AI Summary
To address incomplete data coverage, high monitoring overhead, and elevated false-positive rates in security detection, this paper proposes FEAD, a focus-enhanced attack detection framework. FEAD introduces three key innovations: (1) an attack model-driven mechanism that extracts security-critical monitoring items from online attack reports, improving the capture of key events; (2) a task decomposition strategy that distributes monitoring work across existing collectors to keep overhead low; and (3) a lightweight anomaly analysis method that exploits the locality of malicious behaviour in provenance graphs, where the nodes and edges produced by an attack cluster together rather than scattering across the graph. Experimental evaluation shows that FEAD achieves an 8.23% improvement in F1-score over state-of-the-art approaches with only 5.4% monitoring overhead. The framework thus balances detection accuracy, runtime efficiency, and system scalability.
Abstract
Traditional security detection methods face three key challenges: inadequate data collection that misses critical security events, resource-intensive monitoring systems, and weak detection algorithms with high false-positive rates. We present FEAD (Focus-Enhanced Attack Detection), a framework that addresses these issues through three innovations: (1) an attack model-driven approach that extracts security-critical monitoring items from online attack reports for comprehensive coverage; (2) efficient task decomposition that optimally distributes monitoring across existing collectors to minimize overhead; and (3) locality-aware anomaly analysis that leverages the clustering behaviour of malicious activities in provenance graphs to improve detection accuracy. Evaluations demonstrate that FEAD achieves an 8.23% higher F1-score than existing solutions with only 5.4% overhead, confirming that focus-based designs significantly enhance detection performance.
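The third innovation rests on one observation: the provenance-graph footprint of an attack (the processes it spawns, the files it drops, the sockets it opens) forms a connected cluster, whereas a benign one-off event is usually an isolated rare edge. The following Python is an added illustration of that locality idea and is not FEAD's algorithm, which the abstract does not specify. It builds a small provenance graph from constructed `(subject, action, object)` events, scores each edge by how rarely it appeared in a constructed benign baseline, and then discounts each node's score by the fraction of anomalous edges in its 2-hop neighbourhood. The rarity formula, the 2-hop window and the 0.5 thresholds are assumptions chosen for the example.

```python
"""Toy locality-aware anomaly scoring on a provenance graph (illustration only)."""
from collections import Counter, defaultdict

# Constructed benign baseline: how often each (subject, action, object) edge was
# seen during a training period. Stands in for a collector's history.
BASELINE = Counter({
    ("bash", "exec", "ls"): 120,
    ("bash", "exec", "grep"): 80,
    ("nginx", "read", "/etc/nginx/nginx.conf"): 40,
    ("nginx", "write", "/var/log/nginx/access.log"): 500,
    ("cron", "exec", "backup.sh"): 30,
    ("backup.sh", "read", "/var/lib/app/db.sqlite"): 30,
    ("backup.sh", "write", "/backup/db.sqlite"): 30,
    ("sshd", "exec", "bash"): 60,
})

# Constructed observation window: a download-and-execute chain that beacons
# out, plus a benign backup job that happens to write a never-seen temp file.
WINDOW = [
    ("sshd", "exec", "bash"),
    ("bash", "exec", "curl"),
    ("curl", "connect", "203.0.113.7:80"),
    ("curl", "write", "/tmp/.x"),
    ("bash", "exec", "chmod"),
    ("chmod", "write", "/tmp/.x"),
    ("bash", "exec", "/tmp/.x"),
    ("/tmp/.x", "connect", "203.0.113.7:4444"),
    ("cron", "exec", "backup.sh"),
    ("backup.sh", "read", "/var/lib/app/db.sqlite"),
    ("backup.sh", "write", "/backup/db.sqlite"),
    ("backup.sh", "write", "/backup/db.sqlite.tmp"),  # rare but isolated
]

ANOMALOUS_EDGE = 0.5   # assumed: edge rarity above this counts as anomalous
FLAG_THRESHOLD = 0.5   # assumed: node score at or above this is reported


def edge_scores(window, baseline):
    """Rarity per distinct edge: never seen in baseline -> 1.0, frequent -> near 0."""
    return {e: 1.0 / (1.0 + baseline[e]) for e in set(window)}


def build_adjacency(edges):
    """Undirected view: node -> incident edges, node -> neighbouring nodes."""
    incident, neighbours = defaultdict(set), defaultdict(set)
    for e in edges:
        subject, _, obj = e
        incident[subject].add(e)
        incident[obj].add(e)
        neighbours[subject].add(obj)
        neighbours[obj].add(subject)
    return incident, neighbours


def neighbourhood_edges(node, incident, neighbours, hops=2):
    """All distinct edges incident to any node within `hops` hops of `node`."""
    frontier, seen, region = {node}, {node}, set()
    for _ in range(hops):
        nxt = set()
        for n in frontier:
            region |= incident[n]
            nxt |= neighbours[n]
        frontier = nxt - seen
        seen |= nxt
    return region


def locality_scores(window, baseline, hops=2):
    """node -> (base score, local anomaly density, combined score)."""
    scores = edge_scores(window, baseline)
    incident, neighbours = build_adjacency(scores)
    result = {}
    for node, edges in incident.items():
        base = max(scores[e] for e in edges)          # rarest edge touching the node
        region = neighbourhood_edges(node, incident, neighbours, hops)
        anomalous = sum(1 for e in region if scores[e] > ANOMALOUS_EDGE)
        density = anomalous / len(region)             # how clustered the anomaly is
        result[node] = (base, density, base * density)
    return result


def flagged_by_rarity_only(window, baseline, threshold=FLAG_THRESHOLD):
    """Nodes a plain per-edge rarity detector would report."""
    return sorted(n for n, (base, _, _) in locality_scores(window, baseline).items()
                  if base >= threshold)


def flagged_with_locality(window, baseline, threshold=FLAG_THRESHOLD):
    """Nodes reported after discounting isolated rare edges."""
    return sorted(n for n, (_, _, final) in locality_scores(window, baseline).items()
                  if final >= threshold)


if __name__ == "__main__":
    print("rarity only :", flagged_by_rarity_only(WINDOW, BASELINE))
    print("with locality:", flagged_with_locality(WINDOW, BASELINE))
```

Run stand-alone, the rarity-only detector reports the attack chain and also `backup.sh` and `/backup/db.sqlite.tmp`, because that single write never appeared in the baseline. The locality pass keeps the chain (every node in it sits in a neighbourhood where most edges are anomalous) and drops the backup job, whose only anomalous edge is surrounded by well-known ones. That is the false-positive reduction the abstract attributes to clustering behaviour, shown on a graph small enough to check by hand.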