APT-MCL: An Adaptive APT Detection System Based on Multi-View Collaborative Provenance Graph Learning
Mingqi Lv, Shanshan Zhang, Haiwen Liu, Tieming Chen, Tiantian Zhu
TL;DR
This paper tackles APT detection under label scarcity and cross-scenario diversity by leveraging provenance graphs and unsupervised node-level anomaly detection. It introduces APT-MCL, which uses two independent multi-view feature spaces (structural and behavioral) learned via GNNs and anomaly scores from iForest, followed by a collaborative co-training framework that iteratively refines detections with pseudo-labels. The key contributions are (i) multi-view feature design to cover diverse attack tactics, (ii) a collaborative learning framework that converts unsupervised sub-models into semi-supervised learners, and (iii) extensive experiments showing improved cross-scenario generalization and robustness against label scarcity across three real-world datasets. The approach has practical impact for host-based provenance analytics, enabling scalable, data-efficient APT detection across varied campaigns with moderate computational overhead.
Abstract
Advanced persistent threats (APTs) are stealthy and multi-stage, making single-point defenses (e.g., malware- or traffic-based detectors) ill-suited to capture long-range and cross-entity attack semantics. Provenance-graph analysis has become a prominent approach for APT detection. However, its practical deployment is hampered by (i) the scarcity of APT samples, (ii) the cost and difficulty of fine-grained APT sample labeling, and (iii) the diversity of attack tactics and techniques. Aiming at these problems, this paper proposes APT-MCL, an intelligent APT detection system based on Multi-view Collaborative provenance graph Learning. It adopts an unsupervised learning strategy to discover APT attacks at the node level via anomaly detection. After that, it creates multiple anomaly detection sub-models based on multi-view features and integrates them within a collaborative learning framework to adapt to diverse attack scenarios. Extensive experiments on three real-world APT datasets validate the approach: (i) multi-view features improve cross-scenario generalization, and (ii) co-training substantially boosts node-level detection under label scarcity, enabling practical deployment on diverse attack scenarios.
