
A Source Domain is All You Need: Source-Only Cross-OS Transfer Learning for APT Anomaly Detection via Semantic Alignment and Optimal Transport

Source: arXiv – CS AI | Authors: Sidahmed Benabderrahmane, Petko Valtchev, James Cheney, Talal Rahwan

AI Summary

Researchers propose a novel framework for detecting Advanced Persistent Threats (APTs) across different operating systems without labeled target data, using semantic embeddings and Optimal Transport theory. The source-only approach combines language models, graph autoencoders, and transport-based anomaly scoring to identify malicious processes in cross-OS environments, demonstrating improved detection performance across Linux, Windows, BSD, and Android platforms.

Analysis

This research addresses a critical gap in cybersecurity: detecting sophisticated cyberattacks when deploying threat detection systems across different operating systems without access to labeled target data. Traditional anomaly detection methods struggle with severe class imbalance and scarce labeled examples, making cross-platform deployment particularly challenging. The proposed framework leverages semantic abstraction by converting system-level provenance traces into natural-language descriptions, enabling knowledge transfer across architecturally diverse platforms.

The technical innovation centers on combining three complementary detection signals: semantic deviation measured with pretrained language models, structural deviation measured with graph autoencoders, and geometric deviation measured via Optimal Transport. The Optimal Transport component is the most novel part: it projects target embeddings onto the source-normal manifold and uses the transport cost to quantify how anomalous each target process is, without requiring any target-domain supervision. The researchers further extend this with entropy-weighted, angle-aware, and density-aware OT variants to capture uncertainty and behavioral patterns.
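As an added illustration of the transport-based scoring idea described above (this is not code from the paper or its authors): entropy-regularised OT via the Sinkhorn algorithm between a constructed target embedding cloud and a constructed source-normal cloud, scoring each target process by the expected ground cost of moving its embedding onto the source-normal set, with the entropy of its plan row as an uncertainty signal. The 2-D embeddings, process names and the exact scoring function are assumptions made for the example, not the paper's.

```python
import math

# Constructed toy embeddings (assumption: 2-D "semantic" vectors of processes).
# Source-normal processes cluster near the origin; the target domain holds
# three benign processes plus one that sits far from the source-normal manifold.
SOURCE_NORMAL = [(0.0, 0.0), (0.2, 0.1), (-0.1, 0.3), (0.1, -0.2), (0.3, 0.2)]
TARGET = {"cron": (0.1, 0.1), "sshd": (-0.2, 0.2), "bash": (0.2, -0.1), "susp": (3.0, 2.5)}

def cost_matrix(xs, ys):
    """Squared Euclidean ground cost between every target and source point."""
    return [[sum((a - b) ** 2 for a, b in zip(x, y)) for y in ys] for x in xs]

def sinkhorn(C, eps=0.5, iters=500):
    """Entropy-regularised OT plan between uniform marginals (Sinkhorn-Knopp)."""
    n, m = len(C), len(C[0])
    a, b = [1.0 / n] * n, [1.0 / m] * m
    K = [[math.exp(-c / eps) for c in row] for row in C]   # Gibbs kernel
    u, v = [1.0] * n, [1.0] * m
    for _ in range(iters):
        u = [a[i] / sum(K[i][j] * v[j] for j in range(m)) for i in range(n)]
        v = [b[j] / sum(K[i][j] * u[i] for i in range(n)) for j in range(m)]
    return [[u[i] * K[i][j] * v[j] for j in range(m)] for i in range(n)]

def transport_scores(target, source_normal, eps=0.5):
    """Per-process score = expected ground cost of moving that target embedding
    onto the source-normal cloud under the OT plan (plan row renormalised to a
    distribution). The row's entropy is kept as an uncertainty signal: mass
    spread thinly over many source points means a less confident projection."""
    names = list(target)
    C = cost_matrix([target[n] for n in names], source_normal)
    P = sinkhorn(C, eps)
    out = {}
    for i, name in enumerate(names):
        row_sum = sum(P[i])
        probs = [p / row_sum for p in P[i]]
        cost = sum(p * c for p, c in zip(probs, C[i]))
        entropy = -sum(p * math.log(p) for p in probs if p > 0)
        out[name] = {"cost": cost, "entropy": entropy}
    return out

def rank_anomalies(target, source_normal, eps=0.5):
    """Process names ordered from most to least anomalous by transport cost."""
    scores = transport_scores(target, source_normal, eps)
    return sorted(scores, key=lambda n: scores[n]["cost"], reverse=True)

if __name__ == "__main__":
    for name, s in transport_scores(TARGET, SOURCE_NORMAL).items():
        print(f"{name:5s} cost={s['cost']:.3f} entropy={s['entropy']:.3f}")
```

The far-away process receives a transport cost two orders of magnitude above the benign ones even though no target label was used; in a real deployment the embeddings would come from the semantic and graph encoders rather than hand-placed points.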

For cybersecurity practitioners and enterprises, this research offers practical implications. Organizations can train APT detectors on one platform and deploy them across heterogeneous environments without expensive data labeling campaigns. The demonstrated improvements in ROC-AUC and nDCG metrics across twelve cross-OS transfer pairs suggest the framework handles real-world complexity effectively.

The work represents a meaningful advancement in domain adaptation for security, though deployment success depends on the quality of underlying provenance data and the generalizability of semantic descriptions across OS architectures. Future work should explore integration with existing security infrastructure and validation against zero-day APT campaigns.

Key Takeaways
  • Framework enables APT detection across operating systems without target-domain labeled data, reducing deployment costs.
  • Semantic abstraction using language models enables knowledge transfer between structurally different platforms.
  • Optimal Transport-based scoring quantifies anomalies by projecting target behavior onto source-normal manifolds.
  • Evaluation on DARPA data across Linux, Windows, BSD, and Android demonstrates practical cross-platform effectiveness.
  • Entropy-weighted and density-aware variants capture uncertainty and sparse-support malicious behavior patterns.
Read the original via arXiv – CS AI