Table 1. The purpose and operation of each event.
Fig 1. Classification framework for APT malicious software based on multi-feature fusion.
Fig 2. Typical malicious software behavior of the APT30 family.
Fig 3. APT30 sample behavior of creating forged Word files.
Fig 4. Connecting to a remote C&C server.
Fig 5. Generating malicious executable files of APT30 samples.
Fig 6. Deleting the malicious executable file generated by the APT30 sample.
Fig 7. Typical malicious software behavior of the DarkHotel family.
Fig 8. Connecting to the remote malicious domain.
Fig 9. Traversing the system process list.
Fig 10. Generating a malicious executable file for encryption and authentication purposes.
Fig 11. Generating a disguised acroproedit file for the DarkHotel sample.
Fig 12. Process behavior information in JSON reports.
Fig 13. APT malware code snippet.
Fig 14. The behavior graph of the code snippet.
Fig 15. Directed multi-edge behavior isomorphism graph.
Table 2. Operating system resource types and API calls.
Table 3. Primary extracted opcodes.
Fig 16. The opcode frequency co-occurrence matrix image.
Fig 17. Behavior graph feature engineering module.
Fig 18. Details of operations in the GGNN network.
Fig 19. ImageCNTM model.
Table 4. APT family and sample size.
Table 5. Comparison of related papers based on dynamic behavior models.
Table 6. Comparison of related papers based on static structural models.
Table 7. Comparison of APT malware related papers.
Fig 20. Confusion matrix for multiple classifications of APT malware.
Fig 21. Original features.
Fig 22. The t-SNE plot after passing through the classification layer.
Fig 23. Ablation study of graph learning model.
Fig 24. Ablation study of image learning model.
Fig 25. Comparison of multi-feature fusion modules.
Fig 26. Comparison of single-feature and multi-feature fusion modules.