A Source Domain is All You Need: Source-Only Cross-OS Transfer Learning for APT Anomaly Detection via Semantic Alignment and Optimal Transport
The article presents a framework for source-only cross-operating-system (cross-OS) anomaly detection of Advanced Persistent Threats (APTs) from system-level provenance traces. Process behaviours are embedded with pretrained language models, and an Optimal Transport (OT) based ranking mechanism scores each process by how far its behaviour deviates from the source-domain "normal" prototypes. Evaluation on DARPA Transparent Computing data shows significant improvements in ROC-AUC and nDCG, indicating that the method detects APT activity across OS platforms without any target-domain labels, a practical advantage for defenders, who rarely have labeled attack data for every platform they monitor.
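To make the scoring and evaluation pipeline concrete, the following is an added illustrative example, not code from the paper or its authors. It assumes a simplified version of the idea: each target-OS process is a small point cloud of event embeddings, the source-OS "normal" behaviour is a set of prototype vectors, and the anomaly score is the entropic optimal-transport (Sinkhorn) cost of moving the prototype distribution onto the process's events. The paper's exact transport-based ranking mechanism is not published here, so the score definition, the constructed 2-d embeddings (standing in for pretrained-LM embeddings), the process names and the labels are all assumptions of this example. It then ranks processes and computes ROC-AUC and nDCG, the two metrics the article reports.

```python
"""Added illustrative example (not the paper's code): score target-OS processes
against source-OS "normal" prototypes with entropic optimal transport (Sinkhorn),
rank them by OT cost, and evaluate the ranking with ROC-AUC and nDCG.
All embeddings below are constructed 2-d toy vectors standing in for the
pretrained-language-model embeddings the paper derives from provenance traces."""
import math


def sq_dist(a, b):
    """Squared Euclidean distance between two equal-length vectors."""
    return sum((x - y) ** 2 for x, y in zip(a, b))


def sinkhorn_cost(source_pts, target_pts, eps=0.1, iters=300):
    """Entropic OT cost <P, C> between two uniform point clouds.

    C is the squared-distance matrix; eps is the entropic regularisation as a
    fraction of max(C), so the kernel exp(-C/eps) never underflows to zero.
    Returns the transport cost in the original (unnormalised) cost units.
    """
    n, m = len(source_pts), len(target_pts)
    C = [[sq_dist(s, t) for t in target_pts] for s in source_pts]
    c_max = max(max(row) for row in C) or 1.0
    K = [[math.exp(-c / (eps * c_max)) for c in row] for row in C]
    a, b = [1.0 / n] * n, [1.0 / m] * m        # uniform marginals
    u, v = [1.0] * n, [1.0] * m
    for _ in range(iters):                     # Sinkhorn scaling updates
        u = [a[i] / sum(K[i][j] * v[j] for j in range(m)) for i in range(n)]
        v = [b[j] / sum(K[i][j] * u[i] for i in range(n)) for j in range(m)]
    return sum(u[i] * K[i][j] * v[j] * C[i][j] for i in range(n) for j in range(m))


def anomaly_scores(prototypes, processes):
    """Score each target process by the OT cost from the source-normal
    prototypes to the process's own event embeddings (higher = more anomalous)."""
    return {name: sinkhorn_cost(prototypes, events) for name, events in processes.items()}


def rank(scores):
    """Process names sorted most-anomalous first."""
    return sorted(scores, key=lambda k: -scores[k])


def roc_auc(scores, labels):
    """Rank-based ROC-AUC: P(score(pos) > score(neg)); ties count one half."""
    pos = [scores[k] for k in scores if labels[k] == 1]
    neg = [scores[k] for k in scores if labels[k] == 0]
    wins = sum(1.0 if p > q else 0.5 if p == q else 0.0 for p in pos for q in neg)
    return wins / (len(pos) * len(neg))


def ndcg(scores, labels, k=None):
    """Normalised discounted cumulative gain of the score ranking (binary relevance)."""
    order = rank(scores)
    k = k or len(order)
    dcg = sum(labels[name] / math.log2(r + 2) for r, name in enumerate(order[:k]))
    ideal = sorted(labels.values(), reverse=True)
    idcg = sum(rel / math.log2(r + 2) for r, rel in enumerate(ideal[:k]))
    return dcg / idcg if idcg else 0.0


# Constructed data (assumption of this example). Prototypes: three "normal"
# behaviour centroids from the source OS. Processes: event-embedding sets seen on
# the unlabelled target OS; LABELS is ground truth used only for evaluation.
PROTOTYPES = [[0.0, 0.0], [1.0, 0.0], [0.0, 1.0]]
PROCESSES = {
    "normal_a": [[0.1, 0.0], [0.9, 0.1], [0.0, 1.1]],
    "normal_b": [[0.0, 0.1], [1.0, 0.0]],
    "normal_c": [[0.05, 0.05], [1.05, -0.05], [-0.05, 0.95], [0.1, 0.1]],
    "apt_lateral": [[4.0, 4.0], [5.0, 4.0], [0.1, 0.0]],   # mostly unseen behaviour
    "apt_stealthy": [[3.0, 0.0], [0.0, 3.0], [1.0, 0.0]],  # partly normal, partly not
}
LABELS = {n: int(n.startswith("apt")) for n in PROCESSES}


def evaluate():
    """Score, rank and evaluate; returns (ranking, roc_auc, ndcg)."""
    scores = anomaly_scores(PROTOTYPES, PROCESSES)
    return rank(scores), roc_auc(scores, LABELS), ndcg(scores, LABELS)


if __name__ == "__main__":
    ranking, auc, g = evaluate()
    print("ranking:", ranking)
    print(f"ROC-AUC={auc:.3f} nDCG={g:.3f}")
```

Two design points matter in practice. First, the OT cost is only a meaningful anomaly measure if source prototypes and target events live in the same embedding space; that is what the semantic alignment in the title has to guarantee when the target is a different OS, since a raw syscall name on Windows and on Linux would otherwise never be "close". Second, because the score is a full transport cost rather than a nearest-prototype distance, a process that is mostly normal but carries a minority of unseen events (the `apt_stealthy` case above) still ranks above purely normal processes, which is the behaviour a ranking metric such as nDCG rewards.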