
Advanced Persistent Threat Identification

Youness Bouchari

Advanced Persistent Threat Identification.

Supervisor: Marco Mellia. Politecnico di Torino, Master's degree programme in Computer Engineering (Ingegneria Informatica), 2025

PDF (Tesi_di_laurea) - Thesis
License: Creative Commons Attribution Non-commercial No Derivatives.

Abstract:

Advanced Persistent Threats (APTs) represent one of the most critical challenges in modern cybersecurity. Their stealthy and evolving nature makes them particularly difficult to detect within the massive volume of system logs generated by enterprise environments. This thesis investigates the use of machine learning for APT detection from log data, comparing shallow classifiers, deep learning approaches, and a tactic-aware ensemble of fine-tuned BERT heads.

The experiments demonstrate that while shallow models can achieve competitive performance under random train/test splits, they fail to generalize when evaluated chronologically (training on earlier logs and testing on later ones), underscoring their limited ability to adapt to the evolving behaviours characteristic of APT campaigns. Deep learning models, especially fine-tuned BERT, provide stronger and more stable performance, benefiting from their ability to capture contextual relationships within logs.

The proposed ensemble of tactic-specific BERT heads highlights the potential of specialization by aligning detection capabilities with MITRE ATT&CK tactics. This ensemble achieved promising results under random splits and showed the value of tactic-aware learning, though limitations remain in terms of recall and robustness under chronological evaluation. Error analysis revealed that many missed malicious logs were dominated by obfuscated or semantically weak tokens, making them difficult to distinguish from benign activity.

This thesis contributes to the understanding of APT detection through log analysis, illustrating both the strengths and limitations of current machine learning approaches. The findings emphasize the importance of temporal evaluation for realistic assessments and suggest that adaptive, tactic-aware methods hold promise for improving the detection of advanced and evolving threats.

Supervisors: Marco Mellia
Academic year: 2025/26
Publication type: Electronic
Number of pages: 44
Degree programme: Master's degree programme in Computer Engineering (Ingegneria Informatica)
Degree class: New system > Master's degree > LM-32 - INGEGNERIA INFORMATICA (Computer Engineering)
Partner companies: DATA Reply S.r.l. con Unico Socio
URI: http://webthesis.biblio.polito.it/id/eprint/37628