Advanced persistent threats (APTs) are stealthy and multi-stage, so single-point defenses (e.g., malware- or traffic-based detectors) are ill-suited to capturing long-range, cross-entity attack semantics. Provenance-graph analysis has become a prominent approach to APT detection. Its practical deployment, however, is hampered by (i) the scarcity of APT samples, (ii) the cost and difficulty of fine-grained APT sample labeling, and (iii) the diversity of attack tactics and techniques. To address these problems, this paper proposes APT-MCL, an intelligent APT detection system based on Multi-view Collaborative provenance graph Learning. It adopts an unsupervised learning strategy that discovers APT attacks at the node level via anomaly detection. It then builds multiple anomaly detection sub-models from multi-view features and integrates them within a collaborative learning framework to adapt to diverse attack scenarios. Extensive experiments on three real-world APT datasets validate the approach: (i) multi-view features improve cross-scenario generalization, and (ii) co-training substantially boosts node-level detection under label scarcity, enabling practical deployment across diverse attack scenarios.
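To make the abstract's two claims concrete, the following is an added illustration and not the APT-MCL authors' code. It constructs a handful of audit events, builds a provenance graph keyed by subject process, derives two feature views per node (a structural view from the node's neighborhood shape and a behavioral view from what it touches), scores each view with a robust median/MAD z-score, and then runs a simplified co-training loop in which each view refits its baseline on the nodes the other view considers normal. The events, the two feature sets, the sensitive-path list, the 0.5 "confident normal" cutoff and the two-round loop are all assumptions for the example; the paper's actual features and collaborative framework are not described in the abstract.

```python
"""Toy multi-view, node-level anomaly scoring over a provenance graph.

Added example (not APT-MCL's implementation): the events, feature views,
cutoff and co-training loop are simplifying assumptions.
"""
from collections import defaultdict
from statistics import median

# Constructed audit events: (subject process, action, object, object type).
EVENTS = [
    ("nginx", "read", "/etc/nginx/nginx.conf", "file"),
    ("nginx", "accept", "10.0.0.5:443", "socket"),
    ("nginx", "read", "/var/www/index.html", "file"),
    ("bash", "read", "/home/alice/.bashrc", "file"),
    ("bash", "write", "/home/alice/notes.txt", "file"),
    ("sshd", "accept", "10.0.0.7:22", "socket"),
    ("sshd", "read", "/etc/ssh/sshd_config", "file"),
    ("sshd", "exec", "bash", "process"),
    ("cron", "read", "/etc/crontab", "file"),
    ("cron", "exec", "updater", "process"),
    ("updater", "read", "/etc/shadow", "file"),
    ("updater", "read", "/etc/passwd", "file"),
    ("updater", "connect", "203.0.113.10:4444", "socket"),
    ("updater", "write", "/tmp/.x", "file"),
    ("updater", "exec", "sh", "process"),
]
SENSITIVE = ("/etc/shadow", "/etc/passwd")  # assumed sensitive-path label set


def build_graph(events):
    """Provenance graph as adjacency: subject -> [(action, object, type)]."""
    g = defaultdict(list)
    for subj, act, obj, typ in events:
        g[subj].append((act, obj, typ))
    return g


def structural_view(g):
    """Shape of each node's neighborhood: out-degree, distinct types, children."""
    return {n: [len({o for _, o, _ in e}),
                len({t for _, _, t in e}),
                sum(1 for _, _, t in e if t == "process")]
            for n, e in g.items()}


def behavioral_view(g):
    """What each node touches: outbound connects, sensitive reads, /tmp writes."""
    return {n: [sum(1 for a, _, _ in e if a == "connect"),
                sum(1 for a, o, _ in e if a == "read" and o in SENSITIVE),
                sum(1 for a, o, _ in e if a == "write" and o.startswith("/tmp/"))]
            for n, e in g.items()}


def robust_scores(view, baseline_nodes):
    """Per-node sum of |x - median| / MAD, baseline fitted on baseline_nodes.

    Unsupervised: no labels, only the assumption that most baseline nodes are
    benign. Scores are normalized to [0, 1] by the view's maximum.
    """
    dims = len(next(iter(view.values())))
    centers, scales = [], []
    for d in range(dims):
        col = [view[n][d] for n in baseline_nodes]
        c = median(col)
        mad = median(abs(x - c) for x in col)
        centers.append(c)
        scales.append(mad if mad > 0 else 1.0)  # MAD == 0: fall back to unit scale
    raw = {n: sum(abs(x - c) / s for x, c, s in zip(f, centers, scales))
           for n, f in view.items()}
    top = max(raw.values()) or 1.0
    return {n: s / top for n, s in raw.items()}


def co_train(views, rounds=2, normal_cutoff=0.5):
    """Simplified co-training: each view refits on nodes all other views call normal."""
    names = list(views)
    nodes = list(views[names[0]])
    scores = {v: robust_scores(views[v], nodes) for v in names}  # round 0: all nodes
    for _ in range(rounds):
        new = {}
        for v in names:
            normals = [n for n in nodes
                       if all(scores[o][n] < normal_cutoff for o in names if o != v)]
            new[v] = robust_scores(views[v], normals if len(normals) >= 2 else nodes)
        scores = new
    return scores


def combined_ranking(scores):
    """Average the per-view scores and rank nodes, most anomalous first."""
    nodes = list(next(iter(scores.values())))
    combo = {n: sum(s[n] for s in scores.values()) / len(scores) for n in nodes}
    return sorted(combo.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    g = build_graph(EVENTS)
    views = {"structural": structural_view(g), "behavioral": behavioral_view(g)}
    for node, score in combined_ranking(co_train(views)):
        print(f"{node:10s} {score:.3f}")
```

On this constructed input the structural view alone ties the interactive `bash` shell with `updater`, because both deviate from the median neighborhood shape; the behavioral view separates them, and after the views exchange their confident-normal sets the structural baseline tightens and `updater` clearly leads that view too. That is the mechanism the abstract points at: a single view over-fits one notion of "unusual", while views fitted collaboratively correct each other without any labels.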