Advanced persistent threat detection through multi-modal behavioral analysis
RESEARCH ARTICLE
Advanced persistent threat detection through
multi-modal behavioral analysis
Adel Alshamrani *
Department of Cybersecurity, College of Computer Science and Engineering, University of Jeddah,
Jeddah, Saudi Arabia
OPEN ACCESS
Citation: Alshamrani A (2026) Advanced persistent threat detection through multimodal behavioral analysis. PLoS One 21(6): e0349607. https://doi.org/10.1371/journal.pone.0349607
Editor: Abul Bashar, Prince Mohammad Bin Fahd University, SAUDI ARABIA
Received: August 1, 2025
Accepted: May 3, 2026
Published: June 2, 2026
Copyright: © 2026 Adel Alshamrani. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
Data availability statement: The data is available here: https://doi.org/10.1184/R1/12841247.
Funding: The author(s) received no specific funding for this work.
Competing interests: The authors have declared that no competing interests exist.
Abstract
Advanced Persistent Threats (APTs) represent sophisticated cyberattacks characterized by stealth, persistence, and evasion of traditional detection mechanisms. We observed that APT behaviors during lateral movement and data exfiltration share notable similarities with insider threat activities, leading us to explore cross-domain learning opportunities. This paper introduces a novel machine learning approach leveraging the CERT Insider Threat Dataset to simulate and detect APT behaviors through AI-augmented analytics. Our methodology integrates multi-modal data analysis, language model-driven behavioral understanding, and advanced machine learning to create realistic APT simulations from insider threat data. We developed three key technical components: a multi-agent language model architecture for log analysis, temporal sequence modeling for behavioral pattern recognition, and deep evidential clustering for uncertainty-aware threat detection that reduces false positives. Our research contributes four advances: a novel methodology for simulating APT patterns using insider threat data, an AI-enhanced multi-modal approach processing structured logs and communications, superior performance compared to existing methods, and practical deployment guidelines for enterprise environments. Experimental results achieved 96.3% detection accuracy while reducing false positives by 42% compared to state-of-the-art methods. Our system successfully simulates realistic APT scenarios across attack stages while providing interpretable explanations through natural language generation. The integration of large language models enables sophisticated analysis of unstructured data sources, offering contextual understanding beyond traditional approaches. This research addresses a critical gap for organizations seeking enhanced APT detection without extensive APT-specific training data. Our approach's ability to learn from insider threat patterns while maintaining high accuracy makes it valuable for enterprise security operations and threat hunting teams facing resource constraints.
PLOS One | https://doi.org/10.1371/journal.pone.0349607 June 2, 2026
1 / 33
1 Introduction
The cybersecurity landscape has undergone a fundamental transformation over the
past decade, with Advanced Persistent Threats (APTs) emerging as one of the most
formidable challenges facing organizations worldwide. Unlike traditional cyberattacks
that focus on immediate exploitation and quick extraction of value, APTs are characterized by their sophisticated, multi-stage approach that can persist undetected
within target networks for months or even years [1]. The 2020 SolarWinds supply
chain attack exemplifies the devastating potential of APTs: a trojanized Orion update
reached up to 18,000 customers, including major U.S. government agencies, and the
intrusion remained undetected for over nine months [2]. Similarly, recent campaigns such as APT-C-36 (Blind
Eagle) have demonstrated the evolving sophistication of threat actors who employ
advanced social engineering, fileless malware techniques, and living-off-the-land
strategies to maintain long-term presence in compromised networks [3].
APT attacks have evolved dramatically, driven by several interconnected factors.
State-sponsored groups and well-funded criminal organizations now possess unprecedented resources, enabling them to develop sophisticated techniques that slip past
conventional defenses [4]. Meanwhile, our increasingly complex IT infrastructure,
with its cloud services, remote work tools, and IoT devices, has created an expanded
attack surface that these actors eagerly exploit. Digital transformation has further
complicated matters by distributing critical data across multiple systems and locations, making comprehensive protection increasingly challenging [5].
The shift toward digital transformation has fundamentally altered the way organizations store, process, and transmit sensitive information. Critical business data is now
distributed across multiple systems, cloud platforms, and geographic locations, making it increasingly difficult to monitor and protect comprehensively [6]. This distributed
nature of modern IT environments provides APT actors with numerous opportunities
to establish footholds, move laterally through networks, and exfiltrate valuable data
without triggering traditional security controls.
Among the various phases of APT attacks, lateral movement represents a critical
stage where attackers, having gained initial access to a target network, systematically explore and expand their presence to achieve their ultimate objectives [7]. The
MITRE ATT&CK framework defines lateral movement as the techniques that adversaries use to enter and control remote systems on a network, often involving the use
of legitimate credentials and administrative tools to avoid detection [8]. This phase is
particularly challenging for security teams because lateral movement activities often
appear indistinguishable from legitimate administrative activities, making detection
extremely difficult using traditional signature-based approaches.
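The point that lateral movement hides inside ordinary credential use is easiest to see with a concrete baseline check. The following Python is an added example, not code from the paper: it reads constructed records in the layout of the CERT dataset's logon.csv (id,date,user,pc,activity; the rows below are invented for illustration) and contrasts a fixed-threshold rule with a per-user behavioral baseline on distinct hosts per day and never-before-seen hosts. The parameters (three standard deviations, a minimum jump of two hosts, three days of history) are assumptions chosen for the demonstration, not values from the paper.

```python
"""Per-user baseline check for lateral-movement-like logon fan-out.
Added example (not the paper's code). Input rows follow the CERT
insider-threat logon.csv layout: id,date,user,pc,activity."""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample (invented rows, not real CERT data). ACM2278 is a desk user
# who hops across five new hosts one night; HDB1666 is a helpdesk user who
# legitimately touches two or three hosts every day.
SAMPLE_LOGONS = """id,date,user,pc,activity
{L01},01/04/2010 08:02:00,ACM2278,PC-1001,Logon
{L02},01/04/2010 17:31:00,ACM2278,PC-1001,Logoff
{L03},01/05/2010 08:10:00,ACM2278,PC-1001,Logon
{L04},01/05/2010 13:40:00,ACM2278,PC-1002,Logon
{L05},01/06/2010 07:58:00,ACM2278,PC-1001,Logon
{L06},01/08/2010 08:01:00,ACM2278,PC-1001,Logon
{L07},01/08/2010 15:20:00,ACM2278,PC-1002,Logon
{L08},01/11/2010 08:04:00,ACM2278,PC-1001,Logon
{L09},01/11/2010 22:05:00,ACM2278,PC-2210,Logon
{L10},01/11/2010 22:09:00,ACM2278,PC-2211,Logon
{L11},01/11/2010 22:14:00,ACM2278,PC-2212,Logon
{L12},01/11/2010 22:21:00,ACM2278,PC-2213,Logon
{L13},01/11/2010 22:30:00,ACM2278,PC-2214,Logon
{H01},01/04/2010 09:00:00,HDB1666,PC-3001,Logon
{H02},01/04/2010 10:30:00,HDB1666,PC-3002,Logon
{H03},01/04/2010 14:00:00,HDB1666,PC-3003,Logon
{H04},01/05/2010 09:05:00,HDB1666,PC-3001,Logon
{H05},01/05/2010 11:00:00,HDB1666,PC-3004,Logon
{H06},01/06/2010 09:00:00,HDB1666,PC-3001,Logon
{H07},01/06/2010 10:00:00,HDB1666,PC-3002,Logon
{H08},01/06/2010 15:00:00,HDB1666,PC-3005,Logon
{H09},01/08/2010 09:00:00,HDB1666,PC-3001,Logon
{H10},01/08/2010 13:00:00,HDB1666,PC-3002,Logon
{H11},01/11/2010 09:00:00,HDB1666,PC-3001,Logon
{H12},01/11/2010 11:00:00,HDB1666,PC-3003,Logon
{H13},01/11/2010 14:00:00,HDB1666,PC-3005,Logon
"""


def parse_logons(text):
    """Return Logon events as (timestamp, user, pc), oldest first; Logoff rows are dropped."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["activity"] != "Logon":
            continue
        ts = datetime.strptime(row["date"], "%m/%d/%Y %H:%M:%S")
        events.append((ts, row["user"], row["pc"]))
    events.sort()
    return events


def daily_host_sets(events):
    """Map user -> list of (day, set of distinct hosts logged on to), in day order."""
    per_user = defaultdict(lambda: defaultdict(set))
    for ts, user, pc in events:
        per_user[user][ts.date()].add(pc)
    return {user: sorted(days.items()) for user, days in per_user.items()}


def static_rule(daily, max_hosts=2):
    """Signature-style rule: any user-day touching more than max_hosts hosts is an alert."""
    return [(user, str(day), len(pcs))
            for user, days in daily.items()
            for day, pcs in days if len(pcs) > max_hosts]


def behavioral_rule(daily, min_history=3, sigmas=3.0, min_jump=2.0):
    """Per-user baseline (assumed parameters): alert when today's distinct-host count
    exceeds the user's own historical mean by max(sigmas * stdev, min_jump), and
    report how many of today's hosts the user had never logged on to before."""
    alerts = []
    for user, days in daily.items():
        history, seen_hosts = [], set()
        for day, pcs in days:
            count = len(pcs)
            if len(history) >= min_history:
                mean = statistics.fmean(history)
                threshold = mean + max(sigmas * statistics.pstdev(history), min_jump)
                if count >= threshold:
                    alerts.append({"user": user, "day": str(day), "hosts": count,
                                   "novel_hosts": len(pcs - seen_hosts),
                                   "baseline_mean": round(mean, 2),
                                   "threshold": round(threshold, 2)})
            history.append(count)
            seen_hosts |= pcs
    return alerts


if __name__ == "__main__":
    daily = daily_host_sets(parse_logons(SAMPLE_LOGONS))
    print("static rule alerts:", static_rule(daily))
    print("behavioral alerts:", behavioral_rule(daily))
```

On the constructed rows the fixed threshold fires three times on the helpdesk user, who is behaving normally, and once on the real fan-out; the per-user baseline fires only on ACM2278's night of five previously unseen hosts. That gap between a global rule and a per-entity baseline is the false-positive problem the paragraph describes, and the never-seen-host count is the kind of temporal feature a sequence model can consume directly.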
Recent advances in Large Language Models (LLMs) have opened new possibilities for cybersecurity applications, particularly in the areas of log analysis,
behavioral understanding, and threat detection [9]. LLMs possess the ability to
understand complex textual patterns, temporal relationships, and contextual information that traditional machine learning approaches struggle to capture. In the
context of cybersecurity, LLMs can analyze unstructured data sources such as email
communications, system logs, and documentation to identify subtle indicators of malicious activity that might otherwise go
unnoticed [10].
The integration of LLMs with traditional machine learning approaches, as shown in Fig 1 offers several advan (...truncated)