Date of Graduation

8-2025

Document Type

Thesis

Degree Name

Master of Science in Computer Science (MS)

Degree Level

Graduate

Department

Computer Science & Computer Engineering

Advisor/Mentor

Li, Qinghua

Committee Member

Farnell, Christopher

Second Committee Member

Thompson, Dale R

Abstract

Advanced Persistent Threats (APTs) are complex, stealthy attacks that involve multiple stages and many attack techniques used in each stage, making them difficult to defend against. Although many solutions can detect APTs, most of them only detect the existence of an attack and cannot produce fine-grained classification of the APT stage and the specific attack technique used. Some existing solutions can classify the stages of an APT, but few of them provide attack technique classification, and existing work does not provide interpretability for the classification or countermeasures for the attack. In this thesis work, we propose a solution named CAPTure to detect APT stages and attack techniques, provide interpretability for detection, and map the attack to MITRE D3FEND countermeasures. Specifically, we introduce a selective undersampling technique to address the imbalanced data distribution problem, and a hybrid graph representation concatenated with numerical flow statistics features to capture both structural and quantitative context for detection. Leveraging these features, we further design a stacked hierarchical classifier for APT stage detection and attack technique detection, followed by feature importance generation for interpretability and countermeasure mapping for attack mitigation. Evaluations on two open-source APT datasets show that our work can detect APT stages and attack techniques accurately, with higher performance than baseline schemes. It also has a short detection latency of below 1.25 seconds, making it capable of real-time detection.