Abstract

Detecting and alerting on Advanced Persistent Threat (APT) malware on endpoints is essential because the current trend among APT attacker groups is to find ways to spread malware to users and then escalate privileges in the system. In this study, to improve the ability to detect APT malware on endpoint machines, we propose a novel intelligent cognitive computation method based on a model that combines graph embeddings and Attention, using the processes generated by executable files. The proposed intelligent cognitive computation method performs three main tasks: i) extracting the behaviors of processes; ii) aggregating malware behaviors based on those processes; iii) detecting APT malware based on behavior analysis. For task (i), we propose to use several data mining techniques: extracting processes from Event IDs in the operating system kernel, and extracting abnormal behaviors of those processes. For task (ii), a graph embedding (GE) model based on Graph Convolutional Networks (GCN) is proposed. For task (iii), based on the results of task (ii), the paper proposes a combination of a Convolutional Neural Network (CNN) and an Attention network (called CNN-Attention). The novelty and originality of this study lie in an intelligent cognitive computation method based on the use, combination, and synchronization of many different data mining techniques to compute, extract, and represent relationships and correlations among APT malware behaviors derived from processes. Based on this new intelligent cognitive computation method, many meaningful anomalous features and behaviors of APT malware have been synthesized and extracted. The proposed data mining methods for extracting malware features, and the list of malware behaviors provided in this paper, are new information that has not been published in previous studies.
In the experimental section, to demonstrate the effectiveness of the proposed method in detecting APT malware, we compare and evaluate it against other approaches. The experimental results show the outstanding efficiency of the proposed method, which achieves 96.6% or more on all metrics (2% to 6% higher than the other approaches). These results show that the proposed method is not only scientifically significant but also has practical meaning, because it helps to improve the efficiency of analyzing and detecting APT malware on endpoint devices. In addition, this research result opens up a new approach for the task of detecting other anomalies on the endpoint, such as malware, unauthorized intrusion, insiders, etc.
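As an added illustration of tasks (i) and (ii), not code from the paper, the block below builds a process graph from a few constructed kernel-style process-creation events and runs one Kipf-Welling GCN propagation step over one-hot behavior features. The event fields, the behavior flags and the identity weight matrix are assumptions, since the abstract does not give the paper's own Event IDs or feature set.

```python
from math import sqrt

# Constructed sample events: (event_id, pid, parent_pid, behaviour flag).
# Event id 1 stands for "process created"; flags are assumed task (i) output.
EVENTS = [
    (1, 100, 1,   "none"),         # shell-like root process
    (1, 200, 100, "none"),         # document viewer spawned by the user
    (1, 300, 200, "script_exec"),  # script interpreter spawned by the viewer
    (1, 400, 300, "net_beacon"),   # child contacting an external host
    (1, 500, 300, "persist_key"),  # child writing a persistence registry key
]
BEHAVIOURS = ["none", "script_exec", "net_beacon", "persist_key"]

def build_process_graph(events):
    """Task (i): nodes are pids, undirected edges follow parent->child spawns,
    node features are one-hot behaviour flags."""
    nodes = sorted({pid for _, pid, _, _ in events})
    idx = {pid: i for i, pid in enumerate(nodes)}
    n = len(nodes)
    adj = [[0.0] * n for _ in range(n)]
    feats = [[0.0] * len(BEHAVIOURS) for _ in range(n)]
    for _, pid, ppid, beh in events:
        feats[idx[pid]][BEHAVIOURS.index(beh)] = 1.0
        if ppid in idx:  # parents outside the log (pid 1) contribute no edge
            adj[idx[pid]][idx[ppid]] = adj[idx[ppid]][idx[pid]] = 1.0
    return nodes, adj, feats

def gcn_propagate(adj, feats):
    """Task (ii): H = D^-1/2 (A + I) D^-1/2 X, one Kipf-Welling GCN layer with an
    identity weight matrix, so each process mixes its behaviours with its neighbours'."""
    n = len(adj)
    a_hat = [[adj[i][j] + (1.0 if i == j else 0.0) for j in range(n)] for i in range(n)]
    deg = [sum(row) for row in a_hat]
    out = []
    for i in range(n):
        row = [0.0] * len(feats[0])
        for j in range(n):
            if a_hat[i][j]:
                coef = a_hat[i][j] / sqrt(deg[i] * deg[j])
                row = [r + coef * f for r, f in zip(row, feats[j])]
        out.append(row)
    return out

def embed_processes(events=EVENTS):
    nodes, adj, feats = build_process_graph(events)
    return dict(zip(nodes, gcn_propagate(adj, feats)))

if __name__ == "__main__":
    for pid, vec in embed_processes().items():
        print(pid, [round(v, 3) for v in vec])
```

With the constructed events, pid 300 ends up with nonzero weight on all three anomalous behaviours while pid 100 keeps only the benign flag; these aggregated vectors are what a task (iii) classifier would consume.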
