Advanced Persistent Threats (APTs) are challenging to detect due to their complexity and stealth. To mitigate such attacks, many approaches utilize provenance graphs to model entities and their dependencies, detecting the covert and persistent nature of APTs. However, existing methods face several challenges: 1) Environmental noise hinders precise detection; 2) Reliance on hard-to-obtain labeled data and prior knowledge of APTs limits their ability to detect unknown threats; 3) The difficulty in capturing long-range interaction dependencies, leading to the loss of critical context. We propose Sentient, a threat detection system based on behavioral intent analysis that detects node-level threats from audit logs. Sentient constructs a provenance graph from the audit logs and uses this graph to build multiple scenarios. By combining graph comprehension with multiple scenario comprehension, Sentient learns normal interaction behaviors. Sentient detects anomalies by identifying interactions that deviate from the established behavior patterns. We evaluated Sentient on three widely used datasets covering both real-world and simulated attacks. The results confirm that Sentient consistently delivers strong detection performance. Notably, Sentient achieves entity-level APT detection with a precision of 96% and a recall of 99%.
View on arXiv@article{yan2025_2502.06521,
title={ Sentient: Multi-Scenario Behavioral Intent Analysis for Advanced Persistent Threat Detection },
author={ Wenhao Yan and Ning An and Wei Qiao and Weiheng Wu and Bo Jiang and Yuling Liu and Zhigang Lu and Junrong Liu },
journal={arXiv preprint arXiv:2502.06521},
year={ 2025 }
}