SANVector: SBERT-APTNet Vector Framework for Cyber Threat Attack Attribution Using Diversified CTI Logs
摘要
Advanced Persistent Threat (APT) is a type of cyberattack where intruders gain unauthorized access and remain undetected for an elongated period of time. The main purpose of an APT is to steal sensitive information, spy on operations, or disrupt systems. To overcome these challenges, in this paper, we have proposed a novel modular and scalable architecture SANVector (SBERT-APTNet Vector) framework that uses fine-tuned SBERT embeddings, contrastive learning, and multi-view features to automatically identify the threat actors from unstructured reports about cyber threats. For that, we have focused on attributing APT activities to known threat actor groups such as APT28, APT29, Lazarus Group, Turla, and others extracted from various log report sources such as FireEye, Crowdstrike, Unit42, Mandiant, and Kaspersky. In all we analyze a total of 11 APT groups. To begin, our model incorporates a strong preprocessing pipeline that normalizes attacker aliases, extracts deep semantic features, and masks indicators of compromises using a trained SBERT model. Furthermore, these features are classified using the traditional model with K-Nearest Neighbor (KNN) to achieve high performances of 93.17% accuracy and a perfect F1 score across various threat groups. Moreover, we compare the performance of fine-tuned SBERT with SBERT models using classifiers, such as KNN, SVM, AdaBoost, XGBoost, and DNN. In addition, this study provides a practical solution to the critical problem of APT attribution, with implications for enhancing cyber defense operation, national security, and threat intelligence workflows.