Provenance-based threat hunting identifies Advanced Persistent Threats (APTs) on endpoints by correlating attack patterns described in Cyber Threat Intelligence (CTI) with provenance graphs derived from system audit logs. A fundamental challenge in this paradigm lies in the modality gap -- the structural and semantic disconnect between provenance graphs and CTI reports. Prior work addresses this by framing threat hunting as a graph matching task: 1) extracting attack graphs from CTI reports, and 2) aligning them with provenance graphs. However, this pipeline incurs severe \textit{information loss} during graph extraction and demands intensive manual curation, undermining scalability and effectiveness. In this paper, we present APT-CGLP, a novel cross-modal APT hunting system via Contrastive Graph-Language Pre-training, facilitating end-to-end semantic matching between provenance graphs and CTI reports without human intervention. First, empowered by the Large Language Model (LLM), APT-CGLP mitigates data scarcity by synthesizing high-fidelity provenance graph-CTI report pairs, while simultaneously distilling actionable insights from noisy web-sourced CTIs to improve their operational utility. Second, APT-CGLP incorporates a tailored multi-objective training algorithm that synergizes contrastive learning with inter-modal masked modeling, promoting cross-modal attack semantic alignment at both coarse- and fine-grained levels. Extensive experiments on four real-world APT datasets demonstrate that APT-CGLP consistently outperforms state-of-the-art threat hunting baselines in terms of accuracy and efficiency.

翻译：基于溯源图的威胁狩猎通过将网络威胁情报（CTI）中描述的攻击模式与源自系统审计日志的溯源图进行关联，从而在终端上识别高级持续性威胁（APT）。该范式的一个根本挑战在于模态鸿沟——即溯源图与CTI报告之间的结构和语义隔阂。先前的研究通过将威胁狩猎构建为图匹配任务来解决此问题：1）从CTI报告中提取攻击图，2）将其与溯源图对齐。然而，此流程在图提取过程中会产生严重的**信息损失**，并且需要大量人工干预，从而损害了可扩展性和有效性。本文提出APT-CGLP，一种基于对比图-语言预训练的新型跨模态APT狩猎系统，可在无需人工干预的情况下实现溯源图与CTI报告之间的端到端语义匹配。首先，借助大语言模型（LLM），APT-CGLP通过合成高保真度的溯源图-CTI报告对来缓解数据稀缺问题，同时从来源混杂的网络CTI中提炼可操作的见解以提升其实际效用。其次，APT-CGLP采用了一种定制的多目标训练算法，该算法将对比学习与跨模态掩码建模相结合，在粗粒度和细粒度层面共同促进跨模态攻击语义对齐。在四个真实世界APT数据集上的大量实验表明，APT-CGLP在准确性和效率方面持续优于最先进的威胁狩猎基线方法。