This study addresses the limited discriminative power of network traffic features in Advanced Persistent Threat (APT) detection. We propose the first systematic, interpretable framework to evaluate the synergistic effects of multi-method feature selection and classifier integration. Our approach combines ensemble recursive feature elimination, tree-based feature importance ranking, L1 regularization, and chi-square testing, coupled with cross-validated classification using Random Forest, XGBoost, and SVM. Key findings reveal that temporal behavioral features—such as session interval entropy and command execution frequency—and protocol anomaly features—including TLS traffic on non-standard ports—are most discriminative. Evaluated across multiple real-world APT datasets, our method achieves an average 12.3% improvement in detection accuracy and an 18.7% reduction in false positive rate, significantly enhancing model generalizability and operational deployability.

Advanced Persistent Threats (APTs) pose a significant security risk to organizations and industries. These attacks often lead to severe data breaches and compromise the system for a long time. Mitigating these sophisticated attacks is highly challenging due to the stealthy and persistent nature of APTs. Machine learning models are often employed to tackle this challenge by bringing automation and scalability to APT detection. Nevertheless, these intelligent methods are data-driven, and thus, highly affected by the quality and relevance of input data. This paper aims to analyze measurements considered when recording network traffic and conclude which features contribute more to detecting APT samples. To do this, we study the features associated with various APT cases and determine their importance using a machine learning framework. To ensure the generalization of our findings, several feature selection techniques are employed and paired with different classifiers to evaluate their effectiveness. Our findings provide insights into how APT detection can be enhanced in real-world scenarios.