Papers
Topics
Authors
Recent
Search
2000 character limit reached

CLIProv: Log-to-Intelligence Threat Detection

Updated 6 July 2026
  • CLIProv is a multimodal approach that aligns low-level system logs with high-level MITRE ATT&CK descriptions using dual-encoder embeddings.
  • It formulates threat detection as semantic search, achieving higher precision and improved efficiency over state-of-the-art methods.
  • The system reconstructs complete attack scenarios through temporal and causal linkage of behavior subgraphs, enhancing TTP-level interpretability.

Searching arXiv for the CLIProv paper to ground the article in the cited source. CLIProv is a contrastive log-to-intelligence multimodal approach for threat detection and provenance analysis in host systems. It is designed to close the semantic gap between low-level provenance logs and high-level threat intelligence, particularly Tactics, Techniques, and Procedures (TTP) descriptions from MITRE ATT&CK. The method aligns provenance-derived behavior sequences with textual threat intelligence in a shared semantic space, formulates threat detection as semantic search over that space, and reconstructs complete attack scenarios by temporally and causally linking suspicious subgraphs. In the reported experiments, CLIProv identifies attack behaviors in system provenance logs, provides TTP-level interpretability, and achieves higher precision and significantly improved detection efficiency than the compared state-of-the-art methods (Li et al., 12 Jul 2025).

1. Problem setting and formal representation

CLIProv addresses a specific mismatch in cyber defense workflows: host provenance logs record low-level, fine-grained execution histories, whereas threat intelligence is written in high-level natural language. Provenance logs contain system calls, process/file/socket interactions, and timestamps; TTP intelligence describes tactics, techniques, and procedures. This difference in abstraction and syntax makes it difficult to translate threat intelligence into actionable policies over raw logs.

The provenance data are modeled as directed graphs

Gprov=(V,E),G_{\mathrm{prov}} = (V, E),

where VV contains process, file, and socket entities, and EE contains directed edges representing causal interactions and operations such as open, read, execute, and connect, with timestamps as edge attributes. In this formulation, provenance captures causal dependencies and information flows. CLIProv uses these properties not only for local detection, but also for provenance-based attack scenario reconstruction.

The core detection objective is to identify suspicious host behaviors and map them to known TTPs by learning an alignment between sequences extracted from provenance logs and textual threat intelligence. The reconstruction objective is complementary: given multiple suspicious behavior subgraphs, or local behavior windows, the system reconstructs a global and coherent attack narrative by temporally and causally linking those subgraphs into a complete attack graph with interpretable TTP labels.

A useful distinction within the CLIProv design is between the local unit of analysis and the global attack narrative. The local unit is the “system behavior subgraph,” centered around a specific process and constrained by temporal density. The global narrative is a merged attack graph obtained after semantic labeling and causal linkage. This structure is central to how CLIProv converts a large provenance graph into an interpretable scenario rather than a disconnected set of alerts.

2. Multimodal architecture and contrastive alignment

CLIProv uses two modalities. The log modality consists of sequences derived from provenance graphs, specifically system behavior subgraphs converted to ordered behavior sequences of (source entity,event type,destination entity)(\text{source entity}, \text{event type}, \text{destination entity}) triples. The threat intelligence modality consists of free-text descriptions, including MITRE ATT&CK TTP descriptions and examples, augmented intelligence sentences, and an explicit benign description: “This is a benign sequence.”

The model adopts a dual-encoder architecture with RoBERTa for both modalities. The log encoder treats log sequences as sentences of tokens, using entity names and event type symbols, and outputs a [CLS][\mathrm{CLS}] embedding. The text encoder processes ATT&CK descriptions and generated variants and also outputs a [CLS][\mathrm{CLS}] embedding. Both embeddings are then projected into a common semantic space by a two-layer MLP with residual connection and ReLU activation:

h1=σ(W1x+b1),h_1 = \sigma(W_1 x + b_1),

g(x)=h1+σ(W2h1+b2).g(x) = h_1 + \sigma(W_2 h_1 + b_2).

The embedding functions for logs LL and intelligence TT are

VV0

and, for sample VV1, CLIProv normalizes the projected embeddings as

VV2

Similarity is cosine similarity via normalized dot product:

VV3

which in the implementation becomes VV4 after VV5 normalization.

Training uses a bidirectional InfoNCE-style loss. The log-to-text direction is

VV6

and the text-to-log direction is

VV7

Here VV8 is a learnable temperature initialized to VV9.

At inference time, threat detection is formulated as semantic retrieval. Given a log sequence embedding EE0 and a set of intelligence embeddings EE1, CLIProv retrieves the top-EE2 techniques by

EE3

The paper also gives the decision rule as

EE4

Operationally, the detected label is the TTP whose intelligence text is most semantically similar to the log sequence. This makes the method neither a pure query-graph matcher nor a conventional anomaly detector; it is a semantic alignment system that uses ATT&CK text as the retrieval target.

3. Provenance reduction, segmentation, and intelligence curation

CLIProv begins with provenance log sources such as Windows ETW, Linux Audit, and similar host auditing frameworks. These logs are converted into provenance graphs whose entities are processes, files, and sockets, and whose edges record operations such as open, read, execute, and connect.

To reduce redundancy, the paper describes several graph-reduction rules. For network communications, repeated or rapid successive connections from the same process to the same IP within a fixed time window are merged into a single edge. If multiple ports or multiple event types occur, the port IDs and event types are concatenated with underscores, and the merged timestamp is the earliest in the set. For file directories, cascading parent-directory access events are removed while retaining the final directory-level events. For similar file objects, nodes within the same parent directory and time window are merged when name similarity exceeds EE5 using Levenshtein distance.

Subgraph partitioning proceeds in two stages. First, dependency subgraphs are built with DFS. Second, these subgraphs are partitioned by temporal gaps where

EE6

with EE7 defaulting to EE8 minutes. Each resulting partition is a “system behavior subgraph” with dense, temporally contiguous operations centered around a specific process. The paper gives the subgraph representation for process EE9 as

(source entity,event type,destination entity)(\text{source entity}, \text{event type}, \text{destination entity})0

The DFS-based dependency extraction followed by time-based partitioning has complexity (source entity,event type,destination entity)(\text{source entity}, \text{event type}, \text{destination entity})1.

Each behavior subgraph is then converted into an ordered sequence of triples:

(source entity,event type,destination entity)(\text{source entity}, \text{event type}, \text{destination entity})2

where each (source entity,event type,destination entity)(\text{source entity}, \text{event type}, \text{destination entity})3 is an ordered list of (source entity,event type,destination entity)(\text{source entity}, \text{event type}, \text{destination entity})4 events. These tokenized sequences become inputs to the log encoder.

Threat intelligence curation combines manually aligned ground truth with text augmentation. Ground-truth segments are aligned from threat reports such as DARPA TC GT and KAIROS narratives to subgraphs, while benign sequences are assigned the text “This is a benign sequence.” Augmentation uses GPT-3 with the prompt “Please rewrite the following sentence, keeping the original meaning intact.” The system generates (source entity,event type,destination entity)(\text{source entity}, \text{event type}, \text{destination entity})5 paraphrases per attack text. Positive training pairs are matched log-sequence/intelligence-text pairs from ground truth or augmentation, while negative pairs are mismatched pairs across the batch. The intelligence repository queried at inference time contains MITRE ATT&CK TTP texts, totaling (source entity,event type,destination entity)(\text{source entity}, \text{event type}, \text{destination entity})6 items, plus the benign text.

4. Threat labeling and attack-scenario reconstruction

The inference pipeline follows the same decomposition as training, but applies it to full-system provenance. The full provenance graph is partitioned into behavior subgraphs, each subgraph is tokenized into a sequence, and each sequence is embedded and matched against the ATT&CK repository. Subgraphs whose retrieved label is not benign are selected as attacks.

CLIProv then reconstructs an end-to-end attack scenario through temporal causal reasoning. For each attack subgraph (source entity,event type,destination entity)(\text{source entity}, \text{event type}, \text{destination entity})7, the method introduces a virtual node (source entity,event type,destination entity)(\text{source entity}, \text{event type}, \text{destination entity})8 connected to all nodes in (source entity,event type,destination entity)(\text{source entity}, \text{event type}, \text{destination entity})9, and assigns a time [CLS][\mathrm{CLS}]0 equal to the earliest edge time:

[CLS][\mathrm{CLS}]1

These virtual nodes are sorted by [CLS][\mathrm{CLS}]2. For each subgraph after the first, the system searches backward for the nearest predecessor virtual node that is causally connected via provenance paths. It then runs a time-dependent shortest-path search, described as a Dijkstra variant, to obtain

[CLS][\mathrm{CLS}]3

The final attack graph is assembled by removing virtual nodes and unioning subgraphs and paths:

[CLS][\mathrm{CLS}]4

This reconstruction procedure gives each local behavior window a TTP label while preserving end-to-end causality. The ATT&CK labels provide high-level interpretability for each subgraph, and the shortest time-dependent causal paths provide the linkage criterion between subgraphs.

The paper’s THEIA browser-extension example illustrates this process as a three-stage scenario. Subgraph 1 is labeled T1189 Drive-by Compromise and includes a Firefox exploit, an external shellcode server at 141.43.176.203, and Native Messaging. Subgraph 2 is labeled T1546 Event Triggered Execution and includes pass_mgr cloning dash and gtcache tampering with var/log/wdev to persist. Subgraph 3 is labeled T1046 Network Service Discovery and includes profile injecting into a mail process and scanning multiple ports against external IPs. The reconstructed paths connect these successive steps while respecting timestamps, yielding a concise and interpretable attack graph.

5. Evaluation, baselines, and empirical behavior

The reported experiments use four datasets after reduction and partitioning: CADETS, THEIA, ATLAS, and CICAPT-IIoT. CADETS is DARPA TC E3 FreeBSD/Nginx backdoor data of [CLS][\mathrm{CLS}]5GB with [CLS][\mathrm{CLS}]6 train scenarios and [CLS][\mathrm{CLS}]7 test scenarios. THEIA is DARPA TC E3 Ubuntu Firefox/extension/phishing data of [CLS][\mathrm{CLS}]8GB with [CLS][\mathrm{CLS}]9 train scenarios and [CLS][\mathrm{CLS}]0 test scenario. ATLAS is a Windows APT reproduction dataset of [CLS][\mathrm{CLS}]1GB with [CLS][\mathrm{CLS}]2 incidents across CVEs; the test set includes CVE-2015-5122 and CVE-2015-5119 scenarios. CICAPT-IIoT is an Industrial IoT APT29 via Caldera dataset of [CLS][\mathrm{CLS}]3MB with many IIoT techniques and no ground truth for process-level labels; it is used to test cross-dataset generalization. The ATT&CK query intelligence repository contains [CLS][\mathrm{CLS}]4 items (Li et al., 12 Jul 2025).

Dataset Configuration Role
CADETS 2 train, 2 test Standard evaluation
THEIA 2 train, 1 test Standard evaluation
ATLAS Majority train; CVE-2015-5122 and CVE-2015-5119 in test Cross-vulnerability evaluation
CICAPT-IIoT No GT for process-level labels Cross-dataset generalization

The evaluation uses node-level precision, recall, and accuracy; graph-level precision and recall for attack-subgraph detection; alignment score for scenario quality; and efficiency metrics for preprocessing, training, and query runtime. Baselines include the query graph-based methods POIROT and ProvG-Searcher, and the anomaly-based methods Threatrace and KAIROS.

The headline graph-level results are [CLS][\mathrm{CLS}]5 precision and recall on CADETS, THEIA, and ATLAS. On CICAPT-IIoT, graph-level performance is Precision [CLS][\mathrm{CLS}]6 and Recall [CLS][\mathrm{CLS}]7. At node level, CADETS achieves [CLS][\mathrm{CLS}]8 precision and [CLS][\mathrm{CLS}]9 recall; THEIA achieves h1=σ(W1x+b1),h_1 = \sigma(W_1 x + b_1),0 precision and h1=σ(W1x+b1),h_1 = \sigma(W_1 x + b_1),1 recall; ATLAS achieves h1=σ(W1x+b1),h_1 = \sigma(W_1 x + b_1),2 precision and h1=σ(W1x+b1),h_1 = \sigma(W_1 x + b_1),3 recall; CICAPT-IIoT achieves h1=σ(W1x+b1),h_1 = \sigma(W_1 x + b_1),4 precision and h1=σ(W1x+b1),h_1 = \sigma(W_1 x + b_1),5 recall.

The efficiency results are similarly explicit. Threat search requires approximately h1=σ(W1x+b1),h_1 = \sigma(W_1 x + b_1),6 seconds per scenario and approximately h1=σ(W1x+b1),h_1 = \sigma(W_1 x + b_1),7 ms per subgraph, while total training requires approximately h1=σ(W1x+b1),h_1 = \sigma(W_1 x + b_1),8 hours for h1=σ(W1x+b1),h_1 = \sigma(W_1 x + b_1),9 epochs on g(x)=h1+σ(W2h1+b2).g(x) = h_1 + \sigma(W_2 h_1 + b_2).0 attack scenarios. The paper states that inference is faster than ProvG-Searcher and avoids the long exhaustive matching time of POIROT, whose query times are reported as g(x)=h1+σ(W2h1+b2).g(x) = h_1 + \sigma(W_2 h_1 + b_2).1 to g(x)=h1+σ(W2h1+b2).g(x) = h_1 + \sigma(W_2 h_1 + b_2).2 hours. CLIProv and POIROT had no graph-level false positives, whereas ProvG-Searcher had false-positive rates of g(x)=h1+σ(W2h1+b2).g(x) = h_1 + \sigma(W_2 h_1 + b_2).3 on CADETS and g(x)=h1+σ(W2h1+b2).g(x) = h_1 + \sigma(W_2 h_1 + b_2).4 on THEIA due to entity-type simplification. Alignment scores are reported as comparable: CLIProv g(x)=h1+σ(W2h1+b2).g(x) = h_1 + \sigma(W_2 h_1 + b_2).5–g(x)=h1+σ(W2h1+b2).g(x) = h_1 + \sigma(W_2 h_1 + b_2).6, POIROT g(x)=h1+σ(W2h1+b2).g(x) = h_1 + \sigma(W_2 h_1 + b_2).7–g(x)=h1+σ(W2h1+b2).g(x) = h_1 + \sigma(W_2 h_1 + b_2).8, and ProvG-Searcher approximately g(x)=h1+σ(W2h1+b2).g(x) = h_1 + \sigma(W_2 h_1 + b_2).9.

The ablation study indicates that a single-modal classifier and a dual-encoder contrastive-plus-classifier design both had lower precision due to data imbalance and dispersed attack representations. Semantic search over ATT&CK, as implemented in CLIProv, mitigated both issues and achieved perfect graph-level metrics on the primary datasets. The reported robustness results further show cross-scenario, cross-vulnerability, and cross-dataset generalization: behavior consistent with T1189 was identified in THEIA browser-extension data despite the absence of identical attacks in training; attacks in ATLAS CVE-2015-5122 were detected without training on that CVE, using patterns such as T1204, T1105, and T1083; and CICAPT-IIoT recall remained approximately LL0 despite no pretraining on that dataset.

A common misunderstanding would be to interpret the perfect graph-level scores on three datasets as evidence of unrestricted open-world coverage. The paper does not make that claim. Instead, the cross-dataset results and the limitations section indicate that performance is knowledge-bound and degrades when techniques overlap with normal operations or when the intelligence coverage is limited.

6. Implementation, deployment, and limitations

The implementation uses pre-trained RoBERTa encoders with embedding dimension LL1 for both modalities, and a two-layer residual MLP projection network with hidden size LL2 in each layer. The hyperparameters are batch size LL3, epochs LL4, learning rate LL5, dropout LL6, learnable temperature initialized to LL7, temporal partitioning threshold LL8 minutes, and augmentation count LL9. The system is implemented in PyTorch, with Python TT0 and NetworkX for provenance graph processing. The reported hardware is Ubuntu 20.04, a GeForce RTX A6000 GPU, TT1 CPUs at TT2GHz, and TT3TB RAM. The paper reports a prototype and does not provide a public code or model link (Li et al., 12 Jul 2025).

For deployment in enterprise environments, CLIProv is described as an analytics service that can be integrated into SIEM or EDR pipelines. Continuous provenance logs from ETW, Auditd, or similar sources are fed to the preprocessor to build reduced graphs and behavior subgraphs. The pretrained dual encoders embed each subgraph’s log sequence, semantic search is performed against a curated ATT&CK intelligence repository plus the benign text, and alerts can be streamed with TTP labels, matched intelligence text, subgraph visualization, and confidence scores. The paper also recommends translating retrieved TTPs into playbook actions such as isolating a process, killing a connection to a suspicious IP, searching for persistence files, or blocking suspicious downloads.

Several configuration guidelines are explicitly stated. The temporal threshold TT4 can be tightened for high-velocity environments or relaxed for stealthy APTs. A benign sampling rate of at least TT5 is recommended to balance training time and generalization. Augmentation with TT6 improves recall and reduces false-positive rate. Similarity thresholds for semantic retrieval should be calibrated on validation sets to balance precision and recall. Caching text embeddings of the ATT&CK repository is recommended to accelerate retrieval, and distributed training is suggested as a way to reduce training time further.

The limitations are substantive rather than incidental. CLIProv is knowledge-bound: performance depends on the coverage of training intelligence, and unseen techniques with substantial semantic differences may be missed. Some benign service-related nodes may appear in reconstructed scenarios, and the paper suggests that combining anomaly filters could reduce this noise. The paper also identifies fake intelligence risk: external intelligence poisoning could mislead training, and source validation together with adversarial training using fake intelligence as negatives is recommended. Optional removal of service-related nodes using domain heuristics or anomaly scores is mentioned as a future enhancement.

These constraints clarify the method’s scope. CLIProv is not presented as a replacement for provenance collection, threat intelligence curation, or response engineering. Its contribution is the semantic alignment layer that maps low-level provenance behavior into ATT&CK-level interpretations and then uses provenance causality to reconstruct a coherent, interpretable attack scenario.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (1)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to CLIProv.