Neurosymbolic Learning for Advanced Persistent Threat Detection under Extreme Class Imbalance
Quhura Fathima, Neda Moghim, Mostafa Taghizade Firouzjaee, Christo K. Thomas, Ross Gore, Walid Saad

TL;DR
This paper introduces a neurosymbolic approach combining BERT and logic tensor networks for explainable and effective detection of advanced persistent threats in IoT networks, addressing class imbalance and enhancing interpretability.
Contribution
It presents a novel neurosymbolic architecture that integrates optimized BERT with logic tensor networks for explainable APT detection in wireless IoT environments.
Findings
Achieved 95.27% F1 score in binary classification
Reduced false positive rate to 0.14%
Demonstrated high macro F1 score of 76.75% for attack categorization
Abstract
The growing deployment of Internet of Things (IoT) devices in smart cities and industrial environments increases vulnerability to stealthy, multi-stage advanced persistent threats (APTs) that exploit wireless communication. Detection is challenging due to severe class imbalance in network traffic, which limits the effectiveness of traditional deep learning approaches and their lack of explainability in classification decisions. To address these challenges, this paper proposes a neurosymbolic architecture that integrates an optimized BERT model with logic tensor networks (LTN) for explainable APT detection in wireless IoT networks. The proposed method addresses the challenges of mobile IoT environments through efficient feature encoding that transforms network flow data into BERT-compatible sequences while preserving temporal dependencies critical for APT stage identification. Severe…
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Software-Defined Networks and 5G
