Search Results (78)

Search Parameters:
Keywords = advanced persistent threat (APT)

22 pages, 2175 KB  
Article
Correlation Analysis of APT Attack Organizations Based on Knowledge Graphs
by Haohui Su, Xuan Zhang, Lincheng Li and Lvjun Zheng
Electronics 2026, 15(1), 87; https://doi.org/10.3390/electronics15010087 - 24 Dec 2025
Viewed by 160
Abstract
Advanced Persistent Threats (APTs) exhibit covert behaviors, long attack cycles, and fragmented intelligence, creating challenges for correlation analysis and attribution. This work proposes a unified knowledge-graph-based framework for multi-level APT correlation. We construct an APT ontology and automatically extract entities and relations from threat reports using NER and relation extraction models. The resulting multi-source intelligence is normalized and integrated into a Neo4j knowledge graph containing 15,682 entities and 42,713 relations. Multi-level correlation analysis is then performed through explicit structural reasoning, semantic embedding models such as TransE and RotatE, and a temporal evolution module based on T-GCN to capture dynamic attack-path patterns. Experiments demonstrate that the proposed framework achieves an F1-score of 0.91 for relation extraction and improves APT correlation prediction accuracy by 17.3% over rule-based baselines. The system supports large-scale attack-chain reasoning and sector-oriented threat analysis, providing enhanced attribution and decision support for cybersecurity defense.

24 pages, 3662 KB  
Article
Maritime Industry Cybersecurity Threats in 2025: Advanced Persistent Threats (APTs), Hacktivism and Vulnerabilities
by Minodora Badea, Olga Bucovețchi, Adrian V. Gheorghe, Mihaela Hnatiuc and Gabriel Raicu
Logistics 2025, 9(4), 178; https://doi.org/10.3390/logistics9040178 - 18 Dec 2025
Viewed by 1140
Abstract
Background: The maritime industry, vital for global trade, faces escalating cyber threats in 2025. Critical port infrastructures are increasingly vulnerable due to rapid digitalization and the integration of IT and operational technology (OT) systems. Methods: Using 112 incidents from the Maritime Cyber Attack Database (MCAD, 2020–2025), we developed a novel quantitative risk assessment model based on a Threat-Vulnerability-Impact (T-V-I) framework, calibrated with MITRE ATT&CK techniques and validated against historical incidents. Results: Our analysis reveals a 150% rise in incidents, with OT compromise identified as the paramount threat (98/100 risk score). Ports in Poland and Taiwan face the highest immediate risk (95/100), while the Panama Canal is assessed as the most probable next target (90/100). State-sponsored actors from Russia, China, and Iran are responsible for most high-impact attacks. Conclusions: This research provides a validated, data-driven framework for prioritizing defensive resources. Our findings underscore the urgent need for engineering-grade solutions, including network segmentation, zero-trust architectures, and proactive threat intelligence integration to enhance maritime cyber resilience against evolving threats.

64 pages, 12541 KB  
Article
A Game-Theoretic Approach for Quantification of Strategic Behaviors in Digital Forensic Readiness
by Mehrnoush Vaseghipanah, Sam Jabbehdari and Hamidreza Navidi
J. Cybersecur. Priv. 2025, 5(4), 105; https://doi.org/10.3390/jcp5040105 - 26 Nov 2025
Viewed by 1089
Abstract
Small and Medium-sized Enterprises (SMEs) face disproportionately high risks from Advanced Persistent Threats (APTs), which often evade traditional cybersecurity measures. Existing frameworks catalogue adversary tactics and defensive solutions but provide limited quantitative guidance for allocating limited resources under uncertainty, a challenge amplified by the growing use of AI in both offensive operations and digital forensics. This paper proposes a game-theoretic model for improving digital forensic readiness (DFR) in SMEs. The approach integrates the MITRE ATT&CK and D3FEND frameworks to map APT behaviors to defensive countermeasures and defines 32 custom DFR metrics, weighted using the Analytic Hierarchy Process (AHP), to derive utility functions for both attackers and defenders. The main analysis considers a non-zero-sum attacker–defender bimatrix game and yields a single Nash equilibrium in which the attacker concentrates on Impact-oriented tactics and the defender on Detect-focused controls. In a synthetic calibration across ten organizational profiles, the framework achieves a median readiness improvement of 18.0% (95% confidence interval: 16.3% to 19.7%) relative to pre-framework baselines, with targeted improvements in logging and forensic preservation typically reducing key attacker utility components by around 15–30%. A zero-sum variant of the game is also analyzed as a robustness check and exhibits consistent tactical themes, but all policy conclusions are drawn from the empirical non-zero-sum model. Despite relying on expert-driven AHP weights and synthetic profiles, the framework offers SMEs actionable, equilibrium-informed guidance for strengthening forensic preparedness against advanced cyber threats.
(This article belongs to the Special Issue Cyber Security and Digital Forensics—2nd Edition)

17 pages, 1615 KB  
Article
APT Attribution Using Heterogeneous Graph Neural Networks with Contextual Threat Intelligence
by Abdirahman Jibril Mead and Abdullahi Arabo
Electronics 2025, 14(23), 4597; https://doi.org/10.3390/electronics14234597 - 24 Nov 2025
Viewed by 746
Abstract
This research proposes a heterogeneous graph neural network (GNN) framework to attribute advanced persistent threat (APT) activity using enriched cyber threat intelligence (CTI). We construct a tripartite graph linking APT groups, contextualised Tactics, Techniques, and Procedures (TTPs), and their Cyber Kill Chain (CKC) stages. TTP nodes are embedded with Sentence-BERT (SBERT) vectors for semantic similarity, while CKC stages provide procedural context. This design captures both behavioural semantics and attack-stage relationships, enabling robust and interpretable attribution. Empirical evaluation on the APTNotes corpus achieves a Macro-F1 score of 0.84 and 85% accuracy, addressing limitations in baselines such as DeepOP (technique prediction without CKC integration) and APT-MMF (no procedural or temporal TTP modelling). The framework is suitable for Security Operations Centres (SOCs), enabling faster and more accurate decision-making during incident response. Overall, the study advances automated and explainable APT attribution for practical SOC deployment.
(This article belongs to the Special Issue AI in Cybersecurity, 2nd Edition)

35 pages, 2931 KB  
Article
Provenance Graph Modeling and Feature Enhancement for Power System APT Detection
by Xuan Zhang, Haohui Su, Lincheng Li and Lvjun Zheng
Electronics 2025, 14(21), 4241; https://doi.org/10.3390/electronics14214241 - 29 Oct 2025
Viewed by 1126
Abstract
The power system, as a critical national infrastructure, faces stealthy and persistent intrusions from Advanced Persistent Threat (APT) attacks. These attack chains span multiple stages and components, while heterogeneous data sources lack unified semantics, limiting the interpretability of current detection methods. To address this, we combine the W3C PROV-DM standard with power-specific semantics to map generic provenance data into standardized provenance graphs. On this basis, we propose a graph neural network framework that jointly models temporal dependencies and structural features. The framework constructs unified provenance graphs with snapshot partitioning, applies Functional Time Encoding (FTE) for temporal modeling, and employs a graph attention autoencoder with node masking and edge reconstruction to enhance feature representations. Through pooling, graph-level embeddings are obtained for downstream detection. Experiments on two public datasets show that our method outperforms baselines across multiple metrics and exhibits clear inter-class separability. In the context of scarce power-domain APT data, this study improves model applicability and interpretability, and it provides a practical path for provenance graph-based intelligent detection in critical infrastructure protection.
(This article belongs to the Special Issue AI-Enhanced Security: Advancing Threat Detection and Defense)

25 pages, 1432 KB  
Article
GATransformer: A Network Threat Detection Method Based on Graph-Sequence Enhanced Transformer
by Qigang Zhu, Xiong Zhan, Wei Chen, Yuanzhi Li, Hengwei Ouyang, Tian Jiang and Yu Shen
Electronics 2025, 14(19), 3807; https://doi.org/10.3390/electronics14193807 - 25 Sep 2025
Cited by 1 | Viewed by 1094
Abstract
Emerging complex multi-step attacks such as Advanced Persistent Threats (APTs) pose significant risks to national economic development, security, and social stability. Effectively detecting these sophisticated threats is a critical challenge. While deep learning methods show promise in identifying unknown malicious behaviors, they often struggle with fragmented modal information, limited feature representation, and generalization. To address these limitations, we propose GATransformer, a new dual-modal detection method that integrates topological structure analysis with temporal sequence modeling. Its core lies in a cross-attention semantic fusion mechanism, which deeply integrates heterogeneous features and effectively mitigates the constraints of unimodal representations. GATransformer reconstructs network behavior representation via a parallel processing framework in which graph attention captures intricate spatial dependencies, and self-attention focuses on modeling long-range temporal correlations. Experimental results on the CIDDS-001 and CIDDS-002 datasets demonstrate the superior performance of our method compared to baseline methods with detection accuracies of 99.74% (nodes) and 88.28% (edges) on CIDDS-001 and 99.99% and 99.98% on CIDDS-002, respectively.
(This article belongs to the Special Issue Advances in Information Processing and Network Security)

29 pages, 3613 KB  
Article
CyberKG: Constructing a Cybersecurity Knowledge Graph Based on SecureBERT_Plus for CTI Reports
by Binyong Li, Qiaoxi Yang, Chuang Deng and Hua Pan
Informatics 2025, 12(3), 100; https://doi.org/10.3390/informatics12030100 - 22 Sep 2025
Viewed by 3033
Abstract
Cyberattacks, especially Advanced Persistent Threats (APTs), have become more complex. These evolving threats challenge traditional defense systems, which struggle to counter long-lasting and covert attacks. Cybersecurity Knowledge Graphs (CKGs), enabled through the integration of multi-source CTI, introduce novel approaches for proactive defense. However, building CKGs faces challenges such as unclear terminology, overlapping entity relationships in attack chains, and differences in CTI across sources. To tackle these challenges, we propose the CyberKG framework, which improves entity recognition and relation extraction using a SecureBERT_Plus-BiLSTM-Attention-CRF joint architecture. Semantic features are captured using a domain-adapted SecureBERT_Plus model, while temporal dependencies are modeled through BiLSTM. Attention mechanisms highlight key cross-sentence relationships, while CRF incorporates ATT&CK rule constraints. Hierarchical clustering (HAC), based on contextual embeddings, facilitates dynamic entity disambiguation and semantic fusion. Experimental evaluations on the DNRTI and MalwareDB datasets demonstrate strong performance in extraction accuracy, entity normalization, and the resolution of overlapping relations. The constructed knowledge graph supports APT tracking, attack-chain provenance, and proactive defense prediction.

20 pages, 2745 KB  
Article
Improving Detectability of Advanced Persistent Threats (APT) by Use of APT Group Digital Fingerprints
by Laszlo Erdodi, Doney Abraham and Siv Hilde Houmb
Information 2025, 16(9), 811; https://doi.org/10.3390/info16090811 - 18 Sep 2025
Viewed by 1393
Abstract
Over the last 15 years, cyberattacks have moved from attacking IT systems to targeted attacks on Operational Technology (OT) systems, also known as Cyber–Physical Systems (CPS). The first targeted OT cyberattack was Stuxnet in 2010, at which time the term Advanced Persistent Threat (APT) appeared. An APT often refers to a sophisticated two-stage cyberattack requiring an extensive reconnaissance period before executing the actual attack. Following Stuxnet, a sizable number of APTs have been discovered and documented. APTs are difficult to detect due to the many steps involved, the large number of attacker capabilities that are in use, and the timeline. Such attacks are carried out over an extended time period, sometimes spanning several years, which means that they cannot be recognized using signatures, anomalies, or similar patterns. APTs require detection capabilities beyond what current detection paradigms are capable of, such as behavior-based, signature-based, protocol-based, or other types of Intrusion Detection and Prevention Systems (IDS/IPS). This paper describes steps towards improving the detection of APTs by means of APT group digital fingerprints. An APT group fingerprint is a digital representation of the attacker’s capabilities, their relations and dependencies, and their technical implementation for an APT group. The fingerprint is represented as a directed graph, which models the relationships between the relevant capabilities. This paper describes part of the analysis behind establishing the APT group digital fingerprint for the Russian Cyberspace Operations Group - Sandworm.

19 pages, 659 KB  
Review
Cyber-Attacks on Energy Infrastructure—A Literature Overview and Perspectives on the Current Situation
by Doney Abraham, Siv Hilde Houmb and Laszlo Erdodi
Appl. Sci. 2025, 15(17), 9233; https://doi.org/10.3390/app15179233 - 22 Aug 2025
Cited by 3 | Viewed by 9117
Abstract
Advanced Persistent Threats (APT) are stealthy multi-step attacks, often executed over an extensive time period and tailored for a specific attack target. APTs represent a “low and slow” type of cyberattack, meaning that they most often remain undetected until the consequence of the attack becomes evident. Energy infrastructure, including power grids, oil and gas infrastructure, offshore wind installations, etc., forms the basis of a modern digital nation. In addition to loss of power, financial systems, banking systems, digital national services, etc., become non-operational without electricity. Loss of power from an APT cyberattack could result in loss of life and the possibility of creating digital chaos. Digital payments become unavailable, digital identification is affected, and even POS terminals need to run on emergency power, which is limited in time, resulting in challenges in paying for food and beverages. Examples of Advanced Persistent Threats (APTs) targeting energy infrastructures include Triton, which in 2017 aimed to manipulate the safety systems of a petrochemical plant in Saudi Arabia, potentially leading to catastrophic physical consequences. Another significant incident is the Industroyer2 malware attack in 2022, which targeted a Ukrainian energy provider in an attempt to disrupt operations. The paper combines APT knowledge with energy infrastructure domain expertise, focusing on technical aspects while at the same time providing perspectives on societal consequences that could result from APTs.
(This article belongs to the Special Issue Cyber-Physical Systems Security: Challenges and Approaches)

17 pages, 2751 KB  
Article
Joint Extraction of Cyber Threat Intelligence Entity Relationships Based on a Parallel Ensemble Prediction Model
by Huan Wang, Shenao Zhang, Zhe Wang, Jing Sun and Qingzheng Liu
Sensors 2025, 25(16), 5193; https://doi.org/10.3390/s25165193 - 21 Aug 2025
Viewed by 1480
Abstract
The construction of knowledge graphs in cyber threat intelligence (CTI) critically relies on automated entity–relation extraction. However, sequence tagging-based methods for joint entity–relation extraction are affected by the order-dependency problem. As a result, overlapping relations are handled ineffectively. To address this limitation, a parallel, ensemble-prediction–based model is proposed for joint entity–relation extraction in CTI. The joint extraction task is reformulated as an ensemble prediction problem. A joint network that combines Bidirectional Encoder Representations from Transformers (BERT) with a Bidirectional Gated Recurrent Unit (BiGRU) is constructed to capture deep contextual features in sentences. An ensemble prediction module and a triad representation of entity–relation facts are designed for joint extraction. A non-autoregressive decoder is employed to generate relation triad sets in parallel, thereby avoiding unnecessary sequential constraints during decoding. In the threat intelligence domain, labeled data are scarce and manual annotation is costly. To mitigate these constraints, the SecCti dataset is constructed by leveraging ChatGPT’s small-sample learning capability for labeling and augmentation. This approach reduces annotation costs effectively. Experimental results show a 4.6% absolute F1 improvement over the baseline on joint entity–relation extraction for threat intelligence concerning Advanced Persistent Threats (APTs) and cybercrime activities.
(This article belongs to the Section Sensor Networks)

22 pages, 5378 KB  
Article
A Trustworthy Dataset for APT Intelligence with an Auto-Annotation Framework
by Rui Qi, Ga Xiang, Yangsen Zhang, Qunsheng Yang, Mingyue Cheng, Haoyang Zhang, Mingming Ma, Lu Sun and Zhixing Ma
Electronics 2025, 14(16), 3251; https://doi.org/10.3390/electronics14163251 - 15 Aug 2025
Cited by 1 | Viewed by 1009
Abstract
Advanced Persistent Threats (APTs) pose significant cybersecurity challenges due to their multi-stage complexity. Knowledge graphs (KGs) effectively model APT attack processes through node-link architectures; however, the scarcity of high-quality, annotated datasets limits research progress. The primary challenge lies in balancing annotation cost and quality, particularly due to the lack of quality assessment methods for graph annotation data. This study addresses these issues by extending existing APT ontology definitions and developing a dynamic, trustworthy annotation framework for APT knowledge graphs. The framework introduces a self-verification mechanism utilizing large language model (LLM) annotation consistency and establishes a comprehensive graph data metric system for problem localization in annotated data. This metric system, based on structural properties, logical consistency, and APT attack chain characteristics, comprehensively evaluates annotation quality across representation, syntax semantics, and topological structure. Experimental results show that this framework significantly reduces annotation costs while maintaining quality. Using this framework, we constructed LAPTKG, a reliable dataset containing over 10,000 entities and relations. Baseline evaluations show substantial improvements in entity and relation extraction performance after metric correction, validating the framework’s effectiveness in reliable APT knowledge graph dataset construction.
(This article belongs to the Special Issue Advances in Information Processing and Network Security)

29 pages, 2720 KB  
Article
Research on Multi-Stage Detection of APT Attacks: Feature Selection Based on LDR-RFECV and Hyperparameter Optimization via LWHO
by Lihong Zeng, Honghui Li, Xueliang Fu, Daoqi Han, Shuncheng Zhou and Xin He
Big Data Cogn. Comput. 2025, 9(8), 206; https://doi.org/10.3390/bdcc9080206 - 12 Aug 2025
Viewed by 2295
Abstract
In the highly interconnected digital ecosystem, cyberspace has become the main battlefield for complex attacks such as Advanced Persistent Threat (APT). The complexity and concealment of APT attacks are increasing, posing unprecedented challenges to network security. Current APT detection methods largely depend on general datasets, making it challenging to capture the stages and complexity of APT attacks. Moreover, existing detection methods often suffer from suboptimal accuracy, high false alarm rates, and a lack of real-time capabilities. In this paper, we introduce LDR-RFECV, a novel feature selection (FS) algorithm that uses LightGBM, Decision Trees (DTs), and Random Forest (RF) as integrated feature evaluators instead of single evaluators in recursive feature elimination algorithms. This approach helps select the optimal feature subset, thereby significantly enhancing detection efficiency. In addition, a novel optimization algorithm called LWHO was proposed, which integrates the Levy flight mechanism with the Wild Horse Optimizer (WHO) to optimize the hyperparameters of the LightGBM model, ultimately enhancing performance in APT attack detection. More importantly, this optimization strategy significantly boosts the detection rate during the lateral movement phase of APT attacks, a pivotal stage where attackers infiltrate key resources. Timely identification is essential for disrupting the attack chain and achieving precise defense. Experimental results demonstrate that the proposed method achieves 97.31% and 98.32% accuracy on two typical APT attack datasets, DAPT2020 and Unraveled, respectively, which is 2.86% and 4.02% higher than the current research methods, respectively.

25 pages, 1107 KB  
Article
Provenance Graph-Based Deep Learning Framework for APT Detection in Edge Computing
by Tianyi Wang, Wei Tang, Yuan Su and Jiliang Li
Appl. Sci. 2025, 15(16), 8833; https://doi.org/10.3390/app15168833 - 11 Aug 2025
Cited by 2 | Viewed by 3041
Abstract
Edge computing builds relevant services and applications on the edge server near the user side, which enables a faster service response. However, the lack of large-scale hardware resources leads to weak defense for edge devices. Therefore, proactive defense security mechanisms, such as Intrusion Detection Systems (IDSs), are widely deployed in edge computing. Unfortunately, most of those IDSs lack causal analysis capabilities and still suffer from the threats of Advanced Persistent Threat (APT) attacks. To effectively detect APT attacks, we propose a heterogeneous graph neural network threat detection model based on the provenance graph. Specifically, we leverage the powerful analysis and tracking capabilities of the provenance graph to model the long-term behavior of the adversary. Moreover, we leverage the predictive power of heterogeneous graph neural networks to embed the provenance graph by a node-level and semantic-level heterogeneous mutual attention mechanism. In addition, we also propose a provenance graph reduction algorithm based on the semantic similarity of graph substructures to improve the detection efficiency and accuracy of the model, which reduces and integrates redundant information by calculating the semantic similarity between substructures. The experimental results demonstrate that the prediction accuracy of our method reaches 99.8% on the StreamSpot dataset and achieves 98.13% accuracy on the NSL-KDD dataset.

21 pages, 1672 KB  
Article
TSE-APT: An APT Attack-Detection Method Based on Time-Series and Ensemble-Learning Models
by Mingyue Cheng, Ga Xiang, Qunsheng Yang, Zhixing Ma and Haoyang Zhang
Electronics 2025, 14(15), 2924; https://doi.org/10.3390/electronics14152924 - 22 Jul 2025
Viewed by 1622
Abstract
Advanced Persistent Threat (APT) attacks pose a serious challenge to traditional detection methods. These methods often suffer from high false-alarm rates and limited accuracy due to the multi-stage and covert nature of APT attacks. In this paper, we propose TSE-APT, a time-series ensemble model that addresses these two limitations. It combines multiple machine-learning models, such as Random Forest (RF), Multi-Layer Perceptron (MLP), and Bidirectional Long Short-Term Memory Network (BiLSTM) models, to dynamically capture correlations between multiple stages of the attack process based on time-series features. It discovers hidden features through the integration of multiple machine-learning models to significantly improve the accuracy and robustness of APT detection. First, we extract a collection of dynamic time-series features such as traffic mean, flow duration, and flag frequency. We fuse them with static contextual features, including the port service matrix and protocol type distribution, to effectively capture the multi-stage behaviors of APT attacks. Then, we utilize an ensemble-learning model with a dynamic weight-allocation mechanism using a self-attention network to adaptively adjust the sub-model contribution. The experiments showed that using time-series feature fusion significantly enhanced the detection performance. The RF, MLP, and BiLSTM models achieved 96.7% accuracy, considerably enhancing recall and the false positive rate. The adaptive mechanism optimizes the model’s performance and reduces false-alarm rates. This study provides an analytical method for APT attack detection, considering both temporal dynamics and context static characteristics, and provides new ideas for security protection in complex networks.
(This article belongs to the Special Issue AI in Cybersecurity, 2nd Edition)

20 pages, 1695 KB  
Article
Unveiling the Shadows—A Framework for APT’s Defense AI and Game Theory Strategy
by Pedro Brandão and Carla Silva
Algorithms 2025, 18(7), 404; https://doi.org/10.3390/a18070404 - 1 Jul 2025
Viewed by 2665
Abstract
Advanced persistent threats (APTs) pose significant risks to critical systems and infrastructures due to their stealth and persistence. While several studies have reviewed APT characteristics and defense mechanisms, this paper goes further by proposing a hybrid defense framework based on artificial intelligence and game theory. First, a literature review outlines the evolution, methodologies, and known incidents of APTs. Then, a novel conceptual framework is presented, integrating unsupervised anomaly detection (isolation forest) and strategic defense modeling (Stackelberg game). Experimental results on simulated data demonstrate the robustness and scalability of the approach. In addition to reviewing current APT detection techniques, this work presents a defense model that integrates machine learning-based anomaly detection with predictive game-theoretic modeling.
(This article belongs to the Section Algorithms for Multidisciplinary Applications)