Advanced Persistent Threat Detection Research Articles

Genetic programming for enhanced detection of Advanced Persistent Threats through feature construction

Advanced Persistent Threats (APTs) pose considerable challenges in the realm of cybersecurity, characterized by their evolving tactics and complex evasion techniques. These characteristics often outsmart traditional security measures and necessitate the development of more sophisticated detection methods. This study introduces Feature Evolution using Genetic Programming (FEGP), a novel method that leverages multi-tree Genetic Programming (GP) to construct and enhance features for APT detection. While GP has been widely utilized for tackling various problems in different domains, our study focuses on the adaptation of GP to the multifaceted landscape of APT detection. The proposed method automatically constructs discriminative features by combining the original features using mathematical operators. By leveraging GP, the system adapts to the evolving tactics employed by APTs, enhancing the identification of APT activities with greater accuracy and reliability. To assess the efficacy of the proposed method, comprehensive experiments were conducted on widely used and publicly accessible APT datasets. Using the combination of constructed and original features on the DAPT-2020 dataset, FEGP achieved a balanced accuracy of 79.28%, surpassing the best comparative methods by an average of 2.12% in detecting APT stages. Additionally, utilizing only constructed features on the Unraveled dataset, FEGP achieved a balanced accuracy of 83.14%, demonstrating a 3.73% improvement over the best comparative method. The findings presented in this paper underscore the importance of GP-based feature construction for APT detection, providing a pathway toward improved accuracy and efficiency in identifying APT activities. The comparative analysis of the proposed method against existing feature construction methods demonstrates FEGP’s effectiveness as a state-of-the-art method for multi-class APT classification. In addition to the performance evaluation, further analysis was conducted, encompassing feature importance analysis, and a detailed time analysis.

A Survey on Advanced Persistent Threat Detection: A Unified Framework, Challenges, and Countermeasures

In recent years, frequent Advanced Persistent Threat (APT) attacks have caused disastrous damage to critical facilities, leading to severe information leakages, economic losses, and even social disruptions. Via sophisticated, long-term, and stealthy network intrusions, APT attacks are often beyond the capabilities of traditional intrusion detection methods. Existing methods employ various techniques to enhance APT detection at different stages, but this makes it difficult to fairly and objectively evaluate the capability, value, and orthogonality of available techniques. Overly focusing on hardening specific APT detection stages cannot address some essential challenges from a global perspective, which would result in severe consequences. To holistically tackle this problem and explore effective solutions, we abstract a unified framework that covers the complete process of APT attack detection, with standardized summaries of state-of-the-art solutions and analysis of feasible techniques. Further, we provide an in-depth discussion of the challenges and countermeasures faced by each component of the detection framework. In addition, we comparatively analyze public datasets and outline the capability criteria to provide a reference for standardized evaluations. Finally, we discuss insights into potential areas for future research.

RT-APT: A real-time APT anomaly detection method for large-scale provenance graph

Advanced Persistent Threats (APTs) are prevalent in the field of cyber attacks, where attackers employ advanced techniques to control targets and exfiltrate data without being detected by the system. Existing APT detection methods heavily rely on expert rules or specific training scenarios, resulting in the lack of both generality and reliability. Therefore, this paper proposes a novel real-time APT attack anomaly detection system for large-scale provenance graphs, named RT-APT. Firstly, a provenance graph is constructed with kernel logs, and the WL subtree kernel algorithm is utilized to aggregate contextual information of nodes in the provenance graph. In this way we obtain vector representations. Secondly, the FlexSketch algorithm transforms the streaming provenance graph into a sequence of feature vectors. Finally, the K-means clustering algorithm is performed on benign feature vector sequences, where each cluster represents a different system state. Thus, we can identify abnormal behaviors during system execution. Therefore RT-APT enables to detect unknown attacks and extract long-term system behaviors. Experiments have been carried out to explore the optimal parameter settings under which RT-APT can perform best. In addition, we compare RT-APT and the state-of-the-art approaches on three datasets, Laboratory, StreamSpot and Unicorn. Results demonstrate that our proposed method outperforms the state-of-the-art approaches from the perspective of runtime performance, memory overhead and CPU usage.

Provenance-based APT campaigns detection via masked graph representation learning

Advanced Persistent Threats (APTs) are well-planned, persistent, and highly stealthy cyberattacks designed to steal confidential information or disrupt specific target systems. Recent studies have used system audit logs to construct provenance graphs that describe system interactions to detect potentially malicious activities. Although they are effective, they still suffer from problems such as the need for a priori knowledge, lack of attack data, and high computational overhead that limit their application. In this paper, we propose a self-supervised learning-based APT detection model, APT-MGL, which learns the embedded representations of nodes through a graph mask self-encoder and transforms the detection problem into an outlier detection problem for malicious nodes. APT-MGL characterizes the behavior of nodes based on node type, action, and interaction frequency, and fuses the features through a multi-head self-attention mechanism. Then the node embedding is obtained by combining graph features and structural information using masked graph representation learning. Finally, the unsupervised outlier detection method is used to analyze the computed embeddings and obtain the final detection results. The experimental results show that APT-MGL outperforms existing monitoring models and achieves a small overhead.

Explainable deep learning approach for advanced persistent threats (APTs) detection in cybersecurity: a review

In recent years, Advanced Persistent Threat (APT) attacks on network systems have increased through sophisticated fraud tactics. Traditional Intrusion Detection Systems (IDSs) suffer from low detection accuracy, high false-positive rates, and difficulty identifying unknown attacks such as remote-to-local (R2L) and user-to-root (U2R) attacks. This paper addresses these challenges by providing a foundational discussion of APTs and the limitations of existing detection methods. It then pivots to explore the novel integration of deep learning techniques and Explainable Artificial Intelligence (XAI) to improve APT detection. This paper aims to fill the gaps in the current research by providing a thorough analysis of how XAI methods, such as Shapley Additive Explanations (SHAP) and Local Interpretable Model-agnostic Explanations (LIME), can make black-box models more transparent and interpretable. The objective is to demonstrate the necessity of explainability in APT detection and propose solutions that enhance the trustworthiness and effectiveness of these models. It offers a critical analysis of existing approaches, highlights their strengths and limitations, and identifies open issues that require further research. This paper also suggests future research directions to combat evolving threats, paving the way for more effective and reliable cybersecurity solutions. Overall, this paper emphasizes the importance of explainability in enhancing the performance and trustworthiness of cybersecurity systems.

Bon-APT: Detection, attribution, and explainability of APT malware using temporal segmentation of API calls

Advanced Persistent Threats (APTs) are highly sophisticated cyberattacks that are aimed at achieving strategic goals and are usually backed by a well-funded entity. In this paper, we tackle the challenges of detecting and attributing APTs by proposing Bon-APT, a temporal learning method that analyzes and segment the occurrences of API calls invoked during the dynamic analysis of the examined PE. Those segments can be used to profile the temporal behavior of an APT, provide insights into its modus operandi, and induce an accurate machine-learning based model for the detection and attribution of APTs. Moreover, Bon-APT provides a human comprehensible explainability regarding the relations among segments as well as the behavior of the APT in each of them. This not only improves transparency and reliability from a human expert perspective, but it can also enrich the security experts with new knowledge regarding APTs' behavior. To evaluate Bon-APT, we built a unique collection of 12,655 APTs, belonging to 188 different cyber-groups and 17 different nations, which, to the best of our knowledge, is the largest collection of its kind. We conducted four experiments to evaluate the proposed method and compared its performance to the performance of state-of-the-art methods on the tasks of APT detection and authorship attribution (for both group and nation). Bon-APT achieved promising results in each of the tasks while outperforming the state-of-the-art methods. Bon-APT also provides a simple and concise explanation regarding its decisions and the APT behavior, as well as an easy, straightforward visual and quantitative behavioral comparison.

Detection of advanced persistent threats using hashing and graph-based learning on streaming data

Detection of advanced persistent threats using hashing and graph-based learning on streaming data

ConGraph: Advanced Persistent Threat Detection Method Based on Provenance Graph Combined with Process Context in Cyber-Physical System Environment

With the wide use of Cyber-Physical Systems (CPS) in many applications, targets of advanced persistent threats (APTs) have been extended to the IoT and industrial control systems. Provenance graph analysis based on system audit logs has become a promising way for APT detection and investigation. However, we cannot afford to ignore that existing provenance-based APT detection systems lack the process–context information at system runtime, which seriously limits detection performance. In this paper, we proposed ConGraph, an approach for detecting APT attacks using provenance graphs combined with process context; we presented a module for collecting process context to detect APT attacks. This module collects file access behavior, network access behavior, and interactive relationship features of processes to enrich semantic information of the provenance graph. It was the first time that the provenance graph was combined with multiple process–context information to improve the detection performance of APT attacks. ConGraph extracts process activity features from the provenance graphs and submits the features to a CNN-BiLSTM model to detect underlying APT activities. Compared to some state-of-the-art models, our model raised the average precision rate, recall rate, and F-1 score by 13.12%, 25.61%, and 24.28%, respectively.

Cyber Guardian : Intelligent Threat Surveillance

Advanced persistent threats (APTs) are cyberattacking that use covert strategies to target specific groups. As a result of the rapid growth of computing technology and the widespread connectivity of devices, there has been a boom in data transfer across networks. Because APTs' attack tactics are always changing, it can be difficult to detect them. This has led cybersecurity experts to develop creative solutions. We found gaps in the research on APT detection by doing a systematic literature review (SLR) covering the years 2012 to 2022 and finding 75 studies related to computer, mobile, and Internet of Things technologies. The most sophisticated cyberattack, known as an advanced persistent threat, involves malevolent individuals breaking into a network without authorization and staying hidden for an extended period. Advancement persistent threat attacks and organizational threats are becoming more frequent. Machine learning is one technique used to detect attacks by sophisticated persistent threats. The need for improved detection methods is highlighted by our findings, and we offer suggestions to guide the creation of early APT detection models and progress in cybersecurity. We propose a conceptual model known as Cyber Guardian that uses Random Forest classifier and attention techniques to create a self-translation machine through an encoder-decoder framework. These advanced attention algorithms are intended to improve the machine's capacity to examine and decipher intricate patterns found in HTTP requests, enhancing APT detection capabilities, and providing cybersecurity experts with cutting-edge instruments to proactively detect and neutralize new threats in real-time. This all-encompassing strategy is a major advancement in the ongoing fight against Advanced Persistent Threats (APTs) and emphasizes how crucial it is for the cybersecurity community to continuously innovate and collaborate in order to remain ahead of changing cyberthreats.

APT-KGL: An Intelligent APT Detection System Based on Threat Knowledge and Heterogeneous Provenance Graph Learning

APTs (Advanced Persistent Threats) have caused serious security threats worldwide. Most existing APT detection systems are implemented based on sophisticated forensic analysis rules. However, the design of these rules requires in-depth domain knowledge and the rules lack generalization ability. On the other hand, deep learning technique could automatically create detection model from training samples with little domain knowledge. However, due to the persistence, stealth, and diversity of APT attacks, deep learning technique suffers from a series of problems including difficulties of capturing contextual information, low scalability, dynamic evolving of training samples, and scarcity of training samples. Aiming at these problems, this paper proposes APT-KGL, an intelligent APT detection system based on provenance data and graph neural networks. First, APT-KGL models the system entities and their contextual information in the provenance data by a HPG (Heterogeneous Provenance Graph), and learns a semantic vector representation for each system entity in the HPG in an offline way. Then, APT-KGL performs online APT detection by sampling a small local graph from the HPG and classifying the key system entities as malicious or benign. In addition, to conquer the difficulty of collecting training samples of APT attacks, APT-KGL creates virtual APT training samples from open threat knowledge in a semi-automatic way. We conducted a series of experiments on two provenance datasets with simulated APT attacks. The experiment results show that APT-KGL outperforms other current deep learning based models, and has competitive performance against state-of-the-art rule-based APT detection systems.

An APT Attack Detection Method of a New-type Power System Based on STSA-transformer

Background: Complex structures such as a high proportion of power electronic equipment has brought new challenges to the safe and stable operation of new-type power system, increasing the possibility of the system being attacked, especially the more complex Advanced Persistent Threat (APT). This kind of attack has a long duration and strong concealment. Objective: Traditional detection methods target a relatively single attack mode, and the time span of APT processed is relatively short. None of them can effectively capture the long-term correlation in the attack, and the detection rate is low. These methods can’t meet the safety requirements of the new-type power system. In order to solve this problem, this paper proposes an improved transformer model called STSA-transformer algorithm, and applies it to the detection of APT in new-type power systems. Methods: In the STSA-transformer model, the network traffic collected from the power system is first converted into a sequence of feature vectors, and the location information and local feature of the sequence, is extracted by combining position encoding with convolutional embedding operations, and then global characteristics of attack sequences is captured using the multi-head selfattention mechanism of the transformer encoder, the higher-frequency features of the attention are extracted through the self-learning threshold operation, combined with the PowerNorm algorithm to standardize the samples, and finally classify the network traffic of the APT. Results: After multiple rounds of training on the model, the expected effect can be achieved and applied to the APT detection of a new-type power system. Conclusion: The experimental results show that the proposed STSA-transformer algorithm has better detection accuracy and lower detection false-alarm rate than traditional deep learning algorithms and machine learning algorithms.

Fuzzy inference based feature selection and optimized deep learning for Advanced Persistent Threat attack detection

SummaryOne of the attacks that have rapidly happen is Advanced Persistent Threat (APT). APT attacks contain different sophisticated approaches and methods of attacking targets for stealing confidential as well as sensitive information. This research introduced novel and effective APT attack detection techniques, namely Smart Flower Cosine Algorithm‐driven Deep Convolutional Neural Network (SFCA‐DeepCNN). Here, the APT attack detection is done by the DeepCNN, wherein the weight of DeepCNN is updated by the proposed SFCA. The SFCA is modeled by unifying the Smart Flower Optimization Algorithm (SFOA) and Sine Cosine Algorithm (SCA). Additionally, the pre‐processing process is done by Quantile normalization, and the features are chosen based on the fuzzy‐based distance measures. Moreover, data augmentation is done to increase the size of data by performing the oversampling that avoids the overfitting problems. Furthermore, the proposed optimized deep learning scheme detects the accurate APT detection outcome. The performance improvement of the proposed method for testing accuracy is 9.417%, 10.47%, 4.232%, and 3.068% higher than the existing methods, such as, Deep Learning, Support Vector Machine (SVM), Bidirectional Long Short‐Term Memory (Bi‐LSTM), and Hidden Markov Model (HMM).

APTSHIELD: A Stable, Efficient and Real-Time APT Detection System for Linux Hosts

Advanced Persistent Threat (APT) attack usually refers to the form of long-term, covert and sustained attack on specific targets, with an adversary using advanced attack techniques to destroy the key facilities of an organization. APT attacks have caused serious security threats and massive financial loss worldwide. Academics and industry thereby have proposed a series of solutions to detect APT attacks, such as dynamic/static code analysis, traffic detection, sandbox technology, endpoint detection and response (EDR), etc. However, existing defenses are failed to accurately and effectively defend against the current APT attacks that exhibit strong persistent, stealthy, diverse and dynamic characteristics due to the weak data source integrity, large data processing overhead and poor real-time performance in the process of real-world scenarios. To overcome these difficulties, in this paper we propose APTSHIELD, a stable, efficient and real-time APT detection system for Linux hosts. In the aspect of data collection, audit is selected to stably collect kernel data of the operating system so as to carry out a complete portrait of the attack based on comprehensive analysis and comparison of existing logging tools; In the aspect of data processing, redundant semantics skipping and non-viable node pruning are adopted to reduce the amount of data, so as to reduce the overhead of the detection system; In the aspect of attack detection, an APT attack detection framework based on ATT&CK model is designed to carry out real-time attack response and alarm through the transfer and aggregation of labels. Experimental results on both laboratory and Darpa Engagement show that our system can effectively detect web vulnerability attacks, file-less attacks and remote access trojan attacks, and has a low false positive rate, which adds far more value than the existing frontier work.

A prospective approach to detect advanced persistent threats: Utilizing hybrid optimization technique

Advanced Persistent Threat (APT) attacks pose significant challenges for AI models in detecting and mitigating sophisticated and highly effective cyber threats. This research introduces a novel concept called Hybrid HHOSSA which is the grouping of Harris Hawk Optimization (HHO) and Sparrow Search Algorithm (SSA) characteristics for optimizing the feature selection and data balancing in the context of APT detection. In addition, the light GBM as well as the weighted average Bi-LSTM are optimized by the proposed hybrid HHOSSA optimization. The HHOSSA-based attribute selection is used to choose the most important attributes from the provided dataset in the early step of the quasi-identifier detection. The HHOSSA-SMOTE algorithm effectively balances the unbalanced data, such as the lateral movements and the data exfiltration in the DAPT 2020 database, which further improves the classifier performance. The light GBM and the Bi-LSTM classifier hyperparameters are well attuned and classified by the HHOSSA optimization for the precise classification of the attacks. The outcome of both the optimized light GBM and the Bi-LSTM classifier generates the final prediction of the attacks existing in the network. According to the research findings, the HHOSSA-hybrid classifier achieves high accuracy in detecting attacks, with an accuracy rate of 94.468 %, a sensitivity of 94.650 %, and a specificity of 95.230 % with a K-fold value of 10. Also, the HHOSSA-hybrid classifier achieves the highest AUC percentage of 97.032, highlighting its exceptional performance in detecting APT attacks.

System-level data management for endpoint advanced persistent threat detection: Issues, challenges and trends

Advanced persistent threat (APT) attacks pose significant security threats to governments and large enterprises. Endpoint detection and response (EDR) methods, which are standard solutions to combat APT attacks, can efficaciously respond to associated security threats by leveraging the semantic richness of provenance graphs and clear causality relations to resist illegal tampering. However, the large number of audit logs produced over time, which provide key supporting information for EDR methods, lead to substantial computational overhead and increased storage costs. Therefore, a robust data management framework must be developed. However, most existing reviews discuss data collection, compression, and storage methods independently. Due to the lack of a comprehensive, structured survey of data management strategies, current data management analyses tend to be separated into individual modules, making it difficult to obtain prompt and precise guidance for higher-level security analysis tasks from these analyses. In this paper, a comprehensive and structured survey of data management strategies based on provenance graphs is conducted, the core ideas of the mainstream approaches to each aspect of data management are summarized, and existing approaches are systematically classified and compared. Then, the problems with individual data management modules are investigated, and potential complementary and collaborative strategies are examined based on the insights and challenges of existing work as a basis for recommending best practices for practical deployment. Finally, an ideal data management framework is described to guide future research.

Machine Learning for APT Detection

Nowadays, countries face a multitude of electronic threats that have permeated almost all business sectors, be it private corporations or public institutions. Among these threats, advanced persistent threats (APTs) stand out as a well-known example. APTs are highly sophisticated and stealthy computer network attacks meticulously designed to gain unauthorized access and persist undetected threats within targeted networks for extended periods. They represent a formidable cybersecurity challenge for governments, corporations, and individuals alike. Recognizing the gravity of APTs as one of the most critical cybersecurity threats, this study aims to reach a deeper understanding of their nature and propose a multi-stage framework for automated APT detection leveraging time series data. Unlike previous models, the proposed approach has the capability to detect real-time attacks based on stored attack scenarios. This study conducts an extensive review of existing research, identifying its strengths, weaknesses, and opportunities for improvement. Furthermore, standardized techniques have been enhanced to enhance their effectiveness in detecting APT attacks. The learning process relies on datasets sourced from various channels, including journal logs, traceability audits, and systems monitoring statistics. Subsequently, an efficient APT detection and prevention system, known as the composition-based decision tree (CDT), has been developed to operate in complex environments. The obtained results demonstrate that the proposed approach consistently outperforms existing algorithms in terms of detection accuracy and effectiveess.

A Systematic Literature Review and a Conceptual Framework Proposition for Advanced Persistent Threats (APT) Detection for Mobile Devices Using Artificial Intelligence Techniques

Advanced persistent threat (APT) refers to a specific form of targeted attack used by a well-organized and skilled adversary to remain undetected while systematically and continuously exfiltrating sensitive data. Various APT attack vectors exist, including social engineering techniques such as spear phishing, watering holes, SQL injection, and application repackaging. Various sensors and services are essential for a smartphone to assist in user behavior that involves sensitive information. Resultantly, smartphones have become the main target of APT attacks. Due to the vulnerability of smartphone sensors, several challenges have emerged, including the inadequacy of current methods for detecting APTs. Nevertheless, several existing APT solutions, strategies, and implementations have failed to provide comprehensive solutions. Detecting APT attacks remains challenging due to the lack of attention given to human behavioral factors contributing to APTs, the ambiguity of APT attack trails, and the absence of a clear attack fingerprint. In addition, there is a lack of studies using game theory or fuzzy logic as an artificial intelligence (AI) strategy for detecting APT attacks on smartphone sensors, besides the limited understanding of the attack that may be employed due to the complex nature of APT attacks. Accordingly, this study aimed to deliver a systematic review to report on the extant research concerning APT detection for mobile sensors, applications, and user behavior. The study presents an overview of works performed between 2012 and 2023. In total, 1351 papers were reviewed during the primary search. Subsequently, these papers were processed according to their titles, abstracts, and contents. The resulting papers were selected to address the research questions. A conceptual framework is proposed to incorporate the situational awareness model in line with adopting game theory as an AI technique used to generate APT-based tactics, techniques, and procedures (TTPs) and normal TTPs and cognitive decision making. This framework enhances security awareness and facilitates the detection of APT attacks on smartphone sensors, applications, and user behavior. It supports researchers in exploring the most significant papers on APTs related to mobile sensors, services, applications, and detection techniques using AI.

Blockchain-Based AI-Enabled Industry 4.0 CPS Protection Against Advanced Persistent Threat

Industry 4.0 is all about doing things in a concurrent, secure, and fine-grained manner. IoT edge-sensors and their associated data play a predominant role in today's industry ecosystem. Breaching data or forging source devices after injecting advanced persistent threats (APT) damages the industry owners' money and loss of operators' lives. The existing challenges include APT injection attacks targeting vulnerable edge devices, insecure data transportation, trust inconsistencies among stakeholders, incompliant data storing mechanisms, etc. Edge-servers often suffer because of their lightweight computation capacity to stamp out unauthorized data or instructions, which in essence, makes them exposed to attackers. When attackers target edge servers while transporting data using traditional PKI-rendered trusts, consortium blockchain (CBC) offers proven techniques to transfer and maintain those sensitive data securely. With the recent improvement of edge machine learning, edge devices can filter malicious data at their end which largely motivates us to institute a Blockchain and AI aligned APT detection system. The unique contributions of the paper include efficient APT detection at the edge and transparent recording of the detection history in an immutable blockchain ledger. In line with that, the certificateless data transfer mechanism boost trust among collaborators and ensure an economical and sustainable mechanism after eliminating existing certificate authority. Finally, the edge-compliant storage technique facilitates efficient predictive maintenance. The respective experimental outcomes reveal that the proposed technique outperforms the other competing systems and models.

E-APTDetect: Early Advanced Persistent Threat Detection in Critical Infrastructures with Dynamic Attestation

Advanced Persistent Threats (APTs) represent a complex series of techniques directed against a particular organization, where the perpetrator is able to hide its presence for a longer period of time (e.g., months, years). Previous such attacks have demonstrated the exceptional impact that a cyber attack may have on the operation of Supervisory Control And Data Acquisition Systems (SCADA), and, more specifically, on the underlying physical process. Existing techniques for the detection of APTs focus on aggregating results originating from a collection of anomaly detection agents. However, such approaches may require an extensive time period in case the process is in a steady-state. Conversely, this paper documents E-APTDetect, an approach that uses dynamic attestation and multi-level data fusion for the early detection of APTs. The methodology leverages sensitivity analysis and Dempster-Shafer’s Theory of Evidence as its building blocks. Extensive experiments are performed on a realistic Vinyl Acetate Monomer (VAM) process model. The model contains standard chemical unit operations and typical industrial characteristics, which make it suitable for a large variety of experiments. The experimental results conducted on the VAM process demonstrate E-APTDetect’s ability to efficiently detect APTs, but also highlight key aspects related to the attacker’s advantage. The experiments also highlight that the adversary’s advantage is affected by two major factors: the number of compromised components; and, the precision of manipulation.

APT Attack Detection Scheme Based on CK Sketch and DNS Traffic.

In recent years, Advanced Persistent Threat (APT) attacks against sensors have emerged as a prominent security concern. Due to the low level of protection provided by sensors, APT attack organizations are able to develop intrusion schemes that allow them to infiltrate, attack, lurk, spread, and steal information from the target over an extended period of time. Through extensive research on the APT attack process and current defense mechanisms, it has been found that analyzing Domain Name Server (DNS) traffic in the communication control phase is an effective way of detecting APT attacks. However, analyzing APT attacks based on traffic usually involves the detection of a vast amount of DNS traffic, and current data preprocessing methods do not scale down data effectively, leading to low detection efficiency. In previous work, most efforts have been focused on calculating the features of request messages or corresponding messages without considering the association between request messages and corresponding messages. To address these issues, we propose a sketch-based APT attack traffic detection scheme. The scheme leverages the sketch structure to count and compress network traffic, improving the efficiency of APT detection. Our work also analyzes the limitations of traditional sketches in network traffic and proposes an improved sketch scheme. In addition, we propose several effective features for detecting APT attacks. We validate and evaluate our solution using 1,088,280 DNS traffic from a lab network and APT suspicious traffic from netresec and contagio, using eight machine learning models. The experimental results show that for the ExtraTrees model, our solution has a processing time of 0.0638 s and an accuracy of 0.97920, reducing the processing time by approximately 50 times and improving detection accuracy by a small margin compared to a dataset without sketch processing.