Advanced Persistent Threats (APTs) evolve through multiple stages, each exhibiting distinct temporal and structural behaviors. Accurate stage estimation is critical for enabling adaptive cyber defense. This paper presents StageFinder, a temporal-graph learning framework for multi-stage attack progression inference from fused host and network provenance data. Provenance graphs are encoded using a graph neural network to capture structural dependencies among processes, files, and connections, while a long short-term memory (LSTM) model learns temporal dynamics to estimate stage probabilities aligned with the MITRE ATT&CK framework. The model is pretrained on the DARPA OpTC dataset and fine-tuned on labeled DARPA Transparent Computing data. Experimental results demonstrate that StageFinder achieves a macro F1-score of 0.96 and reduces prediction volatility by 31% compared to state-of-the-art baselines (Cyberian, NetGuardian). These results highlight the effectiveness of fused provenance-temporal learning for accurate and stable APT stage inference.
@article{arxiv.2603.07560,
title = {Learning the APT Kill Chain: Temporal Reasoning over Provenance Data for Attack Stage Estimation},
author = {Trung V. Phan and Thomas Bauschert},
journal= {arXiv preprint arXiv:2603.07560},
year = {2026}
}
Comments
This paper has been accepted for publication in IEEE Global Communications Conference (GLOBECOM) 2026