A pattern-aware LSTM-based approach for APT detection leveraging a realistic dataset for critical infrastructure security

  • Eider Iturbe*
  • Christos Dalamagkas
  • Panagiotis Radoglou-Grammatikis
  • Erkuden Rios
  • Nerea Toledo

  *Corresponding author for this work

Research output: Contribution to journal, Article, peer-review


Abstract

Advanced Persistent Threats (APTs) represent some of the most sophisticated and coordinated cyberattacks, often targeting critical infrastructure with stealthy, multi-stage techniques. Despite the availability of numerous intrusion detection datasets, most fail to capture the sequential and strategic nature of APT campaigns as outlined in frameworks like MITRE ATT&CK. This paper introduces a novel dataset based on a realistic emulation of the Sandworm APT group targeting the Supervisory Control and Data Acquisition (SCADA) system of a Wide Area Measurement System (WAMS). The dataset captures the full lifecycle of an APT attack, from initial access to impact, in a structured and time-ordered manner, enabling the study of both atomic and multi-step intrusion behaviours. We train and evaluate supervised multiclass sequence-aware models, specifically Long Short-Term Memory (LSTM) and Bidirectional LSTM (BiLSTM) architectures, to detect these behaviours using network flow data, assessing their performance and analysing their strengths and limitations. Our results show that BiLSTM models offer greater stability and generalization, while LSTM models achieve competitive performance with optimal configurations. These findings highlight the importance of realistic, sequence-aware datasets for developing robust intrusion detection systems tailored to modern APT threats.

Original language: English
Article number: 108308
Journal: Future Generation Computer Systems
Volume: 178
DOIs
Publication status: Published - May 2026

Keywords

  • Advanced persistent threat
  • APT
  • Dataset
  • Intrusion detection
  • LSTM
  • Multi-stage attack
