Table of Contents
Fetching ...

ProGQL: A Provenance Graph Query System for Cyber Attack Investigation

Fei Shao, Jia Zou, Zhichao Cao, Xusheng Xiao

TL;DR

ProGQL presents a domain-specific graph query framework for provenance analysis in cyber-attack investigations, addressing extensibility and memory bottlenecks that limit existing PA techniques. It introduces a Cypher-inspired language with constrained graph search, edge-weight computation, value propagation, and graph merging, plus a query engine that performs incremental graph search using database backends to avoid full in-memory materialization. Empirical results on 14 real attacks show ProGQL expresses complex PA more concisely than Cypher and scales better than state-of-the-art PA (DepImpact), achieving similar runtime with 8× lower memory usage. The framework demonstrates strong practical impact by enabling expressive, scalable, cross-host provenance analyses and is adaptable to diverse backends and edge-weighting schemes.

Abstract

Provenance analysis (PA) has recently emerged as an important solution for cyber attack investigation. PA leverages system monitoring to monitor system activities as a series of system audit events and organizes these events as a provenance graph to show the dependencies among system activities, which can reveal steps of cyber attacks. Despite their potential, existing PA techniques face two critical challenges: (1) they are inflexible and non-extensible, making it difficult to incorporate analyst expertise, and (2) they are memory inefficient, often requiring>100GB of RAM to hold entire event streams, which fundamentally limits scalability and deployment in real-world environments. To address these limitations, we propose the ProGQL framework, which provides a domain-specific graph search language with a well-engineered query engine, allowing PA over system audit events and expert knowledge to be jointly expressed as a graph search query and thereby facilitating the investigation of complex cyberattacks. In particular, to support dependency searches from a starting edge required in PA, ProGQL introduces new language constructs for constrained graph traversal, edge weight computation, value propagation along weighted edges, and graph merging to integrate multiple searches. Moreover, the ProGQL query engine is optimized for efficient incremental graph search across heterogeneous database backends, eliminating the need for full in-memory materialization and reducing memory overhead. Our evaluations on real attacks demonstrate the effectiveness of the ProGQL language in expressing a diverse set of complex attacks compared with the state-of-the-art graph query language Cypher, and the comparison with the SOTA PA technique DEPIMPACT further demonstrates the significant improvement of the scalability brought by our ProGQL framework's design.

ProGQL: A Provenance Graph Query System for Cyber Attack Investigation

TL;DR

ProGQL presents a domain-specific graph query framework for provenance analysis in cyber-attack investigations, addressing extensibility and memory bottlenecks that limit existing PA techniques. It introduces a Cypher-inspired language with constrained graph search, edge-weight computation, value propagation, and graph merging, plus a query engine that performs incremental graph search using database backends to avoid full in-memory materialization. Empirical results on 14 real attacks show ProGQL expresses complex PA more concisely than Cypher and scales better than state-of-the-art PA (DepImpact), achieving similar runtime with 8× lower memory usage. The framework demonstrates strong practical impact by enabling expressive, scalable, cross-host provenance analyses and is adaptable to diverse backends and edge-weighting schemes.

Abstract

Provenance analysis (PA) has recently emerged as an important solution for cyber attack investigation. PA leverages system monitoring to monitor system activities as a series of system audit events and organizes these events as a provenance graph to show the dependencies among system activities, which can reveal steps of cyber attacks. Despite their potential, existing PA techniques face two critical challenges: (1) they are inflexible and non-extensible, making it difficult to incorporate analyst expertise, and (2) they are memory inefficient, often requiring>100GB of RAM to hold entire event streams, which fundamentally limits scalability and deployment in real-world environments. To address these limitations, we propose the ProGQL framework, which provides a domain-specific graph search language with a well-engineered query engine, allowing PA over system audit events and expert knowledge to be jointly expressed as a graph search query and thereby facilitating the investigation of complex cyberattacks. In particular, to support dependency searches from a starting edge required in PA, ProGQL introduces new language constructs for constrained graph traversal, edge weight computation, value propagation along weighted edges, and graph merging to integrate multiple searches. Moreover, the ProGQL query engine is optimized for efficient incremental graph search across heterogeneous database backends, eliminating the need for full in-memory materialization and reducing memory overhead. Our evaluations on real attacks demonstrate the effectiveness of the ProGQL language in expressing a diverse set of complex attacks compared with the state-of-the-art graph query language Cypher, and the comparison with the SOTA PA technique DEPIMPACT further demonstrates the significant improvement of the scalability brought by our ProGQL framework's design.
Paper Structure (28 sections, 5 figures, 11 tables)

This paper contains 28 sections, 5 figures, 11 tables.

Figures (5)

  • Figure 1: Overview of ProGQL framework
  • Figure 2: Representative BNF grammar of ProGQL
  • Figure 3: PG identified by ProGQL for Password Crack attack (non-critical edges are omitted)
  • Figure 4: Conciseness evaluation of queries written in ProGQL and Cypher
  • Figure 5: Feature and TopK entry nodes ablation analysis across three attack cases (Password Crack, Data Leakage, VPN Filter)