Clustering disparate attacks: mapping the activities of the advanced persistent threat

Martin Lee
Daren Lewis


The advanced persistent threat is one of the most difficult challenges faced by the anti-virus community. These highly sophisticated, low-copy-number attacks are distinguishable from the high-copy-number malware sent over email, but they remain tricky to detect. Although such attacks are often talked about, they nevertheless remain exceedingly rare when compared with the ubiquity of other malware attacks.

However, for some individuals and organizations, being sent an advanced persistent threat malware over email is a frequent occurrence. Presumably these targets represent a valuable quarry to their attackers. Current research in advanced persistent threats tends to examine each attack in isolation and not to examine the broader pattern of activity.

In this paper we show that, by using an undirected graph, it is possible to associate attacks according to the targets shared between distinct attacks. From this information it is possible to build a map of advanced persistent threat activity and identify clusters that may represent the activities of single teams of malware writers.
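The graph construction described above, as an added illustration that is not code from the paper: attacks are nodes, an edge joins two attacks that were sent to at least one common recipient (weighted by how many recipients they share), and the connected components of that graph are the candidate clusters. The attack identifiers and recipient addresses are constructed sample data; the `min_shared` threshold is an assumption added here, not a parameter from the paper.

```python
"""Cluster targeted attacks by the recipients they share.

Added example, not code from the paper. Attack identifiers and recipient
addresses are constructed. The method follows the abstract: an undirected
graph whose nodes are attacks and whose edges join attacks with a common
target, with connected components taken as clusters.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample: each attack (e.g. one distinct malicious attachment)
# maps to the set of email recipients it was observed being sent to.
ATTACKS = {
    "attack-A": {"cfo@example.org", "legal@example.org", "ceo@example.org"},
    "attack-B": {"legal@example.org", "hr@example.org"},
    "attack-C": {"hr@example.org", "ops@example.org"},
    "attack-D": {"press@other.example", "sales@other.example"},
    "attack-E": {"sales@other.example"},
    "attack-F": {"nobody-shared@third.example"},
}


def build_graph(attacks, min_shared=1):
    """Return an adjacency dict: attack -> {neighbour: number of shared targets}.

    min_shared (an assumption added here) is the minimum number of common
    recipients needed before two attacks are joined by an edge.
    """
    graph = {a: {} for a in attacks}
    # Index recipient -> attacks so only attacks that actually share a
    # recipient are compared, instead of every pair of attacks.
    by_target = defaultdict(set)
    for attack, targets in attacks.items():
        for t in targets:
            by_target[t].add(attack)
    shared = defaultdict(int)
    for group in by_target.values():
        for a, b in combinations(sorted(group), 2):
            shared[(a, b)] += 1
    for (a, b), n in shared.items():
        if n >= min_shared:
            graph[a][b] = n
            graph[b][a] = n
    return graph


def clusters(graph):
    """Connected components of the undirected graph, as sorted lists of attacks."""
    seen = set()
    out = []
    for start in sorted(graph):
        if start in seen:
            continue
        component, stack = [], [start]
        seen.add(start)
        while stack:  # iterative depth-first search
            node = stack.pop()
            component.append(node)
            for neighbour in graph[node]:
                if neighbour not in seen:
                    seen.add(neighbour)
                    stack.append(neighbour)
        out.append(sorted(component))
    return sorted(out)


def cluster_targets(attacks, cluster):
    """Union of recipients hit by a cluster: the set of targets the group pursues."""
    return set().union(*(attacks[a] for a in cluster))


if __name__ == "__main__":
    g = build_graph(ATTACKS)
    for c in clusters(g):
        print(c, sorted(cluster_targets(ATTACKS, c)))
```

Note that attack-A and attack-C share no recipient directly, yet land in the same cluster through attack-B; that transitive linking is what lets the graph expose a campaign wider than any single attack. The same property is the method's main caveat: one recipient hit by many unrelated senders (a generic or widely published mailbox, for instance) will bridge otherwise separate clusters. Raising `min_shared` so that an edge needs several common targets, or down-weighting recipients that appear in very many attacks, are the obvious mitigations.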

