Bon-APT: Detection, attribution, and explainability of APT malware using temporal segmentation of API calls

Advanced Persistent Threats (APTs) are highly sophisticated cyberattacks that are aimed at achieving strategic goals and are usually backed by a well-funded entity. In this paper, we tackle the challenges of detecting and attributing APTs by proposing Bon-APT, a temporal learning method that analyzes and segment the occurrences of API calls invoked during the dynamic analysis of the examined PE. Those segments can be used to profile the temporal behavior of an APT, provide insights into its modus operandi, and induce an accurate machine-learning based model for the detection and attribution of APTs. Moreover, Bon-APT provides a human comprehensible explainability regarding the relations among segments as well as the behavior of the APT in each of them. This not only improves transparency and reliability from a human expert perspective, but it can also enrich the security experts with new knowledge regarding APTs' behavior. To evaluate Bon-APT, we built a unique collection of 12,655 APTs, belonging to 188 different cyber-groups and 17 different nations, which, to the best of our knowledge, is the largest collection of its kind. We conducted four experiments to evaluate the proposed method and compared its performance to the performance of state-of-the-art methods on the tasks of APT detection and authorship attribution (for both group and nation). Bon-APT achieved promising results in each of the tasks while outperforming the state-of-the-art methods. Bon-APT also provides a simple and concise explanation regarding its decisions and the APT behavior, as well as an easy, straightforward visual and quantitative behavioral comparison.