APTMalInsight: Identify and Cognize APT Malware based on System Call Information and Ontology Knowledge Framework

2020 
Abstract

APT attacks pose serious threats to the security of cyberspace and are usually tailored for specific targets. Identifying and understanding APT attacks remains a key issue for society. Attackers often use malware as the weapon with which they launch cyber-attacks, so detecting APT malware and gaining insight into its malicious behaviors strengthens the ability to understand and counteract APT attacks. Based on this motivation, this paper proposes a novel APT malware detection and cognition framework named APTMalInsight, which aims to identify and cognize APT malware by leveraging system call information and ontology knowledge. We systematically study APT malware and extract dynamic system call information to describe its behavioral characteristics. Using the resulting feature vectors, APT malware can be detected and clustered into its families accurately. Furthermore, a horizontal comparison between APT malware and traditional malware is conducted from the perspective of behavior types, to understand the behavioral characteristics of APT malware in depth. On this basis, an ontology model is introduced to construct the APT malware knowledge framework that represents its typical malicious behaviors, thereby implementing systematic cognition of APT malware and providing contextual understanding of APT attacks. Evaluation results on real APT malware samples demonstrate that detection and clustering accuracy can reach up to 99.28% and 98.85% respectively. In addition, APTMalInsight supplies an effective cognition framework for APT malware and enhances the capability to understand APT attacks.
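The abstract describes turning dynamic system call traces into feature vectors and then assigning samples to malware families. The following is an added illustration of that general idea, written for this page and not code from the APTMalInsight paper or its authors: it builds unigram and bigram system-call frequency features, averages them into per-family centroids, and assigns an unseen trace to the nearest centroid by cosine similarity, reporting "unknown" when nothing is similar enough. The traces, family names and the 0.3 threshold are constructed for the example; the paper's actual feature design and classifier are not on this page.

```python
"""Added example (not from the APTMalInsight paper): system-call traces -> feature
vectors -> nearest-family assignment. All traces and labels below are constructed."""
from collections import Counter
from math import sqrt

# Constructed sample traces labelled "<family>_<n>" (not real APT malware data).
TRACES = {
    "familyA_1": ["open", "read", "connect", "send", "recv", "write", "close"],
    "familyA_2": ["open", "read", "connect", "send", "send", "recv", "close"],
    "familyB_1": ["fork", "execve", "mmap", "mprotect", "write", "close"],
    "familyB_2": ["fork", "execve", "mmap", "mprotect", "mprotect", "close"],
}


def features(trace):
    """Sparse feature vector: counts of each syscall plus counts of each
    adjacent syscall pair (bigram), which captures call ordering."""
    feats = Counter(trace)
    feats.update(f"{a}->{b}" for a, b in zip(trace, trace[1:]))
    return feats


def cosine(u, v):
    """Cosine similarity between two sparse vectors (dicts); 0.0 if either is empty."""
    dot = sum(u[k] * v.get(k, 0) for k in u)
    nu = sqrt(sum(x * x for x in u.values()))
    nv = sqrt(sum(x * x for x in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0


def family_of(sample_name):
    """Family label is the part of the constructed sample name before '_'."""
    return sample_name.split("_")[0]


def centroids(labelled):
    """Average feature vector per family from labelled traces."""
    sums, counts = {}, Counter()
    for name, trace in labelled.items():
        fam = family_of(name)
        sums.setdefault(fam, Counter()).update(features(trace))
        counts[fam] += 1
    return {fam: {k: v / counts[fam] for k, v in c.items()} for fam, c in sums.items()}


def classify(trace, cents, threshold=0.3):
    """Nearest-centroid assignment. Returns (family, score); a score below the
    (assumed) threshold yields 'unknown', i.e. a candidate new family/cluster."""
    f = features(trace)
    best, score = max(((fam, cosine(f, c)) for fam, c in cents.items()),
                      key=lambda t: t[1])
    return (best, score) if score >= threshold else ("unknown", score)


if __name__ == "__main__":
    cents = centroids(TRACES)
    for t in (["open", "read", "connect", "send", "recv", "close"],
              ["fork", "execve", "mmap", "mprotect", "close"],
              ["ioctl", "ioctl", "ioctl"]):
        print(t, "->", classify(t, cents))
```

A real pipeline would normalise call names across platforms, weight features (e.g. TF-IDF over families) and validate the threshold on held-out samples; the "unknown" branch is where newly observed behaviour would be queued for clustering rather than forced into an existing family.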