This study addresses the challenge of erroneous attribution in existing APT malware attribution methods when encountering previously unseen threat actors. To enhance reliability in open-world scenarios, the authors propose a novel attribution framework based on an ordered sequence of binary classifiers coupled with an explicit abstention mechanism. Specifically, two binary classifiers are trained per known APT group and applied sequentially according to their validation performance; if none yield sufficient confidence, the system proactively abstains from making an attribution. Evaluated under a stringent setting where 87% of test samples originate from unknown groups, the method correctly abstains on 94% of these unknown instances while achieving 92% attribution precision and 95% selective accuracy—significantly outperforming current state-of-the-art approaches.

Early attribution of Advanced Persistent Threat (APT) activity can help defenders prioritise investigation, select countermeasures, and reduce the impact of an intrusion. Malware provides useful attribution evidence, but automated APT malware attribution remains difficult in practice. Existing approaches are typically trained and evaluated as closed-set classifiers over a limited number of known APT groups. In operational environments, however, classifiers are likely to encounter samples from groups not represented during training. Closed-set classifiers are then forced to assign such samples to known groups, producing unsupported and potentially misleading attributions. We present a high-precision APT malware attribution method based on ranked binary classifiers with explicit abstention. Rather than training a single multi-class classifier, our approach trains and tunes two binary classifiers per APT group, ranks the classifiers by validation performance, and applies them sequentially. A sample is attributed only when a classifier provides sufficient evidence; otherwise, it abstains. We evaluate the method on the APT Malware dataset and on a larger combined dataset designed to stress-test out-of-scope behaviour. On the APT Malware dataset, the method achieves higher precision than previously published results on the same dataset. In the most challenging setting, where 87% of test samples came from 60 APT groups excluded from training, the method abstained on 94% of out-of-scope samples while maintaining 92% precision and 95% selective accuracy on the samples it classified.