{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,11]],"date-time":"2026-04-11T11:12:13Z","timestamp":1775905933951,"version":"3.50.1"},"reference-count":38,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2025,8,30]],"date-time":"2025-08-30T00:00:00Z","timestamp":1756512000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2025,8,30]],"date-time":"2025-08-30T00:00:00Z","timestamp":1756512000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"Manipal Academy of Higher Education, Manipal"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["J Big Data"],"abstract":"<jats:title>Abstract<\/jats:title>\n          <jats:p>Advanced Persistent Threats (APTs) are among the most dangerous cyberattacks due to their stealth, persistence, and ability to evade traditional intrusion detection systems. This study proposes a novel and optimized hybrid ensemble-based machine learning model for detecting APTs, using the realistically simulated Unraveled dataset, which captures long-term, stealthy attack behaviors often missed by conventional datasets. Existing machine learning models often fall short in identifying such threats, particularly due to their inability to capture temporal dependencies and their reliance on monolithic feature spaces that limit adaptability. The model integrates Long Short-Term Memory (LSTM) networks, K-Nearest Neighbors (KNN), and Logistic Regression (LR) algorithms to leverage the unique strengths of each. A key novelty lies in the logical division of the top 21 predictive features across the three classifiers based on their suitability for temporal, statistical, and relational patterns. Feature selection techniques, including Information Value (IV), Weight of Evidence (WoE), and XGBoost were employed to identify these features. The initial ensemble model achieved 97.12% accuracy, demonstrating its effectiveness even before optimization. After fine-tuning LSTM and LR, the accuracy improves to 99.94%. This 2.82% gain confirms the impact of model-specific tuning and feature partitioning. This significant performance improvement highlights the critical role of strategic feature partitioning and individualized model tuning in enhancing APT detection capabilities. The proposed approach offers a scalable and interpretable solution to address the complex nature of APTs and strengthens the robustness of modern intrusion detection systems.<\/jats:p>","DOI":"10.1186\/s40537-025-01272-w","type":"journal-article","created":{"date-parts":[[2025,8,30]],"date-time":"2025-08-30T07:02:35Z","timestamp":1756537355000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":4,"title":["An optimized hybrid ensemble machine learning model combining multiple classifiers for detecting advanced persistent threats in networks"],"prefix":"10.1186","volume":"12","author":[{"given":"Nadim","family":"Ibrahim","sequence":"first","affiliation":[]},{"given":"N. R.","family":"Rajalakshmi","sequence":"additional","affiliation":[]},{"given":"V.","family":"Sivakumar","sequence":"additional","affiliation":[]},{"given":"L.","family":"Sharmila","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,8,30]]},"reference":[{"issue":"July 2022","key":"1272_CR1","doi-asserted-by":"publisher","first-page":"108548","DOI":"10.1016\/j.compeleceng.2022.108548","volume":"105","author":"NE Park","year":"2023","unstructured":"Park NE, et al. Performance evaluation of a fast and efficient intrusion detection framework for advanced persistent threat-based cyberattacks. Comput Electr Eng. 2023;105(July 2022):108548. https:\/\/doi.org\/10.1016\/j.compeleceng.2022.108548.","journal-title":"Comput Electr Eng"},{"key":"1272_CR2","doi-asserted-by":"publisher","first-page":"316","DOI":"10.1016\/j.procs.2019.02.058","volume":"150","author":"DX Cho","year":"2019","unstructured":"Cho DX, Nam HH. A method of monitoring and detecting APT attacks based on unknown domains. Procedia Comput Sci. 2019;150:316\u201323. https:\/\/doi.org\/10.1016\/j.procs.2019.02.058.","journal-title":"Procedia Comput Sci"},{"key":"1272_CR3","doi-asserted-by":"publisher","DOI":"10.3390\/app10113874","author":"S Quintero-Bonilla","year":"2020","unstructured":"Quintero-Bonilla S, del Rey AM. A new proposal on the advanced persistent threat: a survey. Appl Sci. 2020. https:\/\/doi.org\/10.3390\/app10113874.","journal-title":"Appl Sci"},{"key":"1272_CR4","doi-asserted-by":"publisher","unstructured":"Rot A, Olszewski B. Advanced persistent threats attacks in cyberspace. Threats, vulnerabilities, methods of protection, Position papers of the 2017 federated conference on computer science and information systems, vol. 12. 2017, p. 113\u2013117. https:\/\/doi.org\/10.15439\/2017f488.","DOI":"10.15439\/2017f488"},{"issue":"S4","key":"1272_CR5","doi-asserted-by":"publisher","first-page":"439","DOI":"10.62441\/nano-ntp.v20iS4.33","volume":"20","author":"N Ibrahim","year":"2024","unstructured":"Ibrahim N, Rajalakshmi NR, Hammadeh K. Exploration of defensive strategies, detection mechanisms, and response tactics against advanced persistent threats APTs. Nanotechnol Perceptions. 2024;20(S4):439\u201355. https:\/\/doi.org\/10.62441\/nano-ntp.v20iS4.33.","journal-title":"Nanotechnol Perceptions"},{"issue":"11 Special Issu","key":"1272_CR6","doi-asserted-by":"publisher","first-page":"1281","DOI":"10.35940\/ijitee.K1258.09811S19","volume":"8","author":"G Arulkumaran","year":"2019","unstructured":"Arulkumaran G, Rajalakshmi NR. Named data networking (NDN), internet architecture design and security attacks. Int J Innov Technol Explor Eng. 2019;8(11 Special Issue):1281\u20134. https:\/\/doi.org\/10.35940\/ijitee.K1258.09811S19.","journal-title":"Int J Innov Technol Explor Eng"},{"key":"1272_CR7","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2021.107937","author":"L Shang","year":"2021","unstructured":"Shang L, Guo D, Ji Y, Li Q. Discovering unknown advanced persistent threat using shared features mined by neural networks. Comput Netw. 2021. https:\/\/doi.org\/10.1016\/j.comnet.2021.107937.","journal-title":"Comput Netw."},{"key":"1272_CR8","unstructured":"Khan MA. HCRNNIDS\u202f: hybrid convolutional recurrent neural. Multidiscip Digit Publ Inst 2021."},{"key":"1272_CR9","doi-asserted-by":"publisher","unstructured":"Wang F, Li R, Zhang Z. APTSID: an ensemble learning method for APT attack stage identification. In: Proceedings of 2021 5th Asian conference on artificial intelligence technology, ACAIT 2021. 2021. p. 190\u2013195. https:\/\/doi.org\/10.1109\/ACAIT53529.2021.9731169.","DOI":"10.1109\/ACAIT53529.2021.9731169"},{"issue":"July 2022","key":"1272_CR10","doi-asserted-by":"publisher","first-page":"109688","DOI":"10.1016\/j.comnet.2023.109688","volume":"227","author":"S Myneni","year":"2023","unstructured":"Myneni S, et al. Unraveled\u2014a semi-synthetic dataset for Advanced Persistent Threats. Comput Netw. 2023;227(July 2022):109688. https:\/\/doi.org\/10.1016\/j.comnet.2023.109688.","journal-title":"Comput Netw"},{"issue":"3","key":"1272_CR11","doi-asserted-by":"publisher","first-page":"19","DOI":"10.14569\/IJACSA.2023.0140303","volume":"14","author":"F Shen","year":"2023","unstructured":"Shen F, Liu Z, Perigo L. Strategic monitoring for efficient detection of simultaneous APT attacks with limited resources. Int J Adv Comput Sci Appl. 2023;14(3):19\u201324. https:\/\/doi.org\/10.14569\/IJACSA.2023.0140303.","journal-title":"Int J Adv Comput Sci Appl"},{"key":"1272_CR12","doi-asserted-by":"publisher","first-page":"82512","DOI":"10.1109\/ACCESS.2019.2923640","volume":"7","author":"X Gao","year":"2019","unstructured":"Gao X, Shan C, Hu C, Niu Z, Liu Z. An adaptive ensemble machine learning model for intrusion detection. IEEE Access. 2019;7:82512\u201321. https:\/\/doi.org\/10.1109\/ACCESS.2019.2923640.","journal-title":"IEEE Access"},{"issue":"5","key":"1272_CR13","doi-asserted-by":"publisher","first-page":"1","DOI":"10.3390\/electronics11050742","volume":"11","author":"SH Javed","year":"2022","unstructured":"Javed SH, Bin Ahmad M, Asif M, Almotiri SH, Masood K, AlGhamdi MA. An intelligent system to detect advanced persistent threats in industrial internet of things (I-IoT). Electron. 2022;11(5):1\u201325. https:\/\/doi.org\/10.3390\/electronics11050742.","journal-title":"Electron"},{"key":"1272_CR14","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2022.102875","author":"M Abu Talib","year":"2022","unstructured":"Abu Talib M, Nasir Q, Bou Nassif A, Mokhamed T, Ahmed N, Mahfood B. APT beaconing detection: a systematic review. Comput Secur. 2022. https:\/\/doi.org\/10.1016\/j.cose.2022.102875.","journal-title":"Comput Secur"},{"key":"1272_CR15","doi-asserted-by":"publisher","DOI":"10.1007\/s44196-023-00369-5","author":"W Ren","year":"2023","unstructured":"Ren W, et al. APT attack detection based on graph convolutional neural networks. Int J Comput Intell Syst. 2023. https:\/\/doi.org\/10.1007\/s44196-023-00369-5.","journal-title":"Int J Comput Intell Syst"},{"issue":"18","key":"1272_CR16","doi-asserted-by":"publisher","DOI":"10.3390\/su151813820","volume":"15","author":"AS AL-Aamri","year":"2023","unstructured":"AL-Aamri AS, Abdulghafor R, Turaev S, Al-Shaikhli I, Zeki A, Talib S. Machine learning for APT detection. Sustainability. 2023;15(18): 13820. https:\/\/doi.org\/10.3390\/su151813820.","journal-title":"Sustainability"},{"issue":"5","key":"1272_CR17","doi-asserted-by":"publisher","first-page":"326","DOI":"10.22266\/ijies2022.1031.29","volume":"15","author":"SR Kothuri","year":"2022","unstructured":"Kothuri SR, RajaLakshmi NR. MALO-LSTM: multimodal sentiment analysis using modified ant lion optimization with long short term memory network. Int J Intell Eng Syst. 2022;15(5):326\u201335. https:\/\/doi.org\/10.22266\/ijies2022.1031.29.","journal-title":"Int J Intell Eng Syst"},{"key":"1272_CR18","doi-asserted-by":"publisher","unstructured":"Karapoola S, Singh N, Rebeiro C. SUNDEW: an ensemble of predictors for case-sensitive detection of malware. arXiv e-prints, p. arXiv:2211.06153, Nov. 2022, https:\/\/doi.org\/10.48550\/arXiv.2211.06153.","DOI":"10.48550\/arXiv.2211.06153"},{"issue":"28","key":"1272_CR19","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1002\/cpe.7865","volume":"35","author":"N Saini","year":"2023","unstructured":"Saini N, Bhat Kasaragod V, Prakasha K, Das AK. A hybrid ensemble machine learning model for detecting APT attacks based on network behavior anomaly detection. Concurr Comput Pract Exp. 2023;35(28):1\u201327. https:\/\/doi.org\/10.1002\/cpe.7865.","journal-title":"Concurr Comput Pract Exp"},{"key":"1272_CR20","doi-asserted-by":"publisher","DOI":"10.1016\/j.sintl.2024.100297","volume":"6","author":"YK Saheed","year":"2025","unstructured":"Saheed YK, Omole AI, Sabit MO. GA-mADAM-IIoT: a new lightweight threats detection in the industrial IoT via genetic algorithm with attention mechanism and LSTM on multivariate time series sensor data. Sensors Int. 2025;6: 100297. https:\/\/doi.org\/10.1016\/j.sintl.2024.100297.","journal-title":"Sensors Int"},{"key":"1272_CR21","doi-asserted-by":"publisher","unstructured":"Rajalakshmi NR, Saravanan S, Singha A. Surplus data prediction and classification of textual-data using machine and deep learning comparative analysis. In 2023 International conference on communication, security and artificial intelligence, ICCSAI 2023. 2023. p. 329\u2013334. https:\/\/doi.org\/10.1109\/ICCSAI59793.2023.10421287.","DOI":"10.1109\/ICCSAI59793.2023.10421287"},{"issue":"August","key":"1272_CR22","doi-asserted-by":"publisher","first-page":"103445","DOI":"10.1016\/j.cose.2023.103445","volume":"134","author":"M Imran","year":"2023","unstructured":"Imran M, Siddiqui HUR, Raza A, Raza MA, Rustam F, Ashraf I. A performance overview of machine learning-based defense strategies for advanced persistent threats in industrial control systems. Comput Secur. 2023;134(August):103445. https:\/\/doi.org\/10.1016\/j.cose.2023.103445.","journal-title":"Comput Secur"},{"issue":"9","key":"1272_CR23","doi-asserted-by":"publisher","first-page":"484","DOI":"10.14569\/IJACSA.2023.0140952","volume":"14","author":"K Hammadeh","year":"2023","unstructured":"Hammadeh K, Kavitha M. Unraveling ransomware: detecting threats with advanced machine learning algorithms. Int J Adv Comput Sci Appl. 2023;14(9):484\u201391. https:\/\/doi.org\/10.14569\/IJACSA.2023.0140952.","journal-title":"Int J Adv Comput Sci Appl"},{"key":"1272_CR24","doi-asserted-by":"publisher","DOI":"10.1002\/ett.5029","author":"R Ji","year":"2024","unstructured":"Ji R, Padha D, Singh Y, Sharma S. Review of intrusion detection system in cyber-physical system based networks: characteristics, industrial protocols, attacks, data sets and challenges. Trans Emerging Telecommun Technol. 2024. https:\/\/doi.org\/10.1002\/ett.5029.","journal-title":"Trans Emerging Telecommun Technol"},{"key":"1272_CR25","doi-asserted-by":"publisher","unstructured":"Reddy GT, et al. An ensemble based machine learning model for diabetic retinopathy classification. In: International conference on emerging trends in information technology and engineering ic-ETITE 2020. 2020. p. 1\u20136. https:\/\/doi.org\/10.1109\/ic-ETITE47903.2020.235.","DOI":"10.1109\/ic-ETITE47903.2020.235"},{"key":"1272_CR26","doi-asserted-by":"publisher","unstructured":"Selvaraj K, Singh MM. APT attack detection using packet flow and optimized ensemble machine learning with low time complexity. In: IEEE symposium on wireless technology and applications ISWTA. 2024. p. 229\u2013234. https:\/\/doi.org\/10.1109\/ISWTA62130.2024.10652055.","DOI":"10.1109\/ISWTA62130.2024.10652055"},{"key":"1272_CR27","doi-asserted-by":"publisher","unstructured":"Arefin S, Chowdhury M, Parvez R, Ahmed T, Abrar AFMS, Sumaiya F. Understanding APT detection using Machine learning algorithms: Is superior accuracy a thing? In IEEE international conference on electro information technology. 2024, p. 532\u2013537. https:\/\/doi.org\/10.1109\/eIT60633.2024.10609886.","DOI":"10.1109\/eIT60633.2024.10609886"},{"key":"1272_CR28","unstructured":"Karapoola S, Singh N, Rebeiro C. \u201cSUNDEW: an ensemble of predictors for case-sensitive detection of malware. 2022. p. 1\u201314 [Online]. http:\/\/arxiv.org\/abs\/2211.06153"},{"issue":"2","key":"1272_CR29","doi-asserted-by":"publisher","first-page":"31","DOI":"10.31838\/jvcs\/06.02.04","volume":"6","author":"N Ibrahim","year":"2024","unstructured":"Ibrahim N, Rajalakshmi NR, Hammadeh K. A novel machine learning model for early detection of advanced persistent threats utilizing semi-synthetic network traffic data. J VLSI Circuits Syst. 2024;6(2):31\u20139. https:\/\/doi.org\/10.31838\/jvcs\/06.02.04.","journal-title":"J VLSI Circuits Syst"},{"issue":"April","key":"1272_CR30","doi-asserted-by":"publisher","first-page":"81118","DOI":"10.1109\/ACCESS.2025.3566980","volume":"13","author":"YK Saheed","year":"2025","unstructured":"Saheed YK, Chukwuere JE. CPS-IIoT-P2Attention: explainable privacy-preserving with scaled dot-product attention in cyber physical system-industrial IoT network. IEEE Access. 2025;13(April):81118\u201342. https:\/\/doi.org\/10.1109\/ACCESS.2025.3566980.","journal-title":"IEEE Access"},{"issue":"S4","key":"1272_CR31","doi-asserted-by":"publisher","first-page":"514","DOI":"10.62441\/nano-ntp.v20iS4.39","volume":"20","author":"K Hammadeh","year":"2024","unstructured":"Hammadeh K, Kavitha M, Ibrahim N. Enhancing cybersecurity in software-defined networking: a hybrid approach for advanced DDoS detection and mitigation. Nanotechnol Perceptions. 2024;20(S4):514\u201329. https:\/\/doi.org\/10.62441\/nano-ntp.v20iS4.39.","journal-title":"Nanotechnol Perceptions"},{"issue":"August","key":"1272_CR32","doi-asserted-by":"publisher","first-page":"110713","DOI":"10.1109\/ACCESS.2024.3441037","volume":"12","author":"X Dastile","year":"2024","unstructured":"Dastile X, Celik T. Counterfactual explanations with multiple properties in credit scoring. IEEE Access. 2024;12(August):110713\u201328. https:\/\/doi.org\/10.1109\/ACCESS.2024.3441037.","journal-title":"IEEE Access"},{"key":"1272_CR33","unstructured":"Rajalakshmi NR, Balaji N. A vikor method for distributing load balanced virtual machine in cloud data center. Int J Appl Eng Res 2015; 10(4): 10127\u201310136. https:\/\/www.scopus.com\/inward\/record.uri?eid=2-s2.0-84927747947&partnerID=40&md5=c8215c62f2aa3c26f443d460ce9bcdc4"},{"key":"1272_CR34","doi-asserted-by":"publisher","DOI":"10.1007\/s43538-024-00372-0","author":"R Ji","year":"2024","unstructured":"Ji R, Kumar N, Padha D. CNN-GWO-voting & hybrid: ensemble learning inspired intrusion detection approaches for cyber-physical systems. Proc Indian Natl Sci Acad. 2024. https:\/\/doi.org\/10.1007\/s43538-024-00372-0.","journal-title":"Proc Indian Natl Sci Acad"},{"key":"1272_CR35","doi-asserted-by":"publisher","DOI":"10.1002\/spy2.497","author":"R Ji","year":"2025","unstructured":"Ji R, Selwal A, Kumar N, Padha D. Cascading bagging and boosting ensemble methods for intrusion detection in cyber-physical systems. Secur Privacy. 2025. https:\/\/doi.org\/10.1002\/spy2.497.","journal-title":"Secur Privacy"},{"issue":"3","key":"1272_CR36","doi-asserted-by":"publisher","first-page":"80","DOI":"10.22266\/ijies2024.0630.07","volume":"17","author":"TJ Rani","year":"2024","unstructured":"Rani TJ. Classification of epileptic seizures using LSTM based zebra optimization algorithm with hyperparameter tuning\u201d. Int J Intell Eng Syst. 2024;17(3):80\u201391. https:\/\/doi.org\/10.22266\/ijies2024.0630.07.","journal-title":"Int J Intell Eng Syst"},{"key":"1272_CR37","doi-asserted-by":"publisher","unstructured":"Sharafaldin I, Lashkari AH, Ghorbani AA. Toward generating a new intrusion detection dataset and intrusion traffic characterization. In: ICISSP 2018\u2014Proceedings of the 4th international conference on information system security and privacy, vol. 2018-Janua, no. Cic. 2018, p. 108\u2013116. https:\/\/doi.org\/10.5220\/0006639801080116.","DOI":"10.5220\/0006639801080116"},{"key":"1272_CR38","unstructured":"Myneni S, Jha K, Sabur A, Garima Agrawal YD, Chowdhary A, Huang D. Unraveled Git repository (2022) URL\u00a0https:\/\/gitlab.com\/asu22\/unraveled."}],"container-title":["Journal of Big Data"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s40537-025-01272-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s40537-025-01272-w\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s40537-025-01272-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,30]],"date-time":"2025-08-30T07:02:37Z","timestamp":1756537357000},"score":1,"resource":{"primary":{"URL":"https:\/\/journalofbigdata.springeropen.com\/articles\/10.1186\/s40537-025-01272-w"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,8,30]]},"references-count":38,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2025,12]]}},"alternative-id":["1272"],"URL":"https:\/\/doi.org\/10.1186\/s40537-025-01272-w","relation":{},"ISSN":["2196-1115"],"issn-type":[{"value":"2196-1115","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,8,30]]},"assertion":[{"value":"4 March 2025","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"24 August 2025","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"30 August 2025","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"212"}}