TRAPShield Supporting Datasets
Source: IEEE. Indexed: 2026-04-17
Download link:
https://ieee-dataport.org/documents/trapshield-supporting-datasets
Resource description:
These are the supporting datasets for our submission, entitled "TRAPShield: Real-Time APT File Theft Defense with Multi-Domain Behavioral Characterization and Transparent Decoy Redirection". Our submission presents a novel APT file theft defense framework that directly targets the ultimate goal of the attack, enabling effective protection of critical files. TRAPShield identifies malicious access to sensitive files through multi-granularity, multi-domain behavioral characterization, combined with an adaptive identity authentication mechanism. It transparently intercepts malicious accesses and redirects them to highly similar deceptive decoy files. By leveraging contextual information around decoy-triggering points, TRAPShield enables continuous tracking of the entire attack campaign without leaking files. We conduct extensive experiments on three groups of datasets constructed from large-scale real-world APT reports, covering diverse APT file theft modalities. Results demonstrate that TRAPShield achieves F1 scores exceeding 90.95% in identifying file theft behaviors, and maintains zero false negative rates with authentication required for less than 5% of accesses. For malicious accesses, TRAPShield misguides them to decoys in an average of 0.125 ms, preventing the exfiltration of actual sensitive contents in real time. Furthermore, it comprehensively tracks and reconstructs all attack scenarios and captures multi-stage malware artifacts, providing vital evidence for forensic investigation and threat attribution.
Provided by:
Qige Song



