APT-MCL: An Adaptive APT Detection System Based on Multi-View Collaborative Provenance Graph Learning

TL;DR

APT-MCL is an unsupervised, multi-view collaborative learning system that enhances APT detection by analyzing provenance graphs, addressing data scarcity, attack diversity, and labeling challenges for practical deployment.

Contribution

It introduces a novel multi-view collaborative learning framework for unsupervised APT detection using provenance graphs, improving generalization and detection under limited labels.

Findings

Multi-view features enhance cross-scenario detection.

Co-training significantly improves node-level detection.

The system demonstrates effectiveness on real-world datasets.

Abstract

Advanced persistent threats (APTs) are stealthy and multi-stage, making single-point defenses (e.g., malware- or traffic-based detectors) ill-suited to capture long-range and cross-entity attack semantics. Provenance-graph analysis has become a prominent approach for APT detection. However, its practical deployment is hampered by (i) the scarcity of APT samples, (ii) the cost and difficulty of fine-grained APT sample labeling, and (iii) the diversity of attack tactics and techniques. Aiming at these problems, this paper proposes APT-MCL, an intelligent APT detection system based on Multi-view Collaborative provenance graph Learning. It adopts an unsupervised learning strategy to discover APT attacks at the node level via anomaly detection. After that, it creates multiple anomaly detection sub-models based on multi-view features and integrates them within a collaborative learning framework to adapt to diverse attack scenarios. Extensive experiments on three real-world APT datasets validate the approach: (i) multi-view features improve cross-scenario generalization, and (ii) co-training substantially boosts node-level detection under label scarcity, enabling practical deployment on diverse attack scenarios.