From One Attack Domain to Another: Contrastive Transfer Learning with Siamese Networks for APT Detection

TL;DR

This paper introduces a hybrid transfer learning framework using Siamese networks and contrastive learning to enhance cross-domain APT detection, addressing challenges like domain shift, feature drift, and scarcity of real-world data.

Contribution

It presents a novel combination of transfer learning, explainability, and contrastive Siamese networks to improve APT detection across different attack domains.

Findings

Improved detection scores across domain transfers.

Enhanced robustness with synthetic attack scenarios.

Scalable and explainable APT detection method.

Abstract

Advanced Persistent Threats (APT) pose a major cybersecurity challenge due to their stealth, persistence, and adaptability. Traditional machine learning detectors struggle with class imbalance, high dimensional features, and scarce real world traces. They often lack transferability-performing well in the training domain but degrading in novel attack scenarios. We propose a hybrid transfer framework that integrates Transfer Learning, Explainable AI (XAI), contrastive learning, and Siamese networks to improve cross-domain generalization. An attention-based autoencoder supports knowledge transfer across domains, while Shapley Additive exPlanations (SHAP) select stable, informative features to reduce dimensionality and computational cost. A Siamese encoder trained with a contrastive objective aligns source and target representations, increasing anomaly separability and mitigating feature drift. We evaluate on real-world traces from the DARPA Transparent Computing (TC) program and augment with synthetic attack scenarios to test robustness. Across source to target transfers, the approach delivers improved detection scores with classical and deep baselines, demonstrating a scalable, explainable, and transferable solution for APT detection.