Clustering disparate attacks: mapping the activities of the advanced persistent threat presented at Virus Bulletin 2011

by Martin Lee

Summary: The advanced persistent threat is one of the most difficult challenges faced by the anti-virus community. These
highly sophisticated, low copy number attacks are distinguishable from high copy number malware
sent over email, but remain tricky to detect. Although such attacks are often talked about, they nevertheless remain
exceedingly rare when compared with the ubiquity of other malware attacks.
However, for some individuals and organizations, being sent an advanced persistent threat malware over email is a
frequent occurrence. Presumably these targets represent a valuable quarry to their attackers. Current research in
advanced persistent threats tends to examine each attack in isolation rather than the broader pattern of activity.
In this paper we show that it is possible, using an undirected graph, to associate attacks according to the targets
shared between distinct attacks. From this information it is possible to build a map of advanced persistent threat
activity and identify clusters that may represent the activities of single teams of malware writers.
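As an added illustration (not code from the paper), the following Python builds the shared-target graph described above from constructed sample campaigns, linking two attacks whenever they share a recipient, and extracts the connected components as candidate clusters of related activity:

```python
"""Cluster targeted email attacks by the recipients they share (added example).

Nodes are distinct attacks; an undirected edge joins two attacks that hit at
least one common recipient. Connected components are candidate clusters.
"""
from collections import defaultdict

# Constructed sample data: attack id -> set of targeted recipient addresses.
ATTACKS = {
    "attack-A": {"alice@example.org", "bob@example.org"},
    "attack-B": {"bob@example.org", "carol@example.org"},
    "attack-C": {"dave@example.net"},
    "attack-D": {"carol@example.org", "erin@example.org"},
    "attack-E": {"frank@example.net", "dave@example.net"},
}


def build_graph(attacks):
    """Return adjacency sets: attacks sharing any recipient get an edge."""
    by_target = defaultdict(set)          # recipient -> attacks that hit them
    for attack, targets in attacks.items():
        for target in targets:
            by_target[target].add(attack)
    graph = {attack: set() for attack in attacks}
    for linked in by_target.values():     # every attack hitting this recipient
        for a in linked:
            graph[a].update(linked - {a})
    return graph


def clusters(attacks):
    """Connected components of the attack graph as sorted lists of attack ids."""
    graph = build_graph(attacks)
    seen, result = set(), []
    for start in graph:
        if start in seen:
            continue
        component, stack = [], [start]
        seen.add(start)
        while stack:                       # iterative DFS over shared-target edges
            node = stack.pop()
            component.append(node)
            for nxt in graph[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        result.append(sorted(component))
    return sorted(result)


if __name__ == "__main__":
    for group in clusters(ATTACKS):
        print(group)
```

Attacks A, B and D form one cluster (A and B share bob, B and D share carol) while C and E form another; an analyst would then review each cluster for common tooling or infrastructure rather than treating the five attacks independently.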