Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Sentient: Detecting APTs Via Capturing Indirect Dependencies and Behavioral Logic

Wenhao Yan, Ning An, Wei Qiao, Weiheng Wu, Bo Jiang, Zhigang Lu, Baoxu Liu, Junrong Liu

TL;DR

Sentient targets the core challenges of APT detection by modeling indirect dependencies and procedural logic within provenance graphs. It combines a graph-transformer-based pre-training stage with an Intent Analysis Module powered by a bidirectional Mamba2 to learn robust benign behavioral patterns and to identify anomalies that deviate from these patterns. The approach demonstrates strong performance across three diverse datasets, achieving high accuracy and recall while substantially reducing false positives and maintaining practical runtime overhead. The work offers a scalable, analyst-friendly detection and investigation workflow suitable for real-world enterprise deployment.

Abstract

Advanced Persistent Threats (APTs) are difficult to detect due to their complexity and stealthiness. To mitigate such attacks, many approaches model entities and their relationship using provenance graphs to detect the stealthy and persistent characteristics of APTs. However, existing detection methods suffer from the flaws of missing indirect dependencies, noisy complex scenarios, and missing behavioral logical associations, which make it difficult to detect complex scenarios and effectively identify stealthy threats. In this paper, we propose Sentient, an APT detection method that combines pre-training and intent analysis. It employs a graph transformer to learn structural and semantic information from provenance graphs to avoid missing indirect dependencies. We mitigate scenario noise by combining global and local information. Additionally, we design an Intent Analysis Module (IAM) to associate logical relationships between behaviors. Sentient is trained solely on easily obtainable benign data to detect malicious behaviors that deviate from benign behavioral patterns. We evaluated Sentient on three widely-used datasets covering real-world attacks and simulated attacks. Notably, compared to six state-of-the-art methods, Sentient achieved an average reduction of 44% in false positive rate(FPR) for detection.

Sentient: Detecting APTs Via Capturing Indirect Dependencies and Behavioral Logic

TL;DR

Sentient targets the core challenges of APT detection by modeling indirect dependencies and procedural logic within provenance graphs. It combines a graph-transformer-based pre-training stage with an Intent Analysis Module powered by a bidirectional Mamba2 to learn robust benign behavioral patterns and to identify anomalies that deviate from these patterns. The approach demonstrates strong performance across three diverse datasets, achieving high accuracy and recall while substantially reducing false positives and maintaining practical runtime overhead. The work offers a scalable, analyst-friendly detection and investigation workflow suitable for real-world enterprise deployment.

Abstract

Advanced Persistent Threats (APTs) are difficult to detect due to their complexity and stealthiness. To mitigate such attacks, many approaches model entities and their relationship using provenance graphs to detect the stealthy and persistent characteristics of APTs. However, existing detection methods suffer from the flaws of missing indirect dependencies, noisy complex scenarios, and missing behavioral logical associations, which make it difficult to detect complex scenarios and effectively identify stealthy threats. In this paper, we propose Sentient, an APT detection method that combines pre-training and intent analysis. It employs a graph transformer to learn structural and semantic information from provenance graphs to avoid missing indirect dependencies. We mitigate scenario noise by combining global and local information. Additionally, we design an Intent Analysis Module (IAM) to associate logical relationships between behaviors. Sentient is trained solely on easily obtainable benign data to detect malicious behaviors that deviate from benign behavioral patterns. We evaluated Sentient on three widely-used datasets covering real-world attacks and simulated attacks. Notably, compared to six state-of-the-art methods, Sentient achieved an average reduction of 44% in false positive rate(FPR) for detection.

Paper Structure

This paper contains 24 sections, 10 equations, 6 figures, 3 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. APT Detection
  4. Graph Transformer
  5. State Space Models
  6. Threat Model
  7. Methodology
  8. Graph Construction
  9. Pre-training
  10. Intent Analysis Module
  11. Threat Detection
  12. Attack Investigation
  13. Evaluation
  14. Datasets and Settings
  15. Datasets.
  16. ...and 9 more sections

Figures (6)

  • Figure 1: An example of an attack provenance graph from the DARPA E3 dataset. Red and blue denote malicious and benign, respectively. The red subgraphs highlight the core attack behavior, while the blue subgraphs represent benign DNS resolution activity. The system call type: R=Read, W=Write, O=Open, C=Clone, E=Execute, S=Send, and Rc=Receive.
  • Figure 2: Overview of Sentient's Architecture.
  • Figure 3: Performance overhead of Sentient on the Cadets.
  • Figure 4: Ablation Study of PT and IAM Components on CADETS Dataset: Impact on Performance and Overhead.
  • Figure 5: Hyperparameter Impact on Performance.
  • ...and 1 more figures