Abstract:
To improve detection accuracy, a method is proposed for identifying APT attacks during the foothold phase of the APT attack lifecycle. In addition to the original PE view features, activity behavior features and similarity features are proposed. Because the behavior of an APT in the foothold phase is strongly temporally ordered, an LSTM is chosen as the base model. To distinguish the importance of different features, the LSTM is extended with an attention mechanism layer, yielding an A-LSTM model that detects the APT in the foothold phase more effectively and accurately. Comparative experiments on a specific APT dataset show that the proposed A-LSTM model reaches an accuracy of 90.06%, a significant improvement over the existing benchmark model.
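The abstract names the architecture but not its equations, so the following is an added illustration (not the paper's code or trained model) of what "an LSTM with an attention layer on top" computes: each timestep carries one feature vector for an observed step of the foothold phase, a minimal LSTM turns the sequence into per-step hidden states, and an additive attention layer (score_t = v_a . tanh(W_a h_t), weights softmax-normalised over time) pools them into a single context vector that a logistic output classifies. The attention weights are the part that makes some steps count more than others. Everything here is an assumption for illustration: the three-dimensional inputs standing in for the PE-view, activity-behavior and similarity feature families, the constant untrained weights, the sample sequence, and the choice of additive attention over timesteps; the paper may score features rather than timesteps.

```python
"""Attention pooling over LSTM hidden states. Added example, not the paper's code.

Assumptions (all constructed for illustration): 3 input features per step,
2 hidden units, constant untrained weights, additive attention over timesteps.
"""
import math
from typing import List, Sequence, Tuple

Vector = List[float]
Matrix = List[List[float]]

INPUT_DIM = 3   # one toy value per feature family: PE view, activity behavior, similarity
HIDDEN = 2

# Constructed toy parameters (assumption: trained weights are not available here).
# Gate rows are ordered input, forget, cell candidate, output.
W_X: Matrix = [[0.5] * INPUT_DIM for _ in range(4 * HIDDEN)]
W_H: Matrix = [[0.1] * HIDDEN for _ in range(4 * HIDDEN)]
B: Vector = [0.0] * (4 * HIDDEN)
W_A: Matrix = [[1.0 if r == c else 0.0 for c in range(HIDDEN)] for r in range(HIDDEN)]
V_A: Vector = [1.0] * HIDDEN
W_OUT: Vector = [1.0] * HIDDEN
B_OUT = -0.5

# Constructed sequence: three observed steps of one process in the foothold phase.
SAMPLE_SEQUENCE: List[Vector] = [
    [0.0, 0.0, 0.0],  # unremarkable first step
    [1.0, 1.0, 1.0],  # mildly suspicious
    [2.0, 2.0, 2.0],  # strongly suspicious
]


def sigmoid(x: float) -> float:
    return 1.0 / (1.0 + math.exp(-x))


def matvec(w: Matrix, x: Sequence[float]) -> Vector:
    return [sum(wi * xi for wi, xi in zip(row, x)) for row in w]


def lstm_forward(xs: Sequence[Vector], w_x: Matrix, w_h: Matrix, b: Vector,
                 hidden: int) -> List[Vector]:
    """Single-layer LSTM; returns the hidden state after every timestep."""
    h = [0.0] * hidden
    c = [0.0] * hidden
    states: List[Vector] = []
    for x in xs:
        z = [a + r + bias for a, r, bias in zip(matvec(w_x, x), matvec(w_h, h), b)]
        i = [sigmoid(v) for v in z[0:hidden]]
        f = [sigmoid(v) for v in z[hidden:2 * hidden]]
        g = [math.tanh(v) for v in z[2 * hidden:3 * hidden]]
        o = [sigmoid(v) for v in z[3 * hidden:4 * hidden]]
        c = [fi * ci + ii * gi for fi, ci, ii, gi in zip(f, c, i, g)]
        h = [oi * math.tanh(ci) for oi, ci in zip(o, c)]
        states.append(h)
    return states


def attention(states: Sequence[Vector], w_a: Matrix, v_a: Vector) -> Tuple[Vector, Vector]:
    """Additive attention: score_t = v_a . tanh(W_a h_t), alpha = softmax(score).

    Returns (alpha, context) with context = sum_t alpha_t * h_t. Steps whose
    hidden state scores higher get a larger share of the context vector.
    """
    scores = [sum(vi * math.tanh(u) for vi, u in zip(v_a, matvec(w_a, h))) for h in states]
    m = max(scores)                      # subtract max for a numerically stable softmax
    exps = [math.exp(s - m) for s in scores]
    total = sum(exps)
    alpha = [e / total for e in exps]
    context = [sum(a * h[k] for a, h in zip(alpha, states)) for k in range(len(states[0]))]
    return alpha, context


def classify(xs: Sequence[Vector]) -> Tuple[float, Vector]:
    """Return (P(APT foothold), attention weights) for one sequence of steps."""
    states = lstm_forward(xs, W_X, W_H, B, HIDDEN)
    alpha, context = attention(states, W_A, V_A)
    logit = sum(w * c for w, c in zip(W_OUT, context)) + B_OUT
    return sigmoid(logit), alpha


if __name__ == "__main__":
    prob, weights = classify(SAMPLE_SEQUENCE)
    print("P(APT) =", round(prob, 4))
    print("attention over steps =", [round(a, 4) for a in weights])
```

With these weights the first step's hidden state is exactly zero, so its attention weight is the smallest; setting `V_A` to zeros makes every score equal and the layer degenerates to a plain average of the hidden states, which is the behaviour the attention layer is added to avoid.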