To address the challenges of strong stealth, rapid evolution, and poor interpretability in Advanced Persistent Threat (APT) detection, this paper proposes an end-to-end detection framework integrating system provenance graphs with graph-based reinforcement learning. Methodologically, it pioneers the application of deep reinforcement learning to provenance graph modeling, jointly leveraging graph neural networks and hierarchical clustering to uncover multi-level implicit causal relationships, enhance adversarial robustness, and automatically generate attack chains. Key contributions include: (i) dynamic adaptability to evolving attack strategies; (ii) inherent perturbation resilience and high interpretability; and (iii) the first fully automated construction of semantically enriched attack chains directly from raw provenance events. Experiments on real-world datasets demonstrate that our approach consistently outperforms state-of-the-art methods in detection accuracy, robustness, and adaptability, and has been deployed to support operational APT defense decision-making.

Advanced Persistent Threats (APTs) represent sophisticated cyberattacks characterized by their ability to remain undetected within the victim system for extended periods, aiming to exfiltrate sensitive data or disrupt operations. Existing detection approaches often struggle to effectively identify these complex threats, construct the attack chain for defense facilitation, or resist adversarial attacks. To overcome these challenges, we propose Slot, an advanced APT detection approach based on provenance graphs and graph reinforcement learning. Slot excels in uncovering multi-level hidden relationships, such as causal, contextual, and indirect connections, among system behaviors through provenance graph mining. By pioneering the integration of graph reinforcement learning, Slot dynamically adapts to new user activities and evolving attack strategies, enhancing its resilience against adversarial attacks. Additionally, Slot automatically constructs the attack chain according to detected attacks with clustering algorithms, providing precise identification of attack paths and facilitating the development of defense strategies. Evaluations with real-world datasets demonstrate Slot's outstanding accuracy, efficiency, adaptability, and robustness in APT detection, with most metrics surpassing state-of-the-art methods. Additionally, case studies conducted to assess Slot's effectiveness in supporting APT defense further establish it as a practical and reliable tool for cybersecurity protection.