A Review of Provenance Graph based APT Attack Detection:Applications and Developments
Yang Lv, Shaona Qin, Zifeng Zhu, Zhuocheng Yu, Shudong Li, Weihong Han
Abstract
With the development of information technology, the cyberspace also derives an increasing number of security risks and threats. There are more and more advanced cyber-attacks of which the APT is one of the most sophisticated attacks and is commonly adopted by modern attackers. Traditional detection methods are challenging to cope with complicated and persistent APT-style attacks. Provenance graph models the interactions between system-level entities within a specific system, it possesses powerful semantic expression ability and correlation analysis ability and many works have been conducted using provenance graph to detect APT-style multi-step attacks. This article mainly discusses the current research situation and tendency of APT attack detection based on provenance graph. We firstly introduce basic concepts of APT and provenance graph, and then review the existing representative works and conclude a general framework design for provenance graph based attack detection system. Finally, we also provide several promising research directions in the future.