Multimodal Advanced Persistent Threat Detection and Attribution Using Heterogenous Graph Neural Network and Analysis Using Explainable AI

Abstract

Attributing cyberattacks to specific threat actors remains a critical yet complex challenge in cybersecurity. We propose a robust and interpretable framework for cyber threat attribution using a Heterogeneous Graph Neural Network (HGNN) approach that integrates static and behavioral malware analysis, threat intelligence from VirusTotal, and associations with Advanced Persistent Threat (APT) groups. The pipeline begins by extracting hash-level threat intelligence from a malware dataset and generating enriched sub-datasets (e.g., APT groups, entry points, libraries), which are then merged into a unified heterogeneous graph. Initial experiments using traditional Random Forest classifiers yielded an accuracy of 58.09%. Leveraging the HGNN, however, allowed us to capture the relational structure between malware artifacts and threat actor tactics, achieving a notable accuracy of 98.52%. The model also supports anomaly detection, cross-platform malware analysis, and explainable AI (SHAP) interpretation to enhance traceability and trust. Our approach achieved an F1-score of 97.88, an AUC-ROC of 98.89, and a training stability of 0.92, laying the foundation for predictive cyber threat intelligence systems across multiple platforms.
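The abstract describes merging hash-level sub-datasets (APT group, imported libraries, entry point) into one heterogeneous graph and then exploiting the relational structure between samples and threat-actor artifacts. The following is an added illustration, not code from the preprint: it builds such a typed graph from constructed records (invented hashes, library names, entry points and group labels) and scores unattributed samples by walking the meta-paths sample-library-sample-APT and sample-entry_point-sample-APT with degree normalisation. That hand-rolled neighbourhood vote stands in for the message passing an HGNN learns; it is chosen here only to make the graph's structure and the value of relational evidence concrete, and the `min_margin` threshold in `predict_apt` is an assumption of this example.

```python
from collections import defaultdict

# Constructed hash-level records standing in for the enriched sub-datasets
# (APT group, imported libraries, entry point) the pipeline merges into one
# graph. Hashes, group names and labels are invented for this example; the
# last two samples are left unattributed so the graph has something to score.
RECORDS = [
    {"sha256": "1111", "apt": "GroupA", "libs": ["kernel32.dll", "ws2_32.dll", "crypt32.dll"], "entry": "scheduled_task"},
    {"sha256": "2222", "apt": "GroupA", "libs": ["kernel32.dll", "ws2_32.dll"], "entry": "scheduled_task"},
    {"sha256": "3333", "apt": "GroupB", "libs": ["kernel32.dll", "wininet.dll", "shell32.dll"], "entry": "lnk_dropper"},
    {"sha256": "4444", "apt": "GroupB", "libs": ["kernel32.dll", "wininet.dll"], "entry": "lnk_dropper"},
    {"sha256": "5555", "apt": None, "libs": ["kernel32.dll", "ws2_32.dll", "crypt32.dll"], "entry": "scheduled_task"},
    {"sha256": "6666", "apt": None, "libs": ["kernel32.dll"], "entry": "unknown_entry"},
]


def build_hetero_graph(records):
    """Build a typed graph: nodes[type] -> set of ids, adj[(type, id)] -> [((type, id), relation)].

    Every edge is stored in both directions so a meta-path can be walked
    from a sample to an artifact and back to the other samples sharing it.
    """
    nodes = defaultdict(set)
    adj = defaultdict(list)

    def add_edge(src, rel, dst):
        nodes[src[0]].add(src[1])
        nodes[dst[0]].add(dst[1])
        adj[src].append((dst, rel))
        adj[dst].append((src, rel))

    for rec in records:
        sample = ("sample", rec["sha256"])
        nodes["sample"].add(rec["sha256"])
        for lib in rec["libs"]:
            add_edge(sample, "imports", ("library", lib))
        add_edge(sample, "enters_via", ("entry_point", rec["entry"]))
        if rec["apt"] is not None:
            add_edge(sample, "attributed_to", ("apt", rec["apt"]))
    return nodes, adj


def neighbors(adj, node, rel):
    """Nodes reachable from `node` over edges of relation `rel` (either direction)."""
    return [n for n, r in adj[node] if r == rel]


def score_apt_groups(adj, sha256):
    """Vote over the meta-paths sample-imports-library-imports-sample-attributed_to-apt
    and sample-enters_via-entry_point-enters_via-sample-attributed_to-apt.

    Each artifact's vote is split across the samples sharing it, so a library
    imported by everything (kernel32.dll) carries far less evidence than one
    seen only in a single group's tooling. The queried sample is excluded from
    its own peers, so a labelled sample is scored leave-one-out style.
    """
    scores = defaultdict(float)
    start = ("sample", sha256)
    for rel in ("imports", "enters_via"):
        for artifact in neighbors(adj, start, rel):
            peers = [p for p in neighbors(adj, artifact, rel) if p != start]
            if not peers:
                continue
            weight = 1.0 / len(peers)
            for peer in peers:
                for _, apt in neighbors(adj, peer, "attributed_to"):
                    scores[apt] += weight
    return {apt: round(s, 6) for apt, s in scores.items()}


def predict_apt(adj, sha256, min_margin=0.5):
    """Return the best-supported group, or None when the evidence is ambiguous
    (e.g. only ubiquitous artifacts link the sample to any group)."""
    ranked = sorted(score_apt_groups(adj, sha256).items(), key=lambda kv: -kv[1])
    if not ranked:
        return None
    best, best_score = ranked[0]
    runner_up = ranked[1][1] if len(ranked) > 1 else 0.0
    if best_score - runner_up < min_margin:
        return None
    return best


if __name__ == "__main__":
    nodes, adj = build_hetero_graph(RECORDS)
    print({t: len(ids) for t, ids in nodes.items()})
    for h in ("5555", "6666"):
        print(h, score_apt_groups(adj, h), "->", predict_apt(adj, h))
```

Sample 5555 shares ws2_32.dll, crypt32.dll and the scheduled_task entry point only with GroupA tooling and is attributed to GroupA; sample 6666 touches nothing but kernel32.dll, which every sample imports, so its votes tie and it stays unattributed. The same failure mode is why a learned model must be checked against a flat baseline and explained (the abstract's SHAP step): a high score driven by an artifact common to all groups is not evidence of attribution.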
