Stacking-ensemble-based APT organization identification method and system, and storage medium

The invention claimed is: 1 . An APT organization identification method based on a stacking ensemble, comprising the following steps: using a TF-IDF algorithm combined with an n-gram to extract and vectorize behavior features from malware samples to form a malicious behavior vector feature set; based on the malicious behavior vector feature set and an APT organization tag, calculating correlations between features and chi-square values between the features and categories, performing screening twice on the malicious behavior vector feature set to obtain an improved low-dimensional feature subset data; and constructing a multi-model fusion stacking ensemble, learning an APT organization identification model, using the APT organization identification model to perform an organization identification on new APT attacks; wherein calculating of the chi-square values between the features and the categories comprises: for S m , categories in a feature subset S, calculating a chi-square value of each feature in each category, and arranging the features in a descending order of the chi-square values; from feature sets of each category, selecting top N feature text and put them into a new feature subset S′; keeping one of the repeated features in S′, and deleting the rest; and outputting the new feature subset S′. 2 . The APT organization identification method based on a stacking ensemble according to claim 1 , wherein using the TF-IDF algorithm combined with the n-gram to extract and vectorize the behavior features from the malware samples to form a behavior data set comprises: for behavior text features of the malware samples, first generating n-gram texts, then counting a text frequency TF of each text separately, then attaching a weight parameter IDF to each text; TF i , j = n i , j ∑ k ⁢ n k , j wherein TF i,j : a frequency of a text i in a sample j; n i,j : a number of times the text i appears in the sample j; Σ k n k,j : a total number of text appearing in the sample j; then calculating the weight parameters: IDF i , j = log ⁢ ❘ "\[LeftBracketingBar]" D ❘ "\[RightBracketingBar]" ❘ "\[LeftBracketingBar]" j : i ∈ d j ❘ "\[RightBracketingBar]" + 1 wherein |D| represents a total number of samples, |j:i∈d j | represents a number of samples containing the text i, in order to prevent a denominator from being zero, 1 is added, a final weight calculation formula of each text is: TF−IDF i,j =TF i,j ×IDF i,j and through a TF-IDF method for calculating malicious sample behavior feature text combined with the n-gram, preprocessing data, calculating text frequency features, performing a feature vectorization on behavior text data to form a semantic matrix, forming the malicious behavior vector feature set. 3 . The APT organization identification method based on a stacking ensemble according to claim 1 , wherein feature data extracted by the n-gram combined with a TF-IDF method comprises more feature attributes, first, performing a first primary selection of the malicious behavior vector feature set, calculating correlations between features and features, and filtering out features with information redundancy between features. 4 . The APT organization identification method based on a stacking ensemble according to claim 3 , wherein calculating the correlations between features and features comprises: inputting: a behavior vector dataset F, a number of features F n , and thresholds ε 1 ,ε 2 ; randomly selecting a feature X 1 , calculating its information entropy H (X 1 ), if H(X 1 )>ε 1 is satisfied, then adding it to a feature set to be selected S, otherwise, continue to select; for i=2, . . . , F n calculating an information entropy of the feature X i , if H(X i )>ε 1 is satisfied, then judging correlations between this feature and all other features X j in S: ρ X i , X j = cov ⁡ ( X i , X j ) σ X i ⁢ σ X j = E ( ( X i - μ x i ) ⁢