APTMalInsight: Identify and cognize APT malware based on system call information and ontology knowledge framework
Information Sciences (IF 8.1), Pub Date: 2020-09-05, DOI: 10.1016/j.ins.2020.08.095
Weijie Han, Jingfeng Xue, Yong Wang, Fuquan Zhang, Xianwei Gao

APT attacks, which are usually tailored for specific targets, pose serious threats to the security of cyberspace today. Identifying and understanding APT attacks remains a key issue for society. Attackers often use malware as the weapon with which they launch cyber-attacks. For this reason, detecting APT malware and gaining insight into its malicious behaviors strengthens the ability to understand and counter APT attacks. Motivated by this, this paper proposes a novel APT malware detection and cognition framework named APTMalInsight, which aims to identify and cognize APT malware by leveraging system call information and ontology knowledge. We systematically study APT malware and extract dynamic system call information to describe its behavioral characteristics. Using the resulting feature vectors, APT malware can be detected and clustered into its families accurately. Furthermore, a horizontal comparison between APT malware and traditional malware is conducted from the perspective of behavior types, to understand the behavioral characteristics of APT malware in depth. On this basis, an ontology model is introduced to construct an APT malware knowledge framework that represents its typical malicious behaviors, thereby implementing the systematic cognition of APT malware and providing contextual understanding of APT attacks. Evaluation results on real APT malware samples demonstrate that the detection and clustering accuracy reach 99.28% and 98.85% respectively. In addition, APTMalInsight supplies an effective cognition framework for APT malware and enhances the capability to understand APT attacks.
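The abstract describes turning dynamic system call traces into behavioral feature vectors and then assigning samples to malware families. The following is an added illustration of that general idea, written for this page; it is not the authors' code, and the paper does not specify the feature encoding used here. It assumes a bigram (adjacent call pair) frequency encoding and nearest-centroid assignment by cosine similarity, with a similarity threshold so that traces unlike any known family are flagged as unknown rather than forced into one. All traces and family names are constructed sample data.

```python
import math
from collections import Counter, defaultdict

# Constructed sample system-call traces (not real malware data). Family labels are
# illustrative; "benign" stands in for the non-APT baseline. Each entry is
# (family_label, ordered list of system call names observed during execution).
TRAINING_TRACES = {
    "known_X_1": ("FamilyX", ["NtCreateFile", "NtWriteFile", "NtSetValueKey", "NtCreateThread",
                              "NtDeviceIoControlFile", "NtWriteFile", "NtSetValueKey", "NtCreateThread"]),
    "known_X_2": ("FamilyX", ["NtCreateFile", "NtWriteFile", "NtSetValueKey", "NtCreateThread",
                              "NtDeviceIoControlFile", "NtClose"]),
    "known_Y_1": ("FamilyY", ["NtOpenProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory",
                              "NtCreateThread", "NtOpenProcess", "NtAllocateVirtualMemory"]),
    "known_Y_2": ("FamilyY", ["NtOpenProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory",
                              "NtCreateThread", "NtClose"]),
    "benign_1": ("benign", ["NtOpenFile", "NtReadFile", "NtQueryInformationFile", "NtReadFile", "NtClose"]),
    "benign_2": ("benign", ["NtOpenFile", "NtReadFile", "NtQueryInformationFile", "NtClose", "NtOpenFile"]),
}

# Constructed unlabeled traces to be assigned to a family.
UNKNOWN_TRACES = {
    "sample_1": ["NtCreateFile", "NtWriteFile", "NtSetValueKey", "NtCreateThread", "NtDeviceIoControlFile"],
    "sample_2": ["NtOpenProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtCreateThread"],
    "sample_3": ["NtOpenFile", "NtReadFile", "NtQueryInformationFile", "NtClose"],
}


def bigram_features(trace):
    """Relative frequency of each adjacent (call_i, call_i+1) pair in the trace.
    Bigrams keep some ordering information that plain call counts lose."""
    pairs = Counter(zip(trace, trace[1:]))
    total = sum(pairs.values())
    return {pair: n / total for pair, n in pairs.items()} if total else {}


def cosine(a, b):
    """Cosine similarity between two sparse feature dicts; 0.0 if either is empty."""
    dot = sum(w * b.get(k, 0.0) for k, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def centroid(vectors):
    """Element-wise mean of sparse feature dicts."""
    acc = defaultdict(float)
    for v in vectors:
        for k, w in v.items():
            acc[k] += w / len(vectors)
    return dict(acc)


def build_centroids(training):
    """One centroid feature vector per family label in the training set."""
    by_family = defaultdict(list)
    for _, (family, trace) in training.items():
        by_family[family].append(bigram_features(trace))
    return {family: centroid(vs) for family, vs in by_family.items()}


def assign_family(trace, centroids, min_similarity=0.2):
    """Nearest-centroid assignment; returns (family, similarity).
    Below the threshold the sample is reported as 'unknown' so novel behaviour
    is surfaced for analysis rather than silently forced into an existing family."""
    feats = bigram_features(trace)
    best_family, best_sim = max(((f, cosine(feats, c)) for f, c in centroids.items()),
                                key=lambda item: item[1])
    if best_sim < min_similarity:
        return "unknown", best_sim
    return best_family, best_sim


def classify_all(training=TRAINING_TRACES, unknown=UNKNOWN_TRACES):
    """Assign every unlabeled trace to a family using centroids built from training."""
    centroids = build_centroids(training)
    return {name: assign_family(trace, centroids) for name, trace in unknown.items()}


if __name__ == "__main__":
    for name, (family, sim) in classify_all().items():
        print(f"{name}: {family} (cosine {sim:.2f})")
```

The threshold is the part worth tuning in practice: a sample that matches no centroid is more useful to an analyst as "unknown" than as a low-confidence member of the closest family, since that is exactly where a new family or a previously unseen behavior would first appear.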




Updated: 2020-09-05