{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,15]],"date-time":"2025-11-15T10:36:21Z","timestamp":1763202981628,"version":"build-2065373602"},"reference-count":41,"publisher":"MDPI AG","issue":"7","license":[{"start":{"date-parts":[[2025,6,30]],"date-time":"2025-06-30T00:00:00Z","timestamp":1751241600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100019065","name":"Tianjin Municipal Science and Technology Program","doi-asserted-by":"publisher","award":["23YDTPJC00350"],"award-info":[{"award-number":["23YDTPJC00350"]}],"id":[{"id":"10.13039\/501100019065","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Symmetry"],"abstract":"<jats:p>Advanced persistent threat (APT) attacks present significant challenges to cybersecurity due to their covert nature, high complexity, and ability to operate across multiple temporal and spatial scales. Existing detection techniques often struggle with issues like class imbalance, insufficient feature extraction, and the inability to capture complex attack dependencies. To address these limitations, we propose a dual-phase framework for APT detection, combining multi-feature-conditioned generative adversarial networks (MF-CGANs) for data reconstruction and a multi-scale convolution and channel attention-enhanced graph convolutional network (MC-GCN) for improved attack detection. The MF-CGAN model generates minority-class samples to resolve the class imbalance problem, while MC-GCN leverages advanced feature extraction and graph convolution to better model the intricate relationships within network traffic data. Experimental results show that the proposed framework achieves significant improvements over baseline models. Specifically, MC-GCN outperforms traditional CNN-based IDS models, with accuracy, precision, recall, and F1-score improvements ranging from 0.47% to 13.41%. The MC-GCN model achieves an accuracy of 99.87%, surpassing CNN (86.46%) and GCN (99.24%), while also exhibiting high precision (99.87%) and recall (99.88%). These results highlight the proposed model\u2019s superior ability to handle class imbalance and capture complex attack behaviors, establishing it as a leading approach for APT detection.<\/jats:p>","DOI":"10.3390\/sym17071026","type":"journal-article","created":{"date-parts":[[2025,6,30]],"date-time":"2025-06-30T10:03:48Z","timestamp":1751277828000},"page":"1026","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["Symmetric Dual-Phase Framework for APT Attack Detection Based on Multi-Feature-Conditioned GAN and Graph Convolutional Network"],"prefix":"10.3390","volume":"17","author":[{"given":"Qi","family":"Liu","sequence":"first","affiliation":[{"name":"School of Computer and Information Engineering, Tianjin Chengjian University, Tianjin 300384, China"}]},{"given":"Yao","family":"Dong","sequence":"additional","affiliation":[{"name":"School of Computer and Information Engineering, Tianjin Chengjian University, Tianjin 300384, China"}]},{"given":"Chao","family":"Zheng","sequence":"additional","affiliation":[{"name":"Smart Education Research and Development Center, Open University, Tianjin 300191, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-8720-9335","authenticated-orcid":false,"given":"Hualin","family":"Dai","sequence":"additional","affiliation":[{"name":"School of Computer and Information Engineering, Tianjin Chengjian University, Tianjin 300384, China"}]},{"given":"Jiaxing","family":"Wang","sequence":"additional","affiliation":[{"name":"School of Computer and Information Engineering, Tianjin Chengjian University, Tianjin 300384, China"}]},{"given":"Liyuan","family":"Ning","sequence":"additional","affiliation":[{"name":"School of Computer and Information Engineering, Tianjin Chengjian University, Tianjin 300384, China"}]},{"given":"Qiqi","family":"Liang","sequence":"additional","affiliation":[{"name":"School of Computer and Information Engineering, Tianjin Chengjian University, Tianjin 300384, China"}]}],"member":"1968","published-online":{"date-parts":[[2025,6,30]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"1851","DOI":"10.1109\/COMST.2019.2891891","article-title":"A survey on advanced persistent threats: Techniques, solutions, challenges, and research opportunities","volume":"21","author":"Alshamrani","year":"2019","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"102875","DOI":"10.1016\/j.cose.2022.102875","article-title":"APT beaconing detection: A systematic review","volume":"122","author":"Talib","year":"2022","journal-title":"Comput. Secur."},{"key":"ref_3","unstructured":"Cole, E. (2012). Advanced Persistent Threat: Understanding the Danger and How to Protect Your Organization, Newnes."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"9355","DOI":"10.1007\/s12652-023-04603-y","article-title":"Advanced persistent threats (apt): Evolution, anatomy, attribution and countermeasures","volume":"14","author":"Sharma","year":"2023","journal-title":"J. Ambient. Intell. Humaniz. Comput."},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Malik, V., Khanna, A., and Sharma, N. (2024). Advanced Persistent Threats (APTs): Detection Techniques and Mitigation Strategies. Int. J. Glob. Innov. Solut. (IJGIS).","DOI":"10.21428\/e90189c8.91e89a3e"},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"3134","DOI":"10.30534\/ijeter\/2020\/42872020","article-title":"Detecting APT attacks based on network flow","volume":"8","author":"Nikolaevich","year":"2020","journal-title":"Int. J. Emerg. Trends Eng. Res."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"98","DOI":"10.1186\/s40537-022-00648-6","article-title":"The use of generative adversarial networks to alleviate class imbalance in tabular data: A survey","volume":"9","author":"Khoshgoftaar","year":"2022","journal-title":"J. Big Data"},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Akbar, K.A., Wang, Y., Islam, M.S., Singhal, A., Khan, L., and Thuraisingham, B. (2021, January 16\u201320). Identifying tactics of advanced persistent threats with limited attack traces. Proceedings of the Information Systems Security: 17th International Conference, ICISS 2021, Patna, India. Proceedings 17.","DOI":"10.1007\/978-3-030-92571-0_1"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Xuan, C.D., and Cuong, N.H. (2024). A novel approach for APT attack detection based on feature intelligent extraction and representation learning. PLoS ONE, 19.","DOI":"10.1371\/journal.pone.0305618"},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"49114","DOI":"10.1109\/ACCESS.2023.3275789","article-title":"Graph neural networks for intrusion detection: A survey","volume":"11","author":"Bilot","year":"2023","journal-title":"IEEE Access"},{"key":"ref_11","first-page":"139","article-title":"Generative adversarial nets","volume":"27","author":"Goodfellow","year":"2014","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"121","DOI":"10.1007\/s00779-019-01332-y","article-title":"GAN-based imbalanced data intrusion detection system","volume":"25","author":"Lee","year":"2021","journal-title":"Pers. Ubiquitous Comput."},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Sharafaldin, I., Lashkari, A.H., and Ghorbani, A.A. (2018, January 22\u201324). Toward generating a new intrusion detection dataset and intrusion traffic characterization. Proceedings of the 4th International Conference on Information Systems Security and Privacy-ICISSP, Funchal, Portugal.","DOI":"10.5220\/0006639801080116"},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Lin, Z., Shi, Y., and Xue, Z. (2022, January 16\u201319). Idsgan: Generative adversarial networks for attack generation against intrusion detection. Proceedings of the Pacific-Asia Conference on Knowledge Discovery and Data Mining, Chengdu, China.","DOI":"10.1007\/978-3-031-05981-0_7"},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"1009","DOI":"10.1016\/j.ins.2019.10.014","article-title":"Conditional Wasserstein generative adversarial network-gradient penalty-based approach to alleviating imbalanced data classification","volume":"512","author":"Zheng","year":"2020","journal-title":"Inf. Sci."},{"key":"ref_16","unstructured":"Mirza, M. (2014). Conditional generative adversarial nets. arXiv."},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"13635","DOI":"10.1007\/s00521-021-05993-w","article-title":"DGM: A data generative model to improve minority class presence in anomaly detection domain","volume":"33","author":"Dlamini","year":"2021","journal-title":"Neural Comput. Appl."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Lee, J.H., and Park, K.H. (2019). AE-CGAN model based high performance network intrusion detection system. Appl. Sci., 9.","DOI":"10.3390\/app9204221"},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Yang, Y., Liu, X., Wang, D., Sui, Q., Yang, C., Li, H., Li, Y., and Luan, T. (2025). A CE-GAN based approach to address data imbalance in network intrusion detection systems. Sci. Rep., 15.","DOI":"10.1038\/s41598-025-90815-5"},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"464","DOI":"10.1016\/j.eswa.2017.09.030","article-title":"Effective data generation for imbalanced learning using conditional generative adversarial networks","volume":"91","author":"Douzas","year":"2018","journal-title":"Expert Syst. Appl."},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Yeo, M., Koo, Y., Yoon, Y., Hwang, T., Ryu, J., Song, J., and Park, C. (2018, January 10\u201312). Flow-based malware detection using convolutional neural network. Proceedings of the 2018 International Conference on Information Networking (ICOIN), Chiang Mai, Thailand.","DOI":"10.1109\/ICOIN.2018.8343255"},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"8890306","DOI":"10.1155\/2020\/8890306","article-title":"DL-IDS: Extracting Features Using CNN-LSTM Hybrid Network for Intrusion Detection System","volume":"2020","author":"Sun","year":"2020","journal-title":"Secur. Commun. Netw."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Vinayakumar, R., Soman, K.P., and Poornachandran, P. (2017, January 13\u201316). Applying convolutional neural network for network intrusion detection. Proceedings of the 2017 International Conference on Advances in Computing, Communications and Informatics (ICACCI), Udupi, India.","DOI":"10.1109\/ICACCI.2017.8126009"},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"386","DOI":"10.1016\/j.ins.2019.10.069","article-title":"A hybrid deep learning model for efficient intrusion detection in big data environment","volume":"513","author":"Hassan","year":"2020","journal-title":"Inf. Sci."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Gautam, S., Henry, A., Zuhair, M., Rashid, M., Javed, A.R., and Maddikunta, P.K.R. (2022). A composite approach of intrusion detection systems: Hybrid RNN and correlation-based feature optimization. Electronics, 11.","DOI":"10.3390\/electronics11213529"},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Zhang, K., Zheng, R., Li, C., Zhang, S., Wu, X., Sun, S., Yang, J., and Zheng, J. (2025). SE-DWNet: An Advanced ResNet-Based Model for Intrusion Detection with Symmetric Data Distribution. Symmetry, 17.","DOI":"10.3390\/sym17040526"},{"key":"ref_27","doi-asserted-by":"crossref","first-page":"122564","DOI":"10.1016\/j.eswa.2023.122564","article-title":"Flowtransformer: A transformer framework for flow-based network intrusion detection systems","volume":"241","author":"Manocchio","year":"2024","journal-title":"Expert Syst. Appl."},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Liu, Y., and Wu, L. (2023). Intrusion detection model based on improved transformer. Appl. Sci., 13.","DOI":"10.3390\/app13106251"},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Ibrahim, N., Shehmir, S., Yadav, A., and Kashef, R. (2024). A Transformer-Based Model for Network Intrusion Detection: Architecture, Classification Heads, and Transformer Blocks. Proceedings of the International IOT, Electronics and Mechatronics Conference, Springer Nature.","DOI":"10.1007\/978-981-97-4780-1_12"},{"key":"ref_30","unstructured":"Kipf, T.N., and Welling, M. (2016). Semi-supervised classification with graph convolutional networks. arXiv."},{"key":"ref_31","first-page":"4785","article-title":"APT attack detection based on flow network analysis techniques using deep learning","volume":"39","author":"Dao","year":"2020","journal-title":"J. Intell. Fuzzy Syst."},{"key":"ref_32","unstructured":"Zhou, J., Xu, Z., Rush, A.M., and Yu, M. (2020). Automating botnet detection with graph neural networks. arXiv."},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Wang, H., Wan, L., and Yang, X. (2025). Defending Graph Neural Networks Against Backdoor Attacks via Symmetry-Aware Graph Self-Distillation. Symmetry, 17.","DOI":"10.3390\/sym17050735"},{"key":"ref_34","first-page":"103149","article-title":"AnoGLA: An efficient scheme to improve network anomaly detection","volume":"66","author":"Ding","year":"2022","journal-title":"J. Inf. Secur. Appl."},{"key":"ref_35","doi-asserted-by":"crossref","first-page":"184","DOI":"10.1007\/s44196-023-00369-5","article-title":"APT Attack Detection Based on Graph Convolutional Neural Networks","volume":"16","author":"Ren","year":"2023","journal-title":"Int. J. Comput. Intell. Syst."},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Xuan, C.D., and Nguyen, T.T. (2024). A novel approach for APT attack detection based on an advanced computing. Sci. Rep., 14.","DOI":"10.1038\/s41598-024-72957-0"},{"key":"ref_37","first-page":"3459","article-title":"A new framework for APT attack detection based on network traffic","volume":"44","author":"Nguyen","year":"2023","journal-title":"J. Intell. Fuzzy Syst."},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Lewis-Beck, M.S., Bryman, A., and Liao, T.F. (2004). Encyclopedia of Social Science Research Methods, Sage Publishing.","DOI":"10.4135\/9781412950589"},{"key":"ref_39","doi-asserted-by":"crossref","first-page":"17265","DOI":"10.1007\/s00500-020-05017-0","article-title":"A deep learning approach for effective intrusion detection in wireless networks using CNN","volume":"24","author":"Riyaz","year":"2020","journal-title":"Soft Comput."},{"key":"ref_40","doi-asserted-by":"crossref","first-page":"5363750","DOI":"10.1155\/2021\/5363750","article-title":"Anomaly detection in encrypted internet traffic using hybrid deep learning","volume":"2021","author":"Bakhshi","year":"2021","journal-title":"Secur. Commun. Netw."},{"key":"ref_41","doi-asserted-by":"crossref","first-page":"99837","DOI":"10.1109\/ACCESS.2022.3206425","article-title":"CNN-LSTM: Hybrid deep neural network for network intrusion detection system","volume":"10","author":"Halbouni","year":"2022","journal-title":"IEEE Access"}],"container-title":["Symmetry"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-8994\/17\/7\/1026\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T18:01:59Z","timestamp":1760032919000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-8994\/17\/7\/1026"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,6,30]]},"references-count":41,"journal-issue":{"issue":"7","published-online":{"date-parts":[[2025,7]]}},"alternative-id":["sym17071026"],"URL":"https:\/\/doi.org\/10.3390\/sym17071026","relation":{},"ISSN":["2073-8994"],"issn-type":[{"type":"electronic","value":"2073-8994"}],"subject":[],"published":{"date-parts":[[2025,6,30]]}}}