CLIProv: A Contrastive Log-to-Intelligence Multimodal Approach for Threat Detection and Provenance Analysis

📅 2025-07-12
📈 Citations: 0
Influential: 0
🤖 AI Summary
This work addresses the semantic gap between high-level threat intelligence (TTPs) and low-level system logs. To bridge this gap, we propose a cross-modal semantic alignment framework based on multimodal contrastive learning. For the first time, we formulate the mapping from log sequences to TTP descriptions as a semantic similarity search task. Our method jointly encodes system provenance graphs, raw log sequences, and structured TTP knowledge—enabling end-to-end attack detection with interpretable, traceable attribution. By integrating contrastive learning, multimodal representation learning, and semantic retrieval, it supports fine-grained TTP identification and concise attack scenario generation. Evaluated on standard benchmarks, our approach achieves significant improvements in both detection accuracy and inference efficiency over state-of-the-art methods, while providing auditable, human-interpretable threat analysis pathways.

📝 Abstract
With the increasing complexity of cyberattacks, the proactive and forward-looking nature of threat intelligence has become more crucial for threat detection and provenance analysis. However, translating high-level attack patterns described in Tactics, Techniques, and Procedures (TTP) intelligence into actionable security policies remains a significant challenge. This challenge arises from the semantic gap between high-level threat intelligence and low-level provenance logs. To address this issue, this paper introduces CLIProv, a novel approach for detecting threat behaviors in a host system. CLIProv employs a multimodal framework that leverages contrastive learning to align the semantics of provenance logs with threat intelligence, effectively correlating system intrusion activities with attack patterns. Furthermore, CLIProv formulates threat detection as a semantic search problem, identifying attack behaviors by searching for the threat intelligence that is most semantically similar to the log sequence. By leveraging the attack pattern information in threat intelligence, CLIProv identifies TTPs and generates complete and concise attack scenarios. Experimental evaluations on standard datasets show that CLIProv effectively identifies attack behaviors in system provenance logs, offering valuable references for the techniques potentially involved. Compared to state-of-the-art methods, CLIProv achieves higher precision and significantly improved detection efficiency.
Problem

Research questions and friction points this paper is trying to address.

Bridges the semantic gap between threat intelligence and logs
Detects host-system threats using multimodal contrastive learning
Formulates threat detection as a semantic search problem
Innovation

Methods, ideas, or system contributions that make the work stand out.

A multimodal framework aligns logs with threat intelligence
Contrastive learning bridges the semantic gap for detection
Semantic search identifies attack patterns efficiently
Authors
Jingwen Li, Sichuan Normal University (Learning to Optimize; Deep Reinforcement Learning; Combinatorial Optimization Problems)
Ru Zhang, Beijing University of Posts and Telecommunications, Beijing, 100876, China
Jianyi Liu, Beijing University of Posts and Telecommunications, Beijing, 100876, China
Wanguo Zhao, Beijing Anheng Xin'an Technology Co., Ltd, Beijing, 100089, China