APT-MMF: An advanced persistent threat actor attribution method based on multimodal and multilevel feature fusion

TL;DR

This paper introduces APT-MMF, a novel method for attributing APT threat actors by fusing multimodal and multilevel features from heterogeneous threat intelligence data using advanced graph neural networks.

Contribution

It proposes a comprehensive feature fusion approach with multilevel graph attention networks to improve APT attribution accuracy and interpretability.

Findings

Outperforms existing attribution methods in accuracy.

Effectively integrates heterogeneous threat intelligence data.

Demonstrates good interpretability for attribution analysis.

Abstract

Threat actor attribution is a crucial defense strategy for combating advanced persistent threats (APTs). Cyber threat intelligence (CTI), which involves analyzing multisource heterogeneous data from APTs, plays an important role in APT actor attribution. The current attribution methods extract features from different CTI perspectives and employ machine learning models to classify CTI reports according to their threat actors. However, these methods usually extract only one kind of feature and ignore heterogeneous information, especially the attributes and relations of indicators of compromise (IOCs), which form the core of CTI. To address these problems, we propose an APT actor attribution method based on multimodal and multilevel feature fusion (APT-MMF). First, we leverage a heterogeneous attributed graph to characterize APT reports and their IOC information. Then, we extract and fuse multimodal features, including attribute type features, natural language text features and topological relationship features, to construct comprehensive node representations. Furthermore, we design multilevel heterogeneous graph attention networks to learn the deep hidden features of APT report nodes; these networks integrate IOC type-level, metapath-based neighbor node-level, and metapath semantic-level attention. Utilizing multisource threat intelligence, we construct a heterogeneous attributed graph dataset for verification purposes. The experimental results show that our method not only outperforms the existing methods but also demonstrates its good interpretability for attribution analysis tasks.