{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T01:34:56Z","timestamp":1760060096086,"version":"build-2065373602"},"reference-count":35,"publisher":"MDPI AG","issue":"8","license":[{"start":{"date-parts":[[2025,8,12]],"date-time":"2025-08-12T00:00:00Z","timestamp":1754956800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"National Natural Science Foundation Project","award":["62041211","2021SZD0004","2022YFHH0070","BR22-14-05","2024MS06002","2025ZD012","NMGIRT2313"],"award-info":[{"award-number":["62041211","2021SZD0004","2022YFHH0070","BR22-14-05","2024MS06002","2025ZD012","NMGIRT2313"]}]},{"name":"Inner Mongolia Major science and technology project","award":["62041211","2021SZD0004","2022YFHH0070","BR22-14-05","2024MS06002","2025ZD012","NMGIRT2313"],"award-info":[{"award-number":["62041211","2021SZD0004","2022YFHH0070","BR22-14-05","2024MS06002","2025ZD012","NMGIRT2313"]}]},{"name":"Iner Mongolia Autonomous Region science and technology plan project","award":["62041211","2021SZD0004","2022YFHH0070","BR22-14-05","2024MS06002","2025ZD012","NMGIRT2313"],"award-info":[{"award-number":["62041211","2021SZD0004","2022YFHH0070","BR22-14-05","2024MS06002","2025ZD012","NMGIRT2313"]}]},{"name":"Inner Mongolia Autonomous Region","award":["62041211","2021SZD0004","2022YFHH0070","BR22-14-05","2024MS06002","2025ZD012","NMGIRT2313"],"award-info":[{"award-number":["62041211","2021SZD0004","2022YFHH0070","BR22-14-05","2024MS06002","2025ZD012","NMGIRT2313"]}]},{"name":"Inner Mongolia Natural Science Foundation Project","award":["62041211","2021SZD0004","2022YFHH0070","BR22-14-05","2024MS06002","2025ZD012","NMGIRT2313"],"award-info":[{"award-number":["62041211","2021SZD0004","2022YFHH0070","BR22-14-05","2024MS06002","2025ZD012","NMGIRT2313"]}]},{"name":"Inner Mongolia Autonomous Region universities innovative research team project","award":["62041211","2021SZD0004","2022YFHH0070","BR22-14-05","2024MS06002","2025ZD012","NMGIRT2313"],"award-info":[{"award-number":["62041211","2021SZD0004","2022YFHH0070","BR22-14-05","2024MS06002","2025ZD012","NMGIRT2313"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["BDCC"],"abstract":"<jats:p>In the highly interconnected digital ecosystem, cyberspace has become the main battlefield for complex attacks such as Advanced Persistent Threat (APT). The complexity and concealment of APT attacks are increasing, posing unprecedented challenges to network security. Current APT detection methods largely depend on general datasets, making it challenging to capture the stages and complexity of APT attacks. Moreover, existing detection methods often suffer from suboptimal accuracy, high false alarm rates, and a lack of real-time capabilities. In this paper, we introduce LDR-RFECV, a novel feature selection (FS) algorithm that uses LightGBM, Decision Trees (DTs), and Random Forest (RF) as integrated feature evaluators instead of single evaluators in recursive feature elimination algorithms. This approach helps select the optimal feature subset, thereby significantly enhancing detection efficiency. In addition, a novel optimization algorithm called LWHO was proposed, which integrates the Levy flight mechanism with the Wild Horse Optimizer (WHO) to optimize the hyperparameters of the LightGBM model, ultimately enhancing performance in APT attack detection. More importantly, this optimization strategy significantly boosts the detection rate during the lateral movement phase of APT attacks, a pivotal stage where attackers infiltrate key resources. Timely identification is essential for disrupting the attack chain and achieving precise defense. Experimental results demonstrate that the proposed method achieves 97.31% and 98.32% accuracy on two typical APT attack datasets, DAPT2020 and Unraveled, respectively, which is 2.86% and 4.02% higher than the current research methods, respectively.<\/jats:p>","DOI":"10.3390\/bdcc9080206","type":"journal-article","created":{"date-parts":[[2025,8,12]],"date-time":"2025-08-12T07:53:44Z","timestamp":1754985224000},"page":"206","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Research on Multi-Stage Detection of APT Attacks: Feature Selection Based on LDR-RFECV and Hyperparameter Optimization via LWHO"],"prefix":"10.3390","volume":"9","author":[{"given":"Lihong","family":"Zeng","sequence":"first","affiliation":[{"name":"College of Computer and Information Engineering, Inner Mongolia Agricultural University, Hohhot 010018, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-3436-7150","authenticated-orcid":false,"given":"Honghui","family":"Li","sequence":"additional","affiliation":[{"name":"College of Computer and Information Engineering, Inner Mongolia Agricultural University, Hohhot 010018, China"}]},{"given":"Xueliang","family":"Fu","sequence":"additional","affiliation":[{"name":"College of Computer and Information Engineering, Inner Mongolia Agricultural University, Hohhot 010018, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-0981-1607","authenticated-orcid":false,"given":"Daoqi","family":"Han","sequence":"additional","affiliation":[{"name":"College of Computer and Information Engineering, Inner Mongolia Agricultural University, Hohhot 010018, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-9318-6644","authenticated-orcid":false,"given":"Shuncheng","family":"Zhou","sequence":"additional","affiliation":[{"name":"College of Computer and Information Engineering, Inner Mongolia Agricultural University, Hohhot 010018, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-3025-3179","authenticated-orcid":false,"given":"Xin","family":"He","sequence":"additional","affiliation":[{"name":"College of Computer and Information Engineering, Inner Mongolia Agricultural University, Hohhot 010018, China"}]}],"member":"1968","published-online":{"date-parts":[[2025,8,12]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Messaoud, B.I., Guennoun, K., Wahbi, M., and Sadik, M. (2016, January 17\u201319). Advanced persistent threat: New analysis driven by life cycle phases and their challenges. Proceedings of the 2016 International Conference on Advanced Communication Systems and Information Security (ACOSIS), Marrakesh, Morocco.","DOI":"10.1109\/ACOSIS.2016.7843932"},{"key":"ref_2","unstructured":"(2025, May 07). Kaspersky. APT and Financial Attacks on Industrial Organizations in Q4 2024. Available online: https:\/\/ics-cert.kaspersky.com\/publications\/reports\/2025\/03\/25\/apt-and-financial-attacks-on-industrial-organizations-in-q4-2024\/."},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Burita, L., and Le, D.T. (2021, January 13\u201315). Cyber security and APT groups. Proceedings of the 2021 Communication and Information Technologies (KIT), Vysoke Tatry, Slovakia.","DOI":"10.1109\/KIT52904.2021.9583744"},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"349","DOI":"10.1016\/j.future.2018.06.055","article-title":"Detection of advanced persistent threat using machine-learning correlation analysis","volume":"89","author":"Ghafir","year":"2018","journal-title":"Future Gener. Comput. Syst."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"13251","DOI":"10.1007\/s00521-021-05952-5","article-title":"A novel approach for APT attack detection based on combined deep learning model","volume":"33","author":"Dao","year":"2021","journal-title":"Neural Comput. Appl."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"El Alami, H., and Rawat, D.B. (2024, January 29\u201331). A Novel Neural Networks-based Framework for APT Detection in Networked Autonomous Systems. Proceedings of the 2024 33rd International Conference on Computer Communications and Networks (ICCCN), Kailua-Kona, HI, USA.","DOI":"10.1109\/ICCCN61486.2024.10637554"},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Eke, H.N., and Petrovski, A. (2023, January 8\u201311). Advanced persistent threats detection based on deep learning approach. Proceedings of the 2023 IEEE 6th International Conference on Industrial Cyber-Physical Systems (ICPS), Wuhan, China.","DOI":"10.1109\/ICPS58381.2023.10128062"},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"8644","DOI":"10.1007\/s11227-021-04201-9","article-title":"APT-Dt-KC: Advanced persistent threat detection based on kill-chain model","volume":"78","author":"Panahnejad","year":"2022","journal-title":"J. Supercomput."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"186125","DOI":"10.1109\/ACCESS.2020.3029202","article-title":"Early detection of the advanced persistent threat attack using performance analysis of deep learning","volume":"8","author":"Joloudari","year":"2020","journal-title":"IEEE Access"},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"8440","DOI":"10.1109\/JIOT.2023.3322412","article-title":"A comprehensive detection method for the lateral movement stage of apt attacks","volume":"11","author":"He","year":"2023","journal-title":"IEEE Internet Things J."},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"14143","DOI":"10.1007\/s11227-024-06010-2","article-title":"A comprehensive comparison study of ML models for multistage APT detection: Focus on data preprocessing and resampling","volume":"80","author":"Dau","year":"2024","journal-title":"J. Supercomput."},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"104056","DOI":"10.1016\/j.cose.2024.104056","article-title":"SKT-IDS: Unknown attack detection method based on Sigmoid Kernel Transformation and encoder\u2013decoder architecture","volume":"146","author":"Zha","year":"2024","journal-title":"Comput. Secur."},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Chen, T., Dong, C., Lv, M., Song, Q., Liu, H., Zhu, T., Xu, K., Chen, L., Ji, S., and Fan, Y. (2022). APT-KGL: An intelligent apt detection system based on threat knowledge and heterogeneous provenance graph learning. IEEE Trans. Dependable Secur. Comput., 1\u201315.","DOI":"10.1109\/TDSC.2022.3229472"},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"104036","DOI":"10.1016\/j.jnca.2024.104036","article-title":"RT-APT: A real-time APT anomaly detection method for large-scale provenance graph","volume":"233","author":"Weng","year":"2025","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Kicska, G., and Kiss, A. (2021). Comparing swarm intelligence algorithms for dimension reduction in machine learning. Big Data Cogn. Comput., 5.","DOI":"10.3390\/bdcc5030036"},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Hallaji, E., Razavi-Far, R., and Saif, M. (2025). A Study on the Importance of Features in Detecting Advanced Persistent Threats Using Machine Learning. arXiv.","DOI":"10.1007\/978-3-031-94956-2_7"},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"104185","DOI":"10.1016\/j.cose.2024.104185","article-title":"Genetic programming for enhanced detection of Advanced Persistent Threats through feature construction","volume":"149","author":"Welch","year":"2025","journal-title":"Comput. Secur."},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"e21377","DOI":"10.1016\/j.heliyon.2023.e21377","article-title":"A prospective approach to detect advanced persistent threats: Utilizing hybrid optimization technique","volume":"9","author":"Kumari","year":"2023","journal-title":"Heliyon"},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Abdulsattar, N.F., Abedi, F., Ghanimi, H.M., Kumar, S., Abbas, A.H., Abosinnee, A.S., Alkhayyat, A., Hassan, M.H., and Abbas, F.H. (2022). Botnet detection employing a dilated convolutional autoencoder classifier with the aid of hybrid shark and bear smell optimization algorithm-based feature selection in FANETs. Big Data Cogn. Comput., 6.","DOI":"10.3390\/bdcc6040112"},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"4262","DOI":"10.1109\/TNSM.2022.3201928","article-title":"A hybrid intelligent approach to attribute Advanced Persistent Threat Organization using PSO-MSVM Algorithm","volume":"19","author":"Mei","year":"2022","journal-title":"IEEE Trans. Netw. Serv. Manag."},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Bakhiet, A.M., and Aly, S.A. (2024, January 22\u201325). Hybridizing Base-Line 2D-CNN Model with Cat Swarm Optimization for Enhanced Advanced Persistent Threat Detection. Proceedings of the 2024 International Telecommunications Conference (ITC-Egypt), Cairo, Egypt.","DOI":"10.1109\/ITC-Egypt61547.2024.10620569"},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Myneni, S., Chowdhary, A., Sabur, A., Sengupta, S., Agrawal, G., Huang, D., and Kang, M. (2020, January 24). DAPT 2020-constructing a benchmark dataset for advanced persistent threats. Proceedings of the Deployable Machine Learning for Security Defense: First International Workshop, MLHat 2020, San Diego, CA, USA.","DOI":"10.1007\/978-3-030-59621-7_8"},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"109688","DOI":"10.1016\/j.comnet.2023.109688","article-title":"Unraveled\u2014A semi-synthetic dataset for Advanced Persistent Threats","volume":"227","author":"Myneni","year":"2023","journal-title":"Comput. Netw."},{"key":"ref_24","unstructured":"Stando, A., Cavus, M., and Biecek, P. (2023, January 18). The effect of balancing methods on model behavior in imbalanced classification problems. Proceedings of the Fifth International Workshop on Learning with Imbalanced Domains: Theory and Applications, Turin, Italy."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Efendi, R., Wahyono, T., and Widiasari, I.R. (2024). DBSCAN SMOTE LSTM: Effective Strategies for Distributed Denial of Service Detection in Imbalanced Network Environments. Big Data Cogn. Comput., 8.","DOI":"10.20944\/preprints202407.1825.v1"},{"key":"ref_26","unstructured":"Hackeling, G. (2017). Mastering Machine Learning with Scikit-Learn, Packt Publishing Ltd."},{"key":"ref_27","first-page":"1688","article-title":"Feature selection algorithm based on LightGBM","volume":"42","author":"Li","year":"2021","journal-title":"J. Northeast. Univ."},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Nam, Y., and Han, S. (2025). Random Forest Variable Importance-based Selection Algorithm in Class Imbalance Problem. J. Classif., 1\u201314.","DOI":"10.1007\/s00357-025-09512-7"},{"key":"ref_29","first-page":"3149","article-title":"Lightgbm: A highly efficient gradient boosting decision tree","volume":"30","author":"Ke","year":"2017","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"3025","DOI":"10.1007\/s00366-021-01438-z","article-title":"Wild horse optimizer: A new meta-heuristic algorithm for solving engineering optimization problems","volume":"38","author":"Naruei","year":"2022","journal-title":"Eng. Comput."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Alizadeh, F., Khansari, M., and Arabsorkhi, A. (2024, January 9\u201310). Lateral movement detection through a heteregenous GNN model of kernel-level log. Proceedings of the 2024 11th International Symposium on Telecommunications (IST), Tehran, Iran.","DOI":"10.1109\/IST64061.2024.10843438"},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"125877","DOI":"10.1016\/j.eswa.2024.125877","article-title":"A dynamic provenance graph-based detector for advanced persistent threats","volume":"265","author":"Wang","year":"2025","journal-title":"Expert Syst. Appl."},{"key":"ref_33","doi-asserted-by":"crossref","first-page":"112447","DOI":"10.1016\/j.asoc.2024.112447","article-title":"Detection of advanced persistent threat: A genetic programming approach","volume":"167","author":"Welch","year":"2024","journal-title":"Appl. Soft Comput."},{"key":"ref_34","doi-asserted-by":"crossref","first-page":"e70011","DOI":"10.1002\/spy2.70011","article-title":"Advanced Persistent Threat Detection Using Optimized and Hybrid Deep Learning Approach","volume":"8","author":"Almazmomi","year":"2025","journal-title":"Secur. Priv."},{"key":"ref_35","doi-asserted-by":"crossref","first-page":"12131","DOI":"10.1109\/TITS.2024.3360260","article-title":"A Novel Network Forensic Framework for Advanced Persistent Threat Attack Attribution Through Deep Learning","volume":"25","author":"Mei","year":"2024","journal-title":"IEEE Trans. Intell. Transp. Syst."}],"container-title":["Big Data and Cognitive Computing"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2504-2289\/9\/8\/206\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T18:25:12Z","timestamp":1760034312000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2504-2289\/9\/8\/206"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,8,12]]},"references-count":35,"journal-issue":{"issue":"8","published-online":{"date-parts":[[2025,8]]}},"alternative-id":["bdcc9080206"],"URL":"https:\/\/doi.org\/10.3390\/bdcc9080206","relation":{},"ISSN":["2504-2289"],"issn-type":[{"type":"electronic","value":"2504-2289"}],"subject":[],"published":{"date-parts":[[2025,8,12]]}}}