Adaptive Detection of Advanced Persistent Threats (APT) With Graph Neural Networks and Rehearsal-Based Continual Learning on Wazuh EDR Telemetry

Publisher

IEEE Access

Abstract

In the rapidly evolving cybersecurity landscape, Advanced Persistent Threats (APTs) pose major challenges due to their stealthy and adaptive behavior. Traditional detection methods based on signatures or heuristics are limited in identifying novel and evolving attacks, while static deep learning models suffer from concept drift and catastrophic forgetting, leading to degraded performance over time. This paper proposes an adaptive APT detection framework that integrates Graph Neural Networks (GNNs) with rehearsal-based continual learning using telemetry data from Wazuh, an open-source Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) platform. Endpoint telemetry is represented as graphs where nodes denote system components and edges describe behavioral interactions among them. Experimental evaluations on real-world Wazuh telemetry augmented with sandbox-executed APT scenarios demonstrate that the proposed approach consistently achieves F1-scores above 0.98, outperforming static and fine-tuned baselines in both adaptability and knowledge retention. These results confirm that combining graph-based representations with continual learning offers a scalable, interpretable, and resilient solution for modern SOC and EDR environments facing advanced and evolving cyber threats.
