To address the challenges of detecting advanced persistent threat (APT) attacks—characterized by prolonged dormancy, stealthy behavior, and multi-stage evolution—this paper proposes a fine-grained, low-and-slow attack detection method leveraging provenance graphs and Transformer architectures. It introduces, for the first time, an encoder-decoder Transformer framework for provenance graph modeling to capture long-range dependencies in system behavior. A dual-dimension anomaly scoring mechanism is designed to jointly quantify node-level behavioral similarity and graph-topological isolation, enabling state-level fine-grained anomaly discrimination. Evaluated on five benchmark datasets—including StreamSpot and CADETS—the method achieves an average 12.7% improvement in detection rate and a 31.4% reduction in false positive rate, significantly enhancing identification of low-frequency APT activities persisting over multiple days. Key contributions include: (1) a provenance-graph-driven Transformer modeling paradigm, and (2) an integrated anomaly scoring mechanism combining behavioral similarity and topological isolation.

APT detection is difficult to detect due to the long-term latency, covert and slow multistage attack patterns of Advanced Persistent Threat (APT). To tackle these issues, we propose TBDetector, a transformer-based advanced persistent threat detection method for APT attack detection. Considering that provenance graphs provide rich historical information and have the powerful attacks historic correlation ability to identify anomalous activities, TBDetector employs provenance analysis for APT detection, which summarizes long-running system execution with space efficiency and utilizes transformer with self-attention based encoder-decoder to extract long-term contextual features of system states to detect slow-acting attacks. Furthermore, we further introduce anomaly scores to investigate the anomaly of different system states, where each state is calculated with an anomaly score corresponding to its similarity score and isolation score. To evaluate the effectiveness of the proposed method, we have conducted experiments on five public datasets, i.e., streamspot, cadets, shellshock, clearscope, and wget_baseline. Experimental results and comparisons with state-of-the-art methods have exhibited better performance of our proposed method.