DeepAPT: Nation-State APT Attribution Using End-to-End Deep Neural Networks
Ishai Rosenberg, Guillaume Sicard, Eli David

TL;DR
This paper demonstrates that deep neural networks can effectively attribute nation-state APTs by analyzing sandbox reports, achieving high accuracy despite challenges like small datasets and evasion techniques.
Contribution
It introduces a novel end-to-end deep learning approach for nation-state APT attribution using sandbox behavior reports, overcoming traditional limitations.
Findings
Achieved 94.6% accuracy on a test set of 1,000 APTs.
Successfully employed DNNs to learn high-level features from sandbox data.
Showed that deep learning can handle small datasets and evasion tactics in APT attribution.
Abstract
In recent years, numerous advanced malware samples, also known as advanced persistent threats (APTs), have allegedly been developed by nation-states. The task of attributing an APT to a specific nation-state is extremely challenging for several reasons. Each nation-state usually has more than a single cyber unit that develops such advanced malware, rendering traditional authorship attribution algorithms useless. Furthermore, those APTs use state-of-the-art evasion techniques, making feature extraction challenging. Finally, the dataset of such available APTs is extremely small. In this paper we describe how deep neural networks (DNNs) can be successfully employed for nation-state APT attribution. We use sandbox reports (recording the behavior of the APT when run dynamically) as raw input for the neural network, allowing the DNN to learn high-level feature abstractions of the APTs themselves. Using a test set of…