Advanced Persistent Threats (APT) Attribution Using Deep Reinforcement Learning

📅 2024-10-15
🏛️ arXiv.org
📈 Citations: 0
✨ Influential: 0
🤖 AI Summary
To address low attribution accuracy and poor adaptability to novel attack techniques in APT attack provenance analysis, this paper pioneers the application of deep reinforcement learning (DRL) to end-to-end APT attribution, departing from conventional supervised classification paradigms. The proposed model frames attribution as an agent-environment interaction task, where the agent dynamically engages with multi-source heterogeneous threat behavior sequences. It integrates a deep Q-network (DQN), multi-scale temporal feature encoding, behavior sequence modeling, reward shaping, and adversarial robustness training to enable autonomous learning of attacker fingerprints and yield fine-grained, interpretable attribution. Evaluated on a real-world APT dataset, the method achieves a dramatic improvement in attribution accuracy, from 7% to 98%, and supports high-confidence cross-family and cross-stage attribution, significantly outperforming state-of-the-art approaches.

📝 Abstract
The development of the DRL model for malware attribution involved extensive research, iterative coding, and numerous adjustments based on the insights gathered from predecessor models and contemporary research papers. This preparatory work was essential to establish a robust foundation for the model, ensuring it could adapt and respond effectively to the dynamic nature of malware threats. Initially, the model struggled with low accuracy levels, but through persistent adjustments to its architecture and learning algorithms, accuracy improved dramatically from about 7 percent to over 73 percent in early iterations. By the end of the training, the model consistently reached accuracy levels near 98 percent, demonstrating its strong capability to accurately recognise and attribute malware activities. This upward trajectory in training accuracy is graphically represented in the Figure, which vividly illustrates the model maturation and increasing proficiency over time.

Problem

Research questions and friction points this paper is trying to address.

Deep Reinforcement Learning
Cyber Attack Attribution
Adaptive Attack Strategies

Innovation

Methods, ideas, or system contributions that make the work stand out.

Deep Reinforcement Learning
Cyber Attack Attribution
High Accuracy Optimization

Animesh Singh Basnet
Cyber Security Research Centre, London Metropolitan University, London, UK

Mohamed Chahine Ghanem
Associate Professor - London Metropolitan University | University of Liverpool
Cyber Security, Applied AI, IoT, Computer Vision, Digital Investigations

Dipo Dunsin
Lecturer in Computer Science and Applied Computing
Cyber Warfare, AI, ML, Reinforcement Learning, Drone and Digital Forensics

Wiktor Sowinski-Mydlarz
Cyber Security Research Centre, London Metropolitan University, London, UK