Saved in:
Bibliographic Details
Main Authors: Yin, Zhenhao, Yan, Hanbing, Lu, Huishu, Xiong, Jing, Li, Xiangyu, Mei, Rui, Zang, Tianning
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2512.15039
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866918251874746368
author Yin, Zhenhao
Yan, Hanbing
Lu, Huishu
Xiong, Jing
Li, Xiangyu
Mei, Rui
Zang, Tianning
author_facet Yin, Zhenhao
Yan, Hanbing
Lu, Huishu
Xiong, Jing
Li, Xiangyu
Mei, Rui
Zang, Tianning
contents Large-scale, standardized datasets for Advanced Persistent Threat (APT) research are scarce, and inconsistent actor aliases and redundant samples hinder reproducibility. This paper presents APT-ClaritySet and its construction pipeline that normalizes threat actor aliases (reconciling approximately 11.22\% of inconsistent names) and applies graph-feature deduplication -- reducing the subset of statically analyzable executables by 47.55\% while retaining behaviorally distinct variants. APT-ClaritySet comprises: (i) APT-ClaritySet-Full, the complete pre-deduplication collection with 34{,}363 malware samples attributed to 305 APT groups (2006 - early 2025); (ii) APT-ClaritySet-Unique, the deduplicated release with 25{,}923 unique samples spanning 303 groups and standardized attributions; and (iii) APT-ClaritySet-FuncReuse, a function-level resource that includes 324{,}538 function-reuse clusters (FRCs) enabling measurement of inter-/intra-group sharing, evolution, and tooling lineage. By releasing these components and detailing the alias normalization and scalable deduplication pipeline, this work provides a high-fidelity, reproducible foundation for quantitative studies of APT patterns, evolution, and attribution.
format Preprint
id arxiv_https___arxiv_org_abs_2512_15039
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle APT-ClaritySet: A Large-Scale, High-Fidelity Labeled Dataset for APT Malware with Alias Normalization and Graph-Based Deduplication
Yin, Zhenhao
Yan, Hanbing
Lu, Huishu
Xiong, Jing
Li, Xiangyu
Mei, Rui
Zang, Tianning
Cryptography and Security
Software Engineering
Large-scale, standardized datasets for Advanced Persistent Threat (APT) research are scarce, and inconsistent actor aliases and redundant samples hinder reproducibility. This paper presents APT-ClaritySet and its construction pipeline that normalizes threat actor aliases (reconciling approximately 11.22\% of inconsistent names) and applies graph-feature deduplication -- reducing the subset of statically analyzable executables by 47.55\% while retaining behaviorally distinct variants. APT-ClaritySet comprises: (i) APT-ClaritySet-Full, the complete pre-deduplication collection with 34{,}363 malware samples attributed to 305 APT groups (2006 - early 2025); (ii) APT-ClaritySet-Unique, the deduplicated release with 25{,}923 unique samples spanning 303 groups and standardized attributions; and (iii) APT-ClaritySet-FuncReuse, a function-level resource that includes 324{,}538 function-reuse clusters (FRCs) enabling measurement of inter-/intra-group sharing, evolution, and tooling lineage. By releasing these components and detailing the alias normalization and scalable deduplication pipeline, this work provides a high-fidelity, reproducible foundation for quantitative studies of APT patterns, evolution, and attribution.
title APT-ClaritySet: A Large-Scale, High-Fidelity Labeled Dataset for APT Malware with Alias Normalization and Graph-Based Deduplication
topic Cryptography and Security
Software Engineering
url https://arxiv.org/abs/2512.15039