Advanced Persistent Threats (APTs) are difficult to detect because of their long-term latency and their covert, slow, multistage attack patterns. To tackle these issues, we propose TBDetector, a transformer-based method for APT attack detection. Because provenance graphs provide rich historical information and a powerful ability to correlate attack history in order to identify anomalous activities, TBDetector employs provenance analysis for APT detection: it summarizes long-running system execution with space efficiency and uses a transformer with a self-attention-based encoder-decoder to extract long-term contextual features of system states, so that slow-acting attacks can be detected. Furthermore, we introduce anomaly scores to investigate the anomaly of different system states, where each state is assigned an anomaly score derived from its similarity score and its isolation score. To evaluate the effectiveness of the proposed method, we have conducted experiments on five public datasets, i.e., streamspot, cadets, shellshock, clearscope, and wget_baseline. Experimental results and comparisons with state-of-the-art methods show that our proposed method performs better.
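To make the pipeline described above concrete (provenance graph, space-efficient summary of execution into system states, and an anomaly score built from a similarity score and an isolation score), here is an added toy example. It is not TBDetector's code and not from the paper: the relation vocabulary, the window-based count summary, the cosine-based similarity score, the nearest-neighbour isolation score, the equal weighting of the two, and the sample audit events are all assumptions made for illustration; the paper's transformer encoder-decoder is not reproduced here.

```python
"""Toy provenance-graph state summarization with a combined anomaly score.
Added illustration only; the summarization and score formulas are assumptions,
not the TBDetector method."""
from collections import Counter
from math import sqrt

# Relation vocabulary used to vectorise a system state (assumed, not from the paper).
RELS = ("exec", "read", "write", "connect")

# Constructed audit events: (subject, relation, object). Entirely synthetic sample data.
BENIGN_EVENTS = [
    ("bash", "exec", "ls"), ("ls", "read", "/home/u"),
    ("ls", "read", "/etc/ld.so.cache"), ("bash", "write", "/home/u/.bash_history"),
    ("bash", "exec", "vim"), ("vim", "read", "/home/u/notes.txt"),
    ("vim", "read", "/etc/vimrc"), ("vim", "write", "/home/u/notes.txt"),
    ("bash", "exec", "cat"), ("cat", "read", "/home/u/a"),
    ("cat", "read", "/home/u/b"), ("cat", "read", "/home/u/c"),
]
SUSPECT_EVENTS = [  # constructed: a service drops a file, then repeatedly connects out
    ("svc", "write", "/tmp/.x"), ("svc", "connect", "203.0.113.5:443"),
    ("svc", "connect", "203.0.113.5:443"), ("svc", "connect", "203.0.113.5:443"),
]


def build_provenance_graph(events):
    """Return (nodes, edges) where each edge is (subject, relation, object)."""
    nodes, edges = set(), []
    for subj, rel, obj in events:
        nodes.update((subj, obj))
        edges.append((subj, rel, obj))
    return nodes, edges


def summarize_states(edges, window=4):
    """Summarise the graph into fixed-size windows; each state is a relation-count vector.
    This is the space-saving step: only counts per relation are kept, not raw edges."""
    states = []
    for i in range(0, len(edges), window):
        counts = Counter(rel for _, rel, _ in edges[i:i + window])
        states.append([counts[r] for r in RELS])
    return states


def _cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = sqrt(sum(x * x for x in a)), sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def _euclid(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def similarity_score(state, benign_states):
    """Cosine similarity of a state to the mean benign state (1 = looks like normal behaviour)."""
    mean = [sum(col) / len(benign_states) for col in zip(*benign_states)]
    return _cosine(state, mean)


def isolation_score(state, benign_states):
    """Distance to the nearest benign state, squashed into [0, 1); 0 = identical to a benign state."""
    d = min(_euclid(state, b) for b in benign_states)
    return d / (1.0 + d)


def anomaly_score(state, benign_states):
    """Combined score in [0, 1]: low similarity and high isolation both push it up (assumed 50/50 weighting)."""
    return 0.5 * (1.0 - similarity_score(state, benign_states)) + 0.5 * isolation_score(state, benign_states)


def score_events(events, benign_states):
    """Full pipeline for one event stream: graph -> states -> one anomaly score per state."""
    _, edges = build_provenance_graph(events)
    return [anomaly_score(s, benign_states) for s in summarize_states(edges)]


# Reference profile learned from the benign stream (here: just its summarised states).
BENIGN_STATES = summarize_states(build_provenance_graph(BENIGN_EVENTS)[1])

if __name__ == "__main__":
    for label, ev in (("benign", BENIGN_EVENTS), ("suspect", SUSPECT_EVENTS)):
        print(label, [round(s, 3) for s in score_events(ev, BENIGN_STATES)])
```

The count-vector summary is what keeps memory bounded on long-running hosts: a window of raw edges collapses to one small vector, and only those vectors are compared. In the toy, the benign windows score close to 0 while the "write then connect, connect, connect" window scores well above 0.5 because it is both dissimilar to the benign mean and far from every benign neighbour; a real detector would replace the count vector with a learned contextual embedding of the state sequence, which is the role the paper assigns to its transformer.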