StageFinder, a novel temporal graph learning framework, is introduced to estimate the stage of Advanced Persistent Threat (APT) attacks by fusing host and network provenance data. The framework uses a graph neural network to encode structural dependencies within provenance graphs and an LSTM model to learn temporal dynamics. Pretraining on the DARPA OpTC dataset and fine-tuning on DARPA Transparent Computing data allows StageFinder to achieve a macro F1-score of 0.96, demonstrating improved accuracy and stability in APT stage inference compared to existing methods.
Fusing graph neural networks and LSTMs over host and network provenance data yields more accurate APT stage estimates with 31% lower prediction volatility than existing methods.
Advanced Persistent Threats (APTs) evolve through multiple stages, each exhibiting distinct temporal and structural behaviors. Accurate stage estimation is critical for enabling adaptive cyber defense. This paper presents StageFinder, a temporal graph learning framework for multi-stage attack progression inference from fused host and network provenance data. Provenance graphs are encoded using a graph neural network to capture structural dependencies among processes, files, and connections, while a long short-term memory (LSTM) model learns temporal dynamics to estimate stage probabilities aligned with the MITRE ATT&CK framework. The model is pretrained on the DARPA OpTC dataset and fine-tuned on labeled DARPA Transparent Computing data. Experimental results demonstrate that StageFinder achieves a macro F1-score of 0.96 and reduces prediction volatility by 31 percent compared to state-of-the-art baselines (Cyberian, NetGuardian). These results highlight the effectiveness of fused provenance and temporal learning for accurate and stable APT stage inference.