Domain Adaptation for Windows Advanced Persistent Threat Detection
2022
Abstract
Like many cyber security domains, data availability influences many active decisions and research trajectories in the advanced persistent threat (APT) landscape. Current solutions relying on many temporal constraints have limited generalization for new threats. In this paper, these two challenges are addressed: we introduce domain adaptation to broaden the availability of data to improve APT detection while determining the relevance of separating samples based on their reported use. With the ability to introduce new data, namely in the APT-Executable (APT-EXE) dataset, we propose a new method to adapt over 4500 APT malware log samples to our target domain and achieve superior detection performance. A combination of transductive and inductive adaptation is applied by adapting the distribution of APT file system interaction. Adaptation is applied to retrieve system-driven access and usage structure and functionality interaction footprints. The aligned distribution of log entries is projected within a Riemannian manifold. A weighted geodesic distance between APT samples and unseen log entries is measured, and an APT-driven Bayes net (APT-BN) is queried for the respective techniques of the adaptation and footprint methods. The proposed method is evaluated on 183 different Windows APT samples for 207 processes from 20 documented APT campaigns from 2018 onward. Comparisons are made between the proposed method, multiple state-of-the-art log embedding techniques, and established text processing techniques. The proposed method outperforms all techniques in reducing false positives to less than 100 in 100,000 processes and a true positive rate of 0.80%. Thus, domain adaptation methods are promising to mitigate the challenges of detecting APTs.
References: 32
Citations: 0