Search Results (87)

Search Parameters:
Keywords = advanced persistent threat (APT)

29 pages, 1237 KB  
Article
A Digital Twin-Assisted Threat Modeling Framework for Predicting APT Attack Flows in Industrial Control Systems
by Gizem Erceylan, Doney Abraham, Aida Akbarzadeh, Vasileios Gkioulos and Sandeep Pirbhulal
J. Cybersecur. Priv. 2026, 6(3), 81; https://doi.org/10.3390/jcp6030081 - 1 May 2026
Abstract
Industrial Control Systems (ICSs), which are essential components of critical infrastructures, are inherently complex and vulnerable to cyberattacks. Advanced Persistent Threats (APTs) that target these systems are multi-stage, coordinated attacks that can lead not only to information loss but also to physical damage and loss of life. Traditional threat modeling approaches fall short in adapting to the dynamic nature of ICSs, necessitating new methodologies to predict and prevent such complex attacks. This work presents a digital twin-assisted dynamic threat modeling framework for ICS environments. The framework leverages a knowledge graph that integrates system data and cyber threat intelligence to predict potential attacks. In addition, the digital twin environment enables the validation of mitigation strategies before deployment in the physical system, while also supporting adaptive response and real-time mitigation. To predict the attacker’s next move, we propose a Relational Graph Convolutional Network (RGCN)-based model that utilizes enriched relational data such as tactics, campaigns, groups, techniques, and assets. The proposed RGCN model achieves a recall of 0.887, an F1-score of 0.893, and an AUC of 0.957 in predicting potential attack sequences. These results demonstrate that the model provides reliable and well-balanced predictive performance.
(This article belongs to the Section Security Engineering & Applications)

23 pages, 8187 KB  
Article
A Secure UAV Swarm Architecture Based on Dynamic Heterogeneous Redundancy and Cooperative Supervision
by Wutao Qin, Qiang Li, Qi Liu and Zhenkai Wang
Electronics 2026, 15(5), 1130; https://doi.org/10.3390/electronics15051130 - 9 Mar 2026
Abstract
Current Unmanned Aerial Vehicle (UAV) swarm designs prioritize physical reliability over network security, leaving systems vulnerable to increasingly sophisticated cyber threats in complex environments. Existing defense methods are mostly limited to peripheral network security technologies, such as encryption, authentication, and firewalls. Consequently, they lack deep integration at the formation architecture level. This separation results in a disconnect between system reliability design and security protection mechanisms, making it difficult to effectively deal with high-level security threats such as internal backdoor vulnerabilities. To this end, this paper proposes an endogenous security architecture for UAV swarms based on dynamic heterogeneous redundancy (DHR) and cooperative supervision. First, a theoretical model of a DHR system for UAV swarms is constructed, and discrete nodes are abstracted as dynamic heterogeneous resource pools. Through the formal definition of the heterogeneous executor space, redundancy adjudication mechanism, and dynamic scheduling method, we demonstrate how this architecture suppresses common mode failures by introducing internal and external uncertainties, thereby realizing the coordination and unification of safety and security. Second, a distributed security control strategy based on cooperative supervision is proposed, which uses cross-validation between neighbors to replace the centralized adjudication of traditional DHR, solves the problem of anomaly detection in a decentralized environment, and combines reactive cleaning and periodic disturbance scheduling to give the system the ability to self-heal against unknown threats. Simulations in various attack scenarios demonstrate the proposed method’s superiority over traditional architectures. In particular, in the simulated dormant multi-mode Advanced Persistent Threat (APT) scenario, the system can still maintain availability of more than 81%, which effectively verifies the key role of the coordination mechanism of heterogeneity, redundancy and dynamics in enhancing the safety and security of UAV swarms.
(This article belongs to the Special Issue Hardware and Software Co-Design in Intelligent Systems)

23 pages, 3612 KB  
Article
A Security Framework for Resilient Smart Grids Based on Self-Organizing Graph Neural Cellular Automata
by Rongxu Hou, Yiying Zhang, Siwei Li, Yeshen He and Pizhen Zhang
Algorithms 2026, 19(3), 195; https://doi.org/10.3390/a19030195 - 5 Mar 2026
Abstract
As smart grids evolve into complex cyber-physical systems, conventional static defenses struggle to address time-varying topologies and Advanced Persistent Threats (APTs). We propose the Security Framework for Resilient Smart Grids based on Self-Organizing Graph Neural Cellular Automata (SG-GNC). Specifically, a Neural Homeostatic Embedding (NHE) mechanism utilizes variational graph autoencoders to construct a continuous health manifold for unsupervised anomaly detection, while a Neural Cellular Automata (NCA) engine employs shared-weight local rules to empower nodes with decentralized self-healing capabilities. Finally, a Generative Adversarial Immunity (GAI) strategy facilitates active defense co-evolution, enhancing robustness against zero-day attacks. Experimental results on the IEEE 118 and 300-bus systems demonstrate an average detection accuracy of 98.23%, significantly outperforming benchmarks. In scenarios involving dynamic topology and zero-day attacks, the framework maintains over 96% accuracy with an inference latency of only 9.45 ms. These findings validate the capability of SG-GNC to provide resilient, endogenous defense in complex heterogeneous environments.

26 pages, 2336 KB  
Article
APT-LMSPS: An Efficient APT Detection System via Long-Range Meta-Path Progressive Sampling Search
by Jizhao Liu, Zitao Zhang, Shuqin Zhang, Fangfang Shan and Jun Li
Information 2026, 17(3), 245; https://doi.org/10.3390/info17030245 - 2 Mar 2026
Abstract
Advanced Persistent Threats (APTs) are characterized by stealth, infrequency, and long cycles, evading traditional security to endanger critical infrastructure. Complex semantic links between system entities can be accurately modeled using representation learning techniques based on heterogeneous provenance graphs, providing a novel method for uncovering hidden APT attack chains. However, in large-scale practical implementations, this approach still faces three major challenges: combinatorial explosion of long-range meta-paths, loss of semantic evolution during graph compression, and high computational overhead for dynamic environments. To address these, we propose APT-LMSPS, a detection system leveraging Long-Range Meta-path Progressive Sampling Search (LMSPS). The LMSPS algorithm uses dynamic pruning and semantic contribution assessment to convert meta-path combination explosion into constant-scale computation, accurately modeling long-range dependencies. Second, the Maintaining Global Semantics (MGS) approach intelligently filters events by tracking node semantic state changes, achieving an 8:1 compression ratio while preserving over 90% of critical pathways’ semantic integrity. Lastly, the meta-path encoding database uses a caching approach to avoid repeated encoding, doubling encoding effectiveness and enabling efficient, accurate, system-wide APT detection in large-scale scenarios. Evaluated on DARPA, StreamSpot, and ATLAS datasets, APT-LMSPS maintains competitive accuracy (F1-score ≥ 0.98) and improves long-range processing efficiency by an order of magnitude over baselines.
(This article belongs to the Section Information Security and Privacy)

17 pages, 615 KB  
Article
Hybrid Time–Position Embedding for Provenance-Based Intrusion Detection
by Seonghyeon Gong, Jake Cho and Kyuwon Ken Choi
Electronics 2026, 15(5), 1004; https://doi.org/10.3390/electronics15051004 - 28 Feb 2026
Abstract
Provenance-based Intrusion Detection Systems (IDSs) model the causal relationships between security events through a provenance graph and learn contextual information to detect Advanced Persistent Threats (APTs) effectively. However, existing provenance graph representation methods fail to fully reflect the characteristics of security domain data and the semantic information embedded in system logs, resulting in limited learning efficiency and detection accuracy. This paper proposes a provenance representation method that effectively captures security context from system log data. The proposed method improves the performance of provenance-based IDSs by combining (1) a provenance graph construction technique that transforms meaningful string attributes—such as command lines, process names, and file paths—into vector representations to extract semantic information in the security context, (2) a hybrid time–position embedding technique for capturing causal relationships between events, and (3) an iterative refinement learning strategy tailored to the characteristics of system log data. Experimental results using the DARPA Transparent Computing Engagement 3 (E3) benchmark dataset for APT detection demonstrate that our method achieves improved accuracy compared to existing approaches while significantly accelerating convergence during iterative training. These results suggest that the proposed embedding technique can more effectively capture abnormal temporal patterns, such as the long dwell times characteristic of APT attacks.

29 pages, 766 KB  
Article
Enhancing the MITRE ATT&CK® Framework for Cyber-Physical Systems Using Insights from Advanced Persistent Threats
by Michael Mc Cabe and Siv Hilde Houmb
Appl. Sci. 2026, 16(4), 1815; https://doi.org/10.3390/app16041815 - 12 Feb 2026
Abstract
In recent years, numerous Advanced Persistent Threats (APTs) have carried out cyber-physical attacks on critical infrastructures. Ukraine has been the victim of several advanced campaigns against its power grids, exemplifying a growing trend of disruptive and potentially destructive attacks. Although frameworks like the MITRE ATT&CK® (ATT&CK) document adversaries’ behaviour across various domains, they show limitations in representing the unique characteristics of cyber-physical attacks. Existing models often fail to capture the integration of physical processes, system states, and domain-specific impacts that are essential to understand threats in cyber-physical environments. This gap hinders the ability to fully model how APTs exploit physical components alongside cyber ones. This research investigates the limitations of the ATT&CK Industrial Control System (ICS) framework in the context of Cyber-Physical Systems (CPSs). A capability analysis of selected Russian APTs known to target CPS was conducted, resulting in conceptual enhancements to better represent their relevant tactics and techniques. These enhancements were evaluated through semi-structured interviews with cybersecurity professionals. The findings indicate the need for improved representation of interactions in the physical domain, along with greater contextual detail on tactics and techniques. Although the study is exploratory, the enhancements provide a foundation for future research to strengthen CPS threat analysis.
(This article belongs to the Special Issue Infrastructure Resilience Analysis)

27 pages, 1193 KB  
Review
A Survey of Emerging DDoS Threats in New Power Systems
by Fan Luo, Siqin Fan and Guolin Shao
Sensors 2026, 26(4), 1097; https://doi.org/10.3390/s26041097 - 8 Feb 2026
Abstract
Distributed Denial-of-Service (DDoS) attacks remain the most pervasive and operationally disruptive cyber threat and are routinely weaponized in interstate conflict (e.g., Russia–Ukraine and Stuxnet). Although attack-chain models are standard for Advanced Persistent Threat (APT) analysis, they have seldom been applied to DDoS, which is often framed as a single-step volumetric assault. However, ubiquitous intelligence and ambient connectivity increasingly enable DDoS campaigns to unfold as multi-stage operations rather than isolated floods. In parallel, large language models (LLMs) create new opportunities to strengthen traditional DDoS defenses through richer contextual understanding. Reviewing incidents from 2019 to 2024, we propose a three-phase DDoS attack chain—preparation, development, and execution—that captures contemporary tactics and their dependencies on novel hardware, network architectures, and application protocols. We classify these patterns, contrast them with conventional DDoS, survey current defenses (anycast and scrubbing, BGP Flowspec, programmable data planes, adaptive ML detection, API hardening), and outline research directions in cross-layer telemetry, adversarially robust learning, automated mitigation orchestration, and cooperative takedown.

32 pages, 4159 KB  
Article
APT Malware Detection Model Based on Heterogeneous Multimodal Semantic Fusion
by Chaosen Pu and Liang Wan
Appl. Sci. 2026, 16(2), 1083; https://doi.org/10.3390/app16021083 - 21 Jan 2026
Abstract
In recent years, Advanced Persistent Threat (APT) malware, with its high stealth, has made it difficult for unimodal detection methods to accurately identify its disguised malicious behaviors. To address this challenge, this paper proposes an APT Malware Detection Model based on Heterogeneous Multimodal Semantic Fusion (HMSF-ADM). By integrating the API call sequence features of APT malware in the operating system and the RGB image features of PE files, the model constructs multimodal representations with stronger discriminability, thus achieving efficient and accurate identification of APT malicious behaviors. First, the model employs two encoders, namely a Transformer encoder equipped with the DPCFTE module and a CAS-ViT encoder, to encode sequence features and image features, respectively, completing local–global collaborative context modeling. Then, the sequence encoding results and image encoding results are interactively fused via two cross-attention mechanisms to generate fused representations. Finally, a TextCNN-based classifier is utilized to perform classification prediction on the fused representations. Experimental results on two APT malware datasets demonstrate that the proposed HMSF-ADM model outperforms various mainstream multimodal comparison models in core metrics such as accuracy, precision, and F1-score. Notably, the F1-score of the model exceeds 0.95 for the vast majority of APT malware families, and its accuracy and F1-score both remain above 0.986 in the task of distinguishing between ordinary malware and APT malware.

19 pages, 1371 KB  
Article
A Density–Metric Framework for the Mathematical Separation of Anomalous Events in High-Dimensional Spaces
by Pedro Brandão, Oscar Garcia Pañella and Carla Silva
Mathematics 2026, 14(2), 350; https://doi.org/10.3390/math14020350 - 20 Jan 2026
Abstract
Detecting anomalous events in high-dimensional behavioral data is a fundamental challenge in modern cybersecurity, particularly in scenarios involving stealthy advanced persistent threats (APTs). Traditional anomaly detection techniques rely on heuristic notions of distance or density yet rarely offer a mathematically coherent description of how sparse events can be formally and empirically separated from the dominant behavioral structure. This study introduces a density–metric geometric space framework that unifies geometric, topological, and density-based perspectives into a single analytical model. Behavioral events are embedded in a five-dimensional Euclidean geometric space equipped with a neighborhood-based density operator. Anomalies are formally defined as points whose local density falls below a fixed threshold, and we show that such points occupy empirically distinct low-density regions of the induced metric space. The theoretical foundations are supported by experiments conducted on openly available cybersecurity datasets, including ADFA-LD and UNSW-NB15, where we demonstrate that low-density behavioral patterns correspond to structurally rare attack configurations. The proposed framework provides a mathematically grounded, empirically validated account of why APT-like behaviors naturally emerge as sparse and weakly coherent regions in high-dimensional space. These results offer a principled basis for high-dimensional anomaly detection and open new directions for leveraging geometric learning in cybersecurity.
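The definition in the abstract, a neighborhood-based density operator on a five-dimensional Euclidean space and a fixed threshold below which a point is anomalous, can be implemented directly. The following is an added example, not the paper's code or data: the 34 five-dimensional vectors are constructed (a tight cluster of 32 "normal" behaviour vectors plus two isolated ones, with hypothetical feature meanings), and the radius 0.3 and threshold 5 are assumptions chosen to suit the constructed data rather than values taken from the paper. The separation margin at the end is a simple way to check the abstract's claim that the flagged points sit in distinct low-density regions rather than at the fringe of the main cluster.

```python
"""Added example: neighborhood-based density operator on 5-D behaviour
vectors and the 'density below a fixed threshold' anomaly rule."""
import math
from itertools import product


def euclid(p, q):
    """Euclidean distance in the 5-D embedding space."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(p, q)))


def local_density(points, idx, radius):
    """Density operator: number of other points within `radius` of points[idx]."""
    p = points[idx]
    return sum(1 for j, q in enumerate(points) if j != idx and euclid(p, q) <= radius)


def find_anomalies(points, radius, tau):
    """Indices of points whose local density is strictly below the threshold tau."""
    return [i for i in range(len(points)) if local_density(points, i, radius) < tau]


def separation_margin(points, flagged):
    """Smallest distance from any flagged point to any unflagged point: how far
    the low-density region sits from the dominant behavioural structure."""
    flagged = set(flagged)
    return min(euclid(points[i], points[j])
               for i in flagged for j in range(len(points)) if j not in flagged)


# Constructed data (hypothetical features, e.g. bytes out, distinct peers,
# off-hours ratio, new-binary rate, failed-auth rate): 32 'normal' vectors on
# the corners of a small hypercube (pairwise distance <= sqrt(5)*0.1 ~ 0.224)
# and two isolated vectors standing in for rare APT-like behaviour.
NORMAL = [tuple(v) for v in product((0.0, 0.1), repeat=5)]
RARE = [(3.0, 0.0, 0.0, 0.0, 0.0), (0.0, 0.0, 5.0, 5.0, 0.0)]
POINTS = NORMAL + RARE

RADIUS = 0.3  # assumption: neighbourhood radius, chosen for the constructed data
TAU = 5       # assumption: fixed density threshold, chosen for the constructed data


def demo():
    """Anomaly indices and their separation from the normal cluster."""
    flagged = find_anomalies(POINTS, RADIUS, TAU)
    return flagged, separation_margin(POINTS, flagged)


if __name__ == "__main__":
    flagged, margin = demo()
    for i in flagged:
        print(i, POINTS[i], "density =", local_density(POINTS, i, RADIUS))
    print("separation margin:", round(margin, 3))
```

With these parameters every normal point has 31 neighbours and the two rare points have none, so exactly those two fall below the threshold; the separation margin of 2.9 is more than ten times the largest intra-cluster distance. On real telemetry the radius and threshold have to be tuned against the data's scale, which is the step this toy setup sidesteps.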
(This article belongs to the Special Issue Trends in Evolutionary Computation with Applications)

22 pages, 2175 KB  
Article
Correlation Analysis of APT Attack Organizations Based on Knowledge Graphs
by Haohui Su, Xuan Zhang, Lincheng Li and Lvjun Zheng
Electronics 2026, 15(1), 87; https://doi.org/10.3390/electronics15010087 - 24 Dec 2025
Abstract
Advanced Persistent Threats (APTs) exhibit covert behaviors, long attack cycles, and fragmented intelligence, creating challenges for correlation analysis and attribution. This work proposes a unified knowledge-graph-based framework for multi-level APT correlation. We construct an APT ontology and automatically extract entities and relations from threat reports using NER and relation extraction models. The resulting multi-source intelligence is normalized and integrated into a Neo4j knowledge graph containing 15,682 entities and 42,713 relations. Multi-level correlation analysis is then performed through explicit structural reasoning, semantic embedding models such as TransE and RotatE, and a temporal evolution module based on T-GCN to capture dynamic attack-path patterns. Experiments demonstrate that the proposed framework achieves an F1-score of 0.91 for relation extraction and improves APT correlation prediction accuracy by 17.3% over rule-based baselines. The system supports large-scale attack-chain reasoning and sector-oriented threat analysis, providing enhanced attribution and decision support for cybersecurity defense.

24 pages, 3662 KB  
Article
Maritime Industry Cybersecurity Threats in 2025: Advanced Persistent Threats (APTs), Hacktivism and Vulnerabilities
by Minodora Badea, Olga Bucovețchi, Adrian V. Gheorghe, Mihaela Hnatiuc and Gabriel Raicu
Logistics 2025, 9(4), 178; https://doi.org/10.3390/logistics9040178 - 18 Dec 2025
Abstract
Background: The maritime industry, vital for global trade, faces escalating cyber threats in 2025. Critical port infrastructures are increasingly vulnerable due to rapid digitalization and the integration of IT and operational technology (OT) systems. Methods: Using 112 incidents from the Maritime Cyber Attack Database (MCAD, 2020–2025), we developed a novel quantitative risk assessment model based on a Threat-Vulnerability-Impact (T-V-I) framework, calibrated with MITRE ATT&CK techniques and validated against historical incidents. Results: Our analysis reveals a 150% rise in incidents, with OT compromise identified as the paramount threat (98/100 risk score). Ports in Poland and Taiwan face the highest immediate risk (95/100), while the Panama Canal is assessed as the most probable next target (90/100). State-sponsored actors from Russia, China, and Iran are responsible for most high-impact attacks. Conclusions: This research provides a validated, data-driven framework for prioritizing defensive resources. Our findings underscore the urgent need for engineering-grade solutions, including network segmentation, zero-trust architectures, and proactive threat intelligence integration to enhance maritime cyber resilience against evolving threats.

64 pages, 12541 KB  
Article
A Game-Theoretic Approach for Quantification of Strategic Behaviors in Digital Forensic Readiness
by Mehrnoush Vaseghipanah, Sam Jabbehdari and Hamidreza Navidi
J. Cybersecur. Priv. 2025, 5(4), 105; https://doi.org/10.3390/jcp5040105 - 26 Nov 2025
Abstract
Small and Medium-sized Enterprises (SMEs) face disproportionately high risks from Advanced Persistent Threats (APTs), which often evade traditional cybersecurity measures. Existing frameworks catalogue adversary tactics and defensive solutions but provide limited quantitative guidance for allocating limited resources under uncertainty, a challenge amplified by the growing use of AI in both offensive operations and digital forensics. This paper proposes a game-theoretic model for improving digital forensic readiness (DFR) in SMEs. The approach integrates the MITRE ATT&CK and D3FEND frameworks to map APT behaviors to defensive countermeasures and defines 32 custom DFR metrics, weighted using the Analytic Hierarchy Process (AHP), to derive utility functions for both attackers and defenders. The main analysis considers a non-zero-sum attacker–defender bimatrix game and yields a single Nash equilibrium in which the attacker concentrates on Impact-oriented tactics and the defender on Detect-focused controls. In a synthetic calibration across ten organizational profiles, the framework achieves a median readiness improvement of 18.0% (95% confidence interval: 16.3% to 19.7%) relative to pre-framework baselines, with targeted improvements in logging and forensic preservation typically reducing key attacker utility components by around 15–30%. A zero-sum variant of the game is also analyzed as a robustness check and exhibits consistent tactical themes, but all policy conclusions are drawn from the empirical non-zero-sum model. Despite relying on expert-driven AHP weights and synthetic profiles, the framework offers SMEs actionable, equilibrium-informed guidance for strengthening forensic preparedness against advanced cyber threats.
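To make the bimatrix-game step concrete, the following added example (not the paper's model or data) enumerates the pure-strategy Nash equilibria of a constructed 3x3 attacker-defender game. Rows are ATT&CK tactics, columns are D3FEND tactics, and the payoff values are invented so that (Impact, Detect) is the unique equilibrium, mirroring the equilibrium the abstract reports; the paper derives its utilities from 32 AHP-weighted DFR metrics, which are not reproduced here. The zero-sum variant the abstract mentions as a robustness check is obtained by negating the attacker's payoffs for the defender.

```python
"""Added example: pure-strategy Nash equilibria of a constructed
attacker-defender bimatrix game (non-zero-sum), plus its zero-sum variant."""

# Constructed strategy labels (ATT&CK tactics vs D3FEND tactics).
ATTACKER_TACTICS = ("Initial Access", "Persistence", "Impact")
DEFENDER_TACTICS = ("Harden", "Detect", "Isolate")

# Constructed payoffs: rows = attacker tactic, cols = defender tactic.
# Higher is better for the player whose matrix it is. These numbers are
# illustrative, not the paper's AHP-derived utilities.
ATTACKER = [
    [2, 4, 3],
    [5, 3, 2],
    [6, 5, 4],
]
DEFENDER = [
    [5, 3, 2],
    [3, 4, 5],
    [2, 6, 5],
]


def is_zero_sum(a, d):
    """True when every cell's payoffs sum to the same constant."""
    sums = {a[i][j] + d[i][j] for i in range(len(a)) for j in range(len(a[0]))}
    return len(sums) == 1


def pure_nash(a, d):
    """All (row, col) cells where neither player gains by deviating alone:
    the row is a best response to the column and the column to the row."""
    rows, cols = len(a), len(a[0])
    equilibria = []
    for i in range(rows):
        for j in range(cols):
            attacker_ok = all(a[i][j] >= a[k][j] for k in range(rows))
            defender_ok = all(d[i][j] >= d[i][l] for l in range(cols))
            if attacker_ok and defender_ok:
                equilibria.append((i, j))
    return equilibria


def zero_sum_variant(a):
    """Defender payoff for the zero-sum robustness check: the negated attacker payoff."""
    return [[-v for v in row] for row in a]


def labelled(equilibria):
    """Map (row, col) indices back to tactic names."""
    return [(ATTACKER_TACTICS[i], DEFENDER_TACTICS[j]) for i, j in equilibria]


def solve():
    """Equilibria of the constructed game and of its zero-sum variant."""
    non_zero_sum = labelled(pure_nash(ATTACKER, DEFENDER))
    zero_sum = labelled(pure_nash(ATTACKER, zero_sum_variant(ATTACKER)))
    return non_zero_sum, zero_sum


if __name__ == "__main__":
    nzs, zs = solve()
    print("zero-sum game?", is_zero_sum(ATTACKER, DEFENDER))
    print("non-zero-sum equilibria:", nzs)
    print("zero-sum variant equilibria:", zs)
```

In the constructed matrices Impact strictly dominates the attacker's other rows, so the attacker's choice is fixed and the defender's best response to it (Detect) pins down the single equilibrium. In the zero-sum variant the attacker still plays Impact but the defender switches to Isolate, because it now minimises the attacker's payoff rather than maximising its own; that is the kind of shift the robustness check in the abstract is meant to surface. Pure-strategy enumeration is enough here; a game with no pure equilibrium needs a mixed-strategy solver instead.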
(This article belongs to the Special Issue Cyber Security and Digital Forensics—2nd Edition)

17 pages, 1615 KB  
Article
APT Attribution Using Heterogeneous Graph Neural Networks with Contextual Threat Intelligence
by Abdirahman Jibril Mead and Abdullahi Arabo
Electronics 2025, 14(23), 4597; https://doi.org/10.3390/electronics14234597 - 24 Nov 2025
Abstract
This research proposes a heterogeneous graph neural network (GNN) framework to attribute advanced persistent threat (APT) activity using enriched cyber threat intelligence (CTI). We construct a tripartite graph linking APT groups, contextualised Tactics, Techniques, and Procedures (TTPs), and their Cyber Kill Chain (CKC) stages. TTP nodes are embedded with Sentence-BERT (SBERT) vectors for semantic similarity, while CKC stages provide procedural context. This design captures both behavioural semantics and attack-stage relationships, enabling robust and interpretable attribution. Empirical evaluation on the APTNotes corpus achieves a Macro-F1 score of 0.84 and 85% accuracy, addressing limitations in baselines such as DeepOP (technique prediction without CKC integration) and APT-MMF (no procedural or temporal TTP modelling). The framework is suitable for Security Operations Centres (SOCs), enabling faster and more accurate decision-making during incident response. Overall, the study advances automated and explainable APT attribution for practical SOC deployment.
(This article belongs to the Special Issue AI in Cybersecurity, 2nd Edition)

35 pages, 2931 KB  
Article
Provenance Graph Modeling and Feature Enhancement for Power System APT Detection
by Xuan Zhang, Haohui Su, Lincheng Li and Lvjun Zheng
Electronics 2025, 14(21), 4241; https://doi.org/10.3390/electronics14214241 - 29 Oct 2025
Abstract
The power system, as a critical national infrastructure, faces stealthy and persistent intrusions from Advanced Persistent Threat (APT) attacks. These attack chains span multiple stages and components, while heterogeneous data sources lack unified semantics, limiting the interpretability of current detection methods. To address this, we combine the W3C PROV-DM standard with power-specific semantics to map generic provenance data into standardized provenance graphs. On this basis, we propose a graph neural network framework that jointly models temporal dependencies and structural features. The framework constructs unified provenance graphs with snapshot partitioning, applies Functional Time Encoding (FTE) for temporal modeling, and employs a graph attention autoencoder with node masking and edge reconstruction to enhance feature representations. Through pooling, graph-level embeddings are obtained for downstream detection. Experiments on two public datasets show that our method outperforms baselines across multiple metrics and exhibits clear inter-class separability. In the context of scarce power-domain APT data, this study improves model applicability and interpretability, and it provides a practical path for provenance graph-based intelligent detection in critical infrastructure protection.
(This article belongs to the Special Issue AI-Enhanced Security: Advancing Threat Detection and Defense)

25 pages, 1432 KB  
Article
GATransformer: A Network Threat Detection Method Based on Graph-Sequence Enhanced Transformer
by Qigang Zhu, Xiong Zhan, Wei Chen, Yuanzhi Li, Hengwei Ouyang, Tian Jiang and Yu Shen
Electronics 2025, 14(19), 3807; https://doi.org/10.3390/electronics14193807 - 25 Sep 2025
Abstract
Emerging complex multi-step attacks such as Advanced Persistent Threats (APTs) pose significant risks to national economic development, security, and social stability. Effectively detecting these sophisticated threats is a critical challenge. While deep learning methods show promise in identifying unknown malicious behaviors, they often struggle with fragmented modal information, limited feature representation, and generalization. To address these limitations, we propose GATransformer, a new dual-modal detection method that integrates topological structure analysis with temporal sequence modeling. Its core lies in a cross-attention semantic fusion mechanism, which deeply integrates heterogeneous features and effectively mitigates the constraints of unimodal representations. GATransformer reconstructs network behavior representation via a parallel processing framework in which graph attention captures intricate spatial dependencies, and self-attention focuses on modeling long-range temporal correlations. Experimental results on the CIDDS-001 and CIDDS-002 datasets demonstrate the superior performance of our method compared to baseline methods with detection accuracies of 99.74% (nodes) and 88.28% (edges) on CIDDS-001 and 99.99% and 99.98% on CIDDS-002, respectively.
(This article belongs to the Special Issue Advances in Information Processing and Network Security)
