Explainable APT Attribution for Malware Using NLP Techniques
Qinqin Wang, Hanbing Yan, Zhihui Han
Abstract
APT attribution for malware refers to the process of identifying characteristics that are related to the APT group of an anonymous malware. This paper presents a novel approach for APT attribution. Our approach innovatively combines code features and string features for APT attribution, using paragraph vectors and bag-of-words vectors to represent function semantics and behavior reports, respectively. We apply the model interpretation to APT attribution for the first time, using Random Forest Classifier (RFC) and Local Interpretable Model-agnostic Explanations (LIME) to interpret the model results. We evaluate the method on a data set collected from threat intelligence reports. The results show that our method has advantages in feature selection, method application, and accuracy. Importantly, this article provides a detailed description and examples about the process of model interpretation. Model interpretation improves the trust of cyber security personnel in the model, and facilitates the analysis of network attacks and threat intelligence.