Using knowledge graphs and contrastive learning for detecting APT Malware on Endpoint systems

Abstract

Advanced persistent threat (APT) attacking campaigns have been a common method for cyber-attackers to attack and exploit end-user computers (workstations) in recent years. In this study, to enhance the effectiveness of the APT malware detection, a combination of deep graph networks and contrastive learning is proposed. The idea is that several deep graph networks such as Graph Convolution Networks (GCN), Graph Isomorphism Networks (GIN), are combined with some popular contrastive learning models like N-pair Loss, Contrastive Loss, and Triplet Loss, in order to optimize the process of APT malware detection and classification in endpoint workstations. The proposed approach consists of three main phases as follows. First, the behaviors of APT malware are collected and represented as graphs. Second, GIN and GCN networks are used to extract feature vectors from the graphs of APT malware. Finally, different contrastive learning models, i.e. N-pair Loss, Contrastive Loss, and Triplet Loss are applied to determine which feature vectors belong to APT malware, and which ones belong to normal files. This combination of deep graph networks and contrastive learning algorithm is a novel approach, that not only enhances the ability to accurately detect APT malware but also reduces false alarms for normal behaviors. The experimental results demonstrate that the proposed model, whose effectiveness ranges from 88% to 94% across all performance metrics, is not only scientifically effective but also practically significant. Additionally, the results show that the combination of GIN and N-pair Loss performs better than other combined models. This provides a base malware detection system with flexible parameter selection and mathematical model choices for optimal real-world applications.

Keywords

APT malware detection end-point workstations event ID deep graph networks contrastive learning

1 Introduction

1.1 The problems

The APT attacks have long been considered as one of the most dangerous attack techniques in cyber-attacks [1 –6]. All organizations and government agencies can be easy victims of this kind of attacks [3]. As a result, detecting and early warning APT attacks have been a hot topic for many researchers throughout the world recently. According to the study in [3], there are multiple common stages and cycles of an APT attack campaign, including reconnaissance, attack, privilege escalation, data exfiltration, and maintenance. This information can be exploited to early detect APT attacks, as presented in [7 –9]. One of the techniques often used by attackers during the APT attack campaigns is to distribute small parts of malicious codes to the endpoint workstations, and then gradually escalate into the system [7, 8]. Apart from technical ways, human factor can also be exploited in APT attacks since this is the most important but also the weakest role in the cyber system. Several approaches on detecting malware in general and on detecting APT malware in particular can be found in [10 –13]. As discussed in studies [12, 13], the use of artificial intelligence models to analyze the anomalous behaviors of malware is currently yielding better results than many traditional approaches. Besides, Cho et al. [16] also pointed out some issues of traditional approaches that need to be improved for a better APT attack detection system as follows.

–Anomalous behavior collection issues: in traditional approaches, Sandbox environment is commonly used to collect the behaviors of the malware. This approach is shown to be effective for regular types of malware, but not for APT malware, since APT malware can detect the Sandbox and cease its operations when running in that environment. Additionally, APT malware may have a dormant mechanism that can last for weeks or even several months, making it impractical for the Sandbox to capture its behaviors. As a result, using a Sandbox to collect APT malware is not very feasible and practical.

–Preprocessing and feature extraction issues: since it is challenging to collect data for the behaviors of APT malware, selecting and extracting specific and meaningful features from the malware becomes more difficult. To address this problem, researchers tend to construct and mainly rely on a synthetic dataset in the laboratory setting and extract features from that dataset. While this approach can be effective in simulated cases for detecting malware, it may not be practically useful for real-world APT attack detection scenarios because those attributes are difficult to generalize in practice. Although anomalous behavior analysis is a promising approach for the APT malware detection [12, 13] thanks to the combination of static analysis tools, dynamic analysis tools, machine learning and deep learning models, there are still two main problems that need to be addressed, including:

Feature selection: malware features collected from Sandbox have been useful for simple malware detection cases. However, they don’t work well with APT malware detection systems. As a result, there needs to have another efficient way to select features from APT malware other than the Sandbox mechanism.

Feature extraction : During the attack, APT malware often applies many data mining and exfiltration techniques at different points of time to hide their unusual behaviors. Therefore, traditional feature extraction methods are not able to compute and extract useful features representing the malware behaviors. In other words, current APT malware detection systems opt to consider these recorded behaviors as benign even though they are all the hidden and concealment behaviors of the malware. Studies [14 –17] also showed that one of the problems that makes detecting APT attacks much more difficult than other kinds of malware is the lack of correlation between the events of the attack.

1.2 The proposed approach

Based on the analysis above, it can be seen that collecting behaviors of APT malware, together with constructing, extracting, and calculating the correlations between these behaviors play an important role for a successful APT malware detection system. In this paper, a new APT detection approach based on deep graph networks and contrastive learning is proposed. The new method in the paper includes three main phases as follows.

Phase 1: Building correlation of APT malware behaviors: This phase includes two steps.

Step 1: Collecting and extracting behaviors of malware processes. In this paper, anomalous behaviors of the APT malware are collected based on the Event IDs generated by the kernel of the operating system using the Sysmon tool [18]. The details and different identifying processes within the Event IDs can be found in [16]. This way, even if APT malware performs under hidden actions or with erasing traces, their behaviors can still be collected and aggregated through the Event IDs.

Step 2: Aggregating and building the malware behavior profiles based on the malware processes: The malware processes can be represented by their behaviors. Therefore, it is useful to build and collect these processes into a representative profile using an executable file. In this paper, we propose a method to construct the characteristic profile of APT malware in the form of a graph. Here, each executable file is constructed as a feature profile based on the malware processes. This helps demonstrate the correlation between the events generated by APT malware. Although these events and processes may be considered as normal by monitoring systems individually, when they are combined to form graphs, the behavioral sequence of the malware can be highlighted. As a result, this enables capturing and representing the sequence of events and processes of the malware at different points of time.

Phase 2: Extracting APT malware features: The purpose of this stage is to transform the feature profile built in Step 2 of Phase 1 into a single feature vector. Here, the Graph Isomorphism Network (GIN) and Graph Convolutional Network (GCN) are adopted to implement deep graph learning, which is then used to analyze and extract APT malware features from the behaviors obtained from the Step 1 of Phase 1. The details of using Graph Convolution Networks (GCN), and Graph Isomorphism Networks (GIN) are further presented in section 3.3. The outputs of this phase are APT malware features and characteristics presented in a graph form. The feature extraction approach in this study also helps calculate the correlation between discrete malware processes, which is useful for classifying APT malware files from normal files.

Phase 3: Classifying APT malware using contrastive learning. This phase utilizes the information provided by the malware features extracted from phase 2 in order to evaluate and classify the APT malware behaviors. Different from current malware detection systems, which apply machine learning or deep learning model to classify the malware behaviors, here, some contrastive learning models are adopted to improve the performance of the classification process. The classification models are optimized using some different loss functions, including N-pair Loss, Contrastive Loss, and Triplet Loss.

1.3 The scientific basis of the proposed method

There have been many different methods and techniques introduced in the literature to detect APT malware. The standouts of the APT malware detection approach in this study are based on two main factors as follows.

–Deep graph networks are suitable for analyzing and extracting APT malware features. In this paper, the malware processes are aggregated into executable files, which are generated by the kernels in the operating system. These processes are then built into graphs to highlight the relationships among them. By doing this, although the processes of executable files are generated at different times, all the processes generated from the same executable file can be aggregated and linked together by a parent-child relationship. Here, different APT malware may have different number of behaviors, which leads to the fact that the number of processes in each executable file can be different. For example, several files may have tens, hundreds, or even tens of thousands of processes, while some other files may have only one single process. It is very challenging to standardize the number of processes in all executable files since it is almost impossible to identify whether the process generated previously or the process generated later is more important, or to define the suitable number of processes in each file. Besides, it is noticed that feature graphs can be characterized by non-Euclidean data, which cannot be defined in a feature space. Fortunately, GNN graph networks are suitable to fully exploit the information of this data type. GIN and GCN are the well-known representatives of the GNN graph networks.

–The contrastive learning models are suitable for classifying the APT behaviors. Studies [7, 8] showed that one of the difficulties in detecting APT malware is the lack of actual APT attack data. To solve this situation, some studies have self-generated test datasets in the laboratory or intentionally created balanced datasets between APT malware files and normal files. Obviously, with such an approach, these studies can bring good experimental results. However, these models may not be effective for real applications, where the number of normal processes as well as normal files often is many times larger than the samples of the APT malware. This leads to detection systems prone to overfitting in those cases. In this paper, there is no need to balance the experimental dataset. Instead, new classification techniques based on contrastive learning are adopted to improve the efficiency of the classification process. Contrastive learning is useful for clustering similar data points based on the mechanism to pull the similar data points closer and while to push the dissimilar data points away in the embedding space. As a result, the data points of the two labels can easily be separated, which helps to significantly improve the classification performance of the model.

1.4 Contributions of paper

The novelty and scientific contributions of this study are three folds as follows.

–To propose an architecture model to detect APT malware on endpoint workstations. The model proposed in this study is built based on a flexible combination of deep graph networks and contrastive learning models. This is a novel APT malware detection model, which has not been proposed by any research.

–To propose a method to extract features of APT malware using the deep graph networks. The use of graph networks to analyze and evaluate behavior profiles to detect APT malware is a new approach. Here, this study has succeeded in extracting the APT malware behaviors in many types of malware processes. This proposal not only makes scientific sense but also has many practical meanings for the APT malware detection task. Specifically, this new system not only can tackle a difficult challenge in representing relationships between malware processes but also can deal with unbalanced training data where the number of available APT attack malware behaviors is limited.

–To propose the use of the contrastive learning technique to optimize the APT malware detection on workstations. This is the novel optimization method for the APT malware detection task. The experimental results in the paper have proven that our proposal is correct and reasonable when the efficiency of this method is much higher than that of other approaches.

2 Related studies

Cho et al. [19] proposed an APT attack detection method based on the behavior profile analysis technique. Specifically, in their study, the research team proposed to build behavior profiles based on abnormal features and behaviors of IPs and Domains on Network traffic. In the experimental part, the authors used the Random Forest (RF) algorithm to prove the effectiveness of the APT attack detection method by behavior profiles. In addition, behavior profile analysis technique can also be found in another APT attack detection model proposed by Cho [8]. Accordingly, the APT attack behavior profile was proposed by the research team based on a multi-layer analysis technique. Specifically, the authors used 2 main layers to build APT attack behavior profiles based on Network traffic. In the first layer, the authors used the machine learning method to detect APT IPs. In the second layer, the authors used the Suricata tool to analyze network traffic into components such as DNS log, HTTP log, log file, TLS log, etc. and then extracted abnormal behaviors of these components. Finally, behavior profiles of the APT attack were built based on the results of layer 1 and layer 2. In the experimental section, the authors have demonstrated that APT attack detection based on behavior profiles provided better performance than detection methods on individual components. With the same idea, studies [20 –22] proposed the method to detect APT IPs based on the behavior profile of each IP in network traffic. Their approach applies the combination of a deep learning model and the Attention network to detect normal IPs and APT IPs. In addition, Amit Sharma et al. [23] presented a study on various techniques for hiding, erasing traces, and identifying sandbox recognition methods of APT malware. In that research, the authors attempted to define a list of some sandbox detection behaviors of certain APT malware families. These results are considered an initial foundation for further studies to define the anomalous behaviors of APT attacks. Additionally, the DMMal model [24] is proposed based on multi-view images of known malware. However, the success of that approach is mostly based on complex computations as well as large amounts of training data. The studies in [15 –17] proposed some methods of detecting APT malware on Workstations based on anomalous behaviors and graph analysis techniques. Specifically, the authors used 4 main feature groups: “Process” Events, Registry Events, Network connection, and File Deletion Events to extract abnormal behaviors of APT malware. Next, deep graph networks are used to extract behaviors and, then, to detect the malware. In addition, Mohamed et al. [25] proposed the FWA-FS model for detecting malware on the Android operating system. The authors extracted and analyzed the anomalous features of Android malware through APK files. In the experimental section, the authors demonstrated that the model’s malware detection accuracy increased from 6% to 25%. Built from the same idea, research [54] proposed a malware method based on attributes in APK files and deep learning algorithms. However, both methods have not yet proposed new attributes nor have they developed techniques for representation and synthesis of information. Yong Fang [26] proposed an APT attack detection method based on the LMTracker model. Accordingly, in the LMTracker model, the authors used the heterogeneous graph to analyze and predict APT attack behavior in event logs and traffic. Ullah [27] proposed an approach for malware detection through the extraction of attributes from API-Call Graphs (ACGs) with byte-level image representation. In the experimental section, the authors utilized the CIC-InvesAndMal2019 dataset and achieved over 99% accuracy, yielding effective results. Studies [28, 29] proposed Log2vec and Sec2graph methods to detect APT attacks in organizations. With the same idea, Xiaohu Liu [30] proposed a method to detect APT based on analyzing the graph of HTTP traffic.

In the study [31], the authors proposed a GCN model for the Android malware detection task based on anomalous behaviors of malware running on applications. Similarly, Jiaqi Yan et al. [32] proposed a malware detection method based on Control Flow Graphs (CFGs) using DGCNN. The research [33] proposed to use Deep Eigensapce Learning to embed CFGs of OpCodes in the executable file. In the experimental section, based on a dataset consisting of 1,078 normal files and 128 IoT malware samples, the CNN algorithm provides an accuracy of up to 99.68%. However, that model can only be successful with such a limited dataset, since it is evaluated with a lot of bias.

3 The proposed model

3.1 Overall architecture

Figure 1 shows the architecture and flow of the proposed model. Accordingly, the main components in the proposed model include:

Event ID Block: this block consists of behavior data collected from the operating system kernel. This data is the basis for the model to analyze and evaluate which are the behaviors of an APT malware and which are normal files.

Graph Embedding Block: This block is responsible for linking and building process trees of each file based on the Event ID collected above. The process trees are graphs of data, in which each node corresponds to a child process while the edges are the behaviors extracted from each Event ID.

Feature Extraction Block: the function of this block is to extract APT malware features based on the process trees in each file built in the previous Graph Embedding block. Here, the paper proposes to use some deep graph networks such as GIN and GCN.

Classification Model Block: Based on the features extracted and aggregated in the previous Feature Extraction block, this block is responsible for classifying normal files and APT malware files. In this study, the use the contrastive learning technique is proposed to improve the efficiency of detecting abnormal behaviors from normal ones.

Fig. 1

The architecture of the APT malware detection model that combines deep graph network and contrastive learning.

3.2 Graph embedding

The Event IDs have once been exploited in some other studies [15 –17], where Cho et al. proposed a method to select and extract APT malware features. Accordingly, the 4 main feature groups used by the authors, which include the “Process” Event, Registry Event, File Deletion Event, and Network connection. These are important features and characteristics to depict the behaviors of the APT malware. In this research, we continue to use these feature groups as the basis for the APT malware detection system. After extracting the APT malware features based on the above 4 feature groups, the research proceeds to build process trees of each file. The procedure of building a process tree is as follows: nodes of process trees are malware processes, and each edge of the graph represents a call from the parent process to the child process.

3.3 Feature extraction

As stated above, the purpose of the Feature Extraction phase is to find a way to embed the process tree into a uniform feature vector. Accordingly, each process tree, together with its label, is analyzed and standardized into a fixed vector. This is a very important phase because if the standardization is successful and complete, it will contribute to improving the efficiency of the APT malware detection process. However, because the characteristics of the APT malware files and the normal files are so different, which lead to the difference in the architectures and lengths of all the process trees. Therefore, it is very difficult to standardize and embed these process trees of different lengths into vectors of an equal length. To achieve the set goal, this study proposes to use some deep graph networks [34 –37]. These networks are further discussed in the next section of this paper.

3.3.1 Graph Convolutional Network (GCN)

Graph Convolutional Network (GCN), which was introduced by Thomas Kipf and Max Welling, is one variant of Graph Neural Networks [38]. GCN uses local spectral filters on the graph to extract subgroups from the graph, thereby clearly showing the graph structure. According to the working principle, the ‘convolution’ method in the GCN layer aims to extract features on the neighboring components similar to the CNN layer. However, since the CNN network has been shown to be less effective on non-Euclidean datasets, in its architecture, the GCN network looks for ways to extract features from the neighboring nodes. The following formula (1) shows the feature propagation process of a GCN layer in the GCN model. $X^{(i + 1)} = σ (D^{- 1 / 2} (I + A) D^{- 1 / 2} X^{(i)} W + b)$ (1)

Where:

A is the adjacency matrix.

X is the feature matrix.

I is the unit matrix of the same size as A

f is the activation function.

D is the degree matrix of (A + I).

W is the weight matrix.

b is the bias matrix.

H(i) is the output of layer i.

H(0)=X.

3.3.2 Introduction to GIN

The GIN network [39] is a GNN variant in the form of Spatial Graph Convolutional Networks. Basically, the GIN also uses a propagation formula similar to that of the GCN, so GIN can be considered as a variant of the GCN. The difference between GIN and GCN is that GCN computes on a normalized adjacency matrix, while GIN uses matrix (c(k)I+A) which helps optimize the computation speed on the network. Research [39] pointed out that although GIN’s propagation formula is somewhat simpler than Spectral Convolution methods, it still worked well in classification tasks, especially graph classification. The reason is that GIN acts as a dual representation of CNN classifier on the graph signal space where the shift operation is defined by the adjacency matrix. The propagation formula used in the GIN network is described in formula (2) below: $Z^{(k)} = σ (c^{(k)} (I + A) Z^{(k - 1)} W^{(k)})$ (2)

Where:

A is the adjacency matrix

X is the feature matrix

I is the unit matrix with the same size as A

σ is the activation function

W is the weight matrix

c = 1 + e (where e is a learnable parameter)

Z(i) is the output of layer i.

The main components of the GIN network include [39]:

GIN layers recursively update the features on each node according to the propagation formula (3) similar to GCN. Thus, with the input as behavior profiles, the GIN network performs the feature extraction of the graph associating output processes of the GIN layers. This is the hidden feature representation representing the connection between the nodes in the graph. The first GIN layer is responsible for looking at the neighboring nodes for each node to re-update the features of that node. The next GIN layers have the function of recursively updating features of the nodes in the graph. The special point of GIN making it different from the GCN is that, at each layer, the features of each node are not only recursively updated, but embedded node features are also aggregated. Finally, the resulting information is concatenated into features of the graph which is the representation of the graph in the embedded space. This makes GIN not only optimize the computation speed but also work well in the task of classifying the graph. After the final features of the graph are synthesized in GIN layers, they continue to be learned in many Fully Connected Layers and Softmax Layers. The formulas below show the processing steps in the GIN layer block.

p_{v}^{(k)} = MLP (k) ((1 + ɛ^{(k)}) . p_{v}^{(k - 1)} + \sum_{u \in N (v)} p_{u}^{(k - 1)})

(3)

p_{G}^{(k)} = s u m (p_{0}^{(k)}, p_{1}^{(k)}, \dots, p_{N}^{(k)})

(4)

p_{G} = concatenate ({p_{G}^{(k)}} k = 0, 1, \dots, k)

(5)

Where:

P_v is the feature vector at the v-th node

P_G is the final graph feature

MLP is the multi-layer perceptron

N(v) is the neighborhood of the v-th node

ɛ is a learnable parameter

Fully Connected Layer: This layer can be considered as a multilayer perceptron network. It is responsible for learning the features that are processed through GCN Layers.

Softmax Layer: This layer is responsible for calculating the probability of the output label. The file is assigned to the class with the highest probability.

3.4 Optimizing APT malware detection based on contrastive learning

In this study, based on the feature vector of each file built in section 3.3, a method to improve the efficiency of the detection process for normal and abnormal files is proposed. Accordingly, a combination between the MLP network and the contrastive learning with suitable loss functions is implemented to support classification.

3.4.1 The MLP network

MLP network is a simplest form of deep learning models with 3 layers: an input layer, an output layer, and hidden layers [40]. The input layer receives the input signal to be processed. The prediction and classification outcomes are provided by the output layer. An arbitrary number of hidden layers placed between the input and output layers is the computational engine of the MLP. Similar to the feedforward networks, in MLP, data flows in the forward direction from the input layer, through the hidden layer, toward the output layer. The neurons in the MLP are usually trained with backpropagation algorithm. Specifically, the working principle of MLP is as follows [40, 41]. The neurons at the input layer receive input signals for processing (multiplying with the corresponding weights, summing up the products, then sending to the transfer function). The results from the transfer functions of all the neurons in the input layer are transmitted to first array of neurons in the hidden layer. These neurons process the input information, then send their results to the second array of the hidden layer. The process continues until the results hit neurons in the output layer, then the outputs are provided.

3.4.2 Contrastive learning

a) Contrastive loss

Contrastive loss is a deep learning algorithm useful for learning the general features of an unlabeled dataset by teaching the model to distinguish similar or dissimilar data points. Contrastive loss was first introduced in 2005 with its initial applications in dimensionality reduction [42]. The characteristic of the contrastive learning model is to find pairs of features with similarity (positive) or contrast (negative) in the data set. It is implemented by pulling similar data pairs together as well as pushing contrasting data pairs away from each other. In this approach, it is necessary to use similarity metrics to calculate the distance between the embedding vectors representing the data points. For example, the cosine distance of the vectors can be used to calculate the distance as the predicted difference probability between them, which can be done using a typical classifier network. The distance of negative samples can be considered as the output probability using cross-entropy loss. In practice, when performing supervised classification, the outputs of the network are usually provided by a softmax function represented by the following formula [43 –45]: $\begin{matrix} σ {(z)}_{i} = \frac{e^{z_{i}}}{\sum_{j = 1}^{K} e^{z_{i}}} for i = 1, \dots ., K \\ and z = (z_{1}, \dots, z_{k}) \in R^{K} \end{matrix}$ (6)

The loss function is calculated using the following formula: $l_{i, j} = - log \frac{exp (sim (z_{i}, z_{j}) / T)}{[k \neq i] exp (sim (z_{i}, z_{j}) / T)}$ (7)

The formula (7) shows that contrastive loss is quite similar to the softmax function. The difference between them is that the values in the denominator are the total cosine distances from the positive samples to the negative samples.

b) Triplet loss

Triplet loss was first introduced in 2015 [47] and it has been one of the most popular loss functions for supervised or similar learning since then. Triplet loss assumes that the distance between any different data pairs must be at least a certain threshold away from the distance of any similar pair. Mathematically, the triplet loss value can be calculated as follows. $L = (d (a, p)) - d (a, n) + m, 0)$ (8)

Where:

p is the sample with the same label as a

n is the sample with the different label as a

d is the function to measure the distance between these three samples

m is the margin value to keep negative samples apart

c) N-Pair Loss

Since triplet loss tends to amplify the distance between negative samples making it larger than the distance between positive samples. As a result, current patterns may focus only on negative samples, making it less effective to identify a data sample from other positive ones. To improve the performance in this situation, N-pair loss [47] is introduced. N-pair loss function is represented as follows:

$\begin{matrix} L ({x, x^{+}, {x_{i}}_{i = 1}^{N - 1}}; f) \\ = \sum_{i = 0}^{N - 1} expr (f^{T}) f^{T} f_{i} - f^{T} f^{+}) \end{matrix}$ (9)

The formula (9) shows that N-pair Loss is a generalized version of Triplet loss. If N = 2, it is similar to Triplet loss.

4 Experiments and evaluations

4.1 Experimental dataset

The dataset was collected from [48 –52]. Table 1 lists the details of the datasets we have collected. The dataset is randomly divided into two subsets, including 70% of the samples are used for training, and the remaining 30% of samples are for evaluation.

Table 1
Statistics on the number of samples of the experimental dataset

Dataset Normal APT malware

Test dataset 94,229 32,218

Training dataset 23,214 8,142

Total 117,443 40,360

Dataset	Normal	APT malware
Test dataset	94,229	32,218
Training dataset	23,214	8,142
Total	117,443	40,360

4.2 Evaluation metrics

The following formulas 10, 11, 12, and 13 are used as the evaluation metrics for the APT malware detection model at endpoint workstations.

Accuracy: The accuracy score indicates what percentage of the data is correctly classified. This value does not indicate specifically how each class is classified, which class is most correctly classified, or which class data is most often incorrectly classified into the other class. Accuracy is calculated according to the following formula:

$accuracy = \frac{TP + TN}{TP + TN + FP + FN} \times 100$ (10)

Where:

TP –True positive: The number of APT malware samples that are correctly classified as malware.

FN –False negative: The number of APT malware samples that are incorrectly classified as normal.

TN –True negative: The number of normal samples that are correctly classified as normal.

FP –False positive: The number of normal samples that are incorrectly classified as APT malware.

Precision: The Precision value indicates how many positive predictions are actually true. The precision calculation formula is as follows:

$precision = \frac{TruePositive}{TruePositive + FalsePositive}$ (11)

From the above formula, it can be seen that larger Precision value is equivalent to higher accuracy of finding correct samples among all returned positive results.

Recall: The Recall value measures the rate of correctly predicting positive cases across all ground-truth positive samples. The formula for calculating the value of Recall is shown below.

$Recall = \frac{TruePositive}{TruePositive + FalseNegative}$ (12)

It can be seen that a high Recall score means a low rate of missing positive points.

F1-score: in fact, in classification problems, the higher the Precision and Recall values are, the better the performance of the prediction model is. However, when the model is fine-tuned to increase the Recall value too much, it may lead to a decrease in the Precision value, and vice versa. The F1-score value is introduced as a neutralization parameter between the two scores above, and recent classification models are mostly based on this score to define whether it is good or bad. Formula to calculate F1-score value is as follows.

$F 1_Score = 2 \frac{Precision * Recall}{Precision + Recall}$ (13)

Higher F1-score value means better performance of the model. The highest possible value of F1-core is 1.

4.3 Experimental scenarios

In this paper, we conduct experiments with some scenarios to evaluate the effectiveness of the proposed method as follows:

–Scenario 1: Conducting experiments to detect APT malware based on some different combination setup between graph deep learning models and contrastive learning algorithms. Based on this scenario, the study not only shows the effectiveness of the proposed method, but also shows which combination of deep graph networks with contrastive learning algorithms gives the best performance.

–Scenario 2: Conducting experiments using different individual deep graph networks to analyze the data, extract the features, and classify APT malware.

4.4 Experimental results

4.4.1 Results of the scenario 1

In this scenario, performance of different models using different ways to combine deep graph networks with contrastive learning methods are investigated. For an objective evaluation, during the combination setups, some parameters of each model are fine-tuned to ensure the best possible outputs are obtained. Specifically, different number of Embedding vectors in the deep graph network are used, i.e. 128, 256, and 512, respectively. Besides, dropout probability in contrastive learning techniques is also adjusted.

a) The combination of GIN and N-pair Loss

The experimental results in Table 2 and Fig. 2 show that when changing the Embedding vector value in GIN and dropout probability, prediction results also change. However, the difference between the results is not too significant (only about 1%). The model giving the best result is the combined model whose Embedding vector parameters in GIN are [3, 128] and the dropout probability value τ=0.1. Accordingly, the model combining GIN with N-pair Loss yields an Accuracy of 94%, Precision of 88%, Recall of 88%, and F1_score of 88%. In general, with this result, this model has also brought significant efficiency to the task of classifying normal files and APT malware. Next, the study tests the predictive ability of this model with the testing dataset. Figure 3 below shows the results of the confusion matrix of the model combining GIN with N-pair Loss with parameters for the best results described in Table 2.

Table 2
Results of the model combining GIN with N-pair Loss

Embedding τ The number of GIN layers

vector 2 layer 3 layers 4 layers

Acc Pre Rec F1 Acc Pre Rec F1 Acc Pre Rec F1

128 0.05 0.93 0.88 0.87 0.87 0.94 0.88 0.87 0.88 0.94 0.85 0.89 0.87

0.1 0.93 0.85 0.88 0.87 0.94 0.88 0.88 0.88 0.94 0.87 0.88 0.88

0.2 0.94 0.88 0.87 0.88 0.94 0.87 0.88 0.88 0.94 0.88 0.88 0.88

256 0.05 0.93 0.86 0.88 0.87 0.93 0.86 0.88 0.87 0.94 0.87 0.88 0.88

0.1 0.93 0.87 0.88 0.87 0.94 0.88 0.87 0.88 0.93 0.87 0.88 0.87

0.2 0.93 0.86 0.88 0.87 0.93 0.87 0.88 0.87 0.93 0.88 0.87 0.88

512 0.05 0.93 0.87 0.87 0.87 0.93 0.87 0.87 0.87 0.93 0.87 0.88 0.87

0.1 0.93 0.88 0.87 0.87 0.93 0.87 0.88 0.87 0.93 0.86 0.88 0.87

0.2 0.93 0.87 0.87 0.87 0.93 0.87 0.88 0.87 0.93 0.87 0.87 0.87

Embedding	τ	The number of GIN layers
		Acc	Pre	Rec	F1	Acc	Pre	Rec	F1	Acc	Pre	Rec	F1
128	0.05	0.93	0.88	0.87	0.87	0.94	0.88	0.87	0.88	0.94	0.85	0.89	0.87
	0.1	0.93	0.85	0.88	0.87	0.94	0.88	0.88	0.88	0.94	0.87	0.88	0.88
	0.2	0.94	0.88	0.87	0.88	0.94	0.87	0.88	0.88	0.94	0.88	0.88	0.88
256	0.05	0.93	0.86	0.88	0.87	0.93	0.86	0.88	0.87	0.94	0.87	0.88	0.88
	0.1	0.93	0.87	0.88	0.87	0.94	0.88	0.87	0.88	0.93	0.87	0.88	0.87
	0.2	0.93	0.86	0.88	0.87	0.93	0.87	0.88	0.87	0.93	0.88	0.87	0.88
512	0.05	0.93	0.87	0.87	0.87	0.93	0.87	0.87	0.87	0.93	0.87	0.88	0.87
	0.1	0.93	0.88	0.87	0.87	0.93	0.87	0.88	0.87	0.93	0.86	0.88	0.87
	0.2	0.93	0.87	0.87	0.87	0.93	0.87	0.88	0.87	0.93	0.87	0.87	0.87

Fig. 2

Line plot of the model combining GIN with N-pair Loss.

Fig. 3

Confusion Matrix of the model combining GIN with N-pair Loss with parameters for best results.

Evaluating the results in Fig. 3, it can be seen that the obtained results of the model combining GIN with N-pair Loss are relatively good. Specifically, the number of detected APT malware reaches a relatively high rate: this model correctly predicts 7,226 APT malware cases out of a total of 8,142 malware files, reaching a rate of about 89%. For the task of classifying normal samples, this model also gives very good performance when it only wrongly predicts 1,039 normal samples.

b) The combination of GIN and Triplet Loss

The results in Table 3 and Fig. 4 show that the model combining GIN with Triplet Loss also gives relatively good results and this model gives the best results with the number of GIN layers of 4, τ of 0.5, and Embedding vector of 256. From the results of Tables 2 3, it shows that the model combining GIN with N-pair Loss gives higher results than the model combining GIN with Triplet loss on all measures. However, this difference is not too large. The reason is that the N-pair loss model is a generalized version of the Triplet loss model (as stated above, N-pair loss is similar to Triplet loss when N = 2) so it gives better performance due to its flexibility in the classification problem. In addition, increasing the Embedding vector from 128 to 256 also reduces the predictive ability of the model. Figure 5 below depicts the results of testing the model combining GIN with Triplet loss through the confusion matrix.

Table 3

Results of the model combining GIN with Triplet Loss

Embedding	τ	The number of GIN layers
vector		2 layer				3 layers				4 layers
		Acc	Pre	Rec	F1	Acc	Pre	Rec	F1	Acc	Pre	Rec	F1
128	0.5	0.93	0.81	0.90	0.85	0.93	0.83	0.88	0.85	0.92	0.82	0.87	0.84
	1.0	0.93	0.81	0.89	0.85	0.92	0.84	0.86	0.85	0.92	0.82	0.88	0.85
	2.0	0.92	0.81	0.89	0.85	0.92	0.82	0.87	0.85	0.92	0.81	0.88	0.84
256	0.5	0.93	0.87	0.87	0.87	0.93	0.87	0.88	0.87	0.93	0.88	0.87	0.87
	1.0	0.93	0.82	0.89	0.85	0.92	0.83	0.87	0.85	0.93	0.88	0.85	0.86
	2.0	0.93	0.82	0.88	0.85	0.92	0.81	0.89	0.85	0.93	0.86	0.86	0.86
512	0.5	0.93	0.86	0.87	0.86	0.93	0.87	0.86	0.87	0.93	0.86	0.87	0.86
	1.0	0.92	0.93	0.85	0.84	0.91	0.86	0.79	0.83	0.90	0.86	0.79	0.82
	2.0	0.92	0.82	0.86	0.84	0.92	0.83	0.86	0.84	0.82	0.65	0.64	0.65

Fig. 4

Line plot of the model combining GIN with Triplet Loss.

Fig. 5

Confusion Matrix of the model combining GIN with Triplet Loss with parameters for best results.

Comparing Figs. 5 3, it can be seen that the ability to detect APT malware of the model combining GIN with N-pair Loss is approximately 0.71% better than that of the model combining GIN with Triplet Loss (specifically 7,226–7,175 = 51 files). Regarding the ability to accurately predict normal files, the model combining GIN with N-pair Loss is also more accurate than the model combining GIN with Triplet Loss (more than 190 files) This result once again proves the superior efficiency of the model combining GIN with N-pair Loss compared to the remaining models.

c) The combination of GIN and Contrastive loss

From Table 4 and Fig. 6, it can be seen the model combining GIN with Contrastive loss also brings a relatively good effect. However, when changing the model’s parameters, there is a relatively high disparity between the results, and the difference between metrics is inconsistent. Specifically, the difference between the best and worst Accuracy results is about 1%, this difference with Precision, Recall, and F1-score measures is 8%, 4%, and 3%, respectively.

Table 4

Results of the model combining GIN with Contrastive loss

Embedding	τ	The number of GIN layers
vector		2 layer				3 layers				4 layers
		Acc	Pre	Rec	F1	Acc	Pre	Rec	F1	Acc	Pre	Rec	F1
128	0.01	0.93	0.87	0.87	0.87	0.93	0.85	0.88	0.87	0.93	0.85	0.88	0.87
	0.05	0.93	0.88	0.86	0.87	0.93	0.86	0.87	0.87	0.93	0.86	0.87	0.87
	0.1	0.93	0.85	0.88	0.86	0.93	0.81	0.91	0.85	0.93	0.86	0.87	0.86
256	0.01	0.92	0.81	0.88	0.84	0.92	0.80	0.89	0.84	0.92	0.80	0.89	0.85
	0.05	0.92	0.81	0.89	0.85	0.93	0.81	0.90	0.86	0.92	0.80	0.89	0.85
	0.1	0.93	0.82	0.89	0.85	0.92	0.82	0.88	0.85	0.93	0.85	0.87	0.86
512	0.01	0.92	0.79	0.89	0.84	0.92	0.81	0.87	0.84	0.92	0.80	0.89	0.84
	0.05	0.92	0.79	0.90	0.84	0.92	0.80	0.89	0.84	0.92	0.81	0.87	0.84
	0.1	0.92	0.81	0.89	0.85	0.92	0.82	0.88	0.85	0.92	0.82	0.87	0.84

Fig. 6

Line plot of the model combining GIN with Contrastive loss.

Comparing the results of Table 2 with Table 4, it can be seen that the model combining GIN with Contrastive loss does not bring high efficiency compared to the model combining GIN with N-pair Loss, although this difference is not too large. This is shown through 3 measures: Accuracy, Recall, and F1-Score. Accuracy higher than 1% indicates that the classification ability of the model combining GIN with N-pair Loss is better. Recall higher than 2% shows that the ability to accurately detect APT malware of the model combining GIN with N-pair Loss is better. This further reinforces the hypothesis that the use of the Loss function leads to a decrease in the number of detected malware. Finally, F1-Score is higher than 1%.

Figure 7 below describes the Confusion Matrix results of the model combining GIN with Contrastive loss with best parameters (the number of GIN layers of 2, τ of 0.05, and Embedding vector of 128).

Comparing Figs. 7 5, we can see that the ability to detect malware of the model combining GIN with N-pair Loss is better than that of the model combining GIN with Contrastive loss. This difference is approximately 1.53% with 109 malware files (7,226–7,117). Similarly, with the correct prediction of normal files of 22,375 files, the model combining GIN with Contrastive loss is also less efficient than the model combining GIN with N-pair Loss model by about 66 files.

Fig. 7

Confusion Matrix of the model combining GIN with Contrastive loss with parameters for best results.

d) The combination of GCN and N-pair Loss

The results of Tables 2 5 show that the model combining GIN with N-pair Loss gives higher results than the model combining GCN with N-pair Loss at all performance measures. Specifically, according to Accuracy and Precision metrics, the difference is 4%. As for the Recall and F1-Score metrics, these differences are 8% and 6%, respectively. From this result, it is shown that when replacing GIN with GCN, the ability to aggregate and extract features is less efficient than that of combined models using GIN. In addition, Figure 8 presents the experimental results with different parameter setups of the GCN and N-pair Loss. The results show that changing the parameters of the GIN and N-pair Loss will lead to a significant change in the prediction results.

Table 5

Results of the model combining GCN with N-pair Loss

Embedding vector	τ	The number of GCN layers
		1 layer				2 layers				3 layers
		Acc	Pre	Rec	F1	Acc	Pre	Rec	F1	Acc	Pre	Rec	F1
32	0.05	0.88	0.88	0.72	0.79	0.9	0.81	0.80	0.80	0.88	0.58	0.93	0.71
	0.1	0.88	0.81	0.73	0.77	0.9	0.81	0.79	0.80	0.88	0.57	0.93	0.71
	0.2	0.89	0.88	0.75	0.81	0.9	0.81	0.79	0.80	0.88	0.59	0.93	0.72
64	0.05	0.90	0.84	0.80	0.82	0.9	0.81	0.79	0.80	0.88	0.60	0.93	0.73
	0.1	0.89	0.87	0.74	0.80	0.9	0.82	0.79	0.80	0.88	0.60	0.93	0.73
	0.2	0.90	0.91	0.75	0.82	0.9	0.81	0.79	0.80	0.88	0.60	0.93	0.73
128	0.05	0.89	0.90	0.75	0.82	0.9	0.81	0.79	0.80	0.88	0.60	0.93	0.73
	0.1	0.90	0.90	0.75	0.82	0.9	0.82	0.79	0.80	0.89	0.60	0.93	0.73
	0.2	0.90	0.92	0.74	0.82	0.9	0.82	0.79	0.80	0.89	0.61	0.93	0.74

Fig. 8

Line plot of the model combining GCN with N-pair Loss.

4.4.2 Results of the scenario 2

The results in Table 6 have shown that the model using only GIN [17] gives better performance than the model using only GCN [53]. This result once again confirms that GIN [17] is more effective than GCN [53] in the terms of analyzing and extracting APT malware features. Comparing the results of Table 2 with Table 6, it can be seen that the model combining deep graph networks with contrastive learning is completely better than using only individual deep graph networks, GIN [17] and GCN [53]. Figure 9 presents some comparison results between our newly proposed method with other approaches. The experimental results from Figure 9 show that our proposed approach in has yielded better results than other approaches on all performance measures.

Table 6
The results of the model using only deep graph networks

Deep graph network Evaluation

Acc Pre Rec F1

GIN [17] 0.90 0.81 0.80 0.80

GCN [53] 0.89 0.79 0.80 0.79

Our method 0.94 0.88 0.88 0.88

Deep graph network	Evaluation
GIN [17]	0.90	0.81	0.80	0.80
GCN [53]	0.89	0.79	0.80	0.79
Our method	0.94	0.88	0.88	0.88

Fig. 9

Bar chart of the model using only deep graph networks.

4.5 Discussion

Based on the two experimental scenarios presented in section 4.4, it can be seen that the scientific and practical contributions of the proposal in this paper have been clearly confirmed. Specifically, with scenario 1, the paper has presented some models combining deep graph networks with contrastive learning methods. This scenario has proven that the model combining GIN with N-pair loss is more effective than other combined models. This result also has shown the suitability of GIN and N-pair Loss for the task of extracting and classifying APT malware. For scenario 2, the paper has compared the approach proposed in this study with some approaches using GCN [53] and GIN [17]. Obviously, with the flexible combination of layers of deep graph networks with contrastive learning algorithms, we have created a complete model that not only promotes the efficiency of feature extraction but also supports the task of classifying and predicting abnormal behavior of malware. Finally, from the 2 experimental scenarios presented in the paper, we have shown why our proposed method is superior to other methods. The results have not only confirmed the novelty and scientific meanings in the study, which is the first to propose a model combining deep graph networks with contrastive learning for the APT malware detection task, but also opened up a new solution trending to the problems of detecting anomalies, malware, insider attack, etc. on endpoint workstations. Besides, this study has also suggested a new approach to classification problems using imbalanced datasets.

5 Conclusion

With the purpose of improving the ability to detect APT malware on workstations, we have proposed in this study 3 main scientific contents: the architecture of the detection model combining a deep graph network with a contrastive learning algorithm, extracting APT malware features using a deep graph network, and optimizing the APT malware detection and classification process based on contrastive learning. Accordingly, with the flexible combination of deep graph networks and contrastive learning, a complete model is formed with the functions of analyzing input data, extracting APT features, and detecting APT malware on workstations. This is a novel combined model that has not been proposed and used by any research. In addition, the experimental results on scenarios 1 and 2 have proved that the combined model proposed in the paper has a significantly better performance than individual deep graph models, or other approaches. During the experiments, we tried to tune and clarify different parameters to clearly see the change in detection results associating with different model setups. Here, the results of almost all optimal and suitable parameter settings are presented and compared. The results also show that the use of deep graph networks has been very effective for the process of aggregating and extracting APT malware behaviors based on the correlation between the processes collected from workstations. Finally, with the support of contrastive learning techniques, the process of classifying and predicting APT malware has been greatly improved. This result has once again proved the correctness and the scientific meaning of the new model in the paper. Apart from the aforementioned advantages, this research is somewhat efficiently solving one of the challenging issues in machine learning, which is the imbalance in the experimental dataset. In reality, to detect APT malware, researchers have to deal with training datasets that have a significant amount difference between clean data and APT malware data. To this end, there is a need to improve the feature extraction mechanism, which can highlight the information of the data in both classes. This is such a crucial issue in this field of study. In this paper, these features are extracted and optimized using deep graph learning. It is suggested that, in the future, there can be some different research directions to enhance the prediction accuracy of APT malware from the normal files, as follows: i) to develop a better method of extracting APT malware features from malware processes; ii) to construct a better behavior profile of the APT malware in imbalanced datasets; iii) to improve the loss functions in contrastive learning or to use unsupervised contrastive learning.

Footnotes

Acknowledgments

This work has been sponsored by the Ministry of Information and Communications, Vietnam, grant number DT.18/23.

References

Manar Abu Talib , Qassim Nasir , Ali Bou Nassif , Takua Mokhamed , Nafisa Ahmed , Bayan Mahfood , APT beaconing detection: A systematic review, Computers & Security 122 (2022), 102875. https://doi.org/10.1016/j.cose.2022.102875

BinHui Tang , JunFeng Wang , Zhongkun Yu , Bohan Chen , Wenhan Ge , Jian Yu , TingTing Lu , , Advanced Persistent Threat intelligent profiling technique: A survey, Computers and Electrical Engineering 103 (2022), 108261. https://doi.org/10.1016/j.compeleceng.2022.108261

Akbar

K.A.

, et al., Advanced Persistent Threat Detection Using Data Provenance and Metric Learning, in IEEE Transactions on Dependable and Secure Computing, 2022. doi: 10.1109/TDSC.2022.3221789

Liu

, Gu

, Shen

, Liao

and Yu

, MSCA: An Unsupervised Anomaly Detection System for Network Security in Backbone Network, in IEEE Transactions on Network Science and Engineering 10(1) (2023), 223–238. doi: 10.1109/TNSE.2022.3206353

Choxuan Do , Nguyen Quang Dam , Nguyen Tung Lam , , Optimization of network traffic anomaly detection using machine learning, International Journal of Electrical and Computer Engineering; Yogyakarta 11(3) (2021), 2360–2370. DOI: 10.11591/ijece.v11i3.pp2360–2370

Nisha

T.N.

, Dhanya Pramod , Insider Intrusion Detection Techniques: A State-of-the-Art Review, Journal of Computer Information Systems (2023), 1–18. 10.1080/08874417.2023.2175337

Cho Do Xuan , Hoang Mai Dao , Hoa Dinh Nguyen , APT attack detection based on flow network analysis techniques using deep learning, Journal of Intelligent & Fuzzy Systems 39 (2020), 4785–4801. https://doi.org/10.3233/JIFS-200694

Cho Do Xuan , Duc Duong , Hoang Xuan Dau , A Multi-Layer Approach for Advanced Persistent Threat Detection Using Machine Learning Based on Network Traffic, Journal of Intelligent & Fuzzy Systems 40 (2021), 11311–11329. https://doi.org/10.3233/JIFS-202465

Do Xuan Cho , Ha Hai Nam , , A Method of Monitoring and Detecting APT Attacks Based on Unknown Domains, Procedia Computer Science 150 (2019), 316–323. https://doi.org/10.1016/j.procs.2019.02.058

10.

Sowmya Myneni , Kritshekhar Jha , Abdulhakim Sabur , Garima Agrawal , Yuli Deng , Ankur Chowdhary , Dijiang Huang , Unraveled—A semi-synthetic dataset for Advanced Persistent Threats, Computer Networks (2023), 109688. https://doi.org/10.1016/j.comnet.2023.109688

11.

Eke

H.N.

, Petrovski

, Ahriz

, Al-Kadri

M.O.

, Framework for Detecting APTs Based on Steps Analysis and Correlation, In: M. Abbaszadeh, Zemouche, A. (eds) Security and Resilience in Cyber-Physical Systems, Springer, Cham, (2022). https://doi.org/10.1007/978-3-030-97166-3_6

12.

Levshun

, Kotenko

, A survey on artificial intelligence techniques for security event correlation: models, challenges, and opportunities, Artif Intell Rev (2023). https://doi.org/10.1007/s10462-022-10381-4

13.

Gopinath

, Sibi Chakkaravarthy Sethuraman , A comprehensive survey on deep learning based malware detection techniques, Computer Science Review 47 (2023), 100529. https://doi.org/10.1016/j.cosrev.2022.100529

14.

Do Xuan

, Duong

L.V.

and Nikolaevich

T.V.

, Detecting C&C Server in the APT Attack based on Network Traffic using Machine Learning, International Journal of Advanced Computer Science and Applications 11 (2020), 22–27. https://10.14569/IJACSA.2020.0110504

15.

Cho Do Xuan , Huong

D.T.

, Toan Nguyen , A Novel Intelligent Cognitive Computing-based APT Malware Detection for Endpoint Systems’, Journal of Intelligent & Fuzzy Systems 43(3) (2022), 3527–3547.

16.

Cho Do Xuan , Huong

D.T.

, Duc Duong , ‘New Approach for APT Malware Detection on the Workstation Based on Process Profile’, Journal of Intelligent & Fuzzy Systems 43(4) (2022), 4815–4834.

17.

Do Xuan

and Huong

, A new approach for APT malware detection based on deep graph network for endpoint systems, Appl Intell 52 (2022), 14005–14024. https://doi.org/10.1007/s10489-021-03138-z

18.

Mark Russinovich, Thomas Garnier, Sysmon v12.03, (2023). https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon. Accessed 26 Mar 2021.

19.

Cho Do Xuan , , Detecting APT Attacks Based on Network Traffic Using Machine Learning, Journal of Web Engineering 20 (2021), 171–190. https://doi.org/10.13052/jwe1540-9589.2019

20.

Hoa Cuong Nguyen , et al., A New Framework for APT Attack Detection Based on Network Traffic, Journal of Intelligent & Fuzzy Systems 44(3) (2023), 3459–3474.

21.

Do Xuan

and Dao

M.H.

, A novel approach for APT attack detection based on combined deep learning model, Neural Comput & Applic 33 (2021), 13251–13264. https://doi.org/10.1007/s00521-021-05952-5

22.

Cho Do Xuan and Duc Duong , Optimization of APT Attack Detection Based on a Model Combining ATTENTION and Deep Learning, Journal of Intelligent & Fuzzy Systems 42(4) (2022), 4135–4151.

23.

Amit Sharma , Brij Gupta

, Awadhesh Kumar Singh and Saraswat

V.K.

, Orchestration of APT Malware Evasive Manoeuvers Employed for Eluding Anti-virus and Sandbox Defense, Computers & Security 115(6), 102627. https://doi.org/10.1016/j.ins.2020.08.095

24.

Chai

, Qiu

, Yin

, Zhang

, Gupta

B.B.

and Tian

, From Data and Model Levels: Improve the Performance of Few-Shot Malware Classification, in IEEE Transactions on Network and Service Management 19(4) (2022), 4248–4261. doi: 10.1109/TNSM.2022.3200866

25.

Mohamed Guendouz and Abdelmalek Amine , A New Wrapper-Based Feature Selection Technique with Fireworks Algorithm for Android Malware Detection, Int J Softw Sci Comput Intell 14(1) (2022), 1–19. https://doi.org/10.4018/IJSSCI.312554

26.

Xueyuan Han , Thomas Pasquier , Adam Bates , James Mickens , Margo Seltzer , UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats (2020). arXiv:2001.01525

27.

Ullah

, Srivastava

and Ullah

, A malware detection system using a hybrid approach of multi-heads attention-based control flow traces and image visualization, J Cloud Comp 11 (2022), 75. https://doi.org/10.1186/s13677-022-00349-8

28.

Julian Busch , Anton Kocheturov , Volker Tresp , Thomas Seidl , NF-GNN: Network Flow Graph Neural Networks for Malware Detection and Classification, arXiv, arXiv:2103.03939 (2021).

29.

Angelo Schranko de Oliveira , Renato José Sassi , Behavioral Malware Detection Using Deep Graph Convolutional Neural Networks, TechRxiv, Preprint, (2019). https://doi.org/10.36227/techrxiv.10043099.v1

30.

Fei Xiao , Zhaowen Lin , Yi Sun , Yan Ma , Malware Detection Based on Deep Learning of Behavior Graphs, Mathematical Problems in Engineering (2019). doi: https://doi.org/10.1155/2019/8195395

31.

Minghui Cai , Yuan Jiang , Cuiying Gao , Heng Li , Wei Yuan , Learning features from enhanced function call graphs for Android malware detection, Neurocomputing 423 (2021), 301–307. https://doi.org/10.1016/j.neucom.2020.10.054

32.

Yan

, Yan

, Jin

, Classifying Malware Represented as Control Flow Graphs using Deep Graph Convolutional Neural Network, 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 2019, (2019), 52–63. https://doi.org/10.1109/DSN.2019.00020

33.

Azmoodeh

, Dehghantanha

and Choo

K.R.

, Robust Malware Detection for Internet of (Battlefield) Things Devices Using Deep Eigenspace Learning, IEEE Transactions on Sustainable Computing 4(1) (2019), 88–95

10.1109/TSUSC.2018.2809665

34.

Jie Zhou , Ganqu Cui , Shengding Hu , et al., , Graph neural networks: A review of methods and applications, AI Open 1 (2020), 57–81. https://doi.org/10.1016/j.aiopen.2021.01.001

35.

Ilya Makarov , Dmitrii Kiselev , Nikita Nikitinsky , Lovro Subelj , Survey on graph embeddings and their applications to machine learning problems on graphs, PeerJ Computer Science 7(3) (2021). https://doi.org/10.7717/peerj-cs.357

36.

Palash Goy , Emilio Ferrara , Graph embedding techniques, applications, and performance: A survey, Knowledge-Based Systems 151 (2018), 78–94. https://doi.org/10.1016/j.knosys.2018.03.022

37.

Keyulu Xu , Weihua Hu , Jure Leskovec , Stefanie Jegelka , How Powerful are Graph Neural Networks? arXiv, arXiv:1810.00826, (2018).

38.

Kipf

, Max Welling, Semi-Supervised Classification with Graph Convolutional Networks, arXiv, arXiv:1609.02907, (2016).

39.

Byung-Hoon Kim , Jong Chul Ye , Understanding Graph Isomorphism Network for rs-fMRI Functional Connectivity Analysis, Front Neurosci (2020). https://doi.org/10.3389/fnins.2020.00630

40.

aniel Svozil , Vladimír Kvasnicka , Jií Pospichal , Introduction to multi-layer feed-forward neural networks, Chemometrics and Intelligent Laboratory Systems 39(1) (1997). https://doi.org/10.1016/S0169-7439(97)00061-0

41.

Samaneh Mahdavifar and Ali Ghorbani

, Application of deep learning to cybersecurity: A survey, Neurocomputing 347 (2019), 149–176. https://doi.org/10.1016/j.neucom.2019.02.056

42.

Hadsell

, Chopra

, LeCun

, Dimensionality Reduction by Learning an Invariant Mapping, 2006 IEEE Computer Society Conference on Computer Vision and Pattern Recognition (CVPR’06), New York, NY, USA, 2006, pp. 1735–1742, doi: 10.1109/CVPR.2006.100

43.

Prannay Khosla , Piotr Teterwak , Chen Wang , Aaron Sarna , Yonglong Tian , Phillip Isola , Aaron Maschinot , Ce Liu , Dilip Krishnan , Supervised Contrastive Learning, arXiv:2004.11362, https://doi.org/10.48550/arXiv.2004.11362

44.

Ghojogh

, Sikaroudi

, Shafiei

, Tizhoosh

H.R.

, Karray

, Crowley

, Fisher Discriminant Triplet and Contrastive Losses for Training Siamese Networks, 2020 International Joint Conference on Neural Networks (IJCNN), Glasgow, UK, 2020, pp. 1–7. doi: 10.1109/IJCNN48605.2020.9206833

45.

Feng Wang , Huaping Liu , Understanding the Behaviour of Contrastive Loss, arXiv:2012.09740. https://doi.org/10.48550/arXiv.2012.09740

46.

Schroff

, Kalenichenko

, Philbin

, FaceNet: A unified embedding for face recognition and clustering, 2015 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2015, pp. 815–823. doi: 10.1109/CVPR.2015.7298682

47.

Kihyuk Sohn , Improved deep metric learning with multi-class N-pair loss objective, Proceedings of the 30th International Conference on Neural Information Processing Systems, December 2016, Pages 1857–1865.

48.

Interactive Online Malware Sandbox, https://app.any.run/. Accessed 2 Mar 2023.

49.

Vietnam Cyberspace Security Technology JSC (VNCS). http://www.vncert.gov.vn/index.php. Accessed 2 Mar 2023.

50.

Viettel cyberspace center. https://viettelcyber-security.com/#/home. Accessed Accessed 2 Mar 2023.

51.

CyRadar. https://cyradar.com/#. Accessed Accessed 2 Mar 2023.

52.

National Cyber Security Center – NCSC. https://khonggianmang.vn/intro. Accessed Accessed 2 Mar 2023.

53.

Pei Xinjun , Yu Long , Tian Shengwei , , AMalNet: A deep learning framework based on graph convolutional networks for malware detection, Computers & Security 93 (2020), 101792. DOI: 10.1016/j.cose.2020.101792

54.

Lai Van Duong , Cho Do Xuan , , Detecting Malware based on Analyzing Abnormal behaviors of PE File, International Journal of Advanced Computer Science and Applications 12(3) (2021). DOI: 10.14569/IJACSA.2021.0120355

Using knowledge graphs and contrastive learning for detecting APT Malware on Endpoint systems

Abstract

Keywords

1 Introduction

1.1 The problems

1.2 The proposed approach

1.3 The scientific basis of the proposed method

1.4 Contributions of paper

2 Related studies

3 The proposed model

3.1 Overall architecture

3.3 Feature extraction

3.3.1 Graph Convolutional Network (GCN)

3.4.1 The MLP network

3.4.2 Contrastive learning

4.1 Experimental dataset

Table 1 Statistics on the number of samples of the experimental dataset Dataset Normal APT malware Test dataset 94,229 32,218 Training dataset 23,214 8,142 Total 117,443 40,360

4.4 Experimental results

4.4.1 Results of the scenario 1

Table 6 The results of the model using only deep graph networks Deep graph network Evaluation Acc Pre Rec F1 GIN [17] 0.90 0.81 0.80 0.80 GCN [53] 0.89 0.79 0.80 0.79 Our method 0.94 0.88 0.88 0.88

5 Conclusion

Footnotes

Acknowledgments

References

Table 1
Statistics on the number of samples of the experimental dataset

Dataset Normal APT malware

Test dataset 94,229 32,218

Training dataset 23,214 8,142

Total 117,443 40,360

Table 6
The results of the model using only deep graph networks

Deep graph network Evaluation

Acc Pre Rec F1

GIN [17] 0.90 0.81 0.80 0.80

GCN [53] 0.89 0.79 0.80 0.79

Our method 0.94 0.88 0.88 0.88