English

Learning the APT Kill Chain: Temporal Reasoning over Provenance Data for Attack Stage Estimation

Cryptography and Security 2026-05-06 v2 Networking and Internet Architecture

Abstract

Advanced Persistent Threats (APTs) evolve through multiple stages, each exhibiting distinct temporal and structural behaviors. Accurate stage estimation is critical for enabling adaptive cyber defense. This paper presents StageFinder, a temporal-graph learning framework for multi-stage attack progression inference from fused host and network provenance data. Provenance graphs are encoded using a graph neural network to capture structural dependencies among processes, files, and connections, while a long short-term memory (LSTM) model learns temporal dynamics to estimate stage probabilities aligned with the MITRE ATT&CK framework. The model is pretrained on the DARPA OpTC dataset and fine-tuned on labeled DARPA Transparent Computing data. Experimental results demonstrate that StageFinder achieves a macro F1-score of 0.96 and reduces prediction volatility by 31% compared to state-of-the-art baselines (Cyberian, NetGuardian). These results highlight the effectiveness of fused provenance-temporal learning for accurate and stable APT stage inference.

Keywords

Cite

@article{arxiv.2603.07560,
  title  = {Learning the APT Kill Chain: Temporal Reasoning over Provenance Data for Attack Stage Estimation},
  author = {Trung V. Phan and Thomas Bauschert},
  journal= {arXiv preprint arXiv:2603.07560},
  year   = {2026}
}

Comments

This paper has been accepted for publication in IEEE Global Communications Conference (GLOBECOM) 2026

R2 v1 2026-07-01T11:09:03.257Z