Multi-view Collaborative Provenance Graph Learning

• The paper introduces a dual-phase methodology combining GNN embeddings and Isolation Forest scoring to achieve high Macro-F1 scores on benchmark datasets.
• Multi-view collaborative learning fuses structural and behavioral features through co-training and meta-classifier stacking, effectively addressing label scarcity in real-world scenarios.
• The approach demonstrates robustness against adversarial manipulations, maintaining near-perfect detection performance and low false positive rates under heavy graph perturbations.

Multi-view Collaborative Provenance Graph Learning is an advanced methodology for anomaly detection and cyber-threat identification in system audit logs, with a particular emphasis on adaptive recognition of complex multi-stage attacks such as Advanced Persistent Threats (APTs). This approach leverages multiple semantically distinct feature representations (“views”) of provenance graphs and integrates them through collaborative learning strategies. The principal objective is to address fundamental challenges in real-world deployment: the scarcity and diversity of labeled attack samples, the complexities of fine-grained process labeling, and the need for robust and generalizable detection across a wide spectrum of attack tactics. Multi-view collaborative learning frameworks, such as APT-MCL and MirGuard, form the basis of recent progress in provenance-based intrusion detection (Lv et al., 13 Jan 2026, Sang et al., 14 Aug 2025).

1. Provenance Graph Foundations and Multi-View Feature Extraction

Provenance graphs encode system audit trails as directed, acyclic, and attributed graphs $G = (V, E, X_V, X_E)$, capturing fine-grained causality between entities such as processes, files, registries, and network sockets. In APT-MCL, audit records are represented as $(\text{subject}, \text{action}, \text{object})$ triads. Each unique entity, assigned by the kernel, forms a node, and causal relationships materialize as labeled, timestamped edges.

Feature extraction proceeds via the construction of multiple “views” for each node:

• Structural View: 42-dimensional vector representing counts of distinct edge-type combinations (subject-object under each action), capturing node connectivity patterns and I/O bursts associated with specific attack modalities (e.g., ransomware mass file writes).
• Behavioral View: 20-dimensional Boolean vector encapsulating 16 MITRE-style indicators of compromise (IoCs) and 4 entity type flags, reflecting domain-specific suspicious actions (e.g., execution of sensitive instructions, registry modification, suspicious IP activity).

MirGuard enhances the multi-view concept by logic-aware augmentation: generating multiple semantically valid “views” of the provenance graph through controlled node/edge/feature perturbations, strictly preserving system semantics by enforcing domain-specific rules on allowable modifications (see Table 1 below for permitted augmentation types) (Sang et al., 14 Aug 2025).

Augmentation Type	Allowed Perturbation	Causal Constraint
Edge	Add/remove read/write, exec, fork, connect	Must follow system provenance logic
Node	Add/remove Process, File, Network entities	No illegal edge types introduced
Feature	Shuffle one-hot features among same-type nodes	Entity type must match

2. Unsupervised and Contrastive Node-Level Anomaly Detection

Detection models operate under severe label scarcity by treating malicious nodes as statistical outliers in high-dimensional feature spaces. APT-MCL adopts a dual-phase unsupervised procedure:

• Self-supervised Graph Neural Network (GNN) Embedding: Each feature view is encoded independently with multi-layer GNNs (GraphSAGE, GCN, GAT), supervised only by known node-type labels. The objective is to obtain contextual node embeddings $E^{(T)} \in \mathbb{R}^{|V| \times d}$ preserving both short- and long-range dependencies.
• Isolation Forest Scoring: Learned node embeddings for process nodes are input to an Isolation Forest which assigns anomaly scores $\in [0,1]$. Initial unsupervised detection employs thresholding or ranking of these scores to extract malicious candidates.

MirGuard employs a two-layer Graph Attention Network (GAT) for each augmented view, followed by contrastive alignment via the InfoNCE loss. Positive pairs are augmented views from the same graph; negatives are views from different graphs. This strategy encourages representations invariant to benign logic-aware augmentations, enhancing resistance to adversarial graph manipulation (Sang et al., 14 Aug 2025).

3. Collaborative Learning: Co-Training and Fusion Mechanisms

To mitigate the limitations of single-view anomaly models, APT-MCL utilizes a multi-view co-training framework. Initially, the most confidently scored nodes from both structural and behavioral anomaly models are harvested as pseudo-labeled “malicious” or “benign” seeds.

• Iterative Co-Training: Two view-specific supervised classifiers—one per feature view—are trained on pseudo-labeled data. High-confidence predictions from each are iteratively transferred to the other’s pool, progressively refining both classifiers in a semi-supervised fashion until the unlabeled pool is depleted.
• Fusion Schemes: The final node classification integrates the outputs of structural and behavioral models via voting (benign/malicious), soft averaging, or meta-classifier stacking. Stacking—a meta-classification layer—consistently yields the highest Macro-F1 score across evaluated datasets (Lv et al., 13 Jan 2026).

In MirGuard, multi-view representations are unified by optimizing the encoder so that embeddings for logic-preserving augmentations coincide in the latent space, increasing robustness and discriminative capacity against graph manipulation.

4. Robustness, Generalization, and Adversarial Hardening

Multi-view collaborative frameworks directly address critical provenance-based detection challenges:

• Attack Diversity and Cross-Scenario Generalization: Structural view flags attack tactics inducing anomalous graph topologies (e.g., mass I/O), while behavioral view captures subtle IoCs indicating stealthy data theft or “living-off-the-land” behavior. Multi-view fusion ensures detection resilience to shifts in attack modality (Lv et al., 13 Jan 2026).
• Label Scarcity Mitigation: Co-training leverages high-confidence unsupervised seeds, exchanging pseudo-labels across views to bootstrap semi-supervised learning without explicit APT labels, reducing both false positives and negatives.
• Adversarial Manipulation Resistance: Logic-aware augmentation in MirGuard generates only semantically valid views; contrastive training compels invariance to benign perturbations while penalizing causal inconsistencies introduced by adversarial graph manipulation (Sang et al., 14 Aug 2025).

Empirical results demonstrate that MirGuard maintains high F1 and AUC under up to 50% graph perturbation attacks, substantially outperforming baselines such as Threatrace, MAGIC, and FLASH. This suggests significant improvement in attack surface hardening for provenance-based IDS frameworks.

5. Experimental Evaluations and Quantitative Performance

APT-MCL and MirGuard are evaluated on multiple standard datasets:

• APT-MCL: DataBreach, Ransomware, and DARPA TC E3 (TRACE, THEIA, CADETS), ranging from tens of thousands to millions of entities. Malicious node fractions are consistently $<1$–3%. Evaluation splits preserve realistic scenarios of labeled scarcity.
• MirGuard: CADETS, THEIA, TRACE, Streamspot, Wget datasets, with provenance graphs manipulated via controlled perturbations to assess adversarial robustness.

Quantitative highlights for APT-MCL (Lv et al., 13 Jan 2026):

Dataset	Macro-F1 (APT-MCL)	Macro-F1 (Best Baseline)	Precision (APT-MCL)	FPR (APT-MCL)
DataBreach	0.90	0.71 (MAGIC)	0.845	0.005
Ransomware	0.743	0.771 (MAGIC)	0.828	0.013
DARPA (all)	>0.99	0.97–0.99	near-perfect	$\approx$0

MirGuard (Sang et al., 14 Aug 2025) achieves node-level detection F1 scores above 0.99 and FPR below 0.01% on CADETS, THEIA, and TRACE, and maintains high effectiveness under 50% graph manipulation attacks.

Attack	Threatrace F1	MAGIC F1	MirGuard F1	MirGuard AUC
GSPA	0.31	0.33	0.86	0.97
GFPA	0.64	0.79	0.97	0.99
CGPA	0.48	0.53	0.87	0.98

Training and inference times are within practical bounds (APT-MCL: 2,470 s total training, peak RAM 2 GB; MirGuard: 214 s training, 437 s inference per batch, ~1.5 GB RAM), confirming operational feasibility for large-scale real-world deployment.

6. Theoretical Insights, Limitations, and Future Perspectives

Multi-view collaborative provenance graph learning frameworks offer enhanced semantic coverage, robustness to label scarcity, and adversarial resistance by leveraging the intrinsic diversity of feature views and augmentations. The enforcement of domain-specific logic in augmentation (MirGuard) precludes attacker-crafted manipulations from aligning with benign embeddings, conferring notable invariance and margin separation in latent space. A plausible implication is the emergence of provenance-based IDS systems with both high precision and resilience to evasion techniques.

Current limitations include the dependence on continuous audit stream collection, potential vulnerability to highly sophisticated stealth techniques not captured by either view, and the computational cost of multi-model fusion. Future research may extend logical augmentation methodologies, optimize co-training dynamics for even lower label budgets, and generalize multi-view frameworks to cloud and IoT provenance scenarios.

7. Comparative Overview and Position in Cybersecurity Research

Multi-view collaborative provenance graph learning constitutes a significant advance beyond single-view, single-feature models and naive concatenation approaches. Both APT-MCL and MirGuard demonstrably outperform established baselines including Log2vec, MAGIC, Threatrace, and FLASH in benchmarks reflecting node-level and graph-level threat detection, cross-scenario generalization, and robustness under adversarial manipulation (Lv et al., 13 Jan 2026, Sang et al., 14 Aug 2025). The multi-view paradigm, whether attained via explicit feature engineering and co-training (APT-MCL) or through logic-aware, contrastively aligned augmentations (MirGuard), is now recognized as fundamental to the next generation of provenance-based intrusion detection systems, with demonstration of practical, scalable, and robust deployment potential.