Neurosymbolic Learning for Advanced Persistent Threat Detection under Extreme Class Imbalance

This paper proposes a neurosymbolic architecture combining an optimized BERT model with Logic Tensor Networks and specialized imbalance-mitigation techniques to achieve high-performance, explainable detection of Advanced Persistent Threats in wireless IoT networks, demonstrating a 95.27% binary F1 score and 0.14% false positive rate on the SCVIC-APT2021 dataset.

Quhura Fathima, Neda Moghim, Mostafa Taghizade Firouzjaee, Christo K. Thomas, Ross Gore, Walid Saad

Published 2026-03-03

Imagine you are the security guard for a massive, bustling city made entirely of smart devices (like smart thermostats, industrial sensors, and connected cameras). This is the Internet of Things (IoT).

Your job is to spot a very specific type of criminal: the Advanced Persistent Threat (APT). Unlike a common thief who breaks a window and runs away, an APT is a master spy. They sneak in quietly, blend in with the crowd, move from building to building, and steal secrets over weeks or months without anyone noticing.

The problem? The city is huge. For every one spy, there are 98 normal, innocent citizens. If you try to spot the spy by just looking for "weird behavior," your computer brain gets overwhelmed by the sheer number of normal people. It's like trying to find a single red needle in a haystack of a billion blue needles.

This paper introduces a new security system called Neurosymbolic Learning (specifically BERT-LTN) to solve this. Here is how it works, broken down into simple concepts:

1. The Problem: The "Needle in a Haystack" and the "Black Box"

Traditional security systems are like brute-force scanners. They look at everything and try to guess if it's bad.

  • The Imbalance Issue: Because 98% of traffic is normal, these systems get lazy. They just say "Everything is fine" all the time because that's statistically correct most of the time. They miss the spies.
  • The Black Box Issue: Even when they do catch a spy, they can't explain why. It's like a guard shouting, "Stop that person!" but having no idea which rule they broke. In a real security situation, you need to know why to trust the alarm.
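One common way to fight the imbalance issue is to re-weight the training loss so rare attack samples count for as much as the benign majority. The paper uses its own imbalance-mitigation recipe; the sketch below is just one standard technique (inverse-frequency class weights), with illustrative names, not the authors' code:

```python
from collections import Counter

def inverse_frequency_weights(labels):
    """Weight each class inversely to its frequency, so rare attack
    classes contribute as much to the loss as the normal majority.
    (Illustrative; the paper's exact mitigation recipe may differ.)"""
    counts = Counter(labels)
    total = len(labels)
    n_classes = len(counts)
    return {cls: total / (n_classes * n) for cls, n in counts.items()}

# A 98:2 normal-to-attack split, echoing the "one spy per 98 citizens" analogy.
labels = ["normal"] * 98 + ["apt"] * 2
weights = inverse_frequency_weights(labels)
# Rare "apt" samples end up weighted ~49x more than "normal" ones,
# so the model can no longer win by always answering "everything is fine".
```

These weights would typically be passed to a weighted cross-entropy loss during training.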

2. The Solution: A Two-Part Detective Team

The authors created a hybrid system that combines two types of "brains":

Part A: The Pattern Recognizer (BERT)

Think of BERT as a super-smart, experienced detective who has read millions of books.

  • How it works: It looks at the flow of data (like the size of packages, how fast they move, and the time between them) and tries to find complex patterns. It's great at saying, "Hey, this sequence of events feels suspicious."
  • The Twist: Usually, this detective is a "black box." You don't know what it's looking at. But in this system, the authors forced the detective to show its work.

Part B: The Logic Teacher (LTN)

Think of LTN as a strict logic teacher who speaks in clear rules.

  • How it works: Instead of just guessing, this part uses logic statements like: "If the data packet is huge AND the port is unusual, THEN it is likely an attack."
  • The Magic: It teaches the detective (BERT) to pay attention to specific clues that make sense to humans. It ensures the detective isn't just guessing based on random noise, but is actually following logical rules.
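The "logic teacher" idea can be made concrete with fuzzy logic: each rule gets a truth degree between 0 and 1, and because that degree is differentiable, violating a rule can be penalized during training. Below is a minimal sketch of one such rule using the product t-norm and the Reichenbach implication, two common choices in LTN-style systems; the feature names are assumptions for illustration, not the paper's actual predicates:

```python
def fuzzy_and(a, b):
    # Product t-norm: high only when both conditions are strongly true.
    return a * b

def fuzzy_implies(premise, conclusion):
    # Reichenbach implication: low when the premise holds
    # but the conclusion does not.
    return 1.0 - premise + premise * conclusion

def rule_satisfaction(big_packet, odd_port, attack_score):
    """Truth degree (in [0, 1]) of the rule:
    'IF the packet is huge AND the port is unusual, THEN it is an attack'.
    All inputs are fuzzy truth values in [0, 1]."""
    return fuzzy_implies(fuzzy_and(big_packet, odd_port), attack_score)
```

A training loss like `1 - rule_satisfaction(...)` would then nudge the network toward predictions that keep the rule true, which is what ties the pattern recognizer to human-readable logic.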

3. The Strategy: The "Two-Stage Filter"

Since the spies are so rare, the system uses a clever two-step process to avoid getting overwhelmed:

  • Stage 1: The Bouncer (Binary Detection)
    The system first asks a simple question: "Is this a normal citizen or a potential spy?"

    • It ignores the tiny details and just looks for the big red flags.
    • If it says "Normal," the person walks right through.
    • If it says "Suspicious," they get pulled aside for a deeper check.
    • Why this helps: It filters out 98% of the innocent crowd immediately, so the system doesn't waste energy on them.
  • Stage 2: The Interrogator (APT Categorization)
    For the people pulled aside, and only them, the system asks: "Okay, what kind of spy is this?"

    • Is it a Reconnaissance spy (scouting the area)?
    • Is it a Data Exfiltration spy (stealing files)?
    • Is it a Lateral Movement spy (moving between buildings)?
    • Why this helps: Now the system only has to distinguish between different types of spies, which is much easier than distinguishing spies from innocent people.
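The two-stage filter above is a simple cascade: a cheap binary gate first, a finer-grained categorizer only for what gets flagged. A minimal sketch, with toy stand-in classifiers in place of the paper's BERT-LTN models (the flow fields and thresholds here are invented for illustration):

```python
def two_stage_detect(flow, binary_clf, apt_clf):
    """Stage 1 (the bouncer): a binary gate waves benign traffic through.
    Stage 2 (the interrogator): only flagged flows get categorized."""
    if binary_clf(flow) == "normal":
        return "normal"        # the ~98% innocent crowd stops here
    return apt_clf(flow)       # name the APT stage: recon, exfiltration, ...

# Toy stand-ins, NOT the paper's models: flag flows with huge forward
# packets, then label the flagged ones by how much data leaves the network.
binary = lambda f: "suspicious" if f["fwd_pkt_size"] > 1000 else "normal"
categorize = lambda f: ("exfiltration" if f["bytes_out"] > 1_000_000
                        else "lateral-movement")

print(two_stage_detect({"fwd_pkt_size": 40, "bytes_out": 0},
                       binary, categorize))        # a normal citizen
print(two_stage_detect({"fwd_pkt_size": 1500, "bytes_out": 2_000_000},
                       binary, categorize))        # a data-exfiltration spy
```

The design win is that the expensive multi-class model never sees the overwhelming benign majority, so it only has to tell spies apart from other spies.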

4. The Results: Fast, Accurate, and Honest

The authors tested this system on a real dataset of IoT traffic. Here is what they found:

  • It rarely cries wolf: It has an incredibly low False Positive Rate (0.14%). This means if the alarm goes off, you can be almost 100% sure it's real. This is crucial because if a security system screams "Fire!" every time someone opens a door, people will stop listening to it.
  • It catches the spies: It scored a 95.27% F1 on binary detection, meaning it found the vast majority of real attacks while raising almost no false alarms.
  • It explains itself: This is the biggest win. Because of the "Logic Teacher" (LTN), the system can tell you exactly why it flagged someone.
    • Example: "I flagged this because the 'Forward Packet Size' was huge, and the 'PSH Flag' was weird."
    • This allows human security experts to trust the system and understand the attack without needing a PhD in AI.
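The false positive rate quoted above has a simple definition: of all the genuinely benign flows, what fraction did the system wrongly flag? A short sketch of the metric (toy numbers, not the paper's data):

```python
def false_positive_rate(y_true, y_pred):
    """FPR = false alarms / all benign flows, i.e. how often the guard
    shouts 'spy!' at an innocent citizen. Labels: 0 = benign, 1 = attack."""
    false_alarms = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    benign_total = sum(1 for t in y_true if t == 0)
    return false_alarms / benign_total

# Toy example: 4 benign flows, 1 wrongly flagged -> FPR = 25%.
# At the paper's reported 0.14%, that same guard would wrongly flag
# roughly 1 in every 700 innocent flows.
print(false_positive_rate([0, 0, 0, 0, 1], [0, 1, 0, 0, 1]))
```

Keeping this number tiny is what makes the alarm worth listening to: operators tune out systems that cry wolf.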

The Big Picture

Imagine a security system that doesn't just scream "Danger!" but instead hands you a report saying: "I stopped this person because they were carrying a backpack that was 50% heavier than normal, and they were walking in a zig-zag pattern."

This paper proves that by combining a pattern-matching AI (which is good at spotting weirdness) with logical rules (which are good at explaining things), we can build security systems that are not only smart enough to catch the most elusive hackers but also transparent enough for humans to trust and use in the real world.
