{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,25]],"date-time":"2025-10-25T14:19:07Z","timestamp":1761401947746,"version":"build-2065373602"},"reference-count":25,"publisher":"MDPI AG","issue":"5","license":[{"start":{"date-parts":[[2018,5,22]],"date-time":"2018-05-22T00:00:00Z","timestamp":1526947200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Entropy"],"abstract":"Malware allegedly developed by nation-states, also known as advanced persistent threats (APT), are becoming more common. The task of attributing an APT to a specific nation-state or classifying it to the correct APT family is challenging for several reasons. First, each nation-state has more than a single cyber unit that develops such malware, rendering traditional authorship attribution algorithms useless. Furthermore, the dataset of such available APTs is still extremely small. Finally, those APTs use state-of-the-art evasion techniques, making feature extraction challenging. In this paper, we use a deep neural network (DNN) as a classifier for nation-state APT attribution. We record the dynamic behavior of the APT when run in a sandbox and use it as raw input for the neural network, allowing the DNN to learn high level feature abstractions of the APTs itself. We also use the same raw features for APT family classification. Finally, we use the feature abstractions learned by the APT family classifier to solve the attribution problem. Using a test set of 1000 Chinese and Russian developed APTs, we achieved an accuracy rate of 98.6%<\/jats:p>","DOI":"10.3390\/e20050390","type":"journal-article","created":{"date-parts":[[2018,5,23]],"date-time":"2018-05-23T03:14:24Z","timestamp":1527045264000},"page":"390","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":22,"title":["End-to-End Deep Neural Networks and Transfer Learning for Automatic Analysis of Nation-State Malware"],"prefix":"10.3390","volume":"20","author":[{"given":"Ishai","family":"Rosenberg","sequence":"first","affiliation":[{"name":"Deep Instinct Ltd., Tel Aviv 6618356, Israel"}]},{"given":"Guillaume","family":"Sicard","sequence":"additional","affiliation":[{"name":"Deep Instinct Ltd., Tel Aviv 6618356, Israel"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2904-4982","authenticated-orcid":false,"given":"Eli (Omid)","family":"David","sequence":"additional","affiliation":[{"name":"Deep Instinct Ltd., Tel Aviv 6618356, Israel"}]}],"member":"1968","published-online":{"date-parts":[[2018,5,22]]},"reference":[{"key":"ref_1","first-page":"817","article-title":"The Law of Cyber-Attack","volume":"100","author":"Hathaway","year":"2012","journal-title":"Fac. Scholarsh. Ser."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"538","DOI":"10.1002\/asi.21001","article-title":"A survey of modern authorship attribution methods","volume":"60","author":"Stamatatos","year":"2009","journal-title":"J. Am. Soc. Inf. Sci. Technol."},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Rosenblum, N., Zhu, X., and Miller, B.P. (2011, January 12\u201314). Who wrote this code? Identifying the authors of program binaries. Proceedings of the Computer Security-ESORICS 2011, Leuven, Belgium.","DOI":"10.1007\/978-3-642-23822-2_10"},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"S94","DOI":"10.1016\/j.diin.2014.03.012","article-title":"Oba2: An onion approach to binary code authorship attribution","volume":"11","author":"Alrabaee","year":"2014","journal-title":"Digit. Investig."},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Caliskan-Islam, A., Yamaguchi, F., Dauber, E., Harang, R., Rieck, K., Greenstadt, R., and Narayanan, A. (2018, January 18\u201321). When coding style survives compilation: De-anonymizing programmers from executable binaries. Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA.","DOI":"10.14722\/ndss.2018.23304"},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Pfeffer, A., Call, C., Chamberlain, J., Kellogg, L., Ouellette, J., Patten, T., Zacharias, G., Lakhotia, A., Golconda, S., and Bay, J. (2012, January 16\u201318). Malware analysis and attribution using genetic information. Proceedings of the 7th IEEE International Conference on Malicious and Unwanted Software, Fajardo, PR, USA.","DOI":"10.1109\/MALWARE.2012.6461006"},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Alrabaee, S., Shirani, P., Debbabi, M., and Wang, L. (arXiv, 2017). On the Feasibility of Malware Authorship Attribution, arXiv.","DOI":"10.1007\/978-3-319-51966-1_17"},{"key":"ref_8","unstructured":"Marquis-Boire, M., Marschalek, M., and Guarnieri, C. (2015, January 1\u20136). Big game hunting: The peculiarities in nation-state malware research. Proceedings of the Black Hat USA, Las Vegas, NV, USA."},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Huang, W., and Stokes, J.W. (2016, January 7\u20138). MtNet: A Multi-Task Neural Network for Dynamic Malware Classification. Proceedings of the Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), San Sebastian, Spain.","DOI":"10.1007\/978-3-319-40667-1_20"},{"key":"ref_10","unstructured":"Hardy, W., Chen, L., Hou, S., Ye, Y., and Li, X. (2016, January 25\u201328). DL4MD: A Deep Learning Framework for Intelligent Malware Detection. Proceedings of the International Conference on Data Mining (DMIN), Las Vegas, NV, USA."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Ahmadi, M., Giacinto, G., Ulyanov, D., Semenov, S., and Trofimov, M. (arXiv, 2015). Novel feature extraction, selection and fusion for effective malware family classification, arXiv.","DOI":"10.1145\/2857705.2857713"},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"1798","DOI":"10.1109\/TPAMI.2013.50","article-title":"Representation learning: A review and new perspectives","volume":"35","author":"Bengio","year":"2013","journal-title":"IEEE Trans. Pattern Anal. Mach. Intell."},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"David, O.E., and Netanyahu, N.S. (2015, January 12\u201316). DeepSign: Deep learning for automatic malware signature generation and classification. Proceedings of the International Joint Conference on Neural Networks (IJCNN), Killarney, Ireland.","DOI":"10.1109\/IJCNN.2015.7280815"},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Rosenberg, I., Sicard, G., and David, E. (2017, January 11\u201314). DeepAPT: Nation-State APT Attribution Using End-to-End Deep Neural Networks. Proceedings of the International Conference on Artificial Neural Networks (ICANN), Alghero, Italy.","DOI":"10.1007\/978-3-319-68612-7_11"},{"key":"ref_15","unstructured":"Virvilis, N., and Gritzalis, D. (2013, January 2\u20136). The Big Four\u2014What we did wrong in protecting critical ICT infrastructures from Advanced Persistent Threat detection?. Proceedings of the 8th International Conference on Availability, Reliability & Security, Regensburg, Germany."},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"971","DOI":"10.3390\/fi4040971","article-title":"The Cousins of Stuxnet: Duqu, Flame, and Gauss","volume":"4","author":"Bencsath","year":"2012","journal-title":"Future Internet"},{"key":"ref_17","first-page":"2493","article-title":"Natural Language Processing (Almost) from Scratch","volume":"12","author":"Collobert","year":"2011","journal-title":"J. Mach. Learn. Res."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Zeiler, M.D., and Fergus, R. (2014, January 6\u201312). Visualizing and understanding convolutional networks. Proceedings of the Computer Vision\u2014ECCV 2014, Zurich, Switzerland.","DOI":"10.1007\/978-3-319-10590-1_53"},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"135","DOI":"10.1016\/S0304-3800(02)00064-9","article-title":"Illuminating the \u2018black-box\u2019: A randomization approach for understanding variable contributions in artificial neural networks","volume":"154","author":"Olden","year":"2002","journal-title":"Ecol. Model."},{"key":"ref_20","first-page":"1929","article-title":"Dropout: A simple way to prevent neural networks from overfitting","volume":"15","author":"Srivastava","year":"2014","journal-title":"J. Mach. Learn. Res."},{"key":"ref_21","unstructured":"Glorot, X., Bordes, A., and Bengio, Y. (2011, January 11\u201313). Deep sparse rectifier neural networks. Proceedings of the 14th International Conference on Artificial Intelligence and Statistics, Ft. Lauderdale, FL, USA."},{"key":"ref_22","unstructured":"Donahue, J., Jia, Y., Vinyals, O., Hoffman, J., Zhang, N., Tzeng, E., and Darrell, T. (arXiv, 2013). DeCAF: A Deep Convolutional Activation Feature for Generic Visual Recognition, arXiv."},{"key":"ref_23","first-page":"2579","article-title":"Visualizing data using t-SNE","volume":"9","author":"Hinton","year":"2008","journal-title":"Int. J. Mach. Learn. Res."},{"key":"ref_24","unstructured":"Goodfellow, I.J., Pouget-Abadie, J., Mirza, M., Xu, B., Warde-Farley, D., Ozair, S., Courville, A.C., and Bengio, Y. (2014, January 8\u201313). Generative Adversarial Nets. Proceedings of the Advances in Neural Information Processing Systems (NIPS), Montreal, QC, Canada."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Rosenberg, I., Shabtai, A., Rokach, L., and Elovici, Y. (arXiv, 2018). Low Resource Black-Box End-to-End Attack Against State of the Art API Call Based Malware Classifiers, arXiv.","DOI":"10.1007\/978-3-030-00470-5_23"}],"container-title":["Entropy"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1099-4300\/20\/5\/390\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T15:05:21Z","timestamp":1760195121000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1099-4300\/20\/5\/390"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,5,22]]},"references-count":25,"journal-issue":{"issue":"5","published-online":{"date-parts":[[2018,5]]}},"alternative-id":["e20050390"],"URL":"https:\/\/doi.org\/10.3390\/e20050390","relation":{},"ISSN":["1099-4300"],"issn-type":[{"type":"electronic","value":"1099-4300"}],"subject":[],"published":{"date-parts":[[2018,5,22]]}}}