An APT Attack Detection Method on Provenance Graphs Based on Sequence Feature Extraction

Ruozhou Liang, Yue Gao, Xibin Zhao
2021 Scientia Sinica Informationis  
Advanced persistent threats (APTs) in real scenes, especially industrial ones, are complex and long-term, but current methods cannot effectively extract the long-term relationships within an attack. An attack detection method based on provenance graphs, called SeqNet, is proposed. SeqNet uses sequence feature extraction to detect APT attacks. In SeqNet, the provenance graph sequence describing the running state of the system is first transformed into a feature sequence; then a GRU (Gated Recurrent Unit) model is used to extract the features of the system. An encoder-decoder model with a local attention mechanism is used to train the GRU model. Finally, the K-means clustering method is used to model the normal behavior of the system. In this paper, experiments are carried out on five public datasets, namely StreamSpot, wget, shellshock, ClearScope, and CADETS, and the results are compared with state-of-the-art methods. The proposed method achieves similar or better results on all five datasets. Experimental results show that it can detect real-life APT scenarios.
doi:10.1360/ssi-2021-0252 fatcat:ul32s4muj5emraa3kh6prb3iay
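As an added illustration (not the paper's code, which is not on this page), the following Python sketch covers the first and last stages of the SeqNet pipeline described in the abstract: turning a sequence of provenance-graph snapshots into a feature sequence, then modelling normal behaviour with K-means so that a snapshot far from every benign cluster is flagged. The GRU encoder-decoder stage is replaced by hand-crafted relation-frequency features, and the edge format, the sample snapshots and the threshold margin are constructed assumptions.

```python
from collections import Counter
from math import sqrt

# Relation types counted per snapshot (assumed feature design, stands in for the GRU encoder).
EDGE_TYPES = ("read", "write", "exec", "connect")

def snapshot_features(edges):
    """Relation-type frequencies of one snapshot's (subject, relation, object) edges."""
    counts = Counter(rel for _, rel, _ in edges)
    total = max(1, sum(counts.values()))
    return [counts[t] / total for t in EDGE_TYPES]

def dist(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def kmeans(vectors, k, iters=20):
    """Lloyd's k-means with deterministic farthest-point seeding; returns the centroids."""
    centroids = [list(vectors[0])]
    while len(centroids) < k:
        centroids.append(list(max(vectors, key=lambda v: min(dist(v, c) for c in centroids))))
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for v in vectors:
            groups[min(range(k), key=lambda i: dist(v, centroids[i]))].append(v)
        centroids = [[sum(x) / len(g) for x in zip(*g)] if g else c for g, c in zip(groups, centroids)]
    return centroids

def fit_normal_model(normal_snapshots, k=2, margin=1.5):
    """Normal-behaviour model: benign centroids plus a distance threshold (largest training distance times a margin)."""
    vectors = [snapshot_features(s) for s in normal_snapshots]
    centroids = kmeans(vectors, k)
    threshold = margin * max(min(dist(v, c) for c in centroids) for v in vectors)
    return centroids, threshold

def is_anomalous(snapshot, centroids, threshold):
    v = snapshot_features(snapshot)
    return min(dist(v, c) for c in centroids) > threshold

# Constructed benign snapshots: a web server reading content, writing logs and querying a database.
NORMAL = [
    [("httpd", "read", "index.html"), ("httpd", "read", "style.css"), ("httpd", "write", "access.log")],
    [("httpd", "read", "index.html"), ("httpd", "write", "access.log"), ("httpd", "read", "app.py")],
    [("httpd", "read", "logo.png"), ("httpd", "write", "access.log"), ("httpd", "write", "error.log")],
    [("httpd", "read", "index.html"), ("httpd", "read", "app.py"), ("httpd", "connect", "10.0.0.5:3306")],
]
# Constructed suspicious snapshot: the server spawns a shell that downloads and writes a file.
SUSPECT = [("httpd", "exec", "/bin/sh"), ("sh", "exec", "/usr/bin/curl"),
           ("curl", "connect", "203.0.113.9:4444"), ("sh", "write", "/tmp/payload")]
```

Calling `fit_normal_model(NORMAL)` and then `is_anomalous(SUSPECT, centroids, threshold)` returns True, while a read/write-only window stays within the benign clusters.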