Sentient: Multi-Scenario Behavioral Intent Analysis for Advanced Persistent Threat Detection

📅 2025-02-10
🤖 AI Summary
Addressing key challenges in APT detection—including strong environmental noise, heavy reliance on scarce labeled data and domain-specific prior knowledge, and difficulty modeling long-range inter-entity dependencies—this paper proposes an unsupervised multi-scenario provenance graph learning framework. The method constructs provenance graphs from audit logs and jointly models behavioral patterns across diverse scenarios using graph neural networks, enabling graph-aware and scenario-coordinated learning of normal behavior without any APT labels or domain priors. Innovatively, it introduces a bias-driven anomaly detection mechanism that simultaneously suppresses noise and precisely captures long-range, cross-entity and cross-temporal intent dependencies. Evaluated on three real-world datasets, the framework achieves 96% precision and 99% recall, and supports fine-grained, node-level APT intent identification.

📝 Abstract
Advanced Persistent Threats (APTs) are challenging to detect due to their complexity and stealth. To mitigate such attacks, many approaches utilize provenance graphs to model entities and their dependencies, detecting the covert and persistent nature of APTs. However, existing methods face several challenges: 1) Environmental noise hinders precise detection; 2) Reliance on hard-to-obtain labeled data and prior knowledge of APTs limits their ability to detect unknown threats; 3) Difficulty in capturing long-range interaction dependencies leads to the loss of critical context. We propose Sentient, a threat detection system based on behavioral intent analysis that detects node-level threats from audit logs. Sentient constructs a provenance graph from the audit logs and uses this graph to build multiple scenarios. By combining graph comprehension with multiple-scenario comprehension, Sentient learns normal interaction behaviors. Sentient detects anomalies by identifying interactions that deviate from the established behavior patterns. We evaluated Sentient on three widely used datasets covering both real-world and simulated attacks. The results confirm that Sentient consistently delivers strong detection performance. Notably, Sentient achieves entity-level APT detection with a precision of 96% and a recall of 99%.
Problem

Research questions and friction points this paper is trying to address.

Detects APTs using behavioral intent analysis
Overcomes environmental noise and data scarcity
Captures long-range interaction dependencies effectively
Innovation

Methods, ideas, or system contributions that make the work stand out.

Behavioral intent analysis for threat detection
Provenance graph construction from audit logs
Multiple scenario comprehension for anomaly detection
Authors

Wenhao Yan
Institute of Information Engineering, Chinese Academy of Sciences

Ning An
Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences

Wei Qiao

Weiheng Wu
Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences

Bo Jiang
Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences

Yuling Liu
Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences

Zhigang Lu
Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences

Junrong Liu
Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences