A survey of provenance graph-based methods for advanced persistent threat detection
Zhang Yan 1,2,Yang Xiaofan 1,2
1. Radio, Film and Television Design and Research Institute Co., Ltd.; 2. Key Laboratory of Intelligent Supervision for Radio, Television and Audiovisual New Media, National Radio and Television Administration
Abstract: Global Advanced Persistent Threats (APTs) pose severe challenges to national cyberspace security due to their highly organized, stealthy, persistent, and cross-platform coordinated attack patterns. During APT attacks, provenance graphs constructed through multi-source data can effectively capture the traces left by attackers, thereby playing a critical role in APT detection. This paper focuses on provenance graph-based APT detection methods and systematically summarizes recent studies from international journals and conferences. Firstly, it delineates the definition of APTs, their lifecycle, and the current landscape of APT attacks faced by China. Subsequently, it categorizes and elaborates on provenance graph-based APT detection methods, dividing them into traditional technique-based methods and learning-based methods. The paper compares their advantages and limitations, summarizes and discusses future prospects in this field, and highlights that integrating traditional methods with learning models represents a critical research direction. This research provides reference guidance for researchers in this field.
Key words : advanced persistent threat; provenance graph analysis; detection; cyber space security
