English

APT-MCL: An Adaptive APT Detection System Based on Multi-View Collaborative Provenance Graph Learning

Cryptography and Security 2026-01-14 v1

Abstract

Advanced persistent threats (APTs) are stealthy and multi-stage, making single-point defenses (e.g., malware- or traffic-based detectors) ill-suited to capture long-range and cross-entity attack semantics. Provenance-graph analysis has become a prominent approach for APT detection. However, its practical deployment is hampered by (i) the scarcity of APT samples, (ii) the cost and difficulty of fine-grained APT sample labeling, and (iii) the diversity of attack tactics and techniques. Aiming at these problems, this paper proposes APT-MCL, an intelligent APT detection system based on Multi-view Collaborative provenance graph Learning. It adopts an unsupervised learning strategy to discover APT attacks at the node level via anomaly detection. After that, it creates multiple anomaly detection sub-models based on multi-view features and integrates them within a collaborative learning framework to adapt to diverse attack scenarios. Extensive experiments on three real-world APT datasets validate the approach: (i) multi-view features improve cross-scenario generalization, and (ii) co-training substantially boosts node-level detection under label scarcity, enabling practical deployment on diverse attack scenarios.

Keywords

Cite

@article{arxiv.2601.08328,
  title  = {APT-MCL: An Adaptive APT Detection System Based on Multi-View Collaborative Provenance Graph Learning},
  author = {Mingqi Lv and Shanshan Zhang and Haiwen Liu and Tieming Chen and Tiantian Zhu},
  journal= {arXiv preprint arXiv:2601.08328},
  year   = {2026}
}
R2 v1 2026-07-01T09:02:23.487Z