APTHunter and RT-APT: real-time detection of advanced persistent threats via host-network anomaly and provenance graph analysis
摘要
Advanced Persistent Threats (APTs) are among the most challenging categories of cyberattacks due to their stealthy, multi-stage progression and ability to blend into legitimate system activity. Real-time detection remains difficult, as individual signals captured from host or network telemetry often lack sufficient context to distinguish APT behavior from benign anomalies. This work presents a systematic and unified evaluation of two complementary detection frameworks—APTHunter, an anomaly-driven host–network detection model, and RT-APT, a provenance-based causal analysis engine. APTHunter applies statistical and machine learning-based anomaly scoring to identify early-stage deviations, whereas RT-APT constructs and analyzes system provenance graphs to uncover multi-hop causal patterns indicative of coordinated APT activity. Using a combination of public APT datasets and controlled attack simulations, we assess each framework across different APT kill-chain phases, measuring precision, recall, false-positive rates, and detection latency. The results highlight the distinct strengths of each method APTHunter provides high-precision alerts during initial and lateral movement phases, while RT-APT offers deeper contextual explanations and improved tracing of complex attack paths. Overall, the findings demonstrate that host-network anomaly signals and provenance graphs offer complementary capabilities. The study motivates a layered hybrid detection strategy that integrates both approaches to enhance the robustness, explainability, and operational readiness of real-time APT defense systems.