{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,14]],"date-time":"2026-03-14T17:55:59Z","timestamp":1773510959241,"version":"3.50.1"},"reference-count":34,"publisher":"SAGE Publications","issue":"3","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IFS"],"published-print":{"date-parts":[[2023,8,24]]},"abstract":"<jats:p>Advanced persistent threat (APT) attacking campaigns have been a common method for cyber-attackers to attack and exploit end-user computers (workstations) in recent years. In this study, to enhance the effectiveness of the APT malware detection, a combination of deep graph networks and contrastive learning is proposed. The idea is that several deep graph networks such as Graph Convolution Networks (GCN), Graph Isomorphism Networks (GIN), are combined with some popular contrastive learning models like N-pair Loss, Contrastive Loss, and Triplet Loss, in order to optimize the process of APT malware detection and classification in endpoint workstations. The proposed approach consists of three main phases as follows. First, the behaviors of APT malware are collected and represented as graphs. Second, GIN and GCN networks are used to extract feature vectors from the graphs of APT malware. Finally, different contrastive learning models, i.e. N-pair Loss, Contrastive Loss, and Triplet Loss are applied to determine which feature vectors belong to APT malware, and which ones belong to normal files. This combination of deep graph networks and contrastive learning algorithm is a novel approach, that not only enhances the ability to accurately detect APT malware but also reduces false alarms for normal behaviors. The experimental results demonstrate that the proposed model, whose effectiveness ranges from 88% to 94% across all performance metrics, is not only scientifically effective but also practically significant. Additionally, the results show that the combination of GIN and N-pair Loss performs better than other combined models. This provides a base malware detection system with flexible parameter selection and mathematical model choices for optimal real-world applications.<\/jats:p>","DOI":"10.3233\/jifs-231548","type":"journal-article","created":{"date-parts":[[2023,7,4]],"date-time":"2023-07-04T12:01:05Z","timestamp":1688472065000},"page":"4517-4533","source":"Crossref","is-referenced-by-count":3,"title":["Using knowledge graphs and contrastive learning for detecting APT Malware on Endpoint systems"],"prefix":"10.1177","volume":"45","author":[{"given":"Cho Do","family":"Xuan","sequence":"first","affiliation":[{"name":"Faculty of Information Security, Posts and Telecommunications Institute of Technology, Hanoi, Vietnam"}]},{"given":"Hoa Dinh","family":"Nguyen","sequence":"additional","affiliation":[{"name":"Faculty of Information Technology, Posts and Telecommunications Institute of Technology, Hanoi, Vietnam"}]}],"member":"179","reference":[{"key":"10.3233\/JIFS-231548_ref1","doi-asserted-by":"crossref","first-page":"102875","DOI":"10.1016\/j.cose.2022.102875","article-title":"APT beaconing detection: A systematic review","volume":"122","author":"Manar Abu Talib","year":"2022","journal-title":"Computers & Security"},{"key":"10.3233\/JIFS-231548_ref2","doi-asserted-by":"crossref","first-page":"108261","DOI":"10.1016\/j.compeleceng.2022.108261","article-title":"Advanced Persistent Threat intelligent profiling technique: A survey","volume":"103","author":"BinHui Tang","year":"2022","journal-title":"Computers and Electrical Engineering"},{"key":"10.3233\/JIFS-231548_ref3","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2022.3221789"},{"issue":"1","key":"10.3233\/JIFS-231548_ref4","doi-asserted-by":"publisher","first-page":"223","DOI":"10.1109\/TNSE.2022.3206353","article-title":"MSCA: An Unsupervised Anomaly Detection System for Network Security in Backbone Network","volume":"10","author":"Liu","year":"2023","journal-title":"in IEEE Transactions on Network Science and Engineering"},{"issue":"3","key":"10.3233\/JIFS-231548_ref5","doi-asserted-by":"publisher","first-page":"2360","DOI":"10.11591\/ijece.v11i3.pp2360\u20132370","article-title":"Optimization of network traffic anomaly detection using machine learning","volume":"11","author":"Choxuan Do","year":"2021","journal-title":"International Journal of Electrical and Computer Engineering; Yogyakarta"},{"key":"10.3233\/JIFS-231548_ref6","doi-asserted-by":"publisher","DOI":"10.1080\/08874417.2023.2175337"},{"key":"10.3233\/JIFS-231548_ref7","doi-asserted-by":"crossref","first-page":"4785","DOI":"10.3233\/JIFS-200694","article-title":"APT attack detection based on flow network analysis techniques using deep learning","volume":"39","author":"Cho Do Xuan","year":"2020","journal-title":"Journal of Intelligent & Fuzzy Systems"},{"key":"10.3233\/JIFS-231548_ref8","doi-asserted-by":"crossref","first-page":"11311","DOI":"10.3233\/JIFS-202465","article-title":"A Multi-Layer Approach for Advanced Persistent Threat Detection Using Machine Learning Based on Network Traffic","volume":"40","author":"Cho Do Xuan","year":"2021","journal-title":"Journal of Intelligent & Fuzzy Systems"},{"key":"10.3233\/JIFS-231548_ref9","doi-asserted-by":"crossref","first-page":"316","DOI":"10.1016\/j.procs.2019.02.058","article-title":"A Method of Monitoring and Detecting APT Attacks Based on Unknown Domains","volume":"150","author":"Do Xuan Cho","year":"2019","journal-title":"Procedia Computer Science"},{"key":"10.3233\/JIFS-231548_ref13","doi-asserted-by":"crossref","first-page":"100529","DOI":"10.1016\/j.cosrev.2022.100529","article-title":"A comprehensive survey on deep learning based malware detection techniques","volume":"47","author":"Gopinath","year":"2023","journal-title":"Computer Science Review"},{"key":"10.3233\/JIFS-231548_ref14","first-page":"22","article-title":"Detecting C&C Server in the APT Attack based on Network Traffic using Machine Learning","volume":"11","author":"Do Xuan","year":"2020","journal-title":"International Journal of Advanced Computer Science and Applications"},{"issue":"3","key":"10.3233\/JIFS-231548_ref15","doi-asserted-by":"crossref","first-page":"3527","DOI":"10.3233\/JIFS-220233","article-title":"A Novel Intelligent Cognitive Computing-based APT Malware Detection for Endpoint Systems","volume":"43","author":"Cho Do Xuan","year":"2022","journal-title":"Journal of Intelligent & Fuzzy Systems"},{"issue":"4","key":"10.3233\/JIFS-231548_ref16","doi-asserted-by":"crossref","first-page":"4815","DOI":"10.3233\/JIFS-212880","article-title":"New Approach for APT Malware Detection on the Workstation Based on Process Profile","volume":"43","author":"Cho Do Xuan","year":"2022","journal-title":"Journal of Intelligent & Fuzzy Systems"},{"key":"10.3233\/JIFS-231548_ref17","doi-asserted-by":"crossref","first-page":"14005","DOI":"10.1007\/s10489-021-03138-z","article-title":"A new approach for APT malware detection based on deep graph network for endpoint systems","volume":"52","author":"Do Xuan","year":"2022","journal-title":"Appl Intell"},{"key":"10.3233\/JIFS-231548_ref19","first-page":"171","article-title":"Detecting APT Attacks Based on Network Traffic Using Machine Learning","volume":"20","author":"Cho Do Xuan","year":"2021","journal-title":"Journal of Web Engineering"},{"issue":"3","key":"10.3233\/JIFS-231548_ref20","doi-asserted-by":"crossref","first-page":"3459","DOI":"10.3233\/JIFS-221055","article-title":"A New Framework for APT Attack Detection Based on Network Traffic","volume":"44","author":"Hoa Cuong Nguyen","year":"2023","journal-title":"Journal of Intelligent & Fuzzy Systems"},{"key":"10.3233\/JIFS-231548_ref21","doi-asserted-by":"crossref","first-page":"13251","DOI":"10.1007\/s00521-021-05952-5","article-title":"A novel approach for APT attack detection based on combined deep learning model","volume":"33","author":"Do Xuan","year":"2021","journal-title":"Neural Comput & Applic"},{"issue":"4","key":"10.3233\/JIFS-231548_ref22","doi-asserted-by":"crossref","first-page":"4135","DOI":"10.3233\/JIFS-212570","article-title":"Optimization of APT Attack Detection Based on a Model Combining ATTENTION and Deep Learning","volume":"42","author":"Cho Do Xuan","year":"2022","journal-title":"Journal of Intelligent & Fuzzy Systems"},{"issue":"6","key":"10.3233\/JIFS-231548_ref23","first-page":"102627","article-title":"Orchestration of APT Malware Evasive Manoeuvers Employed for Eluding Anti-virus and Sandbox Defense","volume":"115","author":"Amit Sharma","journal-title":"Computers & Security"},{"issue":"4","key":"10.3233\/JIFS-231548_ref24","doi-asserted-by":"publisher","first-page":"4248","DOI":"10.1109\/TNSM.2022.3200866","article-title":"From Data and Model Levels: Improve the Performance of Few-Shot Malware Classification","volume":"19","author":"Chai","year":"2022","journal-title":"in IEEE Transactions on Network and Service Management"},{"issue":"1","key":"10.3233\/JIFS-231548_ref25","doi-asserted-by":"crossref","first-page":"1","DOI":"10.4018\/IJSSCI.312554","article-title":"A New Wrapper-Based Feature Selection Technique with Fireworks Algorithm for Android Malware Detection","volume":"14","author":"Mohamed Guendouz","year":"2022","journal-title":"Int J Softw Sci Comput Intell"},{"key":"10.3233\/JIFS-231548_ref27","doi-asserted-by":"crossref","first-page":"75","DOI":"10.1186\/s13677-022-00349-8","article-title":"A malware detection system using a hybrid approach of multi-heads attention-based control flow traces and image visualization","volume":"11","author":"Ullah","year":"2022","journal-title":"J Cloud Comp"},{"key":"10.3233\/JIFS-231548_ref31","doi-asserted-by":"crossref","first-page":"301","DOI":"10.1016\/j.neucom.2020.10.054","article-title":"Learning features from enhanced function call graphs for Android malware detection","volume":"423","author":"Minghui Cai","year":"2021","journal-title":"Neurocomputing"},{"issue":"1","key":"10.3233\/JIFS-231548_ref33","doi-asserted-by":"publisher","first-page":"88","DOI":"10.1109\/TSUSC.2018.2809665","article-title":"Robust Malware Detection for Internet of (Battlefield) Things Devices Using Deep Eigenspace Learning","volume":"4","author":"Azmoodeh","year":"2019","journal-title":"IEEE Transactions on Sustainable Computing"},{"key":"10.3233\/JIFS-231548_ref34","doi-asserted-by":"crossref","first-page":"57","DOI":"10.1016\/j.aiopen.2021.01.001","article-title":"Graph neural networks: A review of methods and applications","volume":"1","author":"Jie Zhou","year":"2020","journal-title":"AI Open"},{"key":"10.3233\/JIFS-231548_ref35","doi-asserted-by":"crossref","unstructured":"Ilya Makarov , Dmitrii Kiselev , Nikita Nikitinsky , Lovro Subelj , Survey on graph embeddings and their applications to machine learning problems on graphs, PeerJ Computer Science 7(3) (2021). https:\/\/doi.org\/10.7717\/peerj-cs.357","DOI":"10.7717\/peerj-cs.357"},{"key":"10.3233\/JIFS-231548_ref36","doi-asserted-by":"crossref","first-page":"78","DOI":"10.1016\/j.knosys.2018.03.022","article-title":"Graph embedding techniques, applications, and performance: A survey","volume":"151","author":"Palash Goyal","year":"2018","journal-title":"Knowledge-Based Systems"},{"key":"10.3233\/JIFS-231548_ref40","doi-asserted-by":"crossref","unstructured":"Daniel Svozil , Vladim\u00edr Kvasnicka , Ji\u0159\u00ed Pospichal , Introduction to multi-layer feed-forward neural networks, Chemometrics and Intelligent Laboratory Systems 39(1) (1997). https:\/\/doi.org\/10.1016\/S0169-7439(97)00061-0","DOI":"10.1016\/S0169-7439(97)00061-0"},{"key":"10.3233\/JIFS-231548_ref41","doi-asserted-by":"crossref","first-page":"149","DOI":"10.1016\/j.neucom.2019.02.056","article-title":"Application of deep learning to cybersecurity: A survey","volume":"347","author":"Samaneh Mahdavifar","year":"2019","journal-title":"Neurocomputing"},{"key":"10.3233\/JIFS-231548_ref42","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2006.100"},{"key":"10.3233\/JIFS-231548_ref44","doi-asserted-by":"publisher","DOI":"10.1109\/IJCNN48605.2020.9206833"},{"key":"10.3233\/JIFS-231548_ref46","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2015.7298682"},{"key":"10.3233\/JIFS-231548_ref53","doi-asserted-by":"publisher","first-page":"101792","DOI":"10.1016\/j.cose.2020.101792","article-title":"AMalNet: A deep learning framework based on graph convolutional networks for malware detection","volume":"93","author":"Pei Xinjun","year":"2020","journal-title":"Computers & Security"},{"key":"10.3233\/JIFS-231548_ref54","doi-asserted-by":"publisher","DOI":"10.14569\/IJACSA.2021.0120355"}],"container-title":["Journal of Intelligent &amp; Fuzzy Systems"],"original-title":[],"link":[{"URL":"https:\/\/content.iospress.com\/download?id=10.3233\/JIFS-231548","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,29]],"date-time":"2026-01-29T06:59:21Z","timestamp":1769669961000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/full\/10.3233\/JIFS-231548"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,8,24]]},"references-count":34,"journal-issue":{"issue":"3"},"URL":"https:\/\/doi.org\/10.3233\/jifs-231548","relation":{},"ISSN":["1064-1246","1875-8967"],"issn-type":[{"value":"1064-1246","type":"print"},{"value":"1875-8967","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,8,24]]}}}