The traditional attack detection methods struggle to identify advanced persistent threat （APT） attacks launched using zero-day vulnerabilities. To address this issue， this paper proposes an APT attack activity identification for zero-day attack method （APTIZDM）， which consists of three key components. The first component is the cyber situation perception ontology construction （CSPOC） method， which provides a formal description of critical activity attributes and features in IoT systems. The second component is the malicious command & control （C&C） DNS response activity mining （MCCDRM） method， which identifies malicious C&C communication activities in APT attack scenarios while effectively controlling the scope and starting time of the identification process， thereby reducing computational overhead. The third component is the zero-day attack activity recognition method in APT attack （ZDAARA） scenarios， which utilizes Bayesian networks and security risk propagation theory to perform correlation analysis on system call information. It calculates the malicious probability of each system call instance and effectively identifies zero-day attack activities missed by intrusion detection systems. Simulation experiment results demonstrate that MCCDRM and ZDAARA， as the core components of the APTIZDM， achieve high accuracy and low false positive rates， effectively collaborating to identify APT attack activities.