# Ranking-enhanced anomaly detection using Active Learning-assisted Attention Adversarial Dual AutoEncoder

**Authors:** Sidahmed Benabderrahmane, James Cheney, Talal Rahwan

PMC · DOI: 10.1038/s41598-025-25621-0 · Scientific Reports · 2025-11-24

## TL;DR

This paper introduces a method for detecting Advanced Persistent Threats (APTs) that combines an attention-based adversarial dual autoencoder for unsupervised anomaly detection with an active learning loop that queries labels only for uncertain samples, reducing the need for labeled data.

## Contribution

The novel contribution is an Attention Adversarial Dual AutoEncoder framework enhanced by active learning for efficient APT detection.

## Key findings

- The framework achieved significant improvements in detection rates during active learning.
- It outperformed existing approaches on real-world imbalanced cybersecurity datasets.
- The method works across multiple operating systems and attack scenarios.

## Abstract

Advanced Persistent Threats (APTs) pose a significant challenge in cybersecurity due to their stealthy and long-term nature. Modern supervised learning methods require extensive labeled data, which is often scarce in real-world cybersecurity environments. In this paper, we propose an innovative approach that leverages AutoEncoders for unsupervised anomaly detection, augmented by active learning to iteratively improve the detection of APT anomalies. By selectively querying an oracle for labels on uncertain or ambiguous samples, we minimize labeling costs while improving detection rates, enabling the model to improve its detection accuracy with minimal data while reducing the need for extensive manual labeling. We provide a detailed formulation of the proposed Attention Adversarial Dual AutoEncoder-based anomaly detection framework and show how the active learning loop iteratively enhances the model. The framework is evaluated on real-world imbalanced provenance trace databases produced by the DARPA Transparent Computing program, where APT-like attacks constitute as little as 0.004% of the data. The datasets span multiple operating systems, including Android, Linux, BSD, and Windows, and cover two attack scenarios. The results have shown significant improvements in detection rates during active learning and better performance compared to other existing approaches.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/PMC12644807/full.md

## Figures

22 figures with captions in the complete paper: https://tomesphere.com/paper/PMC12644807/full.md

## References

38 references — full list in the complete paper: https://tomesphere.com/paper/PMC12644807/full.md

---
Source: https://tomesphere.com/paper/PMC12644807