N-victims: An approach to determine N-victims for APT investigations

Shun Te Liu, Yi Ming Chen, Hui Ching Hung

Research output: Chapter in Book/Report/Conference proceeding; Conference contribution; peer-review

8 Scopus citations


The Advanced Persistent Threat (APT) is a sophisticated, target-oriented cyber attack aimed at accessing valuable information. The attacker leverages customized malware as a stepping stone to intrude into the enterprise network. For enterprises and forensic analysts, finding the victims and investigating them to evaluate the damage are critical, but the investigation is often limited by resources and time. In this paper, we propose an N-Victims approach that starts from a known malware-infected computer to determine the top N most likely victims. We test our approach in a real APT case that happened in a large enterprise network consisting of several thousand computers, which run a commercial antivirus system. N-Victims can find more malware-infected computers than N-Gram based approaches. In the top 20 detected computers, N-Victims also had a higher detection rate and a lower false positive rate than N-Gram based approaches.

Original language: English
Title of host publication: Information Security Applications - 13th International Workshop, WISA 2012, Revised Selected Papers
Editors: Dong Hoon Lee, Moti Yung
Publisher: Springer Verlag
Number of pages: 15
ISBN (Print): 9783642354151
State: Published - 2012
Event: 13th International Workshop on Information Security Applications, WISA 2012 - Jeju Island, Korea, Republic of
Duration: 16 Aug 2012 to 18 Aug 2012

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 7690 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349


Conference: 13th International Workshop on Information Security Applications, WISA 2012
Country/Territory: Korea, Republic of
City: Jeju Island


  • Advanced persistent threat
  • Botnet detection
  • Incident investigation
  • Malware detection

