Threat Detection and Investigation with System-level Provenance Graphs: A Survey
It provides a comprehensive overview for security practitioners, but it is incremental as it surveys existing work rather than introducing new methods.
This survey addresses the need for better threat detection tools by exploring system-level provenance graphs as a method for modeling attacks, analyzing their architecture and algorithms across data collection, management, and detection modules.
With the development of information technology, the border of the cyberspace gets much broader, exposing more and more vulnerabilities to attackers. Traditional mitigation-based defence strategies are challenging to cope with the current complicated situation. Security practitioners urgently need better tools to describe and modelling attacks for defence. The provenance graph seems like an ideal method for threat modelling with powerful semantic expression ability and attacks historic correlation ability. In this paper, we firstly introduce the basic concepts about system-level provenance graph and proposed typical system architecture for provenance graph-based threat detection and investigation. A comprehensive provenance graph-based threat detection system can be divided into three modules, namely, "data collection module", "data management module", and "threat detection modules". Each module contains several components and involves many research problem. We systematically analyzed the algorithms and design details involved. By comparison, we give the strategy of technology selection. Moreover, we pointed out the shortcomings of the existing work for future improvement.