Advanced　persistent　threats　(APTs)　are　a　significant　threat　to　network　security　as　they　can　disintegrate　the　security　fortress　of　enterprises.　Recent　studies　have　focused　on　detecting　APT　attacks　by　matching　typical　tactics,　techniques,　and　procedures　(TTPs)　associated　with　APT　attacks.　However,　the　lack　of　positive　APT　samples　affects　the　performance　of　existing　approaches.　To　address　this　challenge,　we　propose　a　novel　attack　intent-driven　and　sequence-based　learning　approach　(AISL)　for　APT　detection.　AISL　integrates　heterogeneous　audit　data　and　creates　corresponding　security　tags　based　on　attack　intent.　Specifically,　we　investigate　various　data　sources　of　attack　detection　and　establish　a　dedicated　network　event　ontology.　Based　on　this　ontology,　we　construct　a　provenance　graph　that　integrates　audit　data　from　heterogeneous　sources.　During　the　construction　of　the　provenance　graph,　we　identify　and　tag　potential　attack　behaviors　based　on　attack　intent　to　increase　the　number　of　positive　samples　in　the　dataset.　Finally,　we　train　a　tag-sequence-based　semantic　model　for　APT　detection.　We　evaluated　AISL　through　ten　realistic　APT　attacks　and　achieved　an　average　precision　of　93.05%,　recall　of　98.12%,　and　F1-score　of　95.36%,　outperforming　state-of-the-art　approaches.　©　2024　Elsevier　Ltd