Haifeng Lv,Xiaoyu Ji,Yong Ding

DOI: https://doi.org/10.1088/1742-6596/2517/1/012016

2023-01-01

Journal of Physics Conference Series

Abstract:The intrusion detection system (IDS) plays an important part because it offers an efficient way to prevent and mitigate cyber attacks. Numerous deep learning methods for intrusion anomaly detection have been developed as a result of recent advances in artificial intelligence (AI) in order to strengthen internet security. The balance among the high detection rate (DR), the low false alarm rate (FAR) and disaster of dimensionality is the crucial apprehension while devising an effective IDS. For the binary classification of intrusion detection systems, we present in this study a mixed model called K-means-XGBoost consisting of K-means and (Extreme Gradient Boosting, XGBoost) algorithms. The distributed computation of our method is achieved in Spark platform to rapidly separate normal events and anomaly events. In phrases of accuracy, DR, F1-score, recall, precision, and error indices FAR, the proposed model’s performance is measured via the well-known dataset of NSL-KDD. The experimental outcomes indicate that our method is outstandingly better among accuracy, DR, F1-score, training time, and processing speed, compared to other models which are recently created. In particular, the accuracy, F1-score, and DR of the proposed model can achieve as high as 93.28%, 94.39%, and 99.22% in the NSL-KDD dataset, respectively.

Neeraj Saini,Vivekananda Bhat Kasaragod,Krishna Prakasha,Ashok Kumar Das

DOI: https://doi.org/10.1002/cpe.7865

2023-07-19

Concurrency and Computation: Practice and Experience

Abstract:Summary A persistent, targeted cyber attack is called an advanced persistent threat (APT) attack. The attack is mainly launched to gain sensitive information, take over the system, and for financial gain, which creates nowadays more hurdles and challenges for the organization in preventing, detecting, and recovering from such attacks. Due to the nature of APT attacks, it is difficult to detect them quickly. Therefore machine learning techniques come into these research areas. This study uses deep and machine learning models such as random forest, decision tree, convolutional neural network, multilayer perceptron and so forth to categorize and effectively detect APT attacks by utilizing publicly accessible datasets. The datasets used in this study are CSE‐CIC‐IDS2018, CIC‐IDS2017, NSL‐KDD, and UNSW‐NB15. This study proposes the hybrid ensemble machine learning model, a mixed approach of random forest and XGBoost classifiers. It has obtained the maximum prediction accuracy of 98.92%, 99.91%, 99.24%, and 97.11% for datasets CSE‐CIC‐IDS2018, CIC‐IDS2017, NSL‐KDD, and UNSW‐NB15, with a false positive rate of 0.52%, 0.12%, 0.62%, and 5.29% respectively. These results are compared to other closely related recent studies in the literature. Our experiment's findings show that our model has performed significantly better for all datasets.

computer science, theory & methods, software engineering

Cho Do Xuan,Tung Thanh Nguyen

DOI: https://doi.org/10.1038/s41598-024-72957-0

IF: 4.6

2024-09-28

Scientific Reports

Abstract:To enhance the effectiveness of the Advanced Persistent Threat (APT) detection process, this research proposes a new approach to build and analyze the behavior profiles of APT attacks in network traffic. To achieve this goal, this study carries out two main objectives, including (i) building the behavior profile of APT IP in network traffic using a new intelligent computation method; (ii) analyzing and evaluating the behavior profile of APT IP based on a deep graph network. Specifically, to build the behavior profile of APT IP, this article describes using a combination of two different data mining methods: Bidirectional Long Short-Term Memory (Bi) and Attention (A). Based on the obtained behavior profile, the Dynamic Graph Convolutional Neural Network (DGCNN) is proposed to extract the characteristics of APT IP and classify them. With the flexible combination of different components in the model, the important information and behavior of APT attacks are demonstrated, not only enhancing the accuracy of detecting attack campaigns but also reducing false predictions. The experimental results in the paper show that the method proposed in this study has brought better results than other approaches on all measurements. In particular, the accuracy of APT attack prediction results (Precision) reached from 84 to 91%, higher than other studies of over 7%. These experimental results have proven that the proposed BiADG model for detecting APT attacks in this study is proper and reasonable. In addition, those experimental results have not only proven the effectiveness and superiority of the proposed method in detecting APT attacks but have also opened up a new approach for other cyber-attack detections such as distributed denial of service, botnets, malware, phishing, etc.

multidisciplinary sciences

Indra Kumari,Minho Lee

DOI: https://doi.org/10.1016/j.heliyon.2023.e21377

IF: 3.776

2023-10-30

Heliyon

Abstract:Advanced Persistent Threat (APT) attacks pose significant challenges for AI models in detecting and mitigating sophisticated and highly effective cyber threats. This research introduces a novel concept called Hybrid HHOSSA which is the grouping of Harris Hawk Optimization (HHO) and Sparrow Search Algorithm (SSA) characteristics for optimizing the feature selection and data balancing in the context of APT detection. In addition, the light GBM as well as the weighted average Bi-LSTM are optimized by the proposed hybrid HHOSSA optimization. The HHOSSA-based attribute selection is used to choose the most important attributes from the provided dataset in the early step of the quasi-identifier detection. The HHOSSA-SMOTE algorithm effectively balances the unbalanced data, such as the lateral movements and the data exfiltration in the DAPT 2020 database, which further improves the classifier performance. The light GBM and the Bi-LSTM classifier hyperparameters are well attuned and classified by the HHOSSA optimization for the precise classification of the attacks. The outcome of both the optimized light GBM and the Bi-LSTM classifier generates the final prediction of the attacks existing in the network. According to the research findings, the HHOSSA-hybrid classifier achieves high accuracy in detecting attacks, with an accuracy rate of 94.468 %, a sensitivity of 94.650 %, and a specificity of 95.230 % with a K-fold value of 10. Also, the HHOSSA-hybrid classifier achieves the highest AUC percentage of 97.032, highlighting its exceptional performance in detecting APT attacks.

Na Xu,Shudong Li,Xiaobo Wu,Weihong Han,Xiaojing Luo

DOI: https://doi.org/10.1109/dsc53577.2021.00101

2021-10-01

Abstract:Advanced Persistent Threat (APT) attack activities with the theme of COVID-19 and vaccine are also growing rapidly. The target of APT attack has gradually expanded from government agencies to vaccine manufacturers, medical industry and so on. What's more, APT groups have a strict organizational structure and professional division of labor and malware delivered by the same APT groups are similar. Classifying malware samples into known APT groups in time can minimize losses as soon as possible and keep relevant industries vigilant. In our paper, we proposed a multi-classification method of APT malware based on Adaboost and LightGBM. We collect real APT malware samples that have been delivered by 12 known APT groups. The API call sequence of each APT malware is obtained through the sandbox. For the relationship between adjacent APIs, we use TF-IDF algorithm combined with bi-gram. Then, Adaboost algorithm is used to select out the important API features, which form the target feature subset. Finally, we use the above subset combined with LightGBM ensemble algorithm to train multiple classifiers, named Ada-LightGBM. The experimental results show that our method is superior to the single Adaboost and LightGBM method. The classifier has good recognition performance for the test samples.

Wen-Lin Chu,Chih-Jer Lin,Ke-Neng Chang

DOI: https://doi.org/10.3390/app9214579

2019-10-28

Applied Sciences

Abstract:Traditional network attack and hacking models are constantly evolving to keep pace with the rapid development of network technology. Advanced persistent threat (APT), usually organized by a hacker group, is a complex and targeted attack method. A long period of strategic planning and information search usually precedes an attack on a specific goal. Focus is on a targeted object and customized specific methods are used to launch the attack and obtain confidential information. This study offers an attack detection system that enables early discovery of the APT attack. The system uses the NSL-KDD database for attack detection and verification. The main method uses principal component analysis (PCA) for feature sampling and the enhancement of detection efficiency. The advantages and disadvantages of using the classifiers are then compared to detect the dataset, the classifier supports the vector machine, naive Bayes classification, the decision tree and neural networks. Results of the experiments show the support vector machine (SVM) to have the highest recognition rate, reaching 97.22% (for the trained subdata A). The purpose of this study was to establish an APT early warning model mechanism, that could be used to reduce the impact and influence of APT attacks.

Hao Yue,Tong Li,Di Wu,Runzi Zhang,Zhen Yang

DOI: https://doi.org/10.1016/j.cose.2024.103748

IF: 5.105

2024-05-01

Computers & Security

Abstract:Advanced persistent threats (APTs) are a significant threat to network security as they can disintegrate the security fortress of enterprises. Recent studies have focused on detecting APT attacks by matching typical tactics, techniques, and procedures (TTPs) associated with APT attacks. However, the lack of positive APT samples affects the performance of existing approaches. To address this challenge, we propose a novel attack intent-driven and sequence-based learning approach (AISL) for APT detection. AISL integrates heterogeneous audit data and creates corresponding security tags based on attack intent. Specifically, we investigate various data sources of attack detection and establish a dedicated network event ontology. Based on this ontology, we construct a provenance graph that integrates audit data from heterogeneous sources. During the construction of the provenance graph, we identify and tag potential attack behaviors based on attack intent to increase the number of positive samples in the dataset. Finally, we train a tag-sequence-based semantic model for APT detection. We evaluated AISL through ten realistic APT attacks and achieved an average precision of 93.05%, recall of 98.12%, and F1-score of 95.36%, outperforming state-of-the-art approaches.

computer science, information systems

Peng Chen,Yunfei Guo,Jianpeng Zhang,Yawen Wang,Hongchao Hu

DOI: https://doi.org/10.1109/ICCC51575.2020.9345300

2020-01-01

Abstract:Intrusion Detection System (IDS) plays a vital role in cybersecurity. One major challenge in state-of-the-art IDS is that the Advanced Persistent Threats (APTs) cannot be well detected. Deep Neural Networks (DNNs) extract latent features of input data, which is considered to be able to capture intrinsic property of APTs, to detect APTs. However, DNN is not well used in APT detection. In this paper, a DNN model is utilized for intrusion detection and a novel method of preprocessing is proposed to improve the performance of the detection algorithms. We consider the statistical characteristics of training set to be the statistical characteristics of test set and detection set. Experiment results show that our preprocessing methodology achieves a better performance in terms of accuracy, recall and F1 Score than traditional preprocessing methods, which means a better detection for APTs.

Arun Kumar Silivery,Ram Mohan Rao Kovvur

DOI: https://doi.org/10.1016/j.measen.2023.100924

2023-10-25

Abstract:This proposed model introduces novel deep learning methodologies. The objective here is to create a reliable intrusion detection mechanism to help identify malicious attacks. Deep learning based solution framework is developed consisting of three approaches. The first approach is Long-Short Term Memory Recurrent Neural Network (LSTM-RNN) with seven optimizer functions such as adamax, SGD, adagrad, adam, RMSprop, nadam and adadelta. The model is evaluated on NSL-KDD dataset and classified multi attack classification. The model has outperformed with adamax optimizer in terms of accuracy, detection rate and low false alarm rate. The results of LSTM-RNN with adamax optimizer is compared with existing shallow machine and deep learning models in terms of accuracy, detection rate and low false alarm rate. The multi model methodology consisting of Recurrent Neural Network (RNN), Long-Short Term Memory Recurrent Neural Network (LSTM-RNN), and Deep Neural Network (DNN). The multi models are evaluated on bench mark datasets such as KDD99, NSL-KDD, and UNSWNB15 datasets. The models self-learnt the features and classifies the attack classes as multi-attack classification. The models RNN, and LSTM-RNN provide considerable performance compared to other existing methods on KDD99 and NSL-KDD dataset

Networking and Internet Architecture,Machine Learning

Xuan Cho Do,Hai Anh Tran,Thi Lan Phuong Nguyen

DOI: https://doi.org/10.1007/s10489-024-05750-1

IF: 5.3

2024-10-01

Applied Intelligence

Abstract:Advanced Persistent Threat (APT) attack is one of the most dangerous cyber-attack techniques nowadays. Therefore, the issue of detecting and predicting the spread of APT malware in the network is a very urgent issue to help the process of preventing this attack effectively. In this paper, we propose a new approach that is capable of predicting the spread of APT malware in the network based on the APT's own behaviors. Accordingly, to predict the spread of APT malicious code in the system, we propose to use a combination of two single Susceptible‐Infected‐Recovered (SIR) models. Specifically, the first SIR model was built to predict the spread of APT malicious code to devices and computers within the organization. These devices and computers are often used by APT malicious code as a basis to escalate privileges to devices or computers containing important and sensitive information of the organization. The second SIR model has the function of predicting the spread of APT malware to a group of computers containing sensitive information or potentially causing high risks to the organization. The two SIR models will provide information about infections between computer groups in the system to help accurately predict the spread of APT malware in the system. The proposal to combine two SIR models in the article is a new proposal based on the behavior of APT malware in practice. By combining two SIR models, the proposal in this article has opened up a new approach for a number of problems predicting the spread in the internet such as malicious code in wireless sensor networks or malicious information on the social network.

computer science, artificial intelligence

Mohammad Mamun,Kevin Shi

DOI: https://doi.org/10.48550/arXiv.2108.13989

2021-09-01

Abstract:APT, known as Advanced Persistent Threat, is a difficult challenge for cyber defence. These threats make many traditional defences ineffective as the vulnerabilities exploited by these threats are insiders who have access to and are within the network. This paper proposes DeepTaskAPT, a heterogeneous task-tree based deep learning method to construct a baseline model based on sequences of tasks using a Long Short-Term Memory (LSTM) neural network that can be applied across different users to identify anomalous behaviour. Rather than applying the model to sequential log entries directly, as most current approaches do, DeepTaskAPT applies a process tree based task generation method to generate sequential log entries for the deep learning model. To assess the performance of DeepTaskAPT, we use a recently released synthetic dataset, DARPA Operationally Transparent Computing (OpTC) dataset and a real-world dataset, Los Alamos National Laboratory (LANL) dataset. Both of them are composed of host-based data collected from sensors. Our results show that DeepTaskAPT outperforms similar approaches e.g. DeepLog and the DeepTaskAPT baseline model demonstrate its capability to detect malicious traces in various attack scenarios while having high accuracy and low false-positive rates. To the best of knowledge this is the very first attempt of using recently introduced OpTC dataset for cyber threat detection.

Cryptography and Security,Artificial Intelligence

Ali Shan,Seunghwan Myeong

DOI: https://doi.org/10.3390/s24154888

2024-07-27

Abstract:Cyber-security challenges are growing globally and are specifically targeting critical infrastructure. Conventional countermeasure practices are insufficient to provide proactive threat hunting. In this study, random forest (RF), support vector machine (SVM), multi-layer perceptron (MLP), AdaBoost, and hybrid models were applied for proactive threat hunting. By automating detection, the hybrid machine learning-based method improves threat hunting and frees up time to concentrate on high-risk warnings. These models are implemented on approach devices, access, and principal servers. The efficacy of several models, including hybrid approaches, is assessed. The findings of these studies are that the AdaBoost model provides the highest efficiency, with a 0.98 ROC area and 95.7% accuracy, detecting 146 threats with 29 false positives. Similarly, the random forest model achieved a 0.98 area under the ROC curve and a 95% overall accuracy, accurately identifying 132 threats and reducing false positives to 31. The hybrid model exhibited promise with a 0.89 ROC area and 94.9% accuracy, though it requires further refinement to lower its false positive rate. This research emphasizes the role of machine learning in improving cyber-security, particularly for critical infrastructure. Advanced ML techniques enhance threat detection and response times, and their continuous learning ability ensures adaptability to new threats.

Haiyan Xuan,Mohith Manohar

2023-12-04

Abstract:As Artificial Intelligence (AI) technologies continue to gain traction in the modern-day world, they ultimately pose an immediate threat to current cybersecurity systems via exploitative methods. Prompt engineering is a relatively new field that explores various prompt designs that can hijack large language models (LLMs). If used by an unethical attacker, it can enable an AI system to offer malicious insights and code to them. In this paper, an enhanced intrusion detection system (IDS) that utilizes machine learning (ML) and hyperparameter tuning is explored, which can improve a model's performance in terms of accuracy and efficacy. Ultimately, this improved system can be used to combat the attacks made by unethical hackers. A standard IDS is solely configured with pre-configured rules and patterns; however, with the utilization of machine learning, implicit and different patterns can be generated through the models' hyperparameter settings and parameters. In addition, the IDS will be equipped with multiple datasets so that the accuracy of the models improves. We evaluate the performance of multiple ML models and their respective hyperparameter settings through various metrics to compare their results to other models and past research work. The results of the proposed multi-dataset integration method yielded an accuracy score of 99.9% when equipped with the XGBoost and random forest classifiers and RandomizedSearchCV hyperparameter technique.

Cryptography and Security,Machine Learning,Networking and Internet Architecture

Aravind Prakash M,Indra Gandhi K,Sriram R,Amaysingh

DOI: https://doi.org/10.3233/apc210005

2021-10-04

Abstract:Recently machine learning algorithms are utilized for identifying network threats. Threats otherwise called as intrusions, will harm the network in a stern manner, thus it must be dealt cautiously. In the proposed research work, a deep learning model has been applied to recognize and categorize unanticipated and unpredictable cyber-attacks. The UNSW NB-15 dataset has a vital number of features which will be learned by the hidden layers present in the suggested model and classified by the output layer. The suitable quantity of layers, neurons in each layer and the optimizer utilized in the proposed work are obtained through a sequence of trial and error experiments. The concluding model acquired can be utilized for estimating future malicious attacks. There are several data preprocessing techniques available at our disposal. We used two types of techniques in our experiment: 1) Log transformation, MinMaxScaling and factorize technique; and 2) Z-score encoding and dummy encoding technique. In general, the selection of data preprocessing techniques has a direct impact on the output performed by any machine learning process and our research, attempts to prove this concept.

Bayi Xu,Lei Sun,Xiuqing Mao,Chengwei Liu,Zhiyi Ding

DOI: https://doi.org/10.32604/cmc.2023.046478

2024-01-01

Abstract:In recent years, frequent network attacks have highlighted the importance of efficient detection methods for ensuring cyberspace security. This paper presents a novel intrusion detection system consisting of a data preprocessing stage and a deep learning model for accurately identifying network attacks. We have proposed four deep neural network models, which are constructed using architectures such as Convolutional Neural Networks (CNN), Bi-directional Long Short-Term Memory (BiLSTM), Bidirectional Gate Recurrent Unit (BiGRU), and Attention mechanism. These models have been evaluated for their detection performance on the NSL-KDD dataset.To enhance the compatibility between the data and the models, we apply various preprocessing techniques and employ the particle swarm optimization algorithm to perform feature selection on the NSL-KDD dataset, resulting in an optimized feature subset. Moreover, we address class imbalance in the dataset using focal loss. Finally, we employ the BO-TPE algorithm to optimize the hyperparameters of the four models, maximizing their detection performance. The test results demonstrate that the proposed model is capable of extracting the spatiotemporal features of network traffic data effectively. In binary and multiclass experiments, it achieved accuracy rates of 0.999158 and 0.999091, respectively, surpassing other state-of-the-art methods.

computer science, information systems,materials science, multidisciplinary

Ying-Dar Lin,Ze-Yu Wang,Po-Ching Lin,Van-Linh Nguyen,Ren-Hung Hwang,Yuan-Cheng Lai

DOI: https://doi.org/10.1016/j.jisa.2022.103248

IF: 4.96

2022-08-01

Journal of Information Security and Applications

Abstract:This work compares the performance of different combinations of data sources for intrusion detection in depth. To learn and distinguish between normal and malicious behavior, we use machine learning algorithms and train three typical models on three kinds of datasets: system logs, packet flows and host statistics. Unlike other studies, our study captures and monitors the behavior from multiple data sources in order to catch security attacks. Our aim is to figure out how to build the most effective dataset for machine learning with a combination of multiple sources. However, since there are no such datasets which have been generated from multiple sources for given attacks, we show how to build and generate a dataset with three data sources. We then compare the F1 score of the detection by applying machine learning algorithms for various combinations of the data sources. Our evaluation results show that the dataset of host statistics results in better performance (0.91) than traffic flows (0.63) and system logs (0.44) because it has the highest average F1-score in the three stages of attacks, while the other datasets may have poor F1-scores in some of the stages, particularly in the stage of impact. However, in the initial access stage of attacks, the dataset of logs performs the best (0.94), and the packet flows are suitable for detecting network DoS attacks (0.82). Furthermore, running this detection with all three data sources results in minor overheads of at most 2.1% CPU utilization. Finally, we analyze the important features of each model, such as the number of logs generated by apache-access, in.telnetd and postfix in the dataset of logs, SrcBytes and TotBytes in the dataset of flows, and MINFLT, VSTEXT and RSIZE in the dataset of statistics.

computer science, information systems

Cho Do Xuan,Nguyen Hoa Cuong

DOI: https://doi.org/10.1371/journal.pone.0305618

IF: 3.7

2024-06-25

PLoS ONE

Abstract:Advanced Persistent Threat (APT) attacks are causing a lot of damage to critical organizations and institutions. Therefore, early detection and warning of APT attack campaigns are very necessary today. In this paper, we propose a new approach for APT attack detection based on the combination of Feature Intelligent Extraction (FIE) and Representation Learning (RL) techniques. In particular, the proposed FIE technique is a combination of the Bidirectional Long Short-Term Memory (BiLSTM) deep learning network and the Attention network. The FIE combined model has the function of aggregating and extracting unusual behaviors of APT IPs in network traffic. The RL method proposed in this study aims to optimize classifying APT IPs and normal IPs based on two main techniques: rebalancing data and contrastive learning. Specifically, the rebalancing data method supports the training process by rebalancing the experimental dataset. And the contrastive learning method learns APT IP's important features based on finding and pulling similar features together as well as pushing contrasting data points away. The combination of FIE and RL (abbreviated as the FIERL model) is a novel proposal and innovation and has not been proposed and published by any research. The experimental results in the paper have proved that the proposed method in the paper is correct and reasonable when it has shown superior efficiency compared to some other studies and approaches over 5% on all measurements.

multidisciplinary sciences

Abdulrahman Mahmoud Eid,Bassel Soudan,Ali Bou Nasif,MohammadNoor Injadat

DOI: https://doi.org/10.1007/s00521-024-09439-x

2024-02-11

Neural Computing and Applications

Abstract:This study investigates the effectiveness of six prominent machine learning models—random forest, decision trees, K-nearest neighbor, logistic regression, support vector machines, and Naïve Bayes—for intrusion detection systems in industrial Internet of Things environments. The evaluation encompasses the effects of data preprocessing techniques, including feature engineering, data normalization, recoding, and missing data mitigation. Furthermore, the research delves into dataset balancing, examining the effects of six different techniques on model performance. The investigations are conducted using the domain-specific WUSTL-IIOT-2021 dataset, which captures the unique characteristics of IIoT data. The study also investigates multi-class attack identification utilizing an innovative SMOTE-based multi-class balancing approach to tackle dataset imbalances. The results indicate that data preprocessing and intelligent dataset balancing produce consistent enhancements in the classification performance of the selected models across binary and multi-classification tasks. Random forest emerges as the standout algorithm, delivering consistently high performance with computational efficiency.

computer science, artificial intelligence

Wei Ma,Yunyun Hou,Mingyu Jin,Pengpeng Jian

DOI: https://doi.org/10.1371/journal.pone.0300821

IF: 3.7

2024-03-26

PLoS ONE

Abstract:Multi-stage attacks are one of the most critical security threats in the current cyberspace. To accurately identify multi-stage attacks, this paper proposes an anomaly-based multi-stage attack detection method. It constructs a Multi-Stage Profile (MSP) by modeling the stable system's normal state to detect attack behaviors. Initially, the method employs Doc2Vec to vectorize alert messages generated by the intrusion detection systems (IDS), extracting profound inter-message correlations. Subsequently, Hidden Markov Models (HMM) are employed to model the normal system state, constructing an MSP, with relevant HMM parameters dynamically acquired via clustering algorithms. Finally, the detection of attacks is achieved by determining the anomaly threshold through the generation probability (GP). To evaluate the performance of the proposed method, experiments were conducted using three public datasets and compared with three advanced multi-stage attack detection methods. The experimental results demonstrate that our method achieves an accuracy of over 99% and precision of 100% in multi-stage attack detection. This confirms the effectiveness of our method in adapting to different attack scenarios and ultimately completing attack detection.

multidisciplinary sciences

BinHui Tang,JunFeng Wang,Zhongkun Yu,Bohan Chen,Wenhan Ge,Jian Yu,TingTing Lu

DOI: https://doi.org/10.1016/j.compeleceng.2022.108261

2022-10-01

Abstract:With the boom in Internet and information technology, cyber-attacks are becoming more frequent and sophisticated, especially Advanced Persistent Threat (APT) attacks. Unlike traditional attacks, APT attacks are more targeted, stealthy, and adversarial, rendering it challenging to manually analyze threat behaviors for APT detection, attribution, and response. Therefore, the research community has focused on intelligent defense methods. Intelligent threat profiling is dedicated to analyzing APT attacks and improving defense capability with Knowledge Graph and Deep Learning methods. With this insight, this paper provides the first systematic review of intelligent threat profiling techniques for APT attacks, covering three aspects: data, methods, and applications. The contents include data processing techniques, threat modeling, representation, reasoning methods, etc. Furthermore, this paper summarizes the latest research in applications, proposes the research framework and technical architecture, and provides insights into future research trends. This paper contributes to recognizing the advantages and challenges of intelligent threat profiling. It paves the way for integrating knowledge graphs and deep learning to achieve intelligent security.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture