Stacking-ensemble-based apt organization identification method and system, and storage medium

Abstract

An APT organization identification method, system and storage medium based on a stacking ensemble are provided, the method comprising: using a TF-IDF algorithm combined with an n-gram to extract and vectorize behavior features from malware samples to form a malicious behavior vector feature set; based on the malicious behavior vector feature set, calculating correlations between features and chi-square values between the features and categories, performing screening twice on the malicious behavior vector feature set to obtain an improved low-dimensional feature subset data; constructing a multi-model fusion stacking ensemble, learning an APT organization identification model, using the APT organization identification model to perform an identification on new ATP attacks. The feature selection of high-dimensional behavior vector features reduces the complexity of the data set; the imbalance of samples in the data set is also considered, and multi-model integrated training to improve the recognition accuracy is adopted; in addition, the APT organization identification model for malicious samples is obtained through machine learning training, which improves the automatic identification efficiency of new sample is improved.