In recent years, extensive research has been conducted on Advanced Persistent Threat (APT) attack defence. However, most existing defence solutions can only identify and temporarily disrupt cyber attacks, seeking to deny the threat access to the intranet, which makes it difficult to defend against APT attacks. Attributing an APT attack to the organization behind it is an excellent complement to existing defence solutions: it can expose the attacker's true identity and provide evidence to bring the attacker to justice. However, research on attributing APT organizations is still scarce, and the task is complex because APT attacks are highly targeted, stealthy, persistent and organized. To address this problem, we propose a Particle Swarm Optimization Multiclass Support Vector Machine (PSO-MSVM) approach that automatically identifies the organization behind a complex APT attack. First, we collected a large amount of data on the traces left by APT attack tools executed in a sandbox and selected the data most closely related to APT organizations to construct the feature set. Second, a fitness value derived from the misclassification information guides the particle swarm: each particle's personal best (pbest) and the swarm's global best (gbest) are retained as the particles move, and the particle positions are updated iteratively until the optimal MSVM parameters (the penalty parameter $C$ and the kernel width parameter $\sigma$) are obtained, enabling the MSVM to identify APT organizations accurately. The results obtained with the PSO-MSVM approach show its superiority in three measures, accuracy, precision and F1, compared with six other classical methods.
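The following is an added, self-contained illustration of the PSO-over-(C, σ) idea described in the abstract; it is not the paper's code, data or implementation. It assumes a one-vs-rest multiclass SVM trained with kernel Pegasos (a stochastic sub-gradient SVM solver, chosen here only so the block has no third-party dependencies), a standard inertia-weight PSO update with constants w=0.7, c1=c2=1.5, and a constructed two-feature dataset for three hypothetical APT groups whose feature names and cluster centres are invented. The swarm's fitness is the misclassification rate on a held-out validation split, and pbest/gbest keep the lowest fitness seen, as in the abstract.

```python
"""Added example: PSO search over the (C, sigma) hyperparameters of a one-vs-rest
RBF-kernel SVM, with the swarm's fitness taken from the validation
misclassification rate. Pure Python, no third-party packages.

All of the following are assumptions made for this example and are NOT from the
paper: the feature semantics, the cluster centres, the PSO constants, and the use
of kernel Pegasos as the multiclass SVM trainer."""
import math
import random

C_BOUNDS = (-1.0, 2.0)      # search log10(C) in [-1, 2], i.e. C in [0.1, 100]
SIGMA_BOUNDS = (0.05, 2.0)  # RBF kernel width sigma


def make_dataset(seed, n_per_group=15):
    """Constructed sandbox-trace features for three hypothetical APT groups:
    (fraction of API calls touching the registry, normalised beacon interval)."""
    rng = random.Random(seed)
    centres = [(0.15, 0.15), (0.85, 0.20), (0.50, 0.85)]  # invented group centres
    xs, ys = [], []
    for label, (cx, cy) in enumerate(centres):
        for _ in range(n_per_group):
            xs.append((cx + rng.gauss(0, 0.05), cy + rng.gauss(0, 0.05)))
            ys.append(label)
    return xs, ys


def rbf(a, b, sigma):
    d2 = sum((p - q) ** 2 for p, q in zip(a, b))
    return math.exp(-d2 / (2.0 * sigma * sigma))


def train_binary(xs, ys_pm, c, sigma, rng, epochs=5):
    """Kernel Pegasos (stochastic sub-gradient SVM). The SVM penalty C maps to the
    Pegasos regulariser as lambda = 1 / (C * n). Returns (weight, vector) pairs."""
    n = len(xs)
    lam = 1.0 / (c * n)
    alpha = [0] * n
    t = 0
    for _ in range(epochs * n):
        t += 1
        i = rng.randrange(n)
        margin = sum(alpha[j] * ys_pm[j] * rbf(xs[j], xs[i], sigma)
                     for j in range(n) if alpha[j]) / (lam * t)
        if ys_pm[i] * margin < 1.0:   # hinge-loss violation: add this point
            alpha[i] += 1
    scale = 1.0 / (lam * t)
    return [(alpha[j] * ys_pm[j] * scale, xs[j]) for j in range(n) if alpha[j]]


def train_msvm(xs, ys, c, sigma, seed=1):
    """One-vs-rest multiclass SVM: one binary model per APT group."""
    rng = random.Random(seed)
    return {k: train_binary(xs, [1 if y == k else -1 for y in ys], c, sigma, rng)
            for k in sorted(set(ys))}


def predict(models, sigma, x):
    return max(models, key=lambda k: sum(w * rbf(sv, x, sigma) for w, sv in models[k]))


def misclassification_rate(models, sigma, xs, ys):
    return sum(predict(models, sigma, x) != y for x, y in zip(xs, ys)) / len(xs)


def pso_msvm(train, val, n_particles=6, iters=8, seed=0, w=0.7, c1=1.5, c2=1.5):
    """PSO over (log10 C, sigma). Fitness = misclassification rate on `val`;
    pbest and gbest retain the lowest fitness seen. Returns the tuned parameters."""
    rng = random.Random(seed)
    bounds = (C_BOUNDS, SIGMA_BOUNDS)

    def fitness(p):
        c, sigma = 10 ** p[0], p[1]
        return misclassification_rate(train_msvm(train[0], train[1], c, sigma),
                                      sigma, val[0], val[1])

    pos = [[rng.uniform(*b) for b in bounds] for _ in range(n_particles)]
    vel = [[0.0, 0.0] for _ in range(n_particles)]
    pbest = [p[:] for p in pos]
    pbest_fit = [fitness(p) for p in pos]
    g = min(range(n_particles), key=pbest_fit.__getitem__)
    gbest, gbest_fit = pbest[g][:], pbest_fit[g]
    initial_best = gbest_fit
    for _ in range(iters):
        for i in range(n_particles):
            for d in range(2):
                r1, r2 = rng.random(), rng.random()
                vel[i][d] = (w * vel[i][d]
                             + c1 * r1 * (pbest[i][d] - pos[i][d])
                             + c2 * r2 * (gbest[d] - pos[i][d]))
                lo, hi = bounds[d]
                pos[i][d] = min(max(pos[i][d] + vel[i][d], lo), hi)  # clamp to box
            f = fitness(pos[i])
            if f < pbest_fit[i]:
                pbest[i], pbest_fit[i] = pos[i][:], f
                if f < gbest_fit:
                    gbest, gbest_fit = pos[i][:], f
    return {"C": 10 ** gbest[0], "sigma": gbest[1],
            "fitness": gbest_fit, "initial_best": initial_best}


def run_demo(seed=0):
    train = make_dataset(seed, n_per_group=15)
    val = make_dataset(seed + 1, n_per_group=8)
    return pso_msvm(train, val, seed=seed)


if __name__ == "__main__":
    print(run_demo())
```

Two practical caveats that the abstract glosses over: the fitness is evaluated on a split that must not overlap the training traces (here a separately seeded validation set), otherwise the swarm simply overfits C and σ to the training data; and because every fitness evaluation retrains the full multiclass SVM, the cost grows as particles × iterations × classes, which is why the swarm here is kept small.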