single-core processors, and memory usage of less than 4.5 GB.
(This article belongs to the Section Security Engineering & Applications)