A Semantic Co-occurrence Network-Based Method for Learning and Aggregating Attack Capability Features (一种基于语义共现网络的攻击能力特征学习与聚合方法)
Abstract: In the attribution of APT (Advanced Persistent Threat) groups, attack capability features are key information. However, the raw attack capability features extracted by VirusTotal suffer from high dimensionality, redundant information, and significant noise, which hinder the effective learning of these features by attribution models. Additionally, APT attackers often employ techniques such as component substitution, dynamic file naming, and code obfuscation to evade security detection, so that traditional static feature engineering methods cannot cope with the resulting feature shifts and changes in attack strategy, which reduces the accuracy and stability of attribution. To address these issues, this paper constructs an attack capability feature semantic co-occurrence network and uses GraphSAGE to learn the character-level features and co-occurrence relationships of attack capability features. Combined with a feature aggregation strategy, this produces an APT group attack capability feature gene bank that enhances the robustness and attribution power of the features. On this basis, a soft-voting ensemble learning method is further proposed that fuses the decision results of multiple sub-models to achieve more robust attribution of attack tools.
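The abstract describes a three-stage pipeline: build a feature co-occurrence network, embed its nodes with GraphSAGE over character-level inputs, then aggregate per-group embeddings and combine sub-model decisions by soft voting. The following added example (not code from the paper or its authors) walks through the skeleton of that pipeline on a constructed set of four tool samples with invented capability tags. It replaces the trained GraphSAGE model with a single untrained GraphSAGE-style mean-aggregation step and uses hashed character trigrams as node input, so it illustrates the data flow rather than reproducing the paper's results; the group labels, tag strings and sub-model probabilities are all assumptions.

```python
"""Toy pipeline illustrating the abstract's stages on constructed data:
1. attack-capability feature co-occurrence network,
2. GraphSAGE-style mean neighbour aggregation over character-level node features
   (one untrained aggregation step, not a trained GraphSAGE model),
3. per-group aggregation into a 'gene' vector and a soft-voting ensemble."""
from collections import defaultdict
from itertools import combinations
import hashlib
import math

# Constructed sample: tool -> (APT group label, set of capability tags).
# Tags imitate the style of sandbox/behaviour features; all values are invented.
SAMPLES = {
    "tool_a": ("GroupX", {"persistence:run_key", "c2:http_beacon", "inject:process_hollowing"}),
    "tool_b": ("GroupX", {"persistence:run_key", "c2:http_beacon", "evasion:packer_upx"}),
    "tool_c": ("GroupY", {"c2:dns_tunnel", "cred:lsass_dump", "evasion:packer_upx"}),
    "tool_d": ("GroupY", {"c2:dns_tunnel", "cred:lsass_dump", "persistence:service"}),
}

DIM = 32  # size of the hashed character-trigram vector per node


def char_ngram_vector(feature, n=3, dim=DIM):
    """Character-level input: hash each n-gram of the tag into a fixed-size count vector,
    so renamed or slightly mutated tags still share most of their representation."""
    vec = [0.0] * dim
    padded = f"#{feature}#"
    for i in range(len(padded) - n + 1):
        gram = padded[i:i + n]
        idx = int(hashlib.sha256(gram.encode()).hexdigest(), 16) % dim
        vec[idx] += 1.0
    return vec


def build_cooccurrence_network(samples):
    """Nodes are capability tags; edge weight = number of tools in which two tags co-occur."""
    weights = defaultdict(int)
    nodes = set()
    for _, (_, feats) in samples.items():
        nodes.update(feats)
        for u, v in combinations(sorted(feats), 2):
            weights[(u, v)] += 1
    adj = defaultdict(dict)
    for (u, v), w in weights.items():
        adj[u][v] = w
        adj[v][u] = w
    return nodes, adj


def _l2_normalize(vec):
    norm = math.sqrt(sum(x * x for x in vec)) or 1.0
    return [x / norm for x in vec]


def sage_mean_layer(nodes, adj):
    """One GraphSAGE-style step: h_v = normalise(x_v || weighted mean of neighbour x_u).
    No learned weight matrix; this shows only the neighbourhood-aggregation pattern."""
    x = {v: char_ngram_vector(v) for v in nodes}
    h = {}
    for v in nodes:
        neigh = adj.get(v, {})
        total = sum(neigh.values())
        if total:
            mean = [sum(w * x[u][i] for u, w in neigh.items()) / total for i in range(DIM)]
        else:
            mean = [0.0] * DIM  # isolated tag: no neighbour information
        h[v] = _l2_normalize(x[v] + mean)  # concatenation -> 2*DIM values
    return h


def group_gene_vectors(samples, h):
    """Feature aggregation: mean of node embeddings over every tag a group's tools exhibit."""
    per_group = defaultdict(list)
    for _, (group, feats) in samples.items():
        per_group[group].extend(h[f] for f in feats)
    return {g: [sum(col) / len(vecs) for col in zip(*vecs)] for g, vecs in per_group.items()}


def soft_vote(prob_outputs, weights=None):
    """Soft voting: (weighted) average of each sub-model's class-probability dict."""
    weights = weights or [1.0] * len(prob_outputs)
    acc = defaultdict(float)
    for w, probs in zip(weights, prob_outputs):
        for label, p in probs.items():
            acc[label] += w * p
    total = sum(weights)
    averaged = {k: v / total for k, v in acc.items()}
    return max(averaged, key=averaged.get), averaged


if __name__ == "__main__":
    nodes, adj = build_cooccurrence_network(SAMPLES)
    genes = group_gene_vectors(SAMPLES, sage_mean_layer(nodes, adj))
    print(sorted(genes), "gene vectors of length", len(genes["GroupX"]))
    # Constructed sub-model outputs: two of three favour GroupX by a small margin,
    # one strongly favours GroupY, so soft voting picks GroupY where a hard vote would not.
    print(soft_vote([{"GroupX": 0.6, "GroupY": 0.4},
                     {"GroupX": 0.3, "GroupY": 0.7},
                     {"GroupX": 0.55, "GroupY": 0.45}]))
```

Note how the shared tag `evasion:packer_upx` links the two groups' sub-graphs: a tool that swaps one component or renames a file still lands near its neighbours after aggregation, which is the robustness the abstract attributes to learning co-occurrence structure rather than raw tag identity.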
Authors: 李婧雯 (Li Jingwen), 张茹 (Zhang Ru), 刘功申 (Liu Gongshen), 张童 (Zhang Tong), 尤扬 (You Yang)

Affiliations:
1. 李婧雯, 张茹, 张童: School of Cyberspace Security, Beijing University of Posts and Telecommunications (北京邮电大学网络空间安全学院), Beijing 100876
2. 刘功申: School of Cyber Science and Engineering, Shanghai Jiao Tong University (上海交通大学网络空间安全学院), Shanghai 200030
3. 尤扬: NSFOCUS Technologies Group Co., Ltd. (北京神州绿盟科技有限公司), Beijing 100089
Subject classification: Computing technology, computer technology
Keywords: semantic co-occurrence network, feature aggregation, APT groups, attribution (语义共现网络, 特征聚合, APT组织, 归因)
Citation: 李婧雯, 张茹, 刘功申, 张童, 尤扬. A Semantic Co-occurrence Network-Based Method for Learning and Aggregating Attack Capability Features [EB/OL]. (2025-04-17) [2025-05-31]. http://www.paper.edu.cn/releasepaper/content/202504-161.