Abstraction method and system for APT software behavior based on access path hierarchy fusion
By introducing regular expressions to normalize paths and constructing multi-level path trees, the problem of APT software behavioral characteristics being overwhelmed is solved, enabling efficient abstraction and differential identification of malware behavior, and providing a structured foundation for behavioral analysis.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- SUN YAT SEN UNIV
- Filing Date
- 2026-03-16
- Publication Date
- 2026-06-19
AI Technical Summary
In existing technologies, the behavioral characteristics of APT software are easily overwhelmed by the noise of massive access behavior from normal software, making it difficult to effectively identify the subtle differences between APT and normal software, thus making it difficult to detect malicious behavior.
By using a method based on access path hierarchy fusion, regular expressions are introduced to normalize paths. A preset high-level path dictionary is used for longest matching to construct a multi-level path tree, which abstracts software behavior, strips out indifferent behavior, and focuses on the behavioral differences in key areas.
It effectively reduces noise interference, amplifies the behavioral differences between malware and normal software, provides structured behavioral graphs, offers high-quality feature input for subsequent analysis, and supports anomaly detection and machine learning algorithms.
Smart Images

Figure CN122247676A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of cyberspace security, and more specifically, to a method and system for abstracting APT software behavior based on access path hierarchy fusion. Background Technology
[0002] Diverse APT software is a crucial weapon for APT groups to achieve their objectives, and effectively identifying APT software is a key step in combating APT activities. However, APT groups often possess a variety of APT software toolkits with different methods, coupled with mature and stable operation teams, enabling them to rapidly iterate and upgrade software and exploit zero-day vulnerabilities. This poses a significant challenge to widely used static feature-based APT software identification techniques. Nevertheless, all software needs to access and utilize various resources of the host system to complete its functions. APT software, however, needs to achieve different purposes than normal software, and its behavioral characteristics, especially its access to host machine files, will differ significantly from those of normal software, particularly in the following aspects:
[0003] Folder names. Newly created directories by APT software often have names that differ from those of normal software. For example, APT software often uses hash values for directory names, while normal software directory names are self-explanatory.
[0004] Directory depth. Newly created directories by APT software are often deeper than those of normal software, possibly because APT software needs deeper layers to conceal malicious behavior.
[0005] File access characteristics. To achieve purposes different from normal software, APT software may frequently access, modify, or delete certain sensitive files on the system, which differs from the behavior patterns of normal software.
[0006] A sandbox is a security isolation mechanism that provides an isolated environment for running programs and is often used to analyze the dynamic behavior of malware. Common sandboxes such as Cuckoo, VirusTotal, and QiAnXin Network Sandbox all support returning the behavior logs of a given APT malware sample. An important component of these logs is the malware's access to files on the host operating system, including which files were loaded, run, modified, and deleted. If a malware sample is available, or even just its hash value, the corresponding behavioral data can be retrieved. If the infected host can be accessed, access records of malware to sensitive system paths on the operating system can also be extracted from the infected host's logs. These abundant and readily available data sources provide data support for modeling the patterns of APT malware accessing sensitive operating system files.
[0007] However, during system operation, a large number of software programs run, and these programs frequently access various system files, generating massive access records. Since malicious behavior from malware is relatively rare, it often gets buried among normal activity, making detection difficult. Therefore, researching methods for abstracting APT software behavior and amplifying characteristic behaviors of malware has become one of the urgent problems to be solved in the field of malware detection.
[0008] Chinese invention application No. 202310622419.X discloses "A Mobile Malicious Program Monitoring System Based on Big Data", which includes: a traffic collection and parsing module for monitoring the signaling plane S6a, N11 and user plane S1 of a mobile terminal. The system includes: traffic collection, parsing, restoration, and backfilling for U and N3 interfaces; a dynamic and static analysis module that analyzes the parsing results of the traffic collection and parsing module through static feature comparison or dynamic sandbox detection to detect malicious samples and obtain malicious programs; a handling module that bypasses or redirects and blocks or handles the links, downloads, and malicious behaviors of malicious programs detected by the dynamic and static analysis module; and a statistical analysis module that achieves full-network malicious program situation awareness and visualizes virus infection status through multi-dimensional statistics, analysis reports, and analysis of user behavior through access logs. Summary of the Invention
[0009] To address the problem that existing malware detection technologies generate significant noise from massive amounts of normal software file access behavior, obscuring subtle behavioral differences between APT software and normal software and making it difficult to effectively detect malicious behavior, this invention provides an APT software behavior abstraction method based on access path hierarchy fusion. The technical solution adopted by this invention is as follows: The first aspect of this invention provides a method for abstracting APT software behavior based on access path hierarchy fusion, comprising the following steps: The input software processes and preprocesses the host machine's file access logs during operation to obtain a set of normalized paths; Each path in the normalized path set is matched with a preset high-level path dictionary using the longest common path, and the high-level path with the longest matching length is determined for each path. For each path, the longest matched high-level path is taken as the root node, and the remaining path elements are constructed as child nodes in hierarchical order to obtain the corresponding path chain. For each path chain, starting from the root node, a multi-level path tree is constructed by merging nodes with the same path elements with other path chains, where each node represents a directory or file. The path tree is used as a behavior abstraction of the software and then output.
[0010] As a preferred embodiment, the access log includes a loading record sub-table, a modifying record sub-table, and a deleting record sub-table.
[0011] As a preferred embodiment, the preprocessing method includes: Filter access records for non-system disks and non-remote paths; Based on a path normalization rule table, variables, short filenames, and de-identification identifiers in the path are replaced with a unified standardized path format.
[0012] As a preferred embodiment, the method for filtering access records of non-system disks and non-remote paths includes: Use preset regular expressions to match and retain system disk paths and remote paths to filter access records from non-system disks and non-remote paths.
[0013] As a preferred approach, the longest common path matching follows the longest matching principle, that is, the high-level path dictionary item with the longest common prefix with the current normalized path is selected as the matching result.
[0014] A second aspect of the present invention provides an APT software behavior abstraction system based on access path hierarchy fusion, the system comprising a preprocessing module, a matching module, a path chain construction module, a path tree construction module, and an output module; The preprocessing module is used to input the file access logs of the host machine during the operation of the software and preprocess them to obtain a normalized path set; The matching module is used to perform the longest common path matching between each path in the normalized path set and the preset high-level path dictionary, and to determine the high-level path with the longest matching length for each path. The path chain construction module is used to take the longest matched high-level path as the root node for each path, and construct the remaining path elements as child nodes in hierarchical order to obtain the corresponding path chain. The path tree construction module is used to construct a multi-level path tree for each path chain, starting from the root node, by merging nodes with the same path elements with other path chains, where each node represents a directory or file. The output module is used to output the path tree as a behavior abstraction of the software.
[0015] As a preferred embodiment, the access log includes a loading record sub-table, a modifying record sub-table, and a deleting record sub-table.
[0016] As a preferred embodiment, the preprocessing module includes a cleaning module and a normalization module; The cleaning module is used to filter access records for non-system disks and non-remote paths; The normalization module is used to replace variables, short filenames, and desensitization identifiers in a path with a unified standardized path format based on a path normalization rule table.
[0017] A third aspect of the present invention provides a computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the steps of the aforementioned APT software behavior abstraction method based on access path hierarchy fusion.
[0018] A fourth aspect of the present invention provides a computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the steps of the aforementioned APT software behavior abstraction method based on access path hierarchy fusion.
[0019] Compared with the prior art, the beneficial effects of this invention are: This invention introduces a path normalization rule table based on regular expressions to uniformly clean and replace original paths containing environment variables, short filenames, and different desensitization identifiers. This effectively solves the problem of inconsistent path representations caused by system differences, different sandbox desensitization rules, or software compatibility. It transforms heterogeneous raw data into a standardized and highly comparable set of paths, laying a reliable data foundation for subsequent accurate analysis and reducing noise interference at the source. By employing a pre-configured "high-level path dictionary" and following the "longest match principle," it identifies and extracts common functional directories commonly accessed by benign malware from specific access paths, achieving focused and dimensionality-reduced behavioral features. By filtering out indistinguishable behaviors on common root paths, the analysis focus is automatically shifted to deep subdirectory structures that reflect software intent, thus significantly amplifying and highlighting the behavioral differences between malware and normal software in key areas while retaining core discriminative information. By constructing a unified "multi-level path tree" from the remaining path fragments after matching high-level paths, this serves as an abstract model of software behavior, transforming a massive, flat linear path list into a structured and compact behavioral graph. This tree structure not only greatly compresses the data size, but also more intuitively represents the software's file access logic and organization pattern, making it possible to detect structural anomalies (such as anomaly depth and anomaly branches), and providing high-quality feature inputs that can be directly processed for subsequent applications of graph analysis or machine learning algorithms. Attached Figure Description
[0020] Figure 1 This is a flowchart of the APT software behavior abstraction method based on access path hierarchy fusion provided in this embodiment; Figure 2 This is a schematic diagram of the access path hierarchy fusion and path tree construction provided in this embodiment. Detailed Implementation
[0021] The accompanying drawings are for illustrative purposes only and should not be construed as limiting the invention. It should be understood that the described embodiments are merely some, not all, of the embodiments of this application. All other embodiments obtained by those skilled in the art based on the embodiments of this application without creative effort are within the scope of protection of the embodiments of this application.
[0022] The terminology used in the embodiments of this application is for the purpose of describing particular embodiments only and is not intended to limit the embodiments of this application. The singular forms “a,” “the,” and “the” used in the embodiments of this application and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term “and / or” as used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
[0023] In the following description, when referring to the accompanying drawings, unless otherwise indicated, the same numbers in different drawings represent the same or similar elements. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with this application. Rather, they are merely examples of apparatuses and methods consistent with some aspects of this application as detailed in the appended claims. In the description of this application, it should be understood that the terms "first," "second," "third," etc., are used only to distinguish similar objects and are not necessarily used to describe a specific order or sequence, nor should they be construed as indicating or implying relative importance. Those skilled in the art can understand the specific meaning of the above terms in this application according to the specific circumstances.
[0024] Furthermore, in the description of this application, unless otherwise stated, "multiple" means two or more. "And / or" describes the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can represent: A alone, A and B simultaneously, or B alone. The character " / " generally indicates that the preceding and following related objects are in an "or" relationship. The invention will be further described below with reference to the accompanying drawings and embodiments.
[0025] The present invention will be further described below with reference to the accompanying drawings and embodiments.
[0026] Example 1 Please refer to Figure 1 This embodiment provides an APT software behavior abstraction method based on access path hierarchy fusion, including the following steps: S1: Input the file access logs of the host machine during the operation of the software and preprocess them to obtain a set of normalized paths; In one specific embodiment, the access log includes loading a record sub-table, modifying a record sub-table, and deleting a record sub-table.
[0027] Specifically, it receives logs of access to host machine files during normal and malware operation, comprising three sub-tables: Load (Read), Modify (Edit and Write), and Delete. Each table entry provides a path, indicating that a file under that path was operated on during software operation; the path format is like "C:\\Windows\\System32\\api-ms-win-crt-runtime-l1-1-0.dll". For each sub-table, all path information is extracted, and subsequent operations are performed accordingly.
[0028] In one specific embodiment, the preprocessing method includes: Filter access records for non-system disks and non-remote paths; Based on a path normalization rule table, variables, short filenames, and de-identification identifiers in the path are replaced with a unified standardized path format.
[0029] In one specific embodiment, the method for filtering access records of non-system disks and non-remote paths includes: Use preset regular expressions to match and retain system disk paths and remote paths to filter access records from non-system disks and non-remote paths.
[0030] Specifically, considering that sensitive system files are mainly located on the system drive or remote network paths, to simplify processing and reduce the number of paths, paths with root directories other than the system drive or remote paths are removed during input. The specific removal method uses regular expressions to match root paths like "C:\\", remote paths like "\\remote hostname\\" or "\\?\\" (paths with unknown remote hostnames). The regular expression used is: "^\s*C:\s*\\+|^\s*\\\\[a-zA-Z\?\d\-]*\\|", with a case-insensitive matching mode.
[0031] It should be noted that after removing non-system drive paths, the remaining paths may have the following problems: (1) The path is damaged or incomplete. Some software uses asynchronous calls, multi-threaded delays, etc. to make some operations outside the monitoring window, or the data in some buffers is not written back in time when the sandbox rolls back transactions. All of these reasons may lead to incomplete access path records.
[0032] (2) The path is a relative path. To ensure universality, some software uses relative paths to access system resources, resulting in multiple root directories and first-level directories, but all pointing to the same directory. For example, "%HOMEPATH%" is used instead of "C:\Users\admin", and "%SYSTEM32%" is used instead of "C:\Windows\System32", etc.
[0033] (3) Different hosts have different names for the same directory. For example, "Administrator" and "Admin" both point to the administrator directory.
[0034] (4) Different sandboxes have different path desensitization rules. Some paths may contain host machine username information, and different sandboxes use different desensitization methods for this part. Common methods include " <username>"Desensitization was performed, but some parts were not desensitized, or were desensitized using other symbols, such as "xxx".
[0035] (5) The path uses Windows 8.3 short file name system to be compatible with older systems, such as "C:\Users\ADMINI~1\AppData\Local\Temp".
[0036] This part of the path must be processed and cleaned before it can be used; otherwise, it will introduce noise and affect the path hierarchy fusion.
[0037] Specifically, to further clean up the paths, this invention introduces a path normalization rule table, which is used to replace the part of the path string that satisfies the "matching pattern" column with the string in the "replacement pattern" column. The matching rule is to ignore case matching, as shown in Table 1.
[0038] Table 1 File path normalization table based on regular expressions
[0039] S2: Match each path in the normalized path set with the preset high-level path dictionary using the longest common path, and determine the high-level path with the longest matching length for each path. S3: For each path, take the longest matched high-level path as the root node, and construct the remaining path elements into child nodes in hierarchical order to obtain the corresponding path chain. In one specific embodiment, the longest common path matching follows the longest matching principle, that is, the high-level path dictionary item with the longest common prefix with the current normalized path is selected as the matching result.
[0040] For details, please refer to Figure 2 After path cleaning is completed, before identifying higher-level paths, a higher-level path dictionary needs to be configured. The configuration of the higher-level path dictionary follows these principles: the selected higher-level paths should be functional paths commonly accessed by multiple programs, and the access behavior of these paths should not differ significantly between normal and malicious programs. The differences in program behavior mainly lie in the subdirectory structure and file organization within these paths. By configuring these paths as root paths, paths can be merged without losing discriminative information, thus highlighting the differences in access among different programs to common paths. For example, for the path "C:\Users\ <username>The differences between "\AppData" and "good" malware accessing files are mainly concentrated in its subpaths. Therefore, this item is added to the high-level path dictionary and used as the root node to amplify the differences in accessing its subpaths.
[0041] Path matching follows the longest match principle. For example... Figure 2 Regarding the path "C:\Users\" in the log <username>"\AppData\TEMP\a.txt" matches the dictionary entry with ID 1 and length 2; matches the dictionary entry with ID 2 and length 3; matches the dictionary entry with ID 3 and length 4. Following the longest match rule, it should match the dictionary entry with ID 3.
[0042] After completing high-level path matching, the dictionary entry with the longest matching length is selected as the root node of the merged path tree. For file access paths matching this dictionary entry, the path elements following the high-level path are sequentially constructed as child nodes according to their hierarchical order, thus forming the corresponding path tree structure. For example... Figure 2 As shown, for the path "C:\Users <username>\AppData\TEMP\a.txt”, where "C:\Users <username>If "\AppData" is the high-level path, and the dictionary entry with ID 3 in the root path dictionary is matched, then "C:\Users" will be used. <username>"\AppData" is used as the root node of the path tree, and "TEMP" and "a.txt" are built as its child nodes in sequence to generate the corresponding path tree. Other matching paths continue to grow in this pattern.
[0043] S4: For each path chain, starting from the root node, a multi-level path tree is constructed with other path chains by merging nodes with the same path elements, where each node represents a directory or file. S5: Output the path tree as a behavior abstraction of the software; Specifically, based on the path tree structure, graph anomaly detection is performed using graph community detection methods; or based on graph neural network methods, different nodes are encoded using methods such as Word2Vector to form feature vectors, thus completing graph anomaly detection based on graph neural networks.
[0044] Example 2 This embodiment provides an APT software behavior abstraction system based on access path hierarchy fusion. The system includes a preprocessing module, a matching module, a path chain construction module, a path tree construction module, and an output module. The preprocessing module is used to input the file access logs of the host machine during the operation of the software and preprocess them to obtain a normalized path set; The matching module is used to perform the longest common path matching between each path in the normalized path set and the preset high-level path dictionary, and to determine the high-level path with the longest matching length for each path. The path chain construction module is used to take the longest matched high-level path as the root node for each path, and construct the remaining path elements as child nodes in hierarchical order to obtain the corresponding path chain. The path tree construction module is used to construct a multi-level path tree for each path chain, starting from the root node, by merging nodes with the same path elements with other path chains, where each node represents a directory or file. The output module is used to output the path tree as a behavior abstraction of the software.
[0045] In one specific embodiment, the access log includes loading a record sub-table, modifying a record sub-table, and deleting a record sub-table.
[0046] In one specific embodiment, the preprocessing module includes a cleaning module and a normalization module; The cleaning module is used to filter access records for non-system disks and non-remote paths; The normalization module is used to replace variables, short filenames, and desensitization identifiers in a path with a unified standardized path format based on a path normalization rule table.
[0047] Example 3 This embodiment provides a computer-readable storage medium on which a computer program is stored. When the computer program is executed by a processor, it implements the steps of the APT software behavior abstraction method based on access path hierarchy fusion described in Embodiment 1.
[0048] Example 4 This embodiment provides a computer device, including a storage medium, a processor, and a computer program stored in the storage medium and executable by the processor. When the computer program is executed by the processor, it implements the steps of the APT software behavior abstraction method based on access path hierarchy fusion described in Embodiment 1.
[0049] Obviously, the above embodiments of the present invention are merely examples for clearly illustrating the present invention, and are not intended to limit the implementation of the present invention. Those skilled in the art can make other variations or modifications based on the above description. It is neither necessary nor possible to exhaustively describe all embodiments here. Any modifications, equivalent substitutions, and improvements made within the spirit and principles of the present invention should be included within the scope of protection of the claims of the present invention.< / username> < / username> < / username> < / username> < / username> < / username>
Claims
1. A method for abstracting APT software behavior based on access path hierarchy fusion, characterized in that, Includes the following steps: The input software processes and preprocesses the host machine's file access logs during operation to obtain a set of normalized paths; Each path in the normalized path set is matched with a preset high-level path dictionary using the longest common path, and the high-level path with the longest matching length is determined for each path. For each path, the longest matched high-level path is taken as the root node, and the remaining path elements are constructed as child nodes in hierarchical order to obtain the corresponding path chain. For each path chain, starting from the root node, a multi-level path tree is constructed by merging nodes with the same path elements with other path chains, where each node represents a directory or file. The path tree is used as a behavior abstraction of the software and then output.
2. The APT software behavior abstraction method based on access path hierarchy fusion according to claim 1, characterized in that, The access log includes the loading record sub-table, the modification record sub-table, and the deletion record sub-table.
3. The APT software behavior abstraction method based on access path hierarchy fusion according to claim 1, characterized in that, The preprocessing method includes: Filter access records for non-system disks and non-remote paths; Based on a path normalization rule table, variables, short filenames, and de-identification identifiers in the path are replaced with a unified standardized path format.
4. The APT software behavior abstraction method based on access path hierarchy fusion according to claim 3, characterized in that, The method for filtering access records of non-system disks and non-remote paths includes: Use preset regular expressions to match and retain system disk paths and remote paths to filter access records from non-system disks and non-remote paths.
5. The APT software behavior abstraction method based on access path hierarchy fusion according to claim 1, characterized in that, The longest common path matching follows the longest matching principle, that is, the high-level path dictionary item with the longest common prefix with the current normalized path is selected as the matching result.
6. An APT software behavior abstraction system based on access path hierarchy fusion, characterized in that, The system includes a preprocessing module, a matching module, a path chain construction module, a path tree construction module, and an output module. The preprocessing module is used to input the file access logs of the host machine during the operation of the software and preprocess them to obtain a normalized path set; The matching module is used to perform the longest common path matching between each path in the normalized path set and the preset high-level path dictionary, and to determine the high-level path with the longest matching length for each path. The path chain construction module is used to take the longest matched high-level path as the root node for each path, and construct the remaining path elements as child nodes in hierarchical order to obtain the corresponding path chain. The path tree construction module is used to construct a multi-level path tree for each path chain, starting from the root node, by merging nodes with the same path elements with other path chains, where each node represents a directory or file. The output module is used to output the path tree as a behavior abstraction of the software.
7. The APT software behavior abstraction system based on access path hierarchy fusion according to claim 6, characterized in that, The access log includes the loading record sub-table, the modification record sub-table, and the deletion record sub-table.
8. The APT software behavior abstraction system based on access path hierarchy fusion according to claim 6, characterized in that, The preprocessing module includes a cleaning module and a normalization module; The cleaning module is used to filter access records for non-system disks and non-remote paths; The normalization module is used to replace variables, short filenames, and desensitization identifiers in a path with a unified standardized path format based on a path normalization rule table.
9. A computer-readable storage medium having a computer program stored thereon, characterized in that: When the computer program is executed by the processor, it implements the steps of the APT software behavior abstraction method based on access path hierarchy fusion as described in any one of claims 1 to 5.
10. A computer device, characterized in that: It includes a storage medium, a processor, and a computer program stored in the storage medium and executable by the processor, wherein the computer program, when executed by the processor, implements the steps of the APT software behavior abstraction method based on access path hierarchy fusion as described in any one of claims 1 to 5.