Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

RAPID: Robust APT Detection and Investigation Using Context-Aware Deep Learning

Yonatan Amaru, Prasanna Wudali, Yuval Elovici, Asaf Shabtai

TL;DR

RAPID tackles the challenge of robust APT detection amid evolving system behavior by combining context-aware anomaly detection with provenance-grounded alert tracing. It introduces dual-purpose object embeddings learned through self-supervised sequence learning and CBOW, enabling dynamic adaptation and informative attack narratives. Through a Bi-LSTM anomaly detector and provenance-based tracing, RAPID achieves high precision and recall across graph, node, and edge levels while reducing alert fatigue and maintaining scalability for large enterprise deployments. The approach demonstrates superior performance compared with state-of-the-art methods on three public datasets and provides practical benefits for security operations, including detailed kill-chain–level narratives and efficient handling of large-scale provenance data.

Abstract

Advanced persistent threats (APTs) pose significant challenges for organizations, leading to data breaches, financial losses, and reputational damage. Existing provenance-based approaches for APT detection often struggle with high false positive rates, a lack of interpretability, and an inability to adapt to evolving system behavior. We introduce RAPID, a novel deep learning-based method for robust APT detection and investigation, leveraging context-aware anomaly detection and alert tracing. By utilizing self-supervised sequence learning and iteratively learned embeddings, our approach effectively adapts to dynamic system behavior. The use of provenance tracing both enriches the alerts and enhances the detection capabilities of our approach. Our extensive evaluation demonstrates RAPID's effectiveness and computational efficiency in real-world scenarios. In addition, RAPID achieves higher precision and recall than state-of-the-art methods, significantly reducing false positives. RAPID integrates contextual information and facilitates a smooth transition from detection to investigation, providing security teams with detailed insights to efficiently address APT threats.

RAPID: Robust APT Detection and Investigation Using Context-Aware Deep Learning

TL;DR

RAPID tackles the challenge of robust APT detection amid evolving system behavior by combining context-aware anomaly detection with provenance-grounded alert tracing. It introduces dual-purpose object embeddings learned through self-supervised sequence learning and CBOW, enabling dynamic adaptation and informative attack narratives. Through a Bi-LSTM anomaly detector and provenance-based tracing, RAPID achieves high precision and recall across graph, node, and edge levels while reducing alert fatigue and maintaining scalability for large enterprise deployments. The approach demonstrates superior performance compared with state-of-the-art methods on three public datasets and provides practical benefits for security operations, including detailed kill-chain–level narratives and efficient handling of large-scale provenance data.

Abstract

Advanced persistent threats (APTs) pose significant challenges for organizations, leading to data breaches, financial losses, and reputational damage. Existing provenance-based approaches for APT detection often struggle with high false positive rates, a lack of interpretability, and an inability to adapt to evolving system behavior. We introduce RAPID, a novel deep learning-based method for robust APT detection and investigation, leveraging context-aware anomaly detection and alert tracing. By utilizing self-supervised sequence learning and iteratively learned embeddings, our approach effectively adapts to dynamic system behavior. The use of provenance tracing both enriches the alerts and enhances the detection capabilities of our approach. Our extensive evaluation demonstrates RAPID's effectiveness and computational efficiency in real-world scenarios. In addition, RAPID achieves higher precision and recall than state-of-the-art methods, significantly reducing false positives. RAPID integrates contextual information and facilitates a smooth transition from detection to investigation, providing security teams with detailed insights to efficiently address APT threats.
Paper Structure (24 sections, 1 equation, 7 figures, 5 tables)

This paper contains 24 sections, 1 equation, 7 figures, 5 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Motivating Example
  4. Threat Model
  5. Prior Research
  6. Proposed Method: RAPID
  7. Overview
  8. Data Collection and Processing
  9. Provenance Graph Construction
  10. Object Embedding
  11. Anomaly Detection
  12. Alert Tracing
  13. Evaluation Setup
  14. RAPID Implementation
  15. Datasets
  16. ...and 9 more sections

Figures (7)

  • Figure 1: An example of a provenance graph containing host-based intrusion behavior from the DARA eng.3 THEIA dataset.
  • Figure 2: RAPID's workflow.
  • Figure 3: RAPID's object embedding.
  • Figure 4: Anomaly detection model.
  • Figure 5: Illustration of the alert tracing process in which anomalies are integrated into the provenance graph.
  • ...and 2 more figures