DeepAPT: Nation-state APT attribution using end-to-end deep neural networks

Ishai Rosenberg; Guillaume Sicard; Eli Omid David

doi:10.1007/978-3-319-68612-7_11

DeepAPT: Nation-state APT attribution using end-to-end deep neural networks

Ishai Rosenberg, Guillaume Sicard, Eli Omid David

Deep Instinct Ltd.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

32 Scopus citations

Abstract

In recent years numerous advanced malware, aka advanced persistent threats (APT) are allegedly developed by nation-states. The task of attributing an APT to a specific nation-state is extremely challenging for several reasons. Each nation-state has usually more than a single cyber unit that develops such advanced malware, rendering traditional authorship attribution algorithms useless. Furthermore, those APTs use state-of-the-art evasion techniques, making feature extraction challenging. Finally, the dataset of such available APTs is extremely small. In this paper we describe how deep neural networks (DNN) could be successfully employed for nation-state APT attribution. We use sandbox reports (recording the behavior of the APT when run dynamically) as raw input for the neural network, allowing the DNN to learn high level feature abstractions of the APTs itself. Using a test set of 1,000 Chinese and Russian developed APTs, we achieved an accuracy rate of 94.6%.

Original language	English
Title of host publication	Artificial Neural Networks and Machine Learning – ICANN 2017 - 26th International Conference on Artificial Neural Networks, Proceedings
Editors	Alessandra Lintas, Alessandro E. Villa, Stefano Rovetta, Paul F. Verschure
Publisher	Springer Verlag
Pages	91-99
Number of pages	9
ISBN (Print)	9783319686110
DOIs	https://doi.org/10.1007/978-3-319-68612-7_11
State	Published - 2017
Externally published	Yes
Event	26th International Conference on Artificial Neural Networks, ICANN 2017 - Alghero, Italy Duration: 11 Sep 2017 → 14 Sep 2017

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	10614 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	26th International Conference on Artificial Neural Networks, ICANN 2017
Country/Territory	Italy
City	Alghero
Period	11/09/17 → 14/09/17

Bibliographical note

Publisher Copyright:
© Springer International Publishing AG 2017.

Access to Document

10.1007/978-3-319-68612-7_11

Cite this

Rosenberg, I., Sicard, G., & David, E. O. (2017). DeepAPT: Nation-state APT attribution using end-to-end deep neural networks. In A. Lintas, A. E. Villa, S. Rovetta, & P. F. Verschure (Eds.), Artificial Neural Networks and Machine Learning – ICANN 2017 - 26th International Conference on Artificial Neural Networks, Proceedings (pp. 91-99). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10614 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-68612-7_11

Rosenberg, Ishai ; Sicard, Guillaume ; David, Eli Omid. / DeepAPT : Nation-state APT attribution using end-to-end deep neural networks. Artificial Neural Networks and Machine Learning – ICANN 2017 - 26th International Conference on Artificial Neural Networks, Proceedings. editor / Alessandra Lintas ; Alessandro E. Villa ; Stefano Rovetta ; Paul F. Verschure. Springer Verlag, 2017. pp. 91-99 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{986d58cfe21a4d43b30f243cbc4ca413,

title = "DeepAPT: Nation-state APT attribution using end-to-end deep neural networks",

abstract = "In recent years numerous advanced malware, aka advanced persistent threats (APT) are allegedly developed by nation-states. The task of attributing an APT to a specific nation-state is extremely challenging for several reasons. Each nation-state has usually more than a single cyber unit that develops such advanced malware, rendering traditional authorship attribution algorithms useless. Furthermore, those APTs use state-of-the-art evasion techniques, making feature extraction challenging. Finally, the dataset of such available APTs is extremely small. In this paper we describe how deep neural networks (DNN) could be successfully employed for nation-state APT attribution. We use sandbox reports (recording the behavior of the APT when run dynamically) as raw input for the neural network, allowing the DNN to learn high level feature abstractions of the APTs itself. Using a test set of 1,000 Chinese and Russian developed APTs, we achieved an accuracy rate of 94.6%.",

author = "Ishai Rosenberg and Guillaume Sicard and David, {Eli Omid}",

note = "Publisher Copyright: {\textcopyright} Springer International Publishing AG 2017.; 26th International Conference on Artificial Neural Networks, ICANN 2017 ; Conference date: 11-09-2017 Through 14-09-2017",

year = "2017",

doi = "10.1007/978-3-319-68612-7_11",

language = "אנגלית",

isbn = "9783319686110",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "91--99",

editor = "Alessandra Lintas and Villa, {Alessandro E.} and Stefano Rovetta and Verschure, {Paul F.}",

booktitle = "Artificial Neural Networks and Machine Learning – ICANN 2017 - 26th International Conference on Artificial Neural Networks, Proceedings",

address = "גרמניה",

}

Rosenberg, I, Sicard, G & David, EO 2017, DeepAPT: Nation-state APT attribution using end-to-end deep neural networks. in A Lintas, AE Villa, S Rovetta & PF Verschure (eds), Artificial Neural Networks and Machine Learning – ICANN 2017 - 26th International Conference on Artificial Neural Networks, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 10614 LNCS, Springer Verlag, pp. 91-99, 26th International Conference on Artificial Neural Networks, ICANN 2017, Alghero, Italy, 11/09/17. https://doi.org/10.1007/978-3-319-68612-7_11

DeepAPT: Nation-state APT attribution using end-to-end deep neural networks. / Rosenberg, Ishai; Sicard, Guillaume; David, Eli Omid.
Artificial Neural Networks and Machine Learning – ICANN 2017 - 26th International Conference on Artificial Neural Networks, Proceedings. ed. / Alessandra Lintas; Alessandro E. Villa; Stefano Rovetta; Paul F. Verschure. Springer Verlag, 2017. p. 91-99 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10614 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - DeepAPT

T2 - 26th International Conference on Artificial Neural Networks, ICANN 2017

AU - Rosenberg, Ishai

AU - Sicard, Guillaume

AU - David, Eli Omid

N1 - Publisher Copyright: © Springer International Publishing AG 2017.

PY - 2017

Y1 - 2017

N2 - In recent years numerous advanced malware, aka advanced persistent threats (APT) are allegedly developed by nation-states. The task of attributing an APT to a specific nation-state is extremely challenging for several reasons. Each nation-state has usually more than a single cyber unit that develops such advanced malware, rendering traditional authorship attribution algorithms useless. Furthermore, those APTs use state-of-the-art evasion techniques, making feature extraction challenging. Finally, the dataset of such available APTs is extremely small. In this paper we describe how deep neural networks (DNN) could be successfully employed for nation-state APT attribution. We use sandbox reports (recording the behavior of the APT when run dynamically) as raw input for the neural network, allowing the DNN to learn high level feature abstractions of the APTs itself. Using a test set of 1,000 Chinese and Russian developed APTs, we achieved an accuracy rate of 94.6%.

AB - In recent years numerous advanced malware, aka advanced persistent threats (APT) are allegedly developed by nation-states. The task of attributing an APT to a specific nation-state is extremely challenging for several reasons. Each nation-state has usually more than a single cyber unit that develops such advanced malware, rendering traditional authorship attribution algorithms useless. Furthermore, those APTs use state-of-the-art evasion techniques, making feature extraction challenging. Finally, the dataset of such available APTs is extremely small. In this paper we describe how deep neural networks (DNN) could be successfully employed for nation-state APT attribution. We use sandbox reports (recording the behavior of the APT when run dynamically) as raw input for the neural network, allowing the DNN to learn high level feature abstractions of the APTs itself. Using a test set of 1,000 Chinese and Russian developed APTs, we achieved an accuracy rate of 94.6%.

UR - http://www.scopus.com/inward/record.url?scp=85034267319&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-68612-7_11

DO - 10.1007/978-3-319-68612-7_11

M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???

AN - SCOPUS:85034267319

SN - 9783319686110

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 91

EP - 99

BT - Artificial Neural Networks and Machine Learning – ICANN 2017 - 26th International Conference on Artificial Neural Networks, Proceedings

A2 - Lintas, Alessandra

A2 - Villa, Alessandro E.

A2 - Rovetta, Stefano

A2 - Verschure, Paul F.

PB - Springer Verlag

Y2 - 11 September 2017 through 14 September 2017

ER -

Rosenberg I, Sicard G, David EO. DeepAPT: Nation-state APT attribution using end-to-end deep neural networks. In Lintas A, Villa AE, Rovetta S, Verschure PF, editors, Artificial Neural Networks and Machine Learning – ICANN 2017 - 26th International Conference on Artificial Neural Networks, Proceedings. Springer Verlag. 2017. p. 91-99. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-319-68612-7_11

DeepAPT: Nation-state APT attribution using end-to-end deep neural networks

Abstract

Publication series

Conference

Bibliographical note

Access to Document

Other files and links

Fingerprint

Cite this