{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,20]],"date-time":"2026-06-20T16:54:01Z","timestamp":1781974441347,"version":"3.54.5"},"reference-count":35,"publisher":"Springer Science and Business Media LLC","issue":"3","license":[{"start":{"date-parts":[[2023,3,20]],"date-time":"2023-03-20T00:00:00Z","timestamp":1679270400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2023,3,20]],"date-time":"2023-03-20T00:00:00Z","timestamp":1679270400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["SN COMPUT. SCI."],"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Advanced persistent threat (APT) is a serious concern in cyber-security that has matured and grown over the years with the advent of technology. The main aim of this study is to establish an effective identification model for APT attacks to prevent and reduce their influence. Machine learning has the potential as well as substantial background to detect and predict cyber-security threats including APT. This study utilized several boosting-based machine learning methods to predict various types of APTs that are consistent in cyber-security domain. Furthermore, Explainable Artificial Intelligence (XAI) was coupled with the predictions to provide actionable insights to the domain stakeholders as well as practitioners in this domain. The results, particularly XGBoost with weighted F1 score of 0.97 and SHapley Additive exPlanations (SHAP)-based explanation, prove that boosting methods as well as machine learning models paired with XAI are indeed promising in handling cyber-security-related dataset problems which can be extrapolated towards new avenues of challenging research by effectively deploying boosting-based XAI models.<\/jats:p>","DOI":"10.1007\/s42979-023-01744-x","type":"journal-article","created":{"date-parts":[[2023,3,20]],"date-time":"2023-03-20T16:03:13Z","timestamp":1679328193000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":31,"title":["Advanced Persistent Threat Identification with Boosting and Explainable AI"],"prefix":"10.1007","volume":"4","author":[{"given":"Md. Mahadi","family":"Hasan","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Muhammad Usama","family":"Islam","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0735-9038","authenticated-orcid":false,"given":"Jasim","family":"Uddin","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2023,3,20]]},"reference":[{"issue":"5","key":"1744_CR1","doi-asserted-by":"publisher","first-page":"973","DOI":"10.1016\/j.jcss.2014.02.005","volume":"80","author":"J Jang-Jaccard","year":"2014","unstructured":"Jang-Jaccard J, Nepal S. A survey of emerging threats in cybersecurity. J Comput Syst Sci. 2014;80(5):973\u201393. https:\/\/doi.org\/10.1016\/j.jcss.2014.02.005.","journal-title":"J Comput Syst Sci"},{"issue":"4","key":"1744_CR2","first-page":"2013","volume":"4","author":"MK Daly","year":"2009","unstructured":"Daly MK. Advanced persistent threat. Usenix. 2009;4(4):2013\u20136.","journal-title":"Usenix"},{"key":"1744_CR3","doi-asserted-by":"publisher","first-page":"349","DOI":"10.1016\/j.future.2018.06.055","volume":"89","author":"I Ghafir","year":"2018","unstructured":"Ghafir I, Hammoudeh M, Prenosil V, Han L, Hegarty R, Rabie K, Aparicio-Navarro FJ. Detection of advanced persistent threat using machine-learning correlation analysis. Futur Gener Comput Syst. 2018;89:349\u201359. https:\/\/doi.org\/10.1016\/j.future.2018.06.055.","journal-title":"Futur Gener Comput Syst"},{"issue":"2","key":"1744_CR4","doi-asserted-by":"publisher","first-page":"1153","DOI":"10.1109\/COMST.2015.2494502","volume":"18","author":"AL Buczak","year":"2015","unstructured":"Buczak AL, Guven E. A survey of data mining and machine learning methods for cyber security intrusion detection. IEEE Commun Surv Tutor. 2015;18(2):1153\u201376. https:\/\/doi.org\/10.1109\/COMST.2015.2494502.","journal-title":"IEEE Commun Surv Tutor"},{"key":"1744_CR5","doi-asserted-by":"publisher","first-page":"35","DOI":"10.1016\/j.cose.2014.09.006","volume":"48","author":"I Friedberg","year":"2015","unstructured":"Friedberg I, Skopik F, Settanni G, Fiedler R. Combating advanced persistent threats: from network event correlation to incident detection. Comput Secur. 2015;48:35\u201357. https:\/\/doi.org\/10.1016\/j.cose.2014.09.006.","journal-title":"Comput Secur"},{"key":"1744_CR6","doi-asserted-by":"publisher","unstructured":"Siddiqui S, Khan MS, Ferens K, Kinsner W. Detecting advanced persistent threats using fractal dimension based machine learning classification. In: Proceedings of the 2016 ACM on International Workshop on Security and Privacy Analytics, 2016;p. 64\u20139. https:\/\/doi.org\/10.1145\/2875475.2875484","DOI":"10.1145\/2875475.2875484"},{"key":"1744_CR7","doi-asserted-by":"publisher","unstructured":"Brogi G, Tong VVT. Terminaptor: Highlighting advanced persistent threats through information flow tracking. In: 2016 8th IFIP International Conference on New Technologies, Mobility and Security (NTMS), 2016;p. 1\u20135. https:\/\/doi.org\/10.1109\/NTMS.2016.7792480. IEEE.","DOI":"10.1109\/NTMS.2016.7792480"},{"issue":"3","key":"1744_CR8","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3386581","volume":"1","author":"G Laurenza","year":"2020","unstructured":"Laurenza G, Lazzeretti R, Mazzotti L. Malware triage for early identification of advanced persistent threat activities. Digit Threats. 2020;1(3):1\u201317. https:\/\/doi.org\/10.1145\/3386581.","journal-title":"Digit Threats"},{"issue":"13","key":"1744_CR9","doi-asserted-by":"publisher","first-page":"6816","DOI":"10.3390\/app12136816","volume":"12","author":"H Neuschmied","year":"2022","unstructured":"Neuschmied H, Winter M, Stojanovi\u0107 B, Hofer-Schmitz K, Bo\u017ei\u0107 J, Kleb U. Apt-attack detection based on multi-stage autoencoders. Appl Sci. 2022;12(13):6816. https:\/\/doi.org\/10.3390\/app12136816.","journal-title":"Appl Sci"},{"issue":"2","key":"1744_CR10","doi-asserted-by":"publisher","first-page":"757","DOI":"10.1109\/TDSC.2021.3130944","volume":"19","author":"H Li","year":"2021","unstructured":"Li H, Wu J, Xu H, Li G, Guizani M. Explainable intelligence-driven defense mechanism against advanced persistent threats: a joint edge game and AI approach. IEEE Trans Dependable Secure Comput. 2021;19(2):757\u201375. https:\/\/doi.org\/10.1109\/TDSC.2021.3130944.","journal-title":"IEEE Trans Dependable Secure Comput"},{"issue":"1","key":"1744_CR11","doi-asserted-by":"publisher","first-page":"16","DOI":"10.1016\/j.jnca.2012.09.004","volume":"36","author":"H-J Liao","year":"2013","unstructured":"Liao H-J, Lin C-HR, Lin Y-C, Tung K-Y. Intrusion detection system: a comprehensive review. J Netw Comput Appl. 2013;36(1):16\u201324. https:\/\/doi.org\/10.1016\/j.jnca.2012.09.004.","journal-title":"J Netw Comput Appl"},{"issue":"1","key":"1744_CR12","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1186\/s42400-019-0038-7","volume":"2","author":"A Khraisat","year":"2019","unstructured":"Khraisat A, Gondal I, Vamplew P, Kamruzzaman J. Survey of intrusion detection systems: techniques, datasets and challenges. Cybersecurity. 2019;2(1):1\u201322. https:\/\/doi.org\/10.1186\/s42400-019-0038-7.","journal-title":"Cybersecurity"},{"key":"1744_CR13","doi-asserted-by":"publisher","unstructured":"Javaid A, Niyaz Q, Sun W, Alam M. A deep learning approach for network intrusion detection system. In: Proceedings of the 9th EAI International Conference on Bio-inspired Information and Communications Technologies (formerly BIONETICS), 2016;p. 21\u20136. https:\/\/doi.org\/10.4108\/eai.3-12-2015.2262516","DOI":"10.4108\/eai.3-12-2015.2262516"},{"issue":"2","key":"1744_CR14","doi-asserted-by":"publisher","first-page":"1851","DOI":"10.1109\/COMST.2019.2891891","volume":"21","author":"A Alshamrani","year":"2019","unstructured":"Alshamrani A, Myneni S, Chowdhary A, Huang D. A survey on advanced persistent threats: techniques, solutions, challenges, and research opportunities. IEEE Commun Surv Tutor. 2019;21(2):1851\u201377. https:\/\/doi.org\/10.1109\/COMST.2019.2891891.","journal-title":"IEEE Commun Surv Tutor"},{"key":"1744_CR15","doi-asserted-by":"publisher","unstructured":"Saud Z, Islam MH. Towards proactive detection of advanced persistent threat (apt) attacks using honeypots. In: Proceedings of the 8th International Conference on Security of Information and Networks, 2015;p. 154\u20137. https:\/\/doi.org\/10.1109\/COMST.2019.2891891","DOI":"10.1109\/COMST.2019.2891891"},{"key":"1744_CR16","doi-asserted-by":"publisher","first-page":"633","DOI":"10.1016\/j.ins.2020.08.095","volume":"546","author":"W Han","year":"2021","unstructured":"Han W, Xue J, Wang Y, Zhang F, Gao X. Aptmalinsight: identify and cognize apt malware based on system call information and ontology knowledge framework. Inf Sci. 2021;546:633\u201364. https:\/\/doi.org\/10.1016\/j.ins.2020.08.095.","journal-title":"Inf Sci"},{"key":"1744_CR17","doi-asserted-by":"publisher","unstructured":"Milajerdi SM, Gjomemo R, Eshete B, Sekar R, Venkatakrishnan V. Holmes: real-time apt detection through correlation of suspicious information flows. In: 2019 IEEE Symposium on Security and Privacy (SP), 2019;p. 1137\u201352. https:\/\/doi.org\/10.1109\/SP.2019.00026. IEEE","DOI":"10.1109\/SP.2019.00026"},{"key":"1744_CR18","doi-asserted-by":"publisher","DOI":"10.1155\/2017\/4916953","author":"W Niu","year":"2017","unstructured":"Niu W, Zhang X, Yang G, Zhu J, Ren Z. Identifying apt malware domain based on mobile DNS logging. Math Prob Eng. 2017. https:\/\/doi.org\/10.1155\/2017\/4916953.","journal-title":"Math Prob Eng"},{"key":"1744_CR19","doi-asserted-by":"publisher","unstructured":"Myneni S, Chowdhary A, Sabur A, Sengupta S, Agrawal G, Huang D, Kang M. Dapt 2020-constructing a benchmark dataset for advanced persistent threats. In: International Workshop on Deployable Machine Learning for Security Defense, 2020;p. 138\u201363. https:\/\/doi.org\/10.1007\/978-3-030-59621-7_8. Springer.","DOI":"10.1007\/978-3-030-59621-7_8"},{"issue":"3","key":"1744_CR20","doi-asserted-by":"publisher","first-page":"162","DOI":"10.1109\/LNET.2022.3185553","volume":"4","author":"J Liu","year":"2022","unstructured":"Liu J, Shen Y, Simsek M, Kantarci B, Mouftah HT, Bagheri M, Djukic P. A new realistic benchmark for advanced persistent threats in network traffic. IEEE Network Lett. 2022;4(3):162\u20136. https:\/\/doi.org\/10.1109\/LNET.2022.3185553.","journal-title":"IEEE Network Lett"},{"key":"1744_CR21","doi-asserted-by":"publisher","unstructured":"Shen Y, Simsek M, Kantarci B, Mouftah HT, Bagheri M, Djukic P. Prior knowledge based advanced persistent threats detection for IoT in a realistic benchmark. arXiv preprint arXiv:2208.05089 2022; https:\/\/doi.org\/10.48550\/arXiv.2208.05089.","DOI":"10.48550\/arXiv.2208.05089"},{"key":"1744_CR22","unstructured":"ReportLinker: Anomaly detection global market report 2022. ReportLinker (2022). https:\/\/www.globenewswire.com\/news-release\/2022\/09\/30\/2526074\/0\/en\/Anomaly-Detection-Global-Market-Report-2022.html."},{"key":"1744_CR23","doi-asserted-by":"publisher","unstructured":"Liu J, Shen Y, Simsek M, Kantarci B, Mouftah HT, Bagheri M, Djukic P. SCVIC-APT-2021. https:\/\/doi.org\/10.21227\/g2z5-ep97","DOI":"10.21227\/g2z5-ep97"},{"issue":"3","key":"1744_CR24","doi-asserted-by":"publisher","first-page":"349","DOI":"10.4310\/SII.2009.v2.n3.a8","volume":"2","author":"T Hastie","year":"2009","unstructured":"Hastie T, Rosset S, Zhu J, Zou H. Multi-class adaboost. Stat Interface. 2009;2(3):349\u201360. https:\/\/doi.org\/10.4310\/SII.2009.v2.n3.a8.","journal-title":"Stat Interface"},{"key":"1744_CR25","doi-asserted-by":"crossref","unstructured":"Friedman JH. Greedy function approximation: a gradient boosting machine. Ann Stat. 2001;1189\u2013232","DOI":"10.1214\/aos\/1013203451"},{"issue":"1","key":"1744_CR26","doi-asserted-by":"publisher","first-page":"6","DOI":"10.5281\/zenodo.3607805","volume":"13","author":"E Al Daoud","year":"2019","unstructured":"Al Daoud E. Comparison between xgboost, lightgbm and catboost using a home credit dataset. Int J Comput Inf Eng. 2019;13(1):6\u201310. https:\/\/doi.org\/10.5281\/zenodo.3607805.","journal-title":"Int J Comput Inf Eng"},{"key":"1744_CR27","doi-asserted-by":"publisher","first-page":"216","DOI":"10.1016\/j.patcog.2019.02.023","volume":"91","author":"A Luque","year":"2019","unstructured":"Luque A, Carrasco A, Mart\u00edn A, de Las Heras A. The impact of class imbalance in classification performance metrics based on the binary confusion matrix. Pattern Recogn. 2019;91:216\u201331. https:\/\/doi.org\/10.1016\/j.patcog.2019.02.023.","journal-title":"Pattern Recogn"},{"key":"1744_CR28","doi-asserted-by":"publisher","first-page":"45","DOI":"10.1007\/978-3-319-78503-5_6","volume-title":"Evaluation metrics and evaluation","author":"H Dalianis","year":"2018","unstructured":"Dalianis H. Evaluation metrics and evaluation. Cham: Springer; 2018. p. 45\u201353. https:\/\/doi.org\/10.1007\/978-3-319-78503-5_6."},{"issue":"1","key":"1744_CR29","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1186\/s12864-019-6413-7","volume":"21","author":"D Chicco","year":"2020","unstructured":"Chicco D, Jurman G. The advantages of the matthews correlation coefficient (mcc) over f1 score and accuracy in binary classification evaluation. BMC Genomics. 2020;21(1):1\u201313. https:\/\/doi.org\/10.1186\/s12864-019-6413-7.","journal-title":"BMC Genomics"},{"key":"1744_CR30","doi-asserted-by":"publisher","DOI":"10.1016\/j.jeap.2021.101026","volume":"53","author":"G Rau","year":"2021","unstructured":"Rau G, Shih Y-S. Evaluation of Cohen\u2019s kappa and other measures of inter-rater agreement for genre analysis and other nominal data. J Engl Acad Purp. 2021;53: 101026. https:\/\/doi.org\/10.1016\/j.jeap.2021.101026.","journal-title":"J Engl Acad Purp"},{"key":"1744_CR31","doi-asserted-by":"publisher","unstructured":"Yessou H, Sumbul G, Demir B. A comparative study of deep learning loss functions for multi-label remote sensing image classification. In: IGARSS 2020-2020 IEEE International Geoscience and Remote Sensing Symposium, 2020;p. 1349\u201352. https:\/\/doi.org\/10.1109\/IGARSS39084.2020.9323583. IEEE.","DOI":"10.1109\/IGARSS39084.2020.9323583"},{"key":"1744_CR32","doi-asserted-by":"publisher","unstructured":"Xu F, Uszkoreit H, Du Y, Fan W, Zhao D, Zhu J. Explainable AI: a brief survey on history, research areas, approaches and challenges. In: CCF International Conference on Natural Language Processing and Chinese Computing, p. 563\u201374 (2019). https:\/\/doi.org\/10.1007\/978-3-030-32236-6_51. Springer.","DOI":"10.1007\/978-3-030-32236-6_51"},{"key":"1744_CR33","doi-asserted-by":"publisher","unstructured":"Krajna A, Kovac M, Brcic M, \u0160ar\u010devi\u0107 A. Explainable artificial intelligence: an updated perspective. In: 2022 45th Jubilee International Convention on Information, Communication and Electronic Technology (MIPRO), 2022;p. 859\u201364 . https:\/\/doi.org\/10.23919\/MIPRO55190.2022.9803681. IEEE.","DOI":"10.23919\/MIPRO55190.2022.9803681"},{"key":"1744_CR34","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-96630-0_1","author":"MU Islam","year":"2022","unstructured":"Islam MU, Mottalib M, Hassan M, Alam ZI, Zobaed S, Rabby F, et al. The past, present, and prospective future of xai: a comprehensive review. Explain Artif Intell Cyber Secur. 2022. https:\/\/doi.org\/10.1007\/978-3-030-96630-0_1.","journal-title":"Explain Artif Intell Cyber Secur"},{"key":"1744_CR35","unstructured":"Lundberg SM, Lee S-I. A unified approach to interpreting model predictions. Adv Neural Inf Process Syst. 2017;30."}],"container-title":["SN Computer Science"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s42979-023-01744-x.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s42979-023-01744-x\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s42979-023-01744-x.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,4,30]],"date-time":"2023-04-30T10:19:02Z","timestamp":1682849942000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s42979-023-01744-x"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,3,20]]},"references-count":35,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2023,5]]}},"alternative-id":["1744"],"URL":"https:\/\/doi.org\/10.1007\/s42979-023-01744-x","relation":{},"ISSN":["2661-8907"],"issn-type":[{"value":"2661-8907","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,3,20]]},"assertion":[{"value":"17 October 2022","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"4 January 2023","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"20 March 2023","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that there is no conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of Interest"}}],"article-number":"271"}}