Advanced Persistent Threats (APTs) are difficult to detect due to their complexity and stealthiness. To mitigate such attacks, many approaches model system entities and their relationships as provenance graphs in order to capture the stealthy and persistent characteristics of APTs. However, existing detection methods suffer from three flaws: they miss indirect (multi-hop) dependencies, they are confused by noise in complex scenarios, and they ignore the logical associations between behaviors. Together these make it hard to detect complex scenarios and to reliably identify stealthy threats. In this paper, we propose Sentient, an APT detection method that combines pre-training with intent analysis. It employs a graph transformer to learn structural and semantic information from provenance graphs, so that indirect dependencies are not missed. We mitigate scenario noise by combining global and local information. Additionally, we design an Intent Analysis Module (IAM) to associate the logical relationships between behaviors. Sentient is trained solely on easily obtainable benign data and flags malicious behaviors as deviations from the learned benign behavioral patterns. We evaluated Sentient on three widely used datasets covering both real-world and simulated attacks. Notably, compared to six state-of-the-art methods, Sentient achieved an average 44% reduction in false positive rate (FPR).
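To make concrete what the abstract means by an "indirect dependency" in a provenance graph, here is a small added illustration; it is not Sentient's code and makes no claim about its model. It builds an information-flow graph from a handful of constructed audit events (a downloader writes a file, a shell later reads that file and spawns a process that connects out) and contrasts one-hop ancestors of the outbound socket with the full backward closure. The event format and node names are assumptions chosen for the example.

```python
"""Provenance-graph toy: direct vs. indirect dependencies.

Added illustration, not code from the Sentient paper.  Audit events are
constructed for this example; the (subject, action, object) layout is an
assumption, not any particular audit log format.
"""
from collections import defaultdict, deque

# Constructed sample: curl drops a file, bash reads it, bash launches nc,
# nc opens a connection.  vim is unrelated benign activity.
EVENTS = [
    ("proc:curl", "write",   "file:/tmp/payload"),
    ("proc:bash", "read",    "file:/tmp/payload"),
    ("proc:bash", "execute", "proc:nc"),
    ("proc:nc",   "connect", "sock:10.0.0.5:4444"),
    ("proc:vim",  "write",   "file:/home/alice/notes.txt"),
]

# Information flows object -> subject for reads, subject -> object otherwise.
FLOW_TO_SUBJECT = {"read"}


def build_graph(events):
    """Return adjacency dict src -> set(dst) following information flow."""
    g = defaultdict(set)
    for subj, action, obj in events:
        if action in FLOW_TO_SUBJECT:
            g[obj].add(subj)
        else:
            g[subj].add(obj)
        g.setdefault(subj, set())  # make sure isolated-looking nodes exist
        g.setdefault(obj, set())
    return g


def direct_dependencies(g, node):
    """One-hop ancestors: every node with an edge into `node`."""
    return {src for src, dsts in g.items() if node in dsts}


def indirect_dependencies(g, node):
    """All ancestors of `node`: backward BFS, i.e. transitive closure."""
    seen = set()
    queue = deque([node])
    while queue:
        cur = queue.popleft()
        for src in direct_dependencies(g, cur):
            if src not in seen:
                seen.add(src)
                queue.append(src)
    return seen


def missed_by_one_hop(g, node):
    """Ancestors a purely local (one-hop) view would never see."""
    return indirect_dependencies(g, node) - direct_dependencies(g, node)


G = build_graph(EVENTS)

if __name__ == "__main__":
    target = "sock:10.0.0.5:4444"
    print("direct:  ", sorted(direct_dependencies(G, target)))
    print("indirect:", sorted(indirect_dependencies(G, target)))
    print("missed:  ", sorted(missed_by_one_hop(G, target)))
```

A one-hop view attributes the outbound connection only to nc; the backward closure also surfaces bash, the dropped file and curl, which is the chain a provenance-based detector needs to see before the connection looks suspicious. The benign vim activity never appears because no flow path links it to the socket.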