APTGuard: An APT Detection Method Based on LLM and Time-Series Augmentation

Published: 01 Mar 2026, Last Modified: 11 Apr 2026
Venue: ICLR 2026 TSALM Workshop Poster
License: CC BY 4.0
Presentation Attendance: No, we cannot present in person
Keywords: Advanced Persistent Threat (APT); Time-Series Model; Large Language Model (LLM); Attack Chain Reasoning; Data Augmentation
Abstract: Advanced Persistent Threat (APT) attackers achieve their strategic goals through long-term latency and repeated attempts; their attacks progress in phases whose temporal characteristics are closely correlated. The APT detection task is essentially a time-series classification task whose core is to identify anomalous attack behaviors from device time-series data. However, in real APT detection scenarios, scarce samples, high concealment, long-term persistence, and multi-stage behaviors that require fine-grained classification of individual time slices make traditional models ineffective. To address these problems, this paper proposes APTGuard, an APT detection framework driven by time-series data augmentation and an LLM. Its core is an adaptive time-series data augmentation strategy that generates diverse data for training the classification models. To improve detection accuracy, the paper introduces an LLM for comprehensive evaluation: multiple downstream time-series classification models are trained on the augmented data to obtain fine-grained classification results for each time slice; the LLM's semantic reasoning ability is then used to correlate and analyze the per-slice results and reconstruct the attack chain, yielding an overall judgment of whether an APT attack is present. Experimental results show that this method achieves significant performance on downstream models such as ROCKET, TCN, and RNN, and has good practical deployment value.
Track: Research Track (max 4 pages)
Submission Number: 52