Please wait a minute...
Journal of ZheJiang University (Engineering Science)  2026, Vol. 60 Issue (8): 1749-1759    DOI: 10.3785/j.issn.1008-973X.2026.08.014
    
Graph-adversarial learning framework integrating log semantics for APT detection
Huixue LIU1(),Xinqian LIU1,*(),Shuai WANG1,Chuan ZHAO2,3,Jianguo DING4
1. School of Computer Science and Technology, Shandong University of Technology, Zibo 255000, China
2. School of Information Science and Engineer, University of Jinan, Jinan 250022, China
3. Shandong Key Laboratory of Ubiquitous Intelligent Computing, Jinan 250022, China
4. Zibo Public Security Traffic Management Service Center, Zibo 255000, China
Download: HTML     PDF(899KB) HTML
Export: BibTeX | EndNote (RIS)      

Abstract  

Advanced persistent threats (APTs) pose significant challenges to the security detection of large-scale multi-host systems. To address these challenges, a novel detection framework named GE-APT was proposed. First, critical log information and features were extracted, and semantic representations were obtained using the Sentence-BERT model. A self-supervised autoencoder was then employed to compress and refine these high-dimensional semantic features. Subsequently, a system provenance graph was constructed based on system entities and their interactions, with semantic edge features introduced to enhance the expressive power of the graph structure. To model the distribution of normal behavioral patterns at the node level, an improved generative adversarial network was adopted for adversarial learning, while the discriminator was designed using a graph attention mechanism to effectively identify anomalous activities. Finally, GE-APT achieved precision rates of 90.91% and 86.86% on datasets DARPA TC and OpTC, respectively, and outperformed existing typical detection methods in accuracy, recall, F1-score, and other metrics. These results validate the effectiveness of the proposed framework in detecting anomalous behaviors associated with APT attacks.



Key wordsnetwork security      intrusion detection      advanced persistent threat (APT) detection      graph neural network      adversarial learning     
Received: 21 July 2025      Published: 16 July 2026
CLC:  TP 399  
  TP 309  
Fund:  山东省泛在智能计算重点实验室开放基金资助.
Corresponding Authors: Xinqian LIU     E-mail: 1281310712@qq.com;lxq@sdut.edu.cn
Cite this article:

Huixue LIU,Xinqian LIU,Shuai WANG,Chuan ZHAO,Jianguo DING. Graph-adversarial learning framework integrating log semantics for APT detection. Journal of ZheJiang University (Engineering Science), 2026, 60(8): 1749-1759.

URL:

https://www.zjujournals.com/eng/10.3785/j.issn.1008-973X.2026.08.014     OR     https://www.zjujournals.com/eng/Y2026/V60/I8/1749


融合日志语义与图对抗学习的APT检测框架

高级持续性威胁(APT)给大规模多主机系统的安全检测带来严峻挑战,为此提出名为GE-APT的新型检测框架. 提取关键日志信息与特征,利用Sentence-BERT模型获取语义特征,通过自监督自编码器降维压缩. 基于系统实体及其交互构建系统溯源图,引入语义边特征以增强图结构表达能力. 为了在节点级别建模正常实体行为特征分布,引入改进的生成对抗网络进行对抗学习,以图注意力机制构建判别器以识别异常行为. GE-APT在数据集DARPA TC和OpTC上的精确率分别为90.91%和86.86%,在准确率、召回率和F1值等评估指标上亦优于现有典型检测方法. 实验结果验证了所提框架在APT攻击异常行为检测方面的有效性.


关键词: 网络安全,  入侵检测,  高级持续性威胁(APT)检测,  图神经网络,  对抗学习 
Fig.1 Attackcase provenance graph
Fig.2 Architecture of graph-adversarial learning framework integrating log semantics for APT detection
序号关键字序号关键字
1Action15Parent_image_path
2Commend_line16Path
3Dest_ip17Principal
4Dest_port18Requesting_domain
5Direction19Requesting_logon_id
6File_path20Requesting_user
7Image_path21Sid
8Info_class22Task_name
9Key23Type
1014protocol24User
11Logon_id25User_name
12Module_path26Value
13New_path27Start_time
14Object28End_time
Tab.1 Keywords retained in this study
Fig.3 Schematic of autoencoder architecture
Fig.4 Training process of improved adversarial learning model
数据子集日志数边数节点数
训练集113 750 000113 750 0008 620 780
测试集8 999 6948 999 6941 334 377
Tab.2 OpTC subset partition details
数据子集运行系统异常节点数边数量
CADETSFreeBSD12 8528 663 569
TRACEUbuntu67 38322 161 538
Tab.3 Basic information of DARPA TC subset
测试集日志数边数节点数良性节点个数异常节点个数
全集899969489996941334377131179922578
分集1171958817195882531272496703457
分集2110228211022821662941625233771
分集367580675801406513509556
分集41257704125770419442118127113150
分集5200230020023003110553075863469
分集6185581118558112766152753761239
分集7994429994429155962155163799
Tab.4 Statistics of OpTC test set
测试集PRF1FPR
全集86.8693.2589.940.28
分集192.5787.9790.210.09
分集293.8892.0092.930.10
分集394.8996.9495.910.21
分集482.2496.6188.911.50
分集593.6887.6690.570.06
分集696.9589.7593.210.01
分集781.7293.9987.430.10
Tab.5 Evaluation results of proposed framework on different OpTC test sets %
数据集AccPRF1FPR
CADETS99.80690.9198.4294.520.18
TRACE99.80085.2698.8791.560.15
Tab.6 Evaluation results of proposed framework on DARPA TC dataset %
模型AccPF1RFPR
182.048.0914.6980.221.19
280.946.5211.8766.5918.78
380.647.2613.2776.8719.29
499.6086.8689.9493.250.28
Tab.7 Module ablation experiment results %
模型AccPF1RFPR
GCN90.01524.782.79.57
GAT96.93547.071.92.63
EGAT(K=1)99.48685.986.50.30
EGAT(K=2)99.69089.993.00.28
Tab.8 Discriminator control experiment results %
方法CADETS子集TRACE子集
PRF1FPRPRF1FPR
GE-APT90.9198.4294.520.1885.2698.8791.560.15
文献[41]88.0099.0093.5067.0099.0080.00
THREATRACE90.0099.0083.000.2072.0099.0083.000.20
Tab.9 Performance comparison of different detection methods on DARPA TC dataset %
方法检测级别数据集AccPRF1TPRFPR
MEGR-APT[38]OpTC(51/201/501/358)93.0100.075.085.075.00.0
LogShield[39]日志OpTC(201~204号主机)91.081.069.075.069.08.6
GE-APT节点OpTC(201~204号主机)99.686.993.389.993.30.3
OC-DHetGNN[40]节点Private96.3
Tab.10 Performance comparison of different detection methods on OpTC dataset %
[1]   奇安信. 全球高级持续性威胁(APT)2023年度报告[R/OL].(2024-02-02)[2025-09-25]. https://www.qianxin.com/threat/reportdetail?report_id=310.
[2]   WENG Z, ZHANG W, ZHU T, et al RT-APT: a real-time APT anomaly detection method for large-scale provenance graph[J]. Journal of Network and Computer Applications, 2025, 233: 104036
doi: 10.1016/j.jnca.2024.104036
[3]   ZIPPERLE M, GOTTWALT F, CHANG E, et al Provenance-based intrusion detection systems: a survey[J]. ACM Computing Surveys, 2023, 55 (7): 1- 36
[4]   HUANG S, LIU Y, FUNG C, et al HitAnomaly: hierarchical transformers for anomaly detection in system log[J]. IEEE Transactions on Network and Service Management, 2020, 17 (4): 2064- 2076
doi: 10.1109/TNSM.2020.3034647
[5]   INAM M A, CHEN Y, GOYAL A, et al. SoK: history is a vast early warning system: auditing the provenance of system intrusions [C]// Proceedings of the IEEE Symposium on Security and Privacy. San Francisco: IEEE, 2023: 2620–2638.
[6]   XU L, ZHAO Z, ZHAO D, et al AJSAGE: a intrusion detection scheme based on jump-knowledge connection to GraphSAGE[J]. Computers and Security, 2025, 150: 104263
doi: 10.1016/j.cose.2024.104263
[7]   XU B, GONG Y, GENG X, et al ProcSAGE: an efficient host threat detection method based on graph representation learning[J]. Cybersecurity, 2024, 7 (1): 51
doi: 10.1186/s42400-024-00240-w
[8]   WANG S, WANG Z, ZHOU T, et al THREATRACE: detecting and tracing host-based threats in node level through provenance graph learning[J]. IEEE Transactions on Information Forensics and Security, 2022, 17: 3972- 3987
doi: 10.1109/TIFS.2022.3208815
[9]   李元诚, 罗昊, 王欣煜, 等 基于溯源图和注意力机制的APT攻击检测模型构建[J]. 通信学报, 2024, 45 (3): 117- 130
LI Yuancheng, LUO Hao, WANG Xinyu, et al Construction of advanced persistent threat attack detection model based on provenance graph and attention mechanism[J]. Journal on Communications, 2024, 45 (3): 117- 130
[10]   REIMERS N, GUREVYCH I. Sentence-BERT: sentence embeddings using Siamese BERT-networks [C]// Proceedings of the 2019 Conference on Empirical Methods in Natural Language Processing and the 9th International Joint Conference on Natural Language Processing (EMNLP-IJCNLP). Hong Kong: Association for Computational Linguistics, 2019: 3982–3992.
[11]   ORTAKCI Y, BORHAN B Optimizing SBERT for long text clustering: two novel approaches with empirical insights[J]. The Journal of Supercomputing, 2025, 81 (8): 950
doi: 10.1007/s11227-025-07414-4
[12]   SARIOGLU M, SARIYER G, SOZEN M E LLM-based embeddings for clustering and predicting integrated reporting quality levels of companies[J]. Discover Computing, 2025, 28 (1): 95
doi: 10.1007/s10791-025-09590-6
[13]   HE X, FANG A, YU D. Multilingual topic evolution and comparative analysis for electronic commerce research: a combination of BERTopic and SBERT [J]. Journal of Intelligent and Fuzzy Systems, 2024: 1–22.
[14]   NIE Y Automated essay scoring with SBERT embeddings and LSTM-Attention networks[J]. PeerJ Computer Science, 2025, 11: e2634
doi: 10.7717/peerj-cs.2634
[15]   LIU W, LI J, CHEN S GSRDR-GAN: global search result diversification ranking approach based on multi-head self-attention and GAN[J]. Neurocomputing, 2025, 648: 130723
doi: 10.1016/j.neucom.2025.130723
[16]   MAHBUB S, BAYZID M S EGRET: edge aggregated graph attention networks and transfer learning improve protein–protein interaction site prediction[J]. Briefings in Bioinformatics, 2022, 23 (2): bbab578
doi: 10.1093/bib/bbab578
[17]   HOSSAIN M N, NAHID M, MILAJERDI S, et al. Real-time attack scenario reconstruction from audit data [C]// 26th USENIX Security Symposium. Berkeley: USENIX Association, 2017: 487–504.
[18]   HOSSAIN M N, SHEIKHI S, SEKAR R. Combating dependence explosion in forensic analysis using alternative tag propagation semantics [C]// Proceedings of the IEEE Symposium on Security and Privacy. San Francisco: IEEE, 2020: 1139–1155.
[19]   HOSSAIN M N, WANG, J N, SEKAR R, et al. Dependence-preserving data compaction for scalable forensic analysis [C]// 27th USENIX Security Symposium. Berkeley: USENIX Association, 2018: 1723–1740.
[20]   ANJUM M M, IQBAL S, HAMELIN B. ANUBIS: a provenance graph-based framework for advanced persistent threat detection [C]// Proceedings of the 37th ACM/SIGAPP Symposium on Applied Computing. [S.l.]: ACM, 2022: 1684–1693.
[21]   LEE J S, FAN Y Y, CHENG C H, et al ML-based intrusion detection system for precise APT cyber-clustering[J]. Computers and Security, 2025, 149: 104209
doi: 10.1016/j.cose.2024.104209
[22]   ALSAHEEL A, NAN Y H, MA S Q, et al. A sequence-based learning approach for attack investigation [C]// 30th USENIX Security Symposium. Berkeley: USENIX Security, 2021: 3005–3022.
[23]   KAPOOR M, MELTON J, RIDENHOUR M, et al. PROV-GEM: automated provenance analysis framework using graph embeddings [C]// Proceedings of the 20th IEEE International Conference on Machine Learning and Applications. Pasadena: IEEE, 2022: 1720–1727.
[24]   LI Z, CHENG X, SUN L, et al A hierarchical approach for advanced persistent threat detection with attention-based graph neural networks[J]. Security and Communication Networks, 2021, 2021: 9961342
[25]   ZENGY J, WANG X, LIU J, et al. SHADEWATCHER: recommendation-guided cyber threat analysis using system audit records [C]// Proceedings of the IEEE Symposium on Security and Privacy. San Francisco: IEEE, 2022: 489–506.
[26]   JIN J, ZHU T, YUAN Q, et al PDCleaner: a multi-view collaborative data compression method for provenance graph-based APT detection systems[J]. Computers and Security, 2025, 152: 104359
doi: 10.1016/j.cose.2025.104359
[27]   王郅伟, 何睎杰, 易鑫, 等 基于APT活动全生命周期的攻击与检测综述[J]. 通信学报, 2024, 45 (9): 206- 228
WANG Zhiwei, HE Xijie, YI Xin, et al Survey of attack and detection based on the full life cycle of APT[J]. Journal on Communications, 2024, 45 (9): 206- 228
[28]   HOSSAIN M N, MILAJERDI S M, WANG J, et al. SLEUTH: real-time attack scenario reconstruction from COTS audit data [EB/OL]. (2018–01–06)[2025–09–25]. https://arxiv.org/pdf/1801.02062.
[29]   MILAJERDI S M, ESHETE B, GJOMEMO R, et al. POIROT: aligning attack behavior with kernel audit records for cyber threat hunting [C]// Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. London: ACM, 2019: 1795–1812.
[30]   SATVAT K, GJOMEMO R, VENKATAKRISHNAN V N. Extractor: extracting attack behavior from threat reports [C]// Proceedings of the IEEE European Symposium on Security and Privacy. Vienna: IEEE, 2021: 598–615.
[31]   FORREST S, HOFMEYR S A, SOMAYAJI A, et al. A sense of self for Unix processes [C]// Proceedings 1996 IEEE Symposium on Security and Privacy. Oakland: IEEE, 2002: 120–128.
[32]   MANZOOR E, MILAJERDI S M, AKOGLU L. Fast memory-efficient anomaly detection in streaming heterogeneous graphs [C]// Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. San Francisco: ACM, 2016: 1035–1044.
[33]   HAN X, PASQUIER T, BATES A, et al. Unicorn: runtime provenance-based detector for advanced persistent threats [C]// Proceedings 2020 Network and Distributed System Security Symposium. San Diego: Internet Society, 2020: 1–15.
[34]   JIA Z, XIONG Y, NAN Y, et al. MAGIC: detecting advanced persistent threats via masked graph representation learning [EB/OL]. (2023–10–15)[2025–09–25]. https://arxiv.org/pdf/2310.09831.
[35]   ANJUM M M, IQBAL S, HAMELIN B. Analyzing the usefulness of the DARPA OpTC dataset in cyber threat detection research [C]// Proceedings of the 26th ACM Symposium on Access Control Models and Technologies. [S.l.]: ACM, 2021: 27–32.
[36]   FIVEDIRECTIONS. OpTC-data [EB/OL]. [2025–09–26]. https://github.com/FiveDirections/OpTC-data/blob/master/ecar.md.
[37]   ZIPPERLE M, ZHANG Y, CHANG E, et al PARGMF: a provenance-enabled automated rule generation and matching framework with multi-level attack description model[J]. Journal of Information Security and Applications, 2024, 81: 103682
doi: 10.1016/j.jisa.2023.103682
[38]   ALY A, IQBAL S, YOUSSEF A, et al MEGR-APT: a memory-efficient APT hunting system based on attack representation learning[J]. IEEE Transactions on Information Forensics and Security, 2024, 19: 5257- 5271
doi: 10.1109/TIFS.2024.3396390
[39]   AFNAN S, SADIA M, IQBAL S, et al. LogShield: a transformer-based APT detection system leveraging self-attention [EB/OL]. (2023–11–09)[2025–09–25]. https://arxiv.org/pdf/2311.05733.
[40]   HUANG Z, GU Y, ZHAO Q. One-class directed heterogeneous graph neural network for intrusion detection [C]// Proceedings of the 2022 the 6th International Conference on Innovation in Artificial Intelligence. Guangzhou: ACM, 2022: 178–184.
[41]   罗汉新, 王金双, 伍文昌 基于溯源图节点级别的APT检测[J]. 网络安全与数据治理, 2022, 41 (10): 49- 55
LUO Hanxin, WANG Jinshuang, WU Wenchang Detecting advanced persistent threats through provenance graph in node level[J]. Cyber Security and Data Governance, 2022, 41 (10): 49- 55
[1] Yebo FAN,Yicheng LI,Yong LIU,Wei ZHANG. Efficient attack model targeting GNN-based rumor detectors[J]. Journal of ZheJiang University (Engineering Science), 2026, 60(8): 1739-1748.
[2] Wenjun ZHENG,Zhikun LI,Shoufei HAN. Aspect-based sentiment analysis via knowledge-enhanced graph Transformer[J]. Journal of ZheJiang University (Engineering Science), 2026, 60(6): 1269-1276.
[3] Wenqiang CHEN,Linyue FENG,Dongdan WANG,Yulei GU,Xuan ZHAO. Vehicle trajectory prediction model integrating dynamic risk map and multivariate attention mechanism[J]. Journal of ZheJiang University (Engineering Science), 2026, 60(3): 455-467.
[4] Zhihui LI,Kun DENG,Congyuan XU. Method for detecting unknown IoT attack based on relational embedding[J]. Journal of ZheJiang University (Engineering Science), 2026, 60(3): 624-632.
[5] Yanle WANG,Ruifeng ZHANG,Qiang LI. Graph neural network recommendation model integrating global information and contrastive learning[J]. Journal of ZheJiang University (Engineering Science), 2026, 60(2): 351-359.
[6] Lihong WANG,Xinqian LIU,Jing LI,Zhiquan FENG. Network intrusion detection method based on federated learning and spatiotemporal feature fusion[J]. Journal of ZheJiang University (Engineering Science), 2025, 59(6): 1201-1210.
[7] Lizhou FENG,Zhichun BAI,Youwei WANG. Dual-channel E-commerce fraud detection method integrating user behavior and review relationships[J]. Journal of ZheJiang University (Engineering Science), 2025, 59(10): 2164-2174.
[8] Yidan LIU,Xiaofei ZHU,Yabo YIN. Heterogeneous graph convolutional neural network for argument pair extraction[J]. Journal of ZheJiang University (Engineering Science), 2024, 58(5): 900-907.
[9] Xinhua YAO,Tao YU,Senwen FENG,Zijian MA,Congcong LUAN,Hongyao SHEN. Recognition method of parts machining features based on graph neural network[J]. Journal of ZheJiang University (Engineering Science), 2024, 58(2): 349-359.
[10] Han ZHANG. Graph neural network model for multivariate time series forecasting[J]. Journal of ZheJiang University (Engineering Science), 2024, 58(12): 2500-2509.
[11] Zechao MA,Xiaoming LIU,Hanqing XIA,Weiqiang WANG,Jiuzeng WANG,Haitao SHEN. Pavement distress situation prediction method based on graph neural network[J]. Journal of ZheJiang University (Engineering Science), 2024, 58(12): 2596-2608.
[12] Qing-song ZHOU,Xiao-dong CAI,Jia-liang LIU. Personalized recommendation algorithm combining social influence and long short-term preference[J]. Journal of ZheJiang University (Engineering Science), 2023, 57(3): 495-502.
[13] Ju-xiang ZENG,Ping-hui WANG,Yi-dong DING,Lin LAN,Lin-xi CAI,Xiao-hong GUAN. Graph neural network based node embedding enhancement model for node classification[J]. Journal of ZheJiang University (Engineering Science), 2023, 57(2): 219-225.
[14] Jing-jing ZHANG,Zhao-gong ZHANG,Xin XU. Graph convolution collaborative filtering model combining graph enhancement and sampling strategies[J]. Journal of ZheJiang University (Engineering Science), 2023, 57(2): 243-251.
[15] Tian-qi ZHOU,Yan YANG,Ji-jie ZHANG,Shao-wei YIN,Zeng-qiang GUO. Graph contrastive learning based on negative-sample-free loss and adaptive augmentation[J]. Journal of ZheJiang University (Engineering Science), 2023, 57(2): 259-266.