
Detection of Advanced Persistent Threats and Reconstruction of Their Attack Scenarios (Chinese title, translated)

Detection of Advanced Persistent Threat and Reconstruction of its Attack Scenario using Graph Convolutional Recurrent Networks

Advisor: 謝宏昀

Abstract (translated from Chinese)


Attackers behind an advanced persistent threat (APT) target a specific victim and stay dormant in the victim's environment for a long period, so conventional signature-based intrusion detection systems cannot effectively retain long-term Indicators of Compromise (IOC). In recent years, a growing number of papers have proposed methods for the APT problem. Most unsupervised approaches use pre-designed rules to detect the individual attack steps and the time at which an attack occurs. However, these methods require prior knowledge of attack patterns and behavior, and writing the rules costs time and manpower, which makes the detection system hard to maintain. In this thesis we therefore propose a model based on unsupervised machine learning that learns the normal behavior of the environment, detects anomalous behavior, and reconstructs the attack scenario, so the method needs no detection rules to be written or updated. In addition, the log files of a typical audit system accumulate a large volume of data over a long recording period. To process large log volumes in real time, we adopt the tag propagation used in the MORSE paper to reduce the amount of data to analyze, and use a fast-localization technique to reduce the complexity of the machine-learning model. In our experiments the model reaches an AUC score of 76, comparable to a rule-based detection system. The reconstructed attack scenario covers 67% of the malicious entities, and the scenario graph marks most of the intrusion techniques the attacker used. Finally, the tag propagation adopted in this thesis reduces the amount of data to analyze by 80% to 90%, which not only speeds up analysis and raises the detection system's AUC score but also gives security analysts a more concise attack-scenario graph to work from.

Abstract (English, as provided)


In advanced persistent threat (APT), attackers typically target a specific victim and lurk in the victim's computer environment for a long time. Conventional signature-based detectors thus cannot effectively capture the long-term relationship among various indicators of compromise. In recent years, many methods have been proposed to solve this problem. Most unsupervised methods use carefully-crafted policies to model attack steps and detect the attack occurrence. However, these methods need prior knowledge of the attack and its behavior. Policy formulation and refinement are both labor-intensive and time-consuming, which increases the cost of deploying the APT detector. Therefore, in this thesis we propose a method based on unsupervised machine learning to detect APT and construct its attack scenario without requiring hand-crafted policy formulation. The proposed method automatically learns from normal behavior and detects deviations dynamically through monitoring. To process a large number of logs in real time, we adapt the well-known tag-propagation method to reduce the size of the data. We also use the message-passing framework and a fast-localization technique so that the data fits on a computer with limited memory. In our experiments, the proposed method achieves an AUC score of 76, similar to the policy-based detector. The scenario graph thus constructed captures 67% of the malicious entities, with few missing techniques that attackers use to achieve their goals. The graph reduction technique employed in this thesis can also reduce the data size by 80% to 90%, thus speeding up the analysis process, improving the overall AUC score, and yielding a more concise result for security analysts.
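Both abstracts rely on SLEUTH/MORSE-style tag propagation to shrink the audit data before it reaches the detector. The following is an added example written for this page, not the thesis's code: it replays a small set of constructed audit events in time order, seeds tags on network sockets (untrusted) and on sensitive files (secret), propagates them along read/write/fork/exec edges, raises two illustrative policy alerts, and keeps only the events whose subject lies on a path from a network source. The event list, entity names, the two-tag policy and the retention rule are all assumptions made for the illustration.

```python
"""SLEUTH/MORSE-style tag propagation over a provenance graph built from
audit events, used to prune the data handed to a detector.

Added illustration for this page; not the thesis's implementation.
The events, entity names and policy rules below are constructed.
"""
from dataclasses import dataclass

# Constructed audit events: (timestamp, subject process, action, object).
# Processes and files share one namespace, so an exec'd path names the
# resulting process. 203.0.113.0/24 and 192.0.2.0/24 are documentation
# address ranges standing in for remote hosts.
AUDIT_EVENTS = [
    (1, "sshd", "read", "socket:203.0.113.7:51022"),
    (2, "sshd", "fork", "bash"),
    (3, "bash", "exec", "wget"),
    (4, "wget", "read", "socket:203.0.113.7:80"),
    (5, "wget", "write", "/tmp/payload"),
    (6, "bash", "exec", "/tmp/payload"),
    (7, "/tmp/payload", "read", "/etc/passwd"),
    (8, "/tmp/payload", "write", "socket:203.0.113.7:443"),
    # Background activity with no network influence (should be pruned).
    (1, "cron", "fork", "logrotate"),
    (2, "logrotate", "read", "/var/log/syslog"),
    (3, "logrotate", "write", "/var/log/syslog.1"),
    (4, "systemd", "fork", "journald"),
    (5, "journald", "write", "/var/log/journal"),
    (6, "updatedb", "read", "/home/user/notes.txt"),
    (7, "updatedb", "write", "/var/lib/mlocate.db"),
    # A browser session: network-sourced, so the coarse rule keeps it.
    (8, "firefox", "read", "socket:192.0.2.10:443"),
    (9, "firefox", "write", "/home/user/.cache/ff"),
]

SENSITIVE_FILES = {"/etc/passwd", "/etc/shadow"}  # assumed policy list


@dataclass
class Tags:
    untrusted: bool = False  # data influenced by a network source
    secret: bool = False     # data derived from a sensitive file

    def merge(self, other):
        # Tags only ever get worse: once untrusted/secret, an entity stays so.
        return Tags(self.untrusted or other.untrusted,
                    self.secret or other.secret)


def initial_tags(entity):
    """Seed tags: network sockets are untrusted, listed files are secret."""
    return Tags(untrusted=entity.startswith("socket:"),
                secret=entity in SENSITIVE_FILES)


def propagate(events):
    """Replay events in time order, propagating tags along data flow.

    Returns (tags, alerts, retained). An event is retained when its subject
    carries the untrusted tag after the event, i.e. it lies on a path from
    a network source; everything else is pruned before further analysis.
    """
    tags = {}        # entity name -> Tags
    alerts = []
    retained = []

    def get(entity):
        if entity not in tags:
            tags[entity] = initial_tags(entity)
        return tags[entity]

    for ts, subj, action, obj in sorted(events, key=lambda e: e[0]):
        s, o = get(subj), get(obj)
        if action == "read":
            tags[subj] = s.merge(o)           # subject absorbs object's tags
        elif action == "write":
            if obj.startswith("socket:") and s.secret:
                alerts.append((ts, "exfiltration", subj, obj))
            tags[obj] = o.merge(s)            # object inherits subject's tags
        elif action in ("fork", "exec"):
            if action == "exec" and o.untrusted:
                alerts.append((ts, "untrusted_exec", subj, obj))
            tags[obj] = o.merge(s)            # child inherits parent's tags
        if tags[subj].untrusted:
            retained.append((ts, subj, action, obj))
    return tags, alerts, retained


def reduction_summary(events):
    """Size of the pruned graph relative to the raw event stream."""
    tags, alerts, retained = propagate(events)
    entities = {e for _, s, _, o in retained for e in (s, o)}
    return {
        "events_total": len(events),
        "events_retained": len(retained),
        "reduction": 1 - len(retained) / len(events),
        "entities_retained": sorted(entities),
        "alerts": alerts,
    }


if __name__ == "__main__":
    for key, value in reduction_summary(AUDIT_EVENTS).items():
        print(key, value)
```

On this input the pruned graph keeps the sshd/bash/wget/payload chain and flags the exec of the network-written file and the write of /etc/passwd-derived data to a socket, while dropping cron, logrotate, systemd, journald and updatedb entirely. The browser session survives because every network-sourced process is untrusted under this seeding rule; the reduction ratio on real audit logs therefore depends on how much of the host's activity is network-influenced, which is why the thesis adds a learned detector on top of the pruned graph rather than relying on tags alone.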
