With the development of information technology, the border of cyberspace grows ever broader, exposing more and more vulnerabilities to attackers. Traditional mitigation-based defence strategies struggle to cope with this complicated situation. Security practitioners urgently need better tools to describe and model attacks for defence. The provenance graph appears to be an ideal method for threat modelling, owing to its powerful semantic expression ability and its ability to correlate the historic events of an attack. In this paper, we first introduce the basic concepts of the system-level provenance graph and propose a typical system architecture for provenance graph-based threat detection and investigation. A comprehensive provenance graph-based threat detection system can be divided into three modules, namely the "data collection module", the "data management module", and the "threat detection module". Each module contains several components and involves many research problems. We systematically analyse the algorithms and design details involved. By comparing them, we give a strategy for technology selection. Moreover, we point out the shortcomings of existing work for future improvement.
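To make the three-module pipeline concrete, here is an added toy example (not code from the paper): constructed audit records stand in for the data collection module, a reverse-adjacency provenance graph for data management, a single rule for threat detection, and a time-bounded backward trace for the investigation step that gives the provenance graph its historic-correlation ability. All record values, the rule and the function names are assumptions for illustration.

```python
from collections import defaultdict, deque

# Constructed sample audit records (not from the paper), in the form a data
# collection module might emit: (timestamp, subject, operation, object).
AUDIT_RECORDS = [
    (1, "proc:bash[100]", "exec",    "proc:curl[101]"),
    (2, "proc:curl[101]", "connect", "sock:198.51.100.7:443"),
    (3, "proc:curl[101]", "recv",    "sock:198.51.100.7:443"),
    (4, "proc:curl[101]", "write",   "file:/tmp/update.sh"),
    (5, "proc:bash[100]", "exec",    "proc:sh[102]"),
    (6, "proc:sh[102]",   "read",    "file:/tmp/update.sh"),
    (7, "proc:sh[102]",   "write",   "file:/etc/cron.d/job"),
    (8, "proc:vim[103]",  "read",    "file:/home/user/notes.txt"),  # unrelated
]

# Direction of information flow per operation: True when data flows from the
# object into the subject (read/recv), False when it flows out of the subject.
OBJECT_TO_SUBJECT = {"read": True, "recv": True,
                     "exec": False, "write": False, "connect": False}

def build_graph(records):
    """Data management: store the provenance graph as reverse adjacency
    (dst -> [(src, ts)]) so that backward queries are cheap."""
    incoming = defaultdict(list)
    for ts, subject, op, obj in records:
        src, dst = (obj, subject) if OBJECT_TO_SUBJECT[op] else (subject, obj)
        incoming[dst].append((src, ts))
    return incoming

def detect(records):
    """Threat detection: a constructed rule flagging any write into a
    persistence location (not the paper's detector)."""
    return [(ts, subj, obj) for ts, subj, op, obj in records
            if op == "write" and obj.startswith("file:/etc/cron.d/")]

def backward_trace(incoming, start, start_ts):
    """Investigation: collect every node that could causally have influenced
    `start`, following only edges older than the event we arrived by."""
    ancestors, queue = {start}, deque([(start, start_ts)])
    while queue:
        node, bound = queue.popleft()
        for src, ts in incoming.get(node, ()):
            if ts <= bound and src not in ancestors:
                ancestors.add(src)
                queue.append((src, ts))
    return ancestors

if __name__ == "__main__":
    graph = build_graph(AUDIT_RECORDS)
    for ts, subj, obj in detect(AUDIT_RECORDS):
        print(f"alert t={ts}: {subj} wrote {obj}")
        print("  causal ancestors:", sorted(backward_trace(graph, obj, ts)))
```

The timestamp bound is what keeps the trace from pulling in later, unrelated activity on shared nodes such as the long-lived shell; without it, backward tracing on a real system quickly suffers dependency explosion.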