Existing audit log semantic analysis is confined to system-call granularity, limiting its ability to detect stealthy attacks, and relies on manually crafted rule sets—lacking both zero-day attack detection capability and interpretability. This paper proposes a fine-grained, endpoint-oriented attack detection method that transcends call-level abstraction by enabling function-level behavioral extraction and thread-aware event modeling. We construct an audit log knowledge graph and integrate graph embedding representations with large language models (LLMs), establishing the first LLM–graph collaborative framework supporting explainable diagnosis. The framework enables zero-day attack detection, natural-language-based attribution generation, and expert-in-the-loop fine-tuning. Experiments demonstrate an average F1-score of 96%, with strong robustness across multi-model transfer scenarios and high generalizability to previously unseen attacks.

End-point monitoring solutions are widely deployed in today's enterprise environments to support advanced attack detection and investigation. These monitors continuously record system-level activities as audit logs and provide deep visibility into security events. Unfortunately, existing methods of semantic analysis based on audit logs have low granularity, only reaching the system call level, making it difficult to effectively classify highly covert behaviors. Additionally, existing works mainly match audit log streams with rule knowledge bases describing behaviors, which heavily rely on expertise and lack the ability to detect unknown attacks and provide interpretive descriptions. In this paper, we propose SmartGuard, an automated method that combines abstracted behaviors from audit event semantics with large language models. SmartGuard extracts specific behaviors (function level) from incoming system logs and constructs a knowledge graph, divides events by threads, and combines event summaries with graph embeddings to achieve information diagnosis and provide explanatory narratives through large language models. Our evaluation shows that SmartGuard achieves an average F1 score of 96% in assessing malicious behaviors and demonstrates good scalability across multiple models and unknown attacks. It also possesses excellent fine-tuning capabilities, allowing experts to assist in timely system updates.