DeepAPT: Nation-State APT Attribution Using End-to-End Deep Neural Networks

  • Ishai Rosenberg
  • Guillaume Sicard
  • Eli (Omid) David
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10614)


In recent years, numerous pieces of advanced malware, known as advanced persistent threats (APTs), have allegedly been developed by nation-states. Attributing an APT to a specific nation-state is extremely challenging for several reasons. Each nation-state usually has more than one cyber unit developing such malware, which renders traditional authorship attribution algorithms useless. Furthermore, these APTs use state-of-the-art evasion techniques, which makes feature extraction difficult. Finally, the available dataset of such APTs is extremely small.

In this paper we describe how deep neural networks (DNNs) can be successfully employed for nation-state APT attribution. We use sandbox reports (which record the behavior of the APT when it is run dynamically) as raw input for the neural network, allowing the DNN to learn high-level feature abstractions of the APTs themselves. On a test set of 1,000 Chinese- and Russian-developed APTs, we achieved an accuracy of 94.6%.
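As an added example, not code from the paper (whose abstract describes neither its report encoding nor its network architecture): a minimal pipeline in the spirit of the approach above. Constructed, Cuckoo-style report dicts are flattened into behavioural tokens, hashed into fixed-size count vectors and fed to a logistic-regression classifier that stands in for the DNN; the class labels, the behaviour profiles, DIM and MIN_EVENTS are all assumptions of this example. The MIN_EVENTS guard addresses the evasion problem the abstract raises: a sample that recognises the sandbox and exits early leaves a near-empty report, and attributing on that basis would be noise.

```python
"""Added illustration, not the paper's code: sandbox reports -> hashed count
vectors -> small linear stand-in for the DNN, with a held-out accuracy check."""
import math
import random
import re
import zlib

DIM = 512        # hashed feature dimension (assumption for this example)
MIN_EVENTS = 5   # below this many behavioural tokens, do not attribute (assumption)

def tokenize_report(report):
    """Flatten a Cuckoo-style report dict into string tokens. Only behaviour is
    used (API calls, arguments, mutexes, hosts); static metadata is ignored."""
    tokens = []
    behavior = report.get("behavior", {})
    for proc in behavior.get("processes", []):
        for call in proc.get("calls", []):
            tokens.append("api:" + call["api"].lower())
            for arg in call.get("arguments", {}).values():
                tokens.extend("arg:" + t for t in re.findall(r"[a-z0-9_.]+", str(arg).lower()))
    tokens.extend("mutex:" + m.lower() for m in behavior.get("summary", {}).get("mutexes", []))
    tokens.extend("host:" + h for h in report.get("network", {}).get("hosts", []))
    return tokens

def hashed_vector(tokens, dim=DIM):
    """Feature hashing with crc32 (stable across runs, unlike Python's hash()),
    log-scaled so one chatty API does not swamp the rest of the vector."""
    vec = [0.0] * dim
    for t in tokens:
        vec[zlib.crc32(t.encode()) % dim] += 1.0
    return [math.log1p(v) for v in vec]

def _sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def train(X, y, epochs=50, lr=0.05, l2=1e-3, seed=0):
    """Logistic regression by SGD: a deliberately tiny stand-in for the DNN."""
    rnd = random.Random(seed)
    w, b = [0.0] * len(X[0]), 0.0
    order = list(range(len(X)))
    for _ in range(epochs):
        rnd.shuffle(order)
        for i in order:
            x, t = X[i], y[i]
            g = _sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - t
            w = [wi - lr * (g * xi + l2 * wi) for wi, xi in zip(w, x)]
            b -= lr * g
    return w, b

def classify(model, report):
    """Return "RU" or "CN", or None when the sandbox recorded too little
    behaviour (e.g. the sample detected the sandbox and exited early)."""
    tokens = tokenize_report(report)
    if len(tokens) < MIN_EVENTS:
        return None
    w, b = model
    p = _sigmoid(sum(wi * xi for wi, xi in zip(w, hashed_vector(tokens))) + b)
    return "RU" if p >= 0.5 else "CN"

# Constructed, hypothetical behaviour profiles for the two classes. Real
# reports are far noisier and the classes overlap heavily in API usage.
COMMON = ["NtAllocateVirtualMemory", "LoadLibraryA", "GetProcAddress",
          "NtCreateFile", "CloseHandle"]
PROFILES = {
    "CN": {"apis": ["CreateRemoteThread", "WriteProcessMemory", "NtQueueApcThread"],
           "mutex": "Global\\svcsync", "hosts": ["203.0.113.7", "203.0.113.9"]},
    "RU": {"apis": ["RegSetValueExA", "InternetOpenUrlA", "CryptEncrypt"],
           "mutex": "Local\\upd_lock", "hosts": ["198.51.100.21", "198.51.100.40"]},
}

def make_report(label, rnd):
    """One synthetic report: three shared background calls plus two class calls."""
    prof = PROFILES[label]
    calls = [{"api": a, "arguments": {}} for a in rnd.sample(COMMON, 3)]
    calls += [{"api": a, "arguments": {"hModule": "kernel32.dll"}}
              for a in rnd.sample(prof["apis"], 2)]
    rnd.shuffle(calls)
    return {"behavior": {"processes": [{"calls": calls}],
                         "summary": {"mutexes": [prof["mutex"]]}},
            "network": {"hosts": [rnd.choice(prof["hosts"])]}}

def build_dataset(n_per_class=40, seed=1):
    rnd = random.Random(seed)
    data = [(make_report(lbl, rnd), lbl) for lbl in PROFILES for _ in range(n_per_class)]
    rnd.shuffle(data)
    return data

def run_experiment(seed=1):
    """Train on 80% of the constructed reports; return (model, held-out accuracy)."""
    data = build_dataset(seed=seed)
    split = int(0.8 * len(data))
    X = [hashed_vector(tokenize_report(r)) for r, _ in data[:split]]
    y = [1.0 if lbl == "RU" else 0.0 for _, lbl in data[:split]]
    model = train(X, y)
    hits = sum(classify(model, r) == lbl for r, lbl in data[split:])
    return model, hits / len(data[split:])
```

Feature hashing is used instead of a fixed vocabulary so the input dimension does not grow with every new API name or C2 host; on the constructed profiles the held-out accuracy is near perfect, which says nothing about real APT data, where the two classes share most of their API usage and the paper's reported 94.6% is the relevant figure.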



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Ishai Rosenberg (1)
  • Guillaume Sicard (1)
  • Eli (Omid) David (1)
  1. Deep Instinct Ltd., Tel Aviv, Israel
