TFLAG: Towards Practical APT Detection via Deviation-Aware Learning on Temporal Provenance Graph

📅 2025-01-13
📈 Citations: 0
Influential: 0
🤖 AI Summary
Advanced Persistent Threat (APT) attacks exhibit evasive, gradual evolution in dynamic provenance graphs, making them difficult to distinguish from benign system perturbations and leading to high false-positive rates. Method: This paper proposes a deviation-aware self-supervised learning framework for temporal provenance graphs. It pioneers the integration of temporal graph neural networks with a dedicated deviation network to model subtle, consecutive structural shifts in provenance graphs, enabling unsupervised learning of benign behavioral evolution patterns. Additionally, it introduces multi-scale attribute-temporal joint representation learning and self-supervised neighborhood interaction modeling to achieve fine-grained, time-window-level attack localization. Contribution/Results: Evaluated on multiple real-world provenance datasets, the framework significantly outperforms state-of-the-art methods without requiring any labeled data. It accurately identifies APT attack time windows and reduces false-positive rates substantially.

📝 Abstract
Advanced Persistent Threats (APTs) have grown increasingly complex and concealed, posing formidable challenges to existing Intrusion Detection Systems in identifying and mitigating these attacks. Recent studies have incorporated graph learning techniques to extract detailed information from provenance graphs, enabling the detection of attacks with greater granularity. Nevertheless, existing studies have largely overlooked the continuous yet subtle temporal variations in the structure of provenance graphs, which may correspond to surreptitious perturbation anomalies in ongoing APT attacks. Therefore, we introduce TFLAG, an advanced anomaly detection framework that for the first time integrates the structural dynamic extraction capabilities of temporal graph models with the anomaly delineation abilities of deviation networks to pinpoint covert attack activities in provenance graphs. This self-supervised integration framework leverages the graph model to extract neighbor interaction data under continuous temporal changes from historical benign behaviors within provenance graphs, while simultaneously utilizing deviation networks to accurately distinguish authentic attack activities from false-positive deviations due to unexpected subtle perturbations. The experimental results indicate that, through a comprehensive design that utilizes both attribute and temporal information, it can accurately identify the time windows associated with APT attack behaviors without prior knowledge (e.g., labeled data samples), demonstrating superior accuracy compared to current state-of-the-art methods in differentiating between attack events and system false-positive events.
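The summary and abstract describe the mechanics at a high level: audit events become a provenance graph, the graph is cut into time windows, each window's structural change relative to historical benign behaviour is represented, and a deviation score separates real attack windows from benign perturbations. The following Python example is added here to make those mechanics concrete; it is not TFLAG's code and does not reproduce the paper's temporal GNN or deviation network. In their place it uses hand-picked structural features (node and edge counts, edges and nodes never seen in the history, maximum fan-out) and a mean absolute z-score against a baseline fitted on windows assumed benign. The audit trace, the process and file names, the 198.51.100.7 address, the 60-second window, the five-window baseline, the std floor of 1.0 and the threshold of 2.0 are all constructed assumptions for illustration.

```python
"""Windowed provenance-graph deviation scoring over a constructed audit trace.

Added illustration, not TFLAG's own code: bucket events into time windows,
summarise each window's subgraph relative to the history seen so far, fit a
baseline on windows assumed benign, flag windows whose deviation is too large.
"""
from collections import defaultdict
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Event:
    ts: int    # seconds since trace start
    src: str   # subject node, e.g. "proc:nginx"
    rel: str   # relation (syscall class): read, write, exec, accept, connect
    dst: str   # object node, e.g. "file:/etc/passwd" or "sock:10.0.0.5"


def constructed_trace():
    """Hand-built sample trace (hypothetical paths and addresses)."""
    benign = [("proc:nginx", "read", "file:/var/www/index.html"),
              ("proc:nginx", "accept", "sock:10.0.0.5"),
              ("proc:nginx", "write", "file:/var/log/nginx/access.log"),
              ("proc:cron", "exec", "file:/usr/sbin/logrotate")]
    chain = [("proc:nginx", "exec", "proc:sh"),
             ("proc:sh", "read", "file:/etc/passwd"),
             ("proc:sh", "connect", "sock:198.51.100.7:4444"),
             ("proc:sh", "write", "file:/tmp/.x"),
             ("proc:sh", "exec", "file:/tmp/.x")]
    events = []
    for w in range(8):
        base = w * 60
        events += [Event(base + i, s, r, d) for i, (s, r, d) in enumerate(benign)]
        if w == 3:  # benign perturbation: a new static asset is served once
            events.append(Event(base + 10, "proc:nginx", "read", "file:/var/www/style.css"))
        if w == 6:  # suspicious chain spawned from the web server
            events += [Event(base + 20 + i, s, r, d) for i, (s, r, d) in enumerate(chain)]
    return events


FEATURES = ("nodes", "edges", "new_edges", "new_nodes", "max_fanout")


def split_windows(events, window):
    buckets = defaultdict(list)
    for e in events:
        buckets[e.ts // window].append(e)
    return [buckets[k] for k in sorted(buckets)]


def window_features(win_events, known_nodes, known_edges):
    """Structural summary of one window's subgraph, relative to history."""
    edges = {(e.src, e.rel, e.dst) for e in win_events}
    nodes = {n for s, _, d in edges for n in (s, d)}
    fanout = defaultdict(set)
    for s, _, d in edges:
        fanout[s].add(d)
    vec = {"nodes": len(nodes),
           "edges": len(edges),
           "new_edges": len(edges - known_edges),   # interactions never seen before
           "new_nodes": len(nodes - known_nodes),
           "max_fanout": max((len(v) for v in fanout.values()), default=0)}
    return vec, nodes, edges


def fit_baseline(vectors, std_floor=1.0):
    """Per-feature mean/std; std is floored so a constant feature cannot blow up z."""
    mean, std = {}, {}
    for f in FEATURES:
        xs = [v[f] for v in vectors]
        m = sum(xs) / len(xs)
        var = sum((x - m) ** 2 for x in xs) / len(xs)
        mean[f], std[f] = m, max(math.sqrt(var), std_floor)
    return mean, std


def deviation_score(vec, mean, std):
    """Mean absolute z-score across features (assumed scoring rule)."""
    return sum(abs(vec[f] - mean[f]) / std[f] for f in FEATURES) / len(FEATURES)


def detect(events, window=60, n_baseline=5, threshold=2.0):
    """Return (window_index, score, flagged) for every window after the baseline."""
    windows = split_windows(events, window)
    known_nodes, known_edges, vectors = set(), set(), []
    for win in windows[:n_baseline]:          # assumed benign, no labels needed
        vec, nodes, edges = window_features(win, known_nodes, known_edges)
        vectors.append(vec)
        known_nodes |= nodes
        known_edges |= edges
    mean, std = fit_baseline(vectors[1:] or vectors)  # window 0 only seeds history
    results = []
    for idx in range(n_baseline, len(windows)):
        vec, nodes, edges = window_features(windows[idx], known_nodes, known_edges)
        score = deviation_score(vec, mean, std)
        flagged = score > threshold
        results.append((idx, round(score, 2), flagged))
        if not flagged:                       # a flagged window must not become "normal"
            known_nodes |= nodes
            known_edges |= edges
    return results


if __name__ == "__main__":
    for idx, score, flagged in detect(constructed_trace()):
        print(f"window {idx}: score={score:.2f} {'ATTACK?' if flagged else 'benign'}")
```

Two details matter in practice. The benign perturbation in window 3 (one new file read) lands inside the baseline, so the later benign windows score low even though they differ from it; a raw "anything new is an alert" rule would have fired there, which is the false-positive problem the paper targets. And the history is only extended from windows that were not flagged; if the attack window were absorbed, a repeat of the same chain in a later window would look like established behaviour, which is exactly how a gradually evolving APT blends in.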
Problem

Research questions and friction points this paper is trying to address.

Advanced Persistent Threats
Anomaly Detection
Cybersecurity Defense
Innovation

Methods, ideas, or system contributions that make the work stand out.

TFLAG
APT Detection
Temporal Graph Learning
Authors
Wenhan Jiang: School of Computer Science and Technology, Harbin Institute of Technology, Weihai, China, and Shandong Key Laboratory of Industrial Network Security, China
Tingting Chai: Harbin Institute of Technology (Biometrics, Pattern Recognition, Machine Learning)
Hongri Liu: School of Computer Science and Technology, Harbin Institute of Technology, Weihai, China, and Shandong Key Laboratory of Industrial Network Security, China
Kai Wang: School of Computer Science and Technology, Harbin Institute of Technology, Weihai, China, and Shandong Key Laboratory of Industrial Network Security, China
Hongke Zhang: School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing 100044, China