CLIProv: Log-to-Intelligence Threat Detection
- CLIProv is a multimodal approach that aligns low-level system logs with high-level MITRE ATT&CK descriptions using dual-encoder embeddings.
- It formulates threat detection as semantic search, achieving higher precision and improved efficiency over state-of-the-art methods.
- The system reconstructs complete attack scenarios through temporal and causal linkage of behavior subgraphs, enhancing TTP-level interpretability.
Searching arXiv for the CLIProv paper to ground the article in the cited source. CLIProv is a contrastive log-to-intelligence multimodal approach for threat detection and provenance analysis in host systems. It is designed to close the semantic gap between low-level provenance logs and high-level threat intelligence, particularly Tactics, Techniques, and Procedures (TTP) descriptions from MITRE ATT&CK. The method aligns provenance-derived behavior sequences with textual threat intelligence in a shared semantic space, formulates threat detection as semantic search over that space, and reconstructs complete attack scenarios by temporally and causally linking suspicious subgraphs. In the reported experiments, CLIProv identifies attack behaviors in system provenance logs, provides TTP-level interpretability, and achieves higher precision and significantly improved detection efficiency than the compared state-of-the-art methods (Li et al., 12 Jul 2025).
1. Problem setting and formal representation
CLIProv addresses a specific mismatch in cyber defense workflows: host provenance logs record low-level, fine-grained execution histories, whereas threat intelligence is written in high-level natural language. Provenance logs contain system calls, process/file/socket interactions, and timestamps; TTP intelligence describes tactics, techniques, and procedures. This difference in abstraction and syntax makes it difficult to translate threat intelligence into actionable policies over raw logs.
The provenance data are modeled as directed graphs
where contains process, file, and socket entities, and contains directed edges representing causal interactions and operations such as open, read, execute, and connect, with timestamps as edge attributes. In this formulation, provenance captures causal dependencies and information flows. CLIProv uses these properties not only for local detection, but also for provenance-based attack scenario reconstruction.
The core detection objective is to identify suspicious host behaviors and map them to known TTPs by learning an alignment between sequences extracted from provenance logs and textual threat intelligence. The reconstruction objective is complementary: given multiple suspicious behavior subgraphs, or local behavior windows, the system reconstructs a global and coherent attack narrative by temporally and causally linking those subgraphs into a complete attack graph with interpretable TTP labels.
A useful distinction within the CLIProv design is between the local unit of analysis and the global attack narrative. The local unit is the “system behavior subgraph,” centered around a specific process and constrained by temporal density. The global narrative is a merged attack graph obtained after semantic labeling and causal linkage. This structure is central to how CLIProv converts a large provenance graph into an interpretable scenario rather than a disconnected set of alerts.
2. Multimodal architecture and contrastive alignment
CLIProv uses two modalities. The log modality consists of sequences derived from provenance graphs, specifically system behavior subgraphs converted to ordered behavior sequences of triples. The threat intelligence modality consists of free-text descriptions, including MITRE ATT&CK TTP descriptions and examples, augmented intelligence sentences, and an explicit benign description: “This is a benign sequence.”
The model adopts a dual-encoder architecture with RoBERTa for both modalities. The log encoder treats log sequences as sentences of tokens, using entity names and event type symbols, and outputs a embedding. The text encoder processes ATT&CK descriptions and generated variants and also outputs a embedding. Both embeddings are then projected into a common semantic space by a two-layer MLP with residual connection and ReLU activation:
The embedding functions for logs and intelligence are
0
and, for sample 1, CLIProv normalizes the projected embeddings as
2
Similarity is cosine similarity via normalized dot product:
3
which in the implementation becomes 4 after 5 normalization.
Training uses a bidirectional InfoNCE-style loss. The log-to-text direction is
6
and the text-to-log direction is
7
Here 8 is a learnable temperature initialized to 9.
At inference time, threat detection is formulated as semantic retrieval. Given a log sequence embedding 0 and a set of intelligence embeddings 1, CLIProv retrieves the top-2 techniques by
3
The paper also gives the decision rule as
4
Operationally, the detected label is the TTP whose intelligence text is most semantically similar to the log sequence. This makes the method neither a pure query-graph matcher nor a conventional anomaly detector; it is a semantic alignment system that uses ATT&CK text as the retrieval target.
3. Provenance reduction, segmentation, and intelligence curation
CLIProv begins with provenance log sources such as Windows ETW, Linux Audit, and similar host auditing frameworks. These logs are converted into provenance graphs whose entities are processes, files, and sockets, and whose edges record operations such as open, read, execute, and connect.
To reduce redundancy, the paper describes several graph-reduction rules. For network communications, repeated or rapid successive connections from the same process to the same IP within a fixed time window are merged into a single edge. If multiple ports or multiple event types occur, the port IDs and event types are concatenated with underscores, and the merged timestamp is the earliest in the set. For file directories, cascading parent-directory access events are removed while retaining the final directory-level events. For similar file objects, nodes within the same parent directory and time window are merged when name similarity exceeds 5 using Levenshtein distance.
Subgraph partitioning proceeds in two stages. First, dependency subgraphs are built with DFS. Second, these subgraphs are partitioned by temporal gaps where
6
with 7 defaulting to 8 minutes. Each resulting partition is a “system behavior subgraph” with dense, temporally contiguous operations centered around a specific process. The paper gives the subgraph representation for process 9 as
0
The DFS-based dependency extraction followed by time-based partitioning has complexity 1.
Each behavior subgraph is then converted into an ordered sequence of triples:
2
where each 3 is an ordered list of 4 events. These tokenized sequences become inputs to the log encoder.
Threat intelligence curation combines manually aligned ground truth with text augmentation. Ground-truth segments are aligned from threat reports such as DARPA TC GT and KAIROS narratives to subgraphs, while benign sequences are assigned the text “This is a benign sequence.” Augmentation uses GPT-3 with the prompt “Please rewrite the following sentence, keeping the original meaning intact.” The system generates 5 paraphrases per attack text. Positive training pairs are matched log-sequence/intelligence-text pairs from ground truth or augmentation, while negative pairs are mismatched pairs across the batch. The intelligence repository queried at inference time contains MITRE ATT&CK TTP texts, totaling 6 items, plus the benign text.
4. Threat labeling and attack-scenario reconstruction
The inference pipeline follows the same decomposition as training, but applies it to full-system provenance. The full provenance graph is partitioned into behavior subgraphs, each subgraph is tokenized into a sequence, and each sequence is embedded and matched against the ATT&CK repository. Subgraphs whose retrieved label is not benign are selected as attacks.
CLIProv then reconstructs an end-to-end attack scenario through temporal causal reasoning. For each attack subgraph 7, the method introduces a virtual node 8 connected to all nodes in 9, and assigns a time 0 equal to the earliest edge time:
1
These virtual nodes are sorted by 2. For each subgraph after the first, the system searches backward for the nearest predecessor virtual node that is causally connected via provenance paths. It then runs a time-dependent shortest-path search, described as a Dijkstra variant, to obtain
3
The final attack graph is assembled by removing virtual nodes and unioning subgraphs and paths:
4
This reconstruction procedure gives each local behavior window a TTP label while preserving end-to-end causality. The ATT&CK labels provide high-level interpretability for each subgraph, and the shortest time-dependent causal paths provide the linkage criterion between subgraphs.
The paper’s THEIA browser-extension example illustrates this process as a three-stage scenario. Subgraph 1 is labeled T1189 Drive-by Compromise and includes a Firefox exploit, an external shellcode server at 141.43.176.203, and Native Messaging. Subgraph 2 is labeled T1546 Event Triggered Execution and includes pass_mgr cloning dash and gtcache tampering with var/log/wdev to persist. Subgraph 3 is labeled T1046 Network Service Discovery and includes profile injecting into a mail process and scanning multiple ports against external IPs. The reconstructed paths connect these successive steps while respecting timestamps, yielding a concise and interpretable attack graph.
5. Evaluation, baselines, and empirical behavior
The reported experiments use four datasets after reduction and partitioning: CADETS, THEIA, ATLAS, and CICAPT-IIoT. CADETS is DARPA TC E3 FreeBSD/Nginx backdoor data of 5GB with 6 train scenarios and 7 test scenarios. THEIA is DARPA TC E3 Ubuntu Firefox/extension/phishing data of 8GB with 9 train scenarios and 0 test scenario. ATLAS is a Windows APT reproduction dataset of 1GB with 2 incidents across CVEs; the test set includes CVE-2015-5122 and CVE-2015-5119 scenarios. CICAPT-IIoT is an Industrial IoT APT29 via Caldera dataset of 3MB with many IIoT techniques and no ground truth for process-level labels; it is used to test cross-dataset generalization. The ATT&CK query intelligence repository contains 4 items (Li et al., 12 Jul 2025).
| Dataset | Configuration | Role |
|---|---|---|
| CADETS | 2 train, 2 test | Standard evaluation |
| THEIA | 2 train, 1 test | Standard evaluation |
| ATLAS | Majority train; CVE-2015-5122 and CVE-2015-5119 in test | Cross-vulnerability evaluation |
| CICAPT-IIoT | No GT for process-level labels | Cross-dataset generalization |
The evaluation uses node-level precision, recall, and accuracy; graph-level precision and recall for attack-subgraph detection; alignment score for scenario quality; and efficiency metrics for preprocessing, training, and query runtime. Baselines include the query graph-based methods POIROT and ProvG-Searcher, and the anomaly-based methods Threatrace and KAIROS.
The headline graph-level results are 5 precision and recall on CADETS, THEIA, and ATLAS. On CICAPT-IIoT, graph-level performance is Precision 6 and Recall 7. At node level, CADETS achieves 8 precision and 9 recall; THEIA achieves 0 precision and 1 recall; ATLAS achieves 2 precision and 3 recall; CICAPT-IIoT achieves 4 precision and 5 recall.
The efficiency results are similarly explicit. Threat search requires approximately 6 seconds per scenario and approximately 7 ms per subgraph, while total training requires approximately 8 hours for 9 epochs on 0 attack scenarios. The paper states that inference is faster than ProvG-Searcher and avoids the long exhaustive matching time of POIROT, whose query times are reported as 1 to 2 hours. CLIProv and POIROT had no graph-level false positives, whereas ProvG-Searcher had false-positive rates of 3 on CADETS and 4 on THEIA due to entity-type simplification. Alignment scores are reported as comparable: CLIProv 5–6, POIROT 7–8, and ProvG-Searcher approximately 9.
The ablation study indicates that a single-modal classifier and a dual-encoder contrastive-plus-classifier design both had lower precision due to data imbalance and dispersed attack representations. Semantic search over ATT&CK, as implemented in CLIProv, mitigated both issues and achieved perfect graph-level metrics on the primary datasets. The reported robustness results further show cross-scenario, cross-vulnerability, and cross-dataset generalization: behavior consistent with T1189 was identified in THEIA browser-extension data despite the absence of identical attacks in training; attacks in ATLAS CVE-2015-5122 were detected without training on that CVE, using patterns such as T1204, T1105, and T1083; and CICAPT-IIoT recall remained approximately 0 despite no pretraining on that dataset.
A common misunderstanding would be to interpret the perfect graph-level scores on three datasets as evidence of unrestricted open-world coverage. The paper does not make that claim. Instead, the cross-dataset results and the limitations section indicate that performance is knowledge-bound and degrades when techniques overlap with normal operations or when the intelligence coverage is limited.
6. Implementation, deployment, and limitations
The implementation uses pre-trained RoBERTa encoders with embedding dimension 1 for both modalities, and a two-layer residual MLP projection network with hidden size 2 in each layer. The hyperparameters are batch size 3, epochs 4, learning rate 5, dropout 6, learnable temperature initialized to 7, temporal partitioning threshold 8 minutes, and augmentation count 9. The system is implemented in PyTorch, with Python 0 and NetworkX for provenance graph processing. The reported hardware is Ubuntu 20.04, a GeForce RTX A6000 GPU, 1 CPUs at 2GHz, and 3TB RAM. The paper reports a prototype and does not provide a public code or model link (Li et al., 12 Jul 2025).
For deployment in enterprise environments, CLIProv is described as an analytics service that can be integrated into SIEM or EDR pipelines. Continuous provenance logs from ETW, Auditd, or similar sources are fed to the preprocessor to build reduced graphs and behavior subgraphs. The pretrained dual encoders embed each subgraph’s log sequence, semantic search is performed against a curated ATT&CK intelligence repository plus the benign text, and alerts can be streamed with TTP labels, matched intelligence text, subgraph visualization, and confidence scores. The paper also recommends translating retrieved TTPs into playbook actions such as isolating a process, killing a connection to a suspicious IP, searching for persistence files, or blocking suspicious downloads.
Several configuration guidelines are explicitly stated. The temporal threshold 4 can be tightened for high-velocity environments or relaxed for stealthy APTs. A benign sampling rate of at least 5 is recommended to balance training time and generalization. Augmentation with 6 improves recall and reduces false-positive rate. Similarity thresholds for semantic retrieval should be calibrated on validation sets to balance precision and recall. Caching text embeddings of the ATT&CK repository is recommended to accelerate retrieval, and distributed training is suggested as a way to reduce training time further.
The limitations are substantive rather than incidental. CLIProv is knowledge-bound: performance depends on the coverage of training intelligence, and unseen techniques with substantial semantic differences may be missed. Some benign service-related nodes may appear in reconstructed scenarios, and the paper suggests that combining anomaly filters could reduce this noise. The paper also identifies fake intelligence risk: external intelligence poisoning could mislead training, and source validation together with adversarial training using fake intelligence as negatives is recommended. Optional removal of service-related nodes using domain heuristics or anomaly scores is mentioned as a future enhancement.
These constraints clarify the method’s scope. CLIProv is not presented as a replacement for provenance collection, threat intelligence curation, or response engineering. Its contribution is the semantic alignment layer that maps low-level provenance behavior into ATT&CK-level interpretations and then uses provenance causality to reconstruct a coherent, interpretable attack scenario.