MAD: A Meta-Learning Approach to Detect Advanced Persistent Threats using Provenance Data in Industrial IoT

Published: 01 Jan 2024, Last Modified: 16 May 2025. ACSAC Workshops 2024. License: CC BY-SA 4.0
Abstract: The increasing reliance on Industrial Internet of Things (IIoT) systems in critical infrastructure has made these environments prime targets for stealthy, prolonged Advanced Persistent Threats (APTs) that evade traditional security systems. This study introduces MAD (Meta-learning based APT Detection), a framework for detecting APTs in IIoT environments by leveraging provenance data, which records system-level interactions in enough detail to capture subtle and persistent malicious behaviour. We evaluate MAD on the CICAPT-IIoT dataset, which simulates real-world APT scenarios and exhibits severe class imbalance owing to the "low and slow" nature of APT attacks. MAD has two variants: MAD v1, built on a multi-layer perceptron (MLP), and MAD v2, which employs Model-Agnostic Meta-Learning (MAML) to improve detection of rare attack behaviours. MAD v1 achieves an F1-score of 0.91 and outperforms the existing baselines. MAD v2 achieves an F1-score of 0.95, surpassing both the existing baselines and MAD v1, which demonstrates its enhanced capability to detect rare APT activity despite the dominance of benign samples. This work combines provenance-based detection with meta-learning to address class imbalance and strengthen APT detection in IIoT, demonstrating MAD's potential against emerging IIoT security challenges.
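The abstract reports F1-scores on a heavily imbalanced dataset and credits MAML with better detection of the rare APT class. The following is an added example, not MAD's own code or the authors' pipeline, that shows both points on constructed data: why F1 rather than accuracy is the honest metric when about 2% of events are APT, and how a MAML-style inner/outer loop trained on class-balanced episodes yields an initialisation that adapts to the rare class from a handful of examples. It assumes a tiny logistic-regression detector over four z-scored provenance-derived counts (a stand-in for real provenance features), uses first-order MAML (the second-order term is dropped), and draws every episode from one synthetic distribution; the abstract does not say how MAD forms its meta-learning tasks, so that construction is an assumption here.

```python
# Added example (not MAD's own code): first-order MAML meta-training of a tiny
# logistic-regression APT detector on constructed, provenance-style feature
# vectors, with class-balanced episodes to counter the benign/APT imbalance.
import math
import random

N_FEATURES = 4  # constructed: e.g. z-scored counts of file writes, net connects, child procs, privileged ops


def sigmoid(z):
    z = max(-500.0, min(500.0, z))  # avoid overflow once the classes are well separated
    return 1.0 / (1.0 + math.exp(-z))


def predict(w, b, x):
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)


def grad(w, b, batch):
    """Gradient of mean binary cross-entropy over a batch of (features, label)."""
    gw, gb = [0.0] * len(w), 0.0
    for x, y in batch:
        err = predict(w, b, x) - y
        for i, xi in enumerate(x):
            gw[i] += err * xi / len(batch)
        gb += err / len(batch)
    return gw, gb


def sgd_step(w, b, batch, lr):
    gw, gb = grad(w, b, batch)
    return [wi - lr * gi for wi, gi in zip(w, gw)], b - lr * gb


def adapt(w, b, support, inner_lr=0.5, inner_steps=3):
    """Inner loop: few-shot adaptation starting from the meta-learned initialisation."""
    for _ in range(inner_steps):
        w, b = sgd_step(w, b, support, inner_lr)
    return w, b


def make_samples(n, label, rng):
    """Constructed data: APT events sit at +1.5, benign at -1.5 on every z-scored feature."""
    mean = 1.5 if label == 1 else -1.5
    return [([rng.gauss(mean, 1.0) for _ in range(N_FEATURES)], label) for _ in range(n)]


def sample_task(benign, apt, k, rng):
    """Episode = k benign + k APT support pairs and the same for query: balanced by construction."""
    b, a = rng.sample(benign, 2 * k), rng.sample(apt, 2 * k)
    return b[:k] + a[:k], b[k:] + a[k:]


def fomaml_train(benign, apt, k=5, meta_iters=200, meta_lr=0.1, seed=0):
    """Outer loop (first-order MAML): move the initialisation along the query-set
    gradient evaluated at the adapted parameters; full MAML's second-order term is dropped."""
    rng = random.Random(seed)
    w, b = [0.0] * N_FEATURES, 0.0
    for _ in range(meta_iters):
        support, query = sample_task(benign, apt, k, rng)
        w_a, b_a = adapt(w, b, support)
        gw, gb = grad(w_a, b_a, query)
        w = [wi - meta_lr * gi for wi, gi in zip(w, gw)]
        b -= meta_lr * gb
    return w, b


def f1_score(y_true, y_pred):
    tp = sum(t == 1 and p == 1 for t, p in zip(y_true, y_pred))
    fp = sum(t == 0 and p == 1 for t, p in zip(y_true, y_pred))
    fn = sum(t == 1 and p == 0 for t, p in zip(y_true, y_pred))
    if tp == 0:
        return 0.0
    prec, rec = tp / (tp + fp), tp / (tp + fn)
    return 2 * prec * rec / (prec + rec)


def accuracy(y_true, y_pred):
    return sum(t == p for t, p in zip(y_true, y_pred)) / len(y_true)


def run_demo(seed=0):
    rng = random.Random(seed)
    train_benign, train_apt = make_samples(2000, 0, rng), make_samples(40, 1, rng)  # ~2% APT
    test = make_samples(1000, 0, rng) + make_samples(20, 1, rng)
    y_true = [y for _, y in test]

    # "Predict everything benign" scores ~98% accuracy and 0 F1: this is why F1 is the metric.
    all_benign = [0] * len(test)
    # Meta-learn an initialisation, then adapt it to a single 5-shot balanced support set.
    w0, b0 = fomaml_train(train_benign, train_apt, seed=seed)
    support, _ = sample_task(train_benign, train_apt, 5, rng)
    w, b = adapt(w0, b0, support)
    y_pred = [int(predict(w, b, x) >= 0.5) for x, _ in test]
    return {
        "acc_all_benign": accuracy(y_true, all_benign),
        "f1_all_benign": f1_score(y_true, all_benign),
        "f1_maml": f1_score(y_true, y_pred),
    }


if __name__ == "__main__":
    print(run_demo())
```

The balanced episode sampler is the part that actually addresses the imbalance: every inner-loop update sees as many APT examples as benign ones, so the learned initialisation is not pulled toward the majority class the way a model trained on the raw event stream would be. On real provenance data the test-time threshold still needs calibrating against the true base rate, since a boundary fitted on balanced support sets over-alerts when benign events outnumber APT events fifty to one.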
