{"id":"https://openalex.org/W4411208121","doi":"https://doi.org/10.1109/isdfs65363.2025.11012042","title":"Behavioral and Propagation-Based Analysis of APT Attacks for Effective Attack Attribution","display_name":"Behavioral and Propagation-Based Analysis of APT Attacks for Effective Attack Attribution","publication_year":2025,"publication_date":"2025-04-24","ids":{"openalex":"https://openalex.org/W4411208121","doi":"https://doi.org/10.1109/isdfs65363.2025.11012042"},"language":"en","primary_location":{"id":"doi:10.1109/isdfs65363.2025.11012042","is_oa":false,"landing_page_url":"https://doi.org/10.1109/isdfs65363.2025.11012042","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 13th International Symposium on Digital Forensics and Security (ISDFS)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5100756566","display_name":"Mohammed Rauf Ali Khan","orcid":"https://orcid.org/0000-0003-2658-1969"},"institutions":[{"id":"https://openalex.org/I134085113","display_name":"King Fahd University of Petroleum and Minerals","ror":"https://ror.org/03yez3163","country_code":"SA","type":"education","lineage":["https://openalex.org/I134085113"]}],"countries":["SA"],"is_corresponding":true,"raw_author_name":"Mohammed Rauf Ali Khan","raw_affiliation_strings":["King Fahd University of Petroleum and Minerals,Dept. of Computer Engineering,Dhahran,Saudi Arabia"],"affiliations":[{"raw_affiliation_string":"King Fahd University of Petroleum and Minerals,Dept. of Computer Engineering,Dhahran,Saudi Arabia","institution_ids":["https://openalex.org/I134085113"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5001203590","display_name":"Ahmad Almulhem","orcid":"https://orcid.org/0000-0003-3773-0579"},"institutions":[{"id":"https://openalex.org/I134085113","display_name":"King Fahd University of Petroleum and Minerals","ror":"https://ror.org/03yez3163","country_code":"SA","type":"education","lineage":["https://openalex.org/I134085113"]}],"countries":["SA"],"is_corresponding":false,"raw_author_name":"Ahmad Almulhem","raw_affiliation_strings":["King Fahd University of Petroleum and Minerals,Dept. of Computer Engineering,Dhahran,Saudi Arabia"],"affiliations":[{"raw_affiliation_string":"King Fahd University of Petroleum and Minerals,Dept. of Computer Engineering,Dhahran,Saudi Arabia","institution_ids":["https://openalex.org/I134085113"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":2,"corresponding_author_ids":["https://openalex.org/A5100756566"],"corresponding_institution_ids":["https://openalex.org/I134085113"],"apc_list":null,"apc_paid":null,"fwci":6.9916,"has_fulltext":false,"cited_by_count":2,"citation_normalized_percentile":{"value":0.96478908,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":95,"max":96},"biblio":{"volume":null,"issue":null,"first_page":"1","last_page":"8"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.8162999749183655,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.8162999749183655,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.7972000241279602,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/attribution","display_name":"Attribution","score":0.6064472198486328},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.5816899538040161},{"id":"https://openalex.org/keywords/authorship-attribution","display_name":"Authorship attribution","score":0.5442010760307312},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.4283008873462677},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.2859261929988861},{"id":"https://openalex.org/keywords/psychology","display_name":"Psychology","score":0.21631741523742676},{"id":"https://openalex.org/keywords/social-psychology","display_name":"Social psychology","score":0.11599716544151306}],"concepts":[{"id":"https://openalex.org/C143299363","wikidata":"https://www.wikidata.org/wiki/Q900584","display_name":"Attribution","level":2,"score":0.6064472198486328},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.5816899538040161},{"id":"https://openalex.org/C3020202489","wikidata":"https://www.wikidata.org/wiki/Q2032038","display_name":"Authorship attribution","level":2,"score":0.5442010760307312},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4283008873462677},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.2859261929988861},{"id":"https://openalex.org/C15744967","wikidata":"https://www.wikidata.org/wiki/Q9418","display_name":"Psychology","level":0,"score":0.21631741523742676},{"id":"https://openalex.org/C77805123","wikidata":"https://www.wikidata.org/wiki/Q161272","display_name":"Social psychology","level":1,"score":0.11599716544151306}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/isdfs65363.2025.11012042","is_oa":false,"landing_page_url":"https://doi.org/10.1109/isdfs65363.2025.11012042","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 13th International Symposium on Digital Forensics and Security (ISDFS)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":["https://openalex.org/W4391375266","https://openalex.org/W2899084033","https://openalex.org/W2748952813","https://openalex.org/W2035546108","https://openalex.org/W2376361520","https://openalex.org/W2133328864","https://openalex.org/W2093949997","https://openalex.org/W4205570701","https://openalex.org/W2975078241","https://openalex.org/W2623063325"],"abstract_inverted_index":{"Various":[0],"advanced":[1],"persistent":[2],"threat":[3,76,87],"(APT)":[4],"groups":[5],"are":[6],"emerging":[7],"with":[8,74,167],"different":[9],"tactics,":[10],"techniques,":[11],"and":[12,18,34,136,148,155],"procedures":[13],"(TTPs)":[14],"for":[15,114],"targeting":[16],"enterprises":[17],"organizations.":[19],"Traditional":[20],"methods":[21],"that":[22,45],"use":[23],"either":[24],"static":[25],"or":[26],"dynamic":[27],"analysis":[28,61,166],"might":[29],"struggle":[30],"to":[31,50,97,131],"detect":[32],"polymorphic":[33],"packed":[35],"zero-day":[36],"attacks.":[37],"In":[38],"this":[39,160],"paper,":[40],"we":[41],"propose":[42],"an":[43,55,90],"approach":[44,79,96,173],"allows":[46],"mal":[47],"ware":[48],"analysts":[49,84],"consider":[51],"all":[52],"aspects":[53],"of":[54,145],"attack,":[56],"including":[57],"not":[58],"just":[59],"sample":[60],"but":[62],"also":[63,141],"a":[64,98,179],"view":[65],"into":[66],"TTP-based":[67,168],"attack":[68,81,91,101,123,161,169,185],"vectors.":[69],"By":[70,163],"correlating":[71],"observed":[72],"TTPs":[73],"known":[75],"intelligence,":[77],"our":[78,95,172],"facilitates":[80],"attribution,":[82],"helping":[83],"identify":[85],"the":[86,103,121,143],"actor":[88],"behind":[89],"campaign.":[92,162],"We":[93,140],"applied":[94],"recent":[99],"APT":[100,184],"by":[102],"Black":[104,137],"Basta":[105,138],"group":[106],"on":[107,183],"Keytronics,":[108],"which":[109],"utilized":[110],"unique":[111,157],"delivery":[112],"mechanisms":[113],"initial":[115],"access.":[116],"This":[117],"paper":[118],"then":[119],"describes":[120],"entire":[122],"vector,":[124],"explaining":[125],"how":[126],"email":[127],"bombing":[128],"was":[129],"used":[130],"deliver":[132],"payloads":[133],"like":[134],"SystemBC":[135],"ransomware.":[139],"list":[142],"indicators":[144],"compromise,":[146],"command":[147],"control":[149],"traffic,":[150],"persistence":[151],"mechanisms,":[152],"detection":[153],"rules,":[154],"other":[156],"identifiers":[158],"from":[159],"integrating":[164],"sample-based":[165],"vector":[170],"examination,":[171],"enhances":[174],"existing":[175],"attribution":[176],"methods,":[177],"providing":[178],"more":[180],"comprehensive":[181],"perspective":[182],"strategies.":[186]},"counts_by_year":[{"year":2025,"cited_by_count":2}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}