An End-to-End Framework for Functionality-Embedded Provenance Graph Construction and Threat Interpretation

Kushankur Ghosh, Mehar Klair, Kian Kyars, Euijin Choo, Jörg Sander

Abstract

Provenance graphs model causal system-level interactions from logs, enabling anomaly detectors to learn normal behavior and detect deviations as attacks. However, existing approaches rely on brittle, manually engineered rules to build provenance graphs, lack functional context for system entities, and provide limited support for analyst investigation. We present Auto-Prov, an adaptive, end-to-end framework that leverages large language models (LLMs) to automatically construct provenance graphs from heterogeneous and evolving logs, embed system-level functional attributes into the graph, enable provenance graph-based anomaly detectors to learn from these enriched graphs, and summarize the detected attacks to assist an analyst's investigation. Auto-Prov clusters unseen log types and efficiently extracts provenance edges and entity-level information via automatically generated rules. It further infers system-level functional context for both known and previously unseen system entities using a combination of LLM inference and behavior-based estimation. Attacks detected by provenance-graph-based anomaly detectors trained on Auto-Prov's graphs are then summarized into natural-language text. We evaluate Auto-Prov with four state-of-the-art provenance graph-based detectors across diverse logs. Results show that Auto-Prov consistently enhances detection performance, generalizes across heterogeneous log formats, and produces stable, interpretable attack summaries that remain robust under system evolution.

Paper Structure (28 sections, 7 figures, 3 tables)


Figures (7)

  • Figure 1: Examples of Different Log Entries
  • Figure 2: Auto-Prov workflow.
  • Figure 3: (a): Clustering performance of DBStream [hahsler2016clustering] across different log embedding models. (b): Clustering performance of DBStream [hahsler2016clustering] and DenStream [cao2006density]. (c)–(d): Detection performance on THEIA [darpa_tc_e3] and ATLAS [alsaheel2021atlas] with different embedding models for node features, respectively. (e): Number of edges generated by different LLMs as the candidate provenance extractor.
  • Figure 4: (a)–(c): Detection performance with different LLMs as candidate provenance extractor, rule generator, and node enricher, respectively. (d): Number of entities for which functionality features cannot be inferred due to insufficient LLM knowledge. (e): Assistant robustness under entity-name poisoning, measured by tactic correctness $\alpha_{TC}$, summary similarity $\alpha_{BERT}$, and tactic consistency $\alpha_{R}$, averaged over attacks in THEIA [darpa_tc_e3] and ATLAS [alsaheel2021atlas] at varying poisoning rates.
  • Figure 5: Tactic correctness across attacks in THEIA [darpa_tc_e3] and ATLAS [alsaheel2021atlas].
  • ...and 2 more figures