Multimodal Advanced Persistent Threat Detection and Attribution Using Heterogeneous Graph Neural Network and Analysis Using Explainable AI
Abstract
Attributing cyberattacks to specific threat actors remains a critical yet complex challenge in cybersecurity. We propose a robust and interpretable framework for cyber threat attribution using a Heterogeneous Graph Neural Network (HGNN) approach that integrates static and behavioral malware analysis, threat intelligence from VirusTotal, and associations with Advanced Persistent Threat (APT) groups. The pipeline begins by extracting hash-level threat intelligence from a malware dataset and generating enriched sub-datasets (e.g., APT groups, entry points, libraries), which are then merged into a unified heterogeneous graph. Initial experiments using traditional Random Forest classifiers yielded an accuracy of 58.09%. However, leveraging HGNN allowed us to capture the relational structure between malware artifacts and threat actor tactics, achieving a notable accuracy of 98.52%. The model also supports anomaly detection, cross-platform malware analysis, and explainable AI (SHAP) interpretation to enhance traceability and trust. Our approach achieved an F1-score of 97.88, an AUC-ROC of 98.89, and a training stability of 0.92, laying the foundation for predictive cyber threat intelligence systems across multiple platforms.
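To make the graph construction step concrete, the following is an added example, not code from the paper or its authors. It builds the kind of heterogeneous graph the abstract describes (malware hashes linked to APT groups, entry points and imported libraries) from a few constructed records, then scores an unlabeled sample against known APT groups by walking meta-paths of the form malware → shared artifact → labelled malware → APT. That hand-rolled neighbour vote is a transparent stand-in for the message passing an HGNN learns; the record field names, the relation names and the per-relation weights are assumptions made for this illustration. Because every score is accompanied by the artifacts that produced it, the output also shows the sort of per-feature evidence an analyst would expect from an explainability layer.

```python
"""Heterogeneous malware graph from hash-level records plus a meta-path
attribution vote. Illustrative code, not the paper's implementation."""
from collections import defaultdict

# Constructed sample records (not from any real dataset): one row per sample hash.
# Field names ("sha256", "apt", "entry_point", "libraries") are assumed.
RECORDS = [
    {"sha256": "h1", "apt": "APT-A", "entry_point": "WinMain",
     "libraries": ["kernel32.dll", "wininet.dll"]},
    {"sha256": "h2", "apt": "APT-A", "entry_point": "WinMain",
     "libraries": ["kernel32.dll", "ws2_32.dll"]},
    {"sha256": "h3", "apt": "APT-B", "entry_point": "DllMain",
     "libraries": ["kernel32.dll", "advapi32.dll"]},
    # Unlabelled sample whose APT we want to infer from shared artifacts.
    {"sha256": "h4", "apt": None, "entry_point": "DllMain",
     "libraries": ["advapi32.dll", "ws2_32.dll"]},
]

# Assumed relation weights: a shared import is treated as stronger evidence
# than a shared entry point. An HGNN would learn these instead of fixing them.
RELATION_WEIGHTS = {"imports": 1.0, "enters_at": 0.5}


def build_hetero_graph(records):
    """Return (nodes, edges).

    nodes: {node_type: set(node_id)}
    edges: {relation: set((src_id, dst_id))}, all edges directed malware -> artifact
    """
    nodes = defaultdict(set)
    edges = defaultdict(set)
    for r in records:
        h = r["sha256"]
        nodes["malware"].add(h)
        if r.get("apt"):
            nodes["apt"].add(r["apt"])
            edges["attributed_to"].add((h, r["apt"]))
        nodes["entry_point"].add(r["entry_point"])
        edges["enters_at"].add((h, r["entry_point"]))
        for lib in r["libraries"]:
            nodes["library"].add(lib)
            edges["imports"].add((h, lib))
    return dict(nodes), dict(edges)


def attribute_by_metapath(edges, target, weights=RELATION_WEIGHTS):
    """Score APT groups for `target` via malware -> artifact -> malware -> APT paths.

    Returns (scores, evidence): scores maps APT -> weighted vote, evidence maps
    APT -> list of (relation, shared_artifact, labelled_sample) that contributed.
    """
    label = dict(edges.get("attributed_to", ()))  # malware -> APT
    scores = defaultdict(float)
    evidence = defaultdict(list)
    for rel, w in weights.items():
        # Reverse adjacency for this relation: artifact -> samples touching it.
        by_artifact = defaultdict(set)
        for src, dst in edges.get(rel, ()):
            by_artifact[dst].add(src)
        for src, dst in edges.get(rel, ()):
            if src != target:
                continue
            for other in by_artifact[dst] - {target}:
                apt = label.get(other)
                if apt is None:
                    continue  # another unlabelled sample: no vote to cast
                scores[apt] += w
                evidence[apt].append((rel, dst, other))
    return dict(scores), dict(evidence)


def predict_apt(edges, target):
    """Highest-scoring APT for `target`, or None if no labelled neighbour exists."""
    scores, _ = attribute_by_metapath(edges, target)
    return max(scores, key=scores.get) if scores else None


if __name__ == "__main__":
    nodes, edges = build_hetero_graph(RECORDS)
    for t, ids in nodes.items():
        print(f"{t:12s} {len(ids)} nodes")
    scores, evidence = attribute_by_metapath(edges, "h4")
    print("scores:", scores)
    for apt, paths in evidence.items():
        print(apt, "<-", paths)
    print("prediction for h4:", predict_apt(edges, "h4"))
```

Running it on the constructed records attributes h4 to APT-B, because h4 shares both its entry point and advapi32.dll with the APT-B sample h3, while only ws2_32.dll links it to an APT-A sample. The evidence list is what an analyst would inspect before trusting the call; in the paper's setting the analogous role is played by SHAP values over the HGNN's learned features.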