RAPID: Robust APT detection and investigation using context-aware deep learning
Authors: Yonatan Amaru, Prasanna N. Wudali, Yuval Elovici, Asaf Shabtai
Journal: Computer Networks, volume 273, article 111744 (published 2025-10-02; JCR Q1, Computer Science, Hardware & Architecture; impact factor 4.6)
DOI: 10.1016/j.comnet.2025.111744
URL: https://www.sciencedirect.com/science/article/pii/S1389128625007108
Advanced persistent threats (APTs) pose a critical cybersecurity challenge, enabling attackers to maintain long-term unauthorized access while evading detection. Current APT detection approaches struggle with three key limitations: high false positive rates that lead to alert fatigue, poor adaptability to evolving system behaviors, and the inability to provide actionable investigation context. We present RAPID, a novel deep learning framework that addresses these challenges through context-aware anomaly detection and intelligent alert tracing. RAPID's key innovation lies in its dual-phase architecture: first, it employs self-supervised sequence learning with iteratively updated embeddings to capture dynamic system behavior patterns; second, it leverages these embeddings to reconstruct precise attack narratives through provenance graph analysis. Our comprehensive evaluation across five diverse real-world datasets demonstrates RAPID's effectiveness, achieving up to 74% precision with near-perfect recall while using only 30% of the data for training, substantially outperforming state-of-the-art methods that require 80% training data to achieve similar performance levels. The framework automatically generates detailed attack narratives that enable efficient incident response, significantly outperforming existing approaches in both detection accuracy and alert investigation precision.
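The abstract's second phase, "reconstructing attack narratives through provenance graph analysis", is easier to picture with a concrete walk over a provenance graph. The following is an added example written for this page; it is not RAPID's code and does not reproduce the paper's algorithm. It shows the generic technique behind alert tracing: take one high-scoring event, follow information flow backward in time to find what caused it and forward to find what it led to, and print the selected events in order as a narrative. The `Event` type, the `flows`/`trace`/`narrative` functions, the sample events and their anomaly scores (which a detector such as the one the paper describes would produce) are all constructed for the illustration; the `min_score` parameter is an assumed pruning knob, not a parameter of RAPID.

```python
"""Added illustration of alert tracing over a provenance graph.

Not RAPID's code: a generic backward/forward causal walk from one alert,
with per-event anomaly scores constructed by hand for the example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # logical timestamp
    src: str       # acting subject, typically a process
    op: str        # read | write | exec | connect
    dst: str       # object acted on: file, socket or spawned process
    score: float   # per-event anomaly score from an upstream detector (constructed)


# Constructed sample provenance events: a document-borne intrusion plus
# unrelated background activity that must stay out of the narrative.
EVENTS = [
    Event(1, "proc:outlook", "write", "file:/tmp/invoice.docm", 0.05),
    Event(2, "proc:winword", "read", "file:/tmp/invoice.docm", 0.10),
    Event(3, "proc:winword", "exec", "proc:powershell", 0.85),
    Event(4, "proc:powershell", "connect", "sock:203.0.113.7:443", 0.92),
    Event(5, "proc:powershell", "write", "file:/tmp/.cache/upd.bin", 0.70),
    Event(6, "proc:powershell", "exec", "proc:upd", 0.88),
    Event(7, "proc:upd", "read", "file:/etc/passwd", 0.60),
    Event(8, "proc:upd", "connect", "sock:203.0.113.7:443", 0.80),
    Event(2, "proc:cron", "exec", "proc:logrotate", 0.02),
    Event(9, "proc:logrotate", "write", "file:/var/log/syslog.1", 0.01),
    Event(4, "proc:firefox", "connect", "sock:198.51.100.20:443", 0.15),
]


def flows(e):
    """Direction(s) of information flow an event induces, as (from, to) pairs."""
    if e.op == "read":
        return [(e.dst, e.src)]                   # file content flows into the reader
    if e.op in ("write", "exec"):
        return [(e.src, e.dst)]                   # writer/parent influences file/child
    if e.op == "connect":
        return [(e.src, e.dst), (e.dst, e.src)]   # a socket carries data both ways
    raise ValueError(f"unknown op {e.op}")


def trace(events, alert, min_score=0.0):
    """Return the set of events causally tied to `alert`.

    Backward phase: follow flows *into* a node through events no later than
    the time the node became relevant. Forward phase: follow flows *out of*
    a node through events no earlier than that time. `min_score` drops
    low-scoring events from the walk; 0.0 means pure causal reachability.
    """
    by_node = defaultdict(list)
    for e in events:
        by_node[e.src].append(e)
        by_node[e.dst].append(e)

    selected = {alert}

    def walk(backward):
        queue = deque((n, alert.ts) for n in (alert.src, alert.dst))
        seen = set()
        while queue:
            node, bound = queue.popleft()
            if (node, bound) in seen:
                continue
            seen.add((node, bound))
            for e in by_node[node]:
                if e.score < min_score:
                    continue
                if backward:
                    if e.ts > bound:
                        continue
                    # events whose flow ends at `node` explain how it became tainted
                    for a, b in flows(e):
                        if b == node:
                            selected.add(e)
                            queue.append((a, e.ts))
                else:
                    if e.ts < bound:
                        continue
                    # a tainted subject's own actions belong in the story even
                    # when they taint nothing new (e.g. reading a file)
                    if e.src == node:
                        selected.add(e)
                    for a, b in flows(e):
                        if a == node:
                            selected.add(e)
                            queue.append((b, e.ts))

    walk(backward=True)
    walk(backward=False)
    return selected


def narrative(selected):
    """Render selected events as a time-ordered, human-readable narrative."""
    ordered = sorted(selected, key=lambda e: (e.ts, e.src, e.dst))
    return [f"t={e.ts} {e.src} {e.op} {e.dst} (score {e.score:.2f})" for e in ordered]


if __name__ == "__main__":
    alert = max(EVENTS, key=lambda e: e.score)   # the detector's top alert
    for line in narrative(trace(EVENTS, alert)):
        print(line)
```

With `min_score=0.0` the walk returns the eight intrusion events, from the mail client writing the document to the second beacon, and none of the cron or browser activity, because they share no node with the alert. Raising `min_score` to 0.5 keeps the walk from crossing the low-scoring document write and read, so the narrative starts at the Office-to-PowerShell spawn and loses the initial-access step: the usual trade between suppressing dependence explosion and keeping the narrative complete, which is exactly why per-event scoring quality matters for investigation, not only for detection.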
Journal description:
Computer Networks is an international, archival journal providing a publication vehicle for complete coverage of all topics of interest to those involved in the computer communications networking area. The audience includes researchers, managers and operators of networks as well as designers and implementors. The Editorial Board will consider any material for publication that is of interest to those groups.