As Advanced Persistent Threats (APTs) grow increasingly sophisticated, the demand for effective detection methods has intensified. This study addresses the challenge of identifying APT campaign attacks through system event logs. A cascading approach, named SFM, combines Technique hunting with APT campaign attribution. Our approach assumes that real-world system event logs consist overwhelmingly of normal events interspersed with a few malicious ones, and that these logs are annotated with Techniques of the MITRE ATT&CK framework for attack pattern recognition. We then attribute APT campaign attacks by aligning the detected Techniques with known attack sequences to determine the most likely APT campaign. Evaluations on five real-world APT campaigns indicate that the proposed approach performs reliably.
Translation: As Advanced Persistent Threats (APTs) become increasingly complex, the need for effective detection methods grows more pressing. This study addresses the challenge of identifying APT campaign attacks through system event logs. We propose a cascading approach named SFM that combines Technique hunting with APT campaign attribution. The approach rests on two assumptions: real-world system event logs contain a large number of normal events with a small number of suspicious malicious events scattered among them, and these logs have been annotated for attack pattern recognition with Technique labels from the MITRE ATT&CK framework. We then compare the detected Technique features against known attack sequences to determine the most likely APT campaign. Evaluation on datasets of five real-world APT campaigns shows that the proposed method demonstrates reliable performance.
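The abstract describes the cascade but not how the two stages are computed. The following is an added illustration, not code from the SFM paper: it takes a constructed, Technique-annotated event log (benign events carry no Technique), hunts the sparse malicious events into an ordered Technique sequence, and then attributes a campaign by local sequence alignment (Smith-Waterman style) against known campaign Technique sequences. The ATT&CK IDs are real Technique identifiers, but the campaign sequences, the sample events, and the scoring parameters (match +2, mismatch -1, gap -1, score normalised by the reference length) are assumptions chosen for the example; the page does not state which alignment or scoring SFM uses.

```python
"""Added example: Technique hunting followed by campaign attribution by alignment.

Not the SFM authors' code. Campaign sequences and events are constructed; the
alignment parameters are assumptions.
"""

# Constructed annotated system event log: (event description, ATT&CK Technique or None).
# Most events are benign (None); a few carry a Technique label, as the abstract assumes.
ANNOTATED_EVENTS = [
    ("svchost.exe started", None),
    ("outlook.exe opened attachment invoice.docm", "T1566"),   # Phishing
    ("explorer.exe wrote file", None),
    ("winword.exe spawned powershell.exe -enc ...", "T1059"),  # Command and Scripting Interpreter
    ("powershell.exe spawned cmd.exe /c whoami", "T1059"),     # repeated Technique, collapsed below
    ("chrome.exe network connect", None),
    ("powershell.exe downloaded tool.exe", "T1105"),           # Ingress Tool Transfer
    ("backup.exe read file", None),
    ("tool.exe read lsass.exe memory", "T1003"),               # OS Credential Dumping
    ("svchost.exe started", None),
    ("net.exe use \\\\srv01\\c$", "T1021"),                    # Remote Services
    ("tool.exe POST 40MB to 203.0.113.5", "T1041"),            # Exfiltration Over C2 Channel
]

# Constructed (hypothetical) campaign attack sequences; not real threat-intel profiles.
KNOWN_CAMPAIGNS = {
    "Campaign-A": ["T1566", "T1059", "T1105", "T1003", "T1021", "T1041"],
    "Campaign-B": ["T1566", "T1059", "T1547", "T1082", "T1486"],
    "Campaign-C": ["T1078", "T1021", "T1003", "T1041"],
}


def hunt_techniques(events):
    """Technique hunting: keep annotated (malicious) events in log order and
    collapse consecutive repeats of the same Technique into one step."""
    sequence = []
    for _, technique in events:
        if technique is None:
            continue
        if not sequence or sequence[-1] != technique:
            sequence.append(technique)
    return sequence


def local_alignment_score(seq, ref, match=2, mismatch=-1, gap=-1):
    """Smith-Waterman local alignment score of the detected Technique sequence
    against a reference campaign sequence. Local alignment tolerates noise
    Techniques before/after the campaign pattern and missed steps (gaps)."""
    n, m = len(seq), len(ref)
    prev = [0] * (m + 1)
    best = 0
    for i in range(1, n + 1):
        cur = [0] * (m + 1)
        for j in range(1, m + 1):
            diag = prev[j - 1] + (match if seq[i - 1] == ref[j - 1] else mismatch)
            cur[j] = max(0, diag, prev[j] + gap, cur[j - 1] + gap)
            best = max(best, cur[j])
        prev = cur
    return best


def attribute_campaign(techniques, campaigns, match=2):
    """Campaign attribution: rank known campaigns by alignment score normalised
    so that a full, in-order match of the reference sequence scores 1.0."""
    ranked = []
    for name, ref in campaigns.items():
        score = local_alignment_score(techniques, ref, match=match)
        ranked.append((name, score / (match * len(ref))))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


if __name__ == "__main__":
    detected = hunt_techniques(ANNOTATED_EVENTS)
    print("Detected Technique sequence:", detected)
    for name, score in attribute_campaign(detected, KNOWN_CAMPAIGNS):
        print(f"{name}: {score:.3f}")
```

The normalised score is a ranking aid, not a calibrated probability: Campaign-C shares three Techniques with the detected sequence but in a different order, so it scores only a partial match, while Campaign-B shares only the two opening steps. A practitioner would set a minimum score before asserting attribution and treat a near-tie between campaigns as unresolved rather than picking the top entry.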