Marlin: Knowledge-Driven Analysis of Provenance Graphs for Efficient and Robust Detection of Cyber Attacks
Zhenyuan Li, Yangyang Wei, Xiangmin Shen, Lingzhi Wang, Yan Chen, Haitao Xu, Shouling Ji, Fan Zhang, Liang Hou, Wenmao Liu, Xuhong Zhang, Jianwei Ying
TL;DR
This work addresses the challenge of efficient and robust detection of cyber attacks over large provenance graphs by reframing real-time detection as streaming graph alignment using knowledge-annotated query graphs. The authors introduce TagS (within the Marlin framework), a tag-propagation-based detection core that caches partial alignment results to avoid storing the full provenance graph, enabling real-time processing with minimal memory. By integrating fuzzy, seed-based query-graph matching into a streaming workflow and using a two-tier alignment status cache, TagS achieves high detection accuracy (recall $=1.0$, precision $=0.96$ for ground-truth attacks) and strong robustness against evasion tactics, processing up to $1.37 \times 10^5$ events per second on large, public datasets. The practical impact lies in providing an interpretable, scalable, and resilient provenance-based detector suitable for real-time security analytics on massive log streams, with configurable query graphs to cover evolving attack techniques.
Abstract
Recent research in both academia and industry has validated the effectiveness of provenance graph-based detection for advanced cyber attack detection and investigation. However, analyzing large-scale provenance graphs often results in substantial overhead. To improve performance, existing detection systems implement various optimization strategies. Yet, as several recent studies suggest, these strategies could lose necessary context information and be vulnerable to evasions. Designing a detection system that is efficient and robust against adversarial attacks is an open problem. We introduce Marlin, which approaches cyber attack detection through real-time provenance graph alignment.By leveraging query graphs embedded with attack knowledge, Marlin can efficiently identify entities and events within provenance graphs, embedding targeted analysis and significantly narrowing the search space. Moreover, we incorporate our graph alignment algorithm into a tag propagation-based schema to eliminate the need for storing and reprocessing raw logs. This design significantly reduces in-memory storage requirements and minimizes data processing overhead. As a result, it enables real-time graph alignment while preserving essential context information, thereby enhancing the robustness of cyber attack detection. Moreover, Marlin allows analysts to customize attack query graphs flexibly to detect extended attacks and provide interpretable detection results. We conduct experimental evaluations on two large-scale public datasets containing 257.42 GB of logs and 12 query graphs of varying sizes, covering multiple attack techniques and scenarios. The results show that Marlin can process 137K events per second while accurately identifying 120 subgraphs with 31 confirmed attacks, along with only 1 false positive, demonstrating its efficiency and accuracy in handling massive data.