Cyber threat attribution with multi-view heuristic analysis


Abstract

Over the years, many malware variants have emerged, and many of them are known to originate from different Advanced Persistent Threats (APTs). APT groups are nation-state actors or well-resourced groups that aim to compromise and exploit individuals and public or private organizations. If the source of a malware sample can be identified at an early stage, it significantly helps cybersecurity specialists understand what they are dealing with and decide on the best approach to remediation. APT groups can be attributed to their attack campaigns by observing their methods and their Tactics, Techniques, and Procedures (TTPs). A heuristic analysis of malware that draws on multiple characteristics of the malware files, namely the Opcode sequence, the Bytecode sequences, and the headers, can provide a better comprehension of the TTPs used in a campaign. Multi-view analysis can help attribute the malware to its source with higher accuracy. The experiment uses a multi-view approach similar to a recent work that implements a Fuzzy Consensus Clustering Model for threat attribution. Our experiment is conducted with 3594 malware samples corresponding to 12 different APT groups. Five different Machine Learning classifiers, i.e. SVM, Decision Tree, KNN, Deep Learning (MLP), and Fair Clustering, are used to evaluate all the views, and they provide an overall accuracy of 99%.
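The abstract describes three views of a sample (opcode sequence, byte sequence, header attributes) that are each turned into features and then combined for attribution. The following is an added illustration of that idea, not code from the chapter or its authors: it builds a bag-of-bigrams per view, runs a plain cosine k-nearest-neighbour classifier on each view, and fuses the per-view votes by majority (a simple stand-in for the chapter's Fuzzy Consensus Clustering and its five classifiers). The corpus, the group labels "APT-A"/"APT-B", the opcode lists, byte strings and header fields are all constructed for the example; in practice opcodes come from a disassembler, bytes from the file, and header fields from a PE/ELF parser.

```python
import math
from collections import Counter

# Constructed toy corpus (not the chapter's 3594-sample dataset). Each record
# carries the three views named in the abstract. Labels are placeholder names.
SAMPLES = [
    {"apt": "APT-A", "opcodes": ["push", "mov", "call", "push", "mov", "call", "ret"],
     "bytes": b"\x55\x8b\xec\x83\xec\x08", "header": {"compiler": "msvc", "packer": "none"}},
    {"apt": "APT-A", "opcodes": ["push", "mov", "call", "mov", "call", "ret"],
     "bytes": b"\x55\x8b\xec\x83\xec\x10", "header": {"compiler": "msvc", "packer": "none"}},
    {"apt": "APT-A", "opcodes": ["push", "mov", "push", "mov", "call", "ret"],
     "bytes": b"\x55\x8b\xec\x8b\xec", "header": {"compiler": "msvc", "packer": "none"}},
    {"apt": "APT-B", "opcodes": ["xor", "lea", "jmp", "xor", "lea", "jmp", "ret"],
     "bytes": b"\x31\xc0\x8d\x45\xe9\x90", "header": {"compiler": "gcc", "packer": "upx"}},
    {"apt": "APT-B", "opcodes": ["xor", "lea", "jmp", "lea", "jmp", "ret"],
     "bytes": b"\x31\xc0\x8d\x45\xe9\xeb", "header": {"compiler": "gcc", "packer": "upx"}},
    {"apt": "APT-B", "opcodes": ["xor", "lea", "xor", "lea", "jmp", "ret"],
     "bytes": b"\x31\xc0\x31\xc0\x8d\x45", "header": {"compiler": "gcc", "packer": "upx"}},
]

# Constructed unlabelled sample: code and bytes resemble APT-A, but it was
# repacked with a packer seen only in APT-B, so the header view disagrees.
QUERY = {"apt": None, "opcodes": ["push", "mov", "call", "ret"],
         "bytes": b"\x55\x8b\xec", "header": {"compiler": "unknown", "packer": "upx"}}


def ngrams(seq, n=2):
    """Bag of n-grams over any sequence (opcode mnemonics or raw byte values)."""
    return Counter(tuple(seq[i:i + n]) for i in range(len(seq) - n + 1))


def opcode_view(sample):
    return ngrams(sample["opcodes"])


def byte_view(sample):
    return ngrams(list(sample["bytes"]))


def header_view(sample):
    # One binary feature per header attribute/value pair.
    return Counter(f"{k}={v}" for k, v in sample["header"].items())


VIEWS = {"opcode": opcode_view, "byte": byte_view, "header": header_view}


def cosine(a, b):
    """Cosine similarity between two sparse feature bags."""
    dot = sum(a[k] * b[k] for k in a)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def knn_predict(train, query, view_fn, k=3):
    """Majority label among the k training samples closest to query in one view."""
    qv = view_fn(query)
    ranked = sorted(train, key=lambda s: cosine(view_fn(s), qv), reverse=True)
    return Counter(s["apt"] for s in ranked[:k]).most_common(1)[0][0]


def multi_view_predict(train, query, k=3):
    """Late fusion: each view casts one vote, the majority wins."""
    votes = Counter(knn_predict(train, query, fn, k) for fn in VIEWS.values())
    return votes.most_common(1)[0][0]


def leave_one_out_accuracy(samples, predict):
    """Hold out each sample in turn, attribute it from the rest, score the hits."""
    hits = sum(predict([s for s in samples if s is not t], t) == t["apt"] for t in samples)
    return hits / len(samples)


def per_view_report(samples, k=3):
    """Leave-one-out accuracy for every single view and for the fused vote."""
    report = {name: leave_one_out_accuracy(samples, lambda tr, q, fn=fn: knn_predict(tr, q, fn, k))
              for name, fn in VIEWS.items()}
    report["fused"] = leave_one_out_accuracy(samples, lambda tr, q: multi_view_predict(tr, q, k))
    return report


if __name__ == "__main__":
    print("leave-one-out accuracy:", per_view_report(SAMPLES))
    for name, fn in VIEWS.items():
        print(f"{name} view attributes QUERY to {knn_predict(SAMPLES, QUERY, fn)}")
    print("fused attribution:", multi_view_predict(SAMPLES, QUERY))
```

On this toy corpus every view attributes the held-out samples perfectly, which is what a well-separated dataset looks like; the unlabelled query is the more instructive case, since the header view alone would misattribute it to APT-B on the strength of the packer, while the opcode and byte views outvote it. That is the practical argument for multi-view attribution: a single view can be swayed by one easily changed artifact, whereas an adversary has to disguise all views at once to defeat the consensus.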

Citation (APA)

Sahoo, D. (2021). Cyber threat attribution with multi-view heuristic analysis. In Handbook of Big Data Analytics and Forensics (pp. 53–73). Springer International Publishing. https://doi.org/10.1007/978-3-030-74753-4_4
