Semantic-Aware Advanced Persistent Threat Detection Using Autoencoders on LLM-Encoded System Logs
Waleed Khan Mohammed, Zahirul Arief Irfan Bin Shahrul Anuar, Mousa Sufian Mousa Mitani, Hezerul Abdul Karim, Nouar AlDahoul
TL;DR
This work tackles the challenge of detecting stealthy APTs by moving beyond shallow statistical features to semantic representations of system logs using LLM-encoded descriptions. It introduces MPNet-AE, which converts provenance records into natural-language sentences, embeds them with all-mpnet-base-v2 into high-dimensional semantic vectors, and uses an autoencoder trained on benign data to identify anomalies via reconstruction error. Evaluations on the DARPA Transparent Computing datasets show MPNet-AE outperforming unsupervised baselines such as IForest, OC-SVM, and PCA across multiple contexts, demonstrating robust detection of non-linear, low-frequency attack patterns. The results underscore the value of semantic understanding for APT detection and point to practical deployment opportunities with further work on log-specific fine-tuning, temporal/graph modeling, online learning, and explainability.
Abstract
Advanced Persistent Threats (APTs) are among the most challenging cyberattacks to detect. They are carried out by highly skilled attackers who carefully study their targets and operate in a stealthy, long-term manner. Because APTs exhibit "low-and-slow" behavior, traditional statistical methods and shallow machine learning techniques often fail to detect them. Previous research on APT detection has explored machine learning approaches and provenance graph analysis. However, provenance-based methods often fail to capture the semantic intent behind system activities. This paper proposes a novel anomaly detection approach that leverages semantic embeddings generated by Large Language Models (LLMs). The method enhances APT detection by extracting meaningful semantic representations from unstructured system log data. First, raw system logs are transformed into high-dimensional semantic embeddings using a pre-trained transformer model. These embeddings are then analyzed using an Autoencoder (AE) to identify anomalous and potentially malicious patterns. The proposed method is evaluated using the DARPA Transparent Computing (TC) dataset, which contains realistic APT attack scenarios generated by red teams in live environments. Experimental results show that the AE trained on LLM-derived embeddings outperforms widely used unsupervised baseline methods, including Isolation Forest (IForest), One-Class Support Vector Machine (OC-SVM), and Principal Component Analysis (PCA). Performance is measured using the Area Under the Receiver Operating Characteristic Curve (AUC-ROC), where the proposed approach consistently achieves superior results, even in complex threat scenarios. These findings highlight the importance of semantic understanding in detecting non-linear and stealthy attack behaviors that are often missed by conventional detection techniques.
