Tidal: Tackling Concept Drift in Provenance-Based Advanced Persistent Threats Detection
Yajie Zhou
Nengneng Yu
Tuo Zhao
Zaoxing Liu
Abstract
Advanced Persistent Threats (APTs) pose significant challenges to
cybersecurity due to their evolving nature and ability to evade detection.
We introduce Tidal, a provenance-based intrusion detection system (PIDS)
designed to address concept drift in APT detection. Tidal uses a modified
Transformer architecture tailored for transfer learning: a Multi-head
Transformer (MHT) with shared layers that capture common knowledge and
task-specific head layers that capture the patterns unique to each task. A
pre-training and fine-tuning workflow achieves high post-drift adaptation and
retention accuracy. Compared to state-of-the-art detection systems, Tidal
achieves an average of 27% higher recall and 31% higher precision with only
half of the new training data for post-drift adaptation.
Type: Publication
In New Ideas in Networked Systems (NINeS) 2026