
ProvNavigator: shadow path guided attack investigation method

席昊 (1), 范皓 (2), 袁沈阳 (1), 朱金宇 (1), 陈昌骅 (1), 万海 (1), 赵曦滨 (1)

通信学报 (Journal on Communications) 2025, Vol. 46, Issue 4: 15-32, 18. DOI: 10.11959/j.issn.1000-436x.2025062


Author information

  • 1. School of Software, Tsinghua University, Beijing 100084, China
  • 2. 中债金科信息技术有限公司, Beijing 100044, China

Abstract

After a cyber attack, conducting an investigation to analyze its root cause and impact is crucial. Currently, provenance graph-based techniques have become the mainstream approach, but they face the challenge of the dependency explosion problem. Recent research has alleviated this issue to some extent by integrating audit logs and application logs, with advantages such as no need for program instrumentation, model training, or taint analysis. However, existing log fusion techniques either rely on complex fusion rules or require reverse engineering of applications, necessitating algorithm adjustments when facing new applications, which limits their general applicability. To address these issues, a new log fusion-based attack investigation method, ProvNavigator, was proposed. In the graph construction phase, individual provenance graphs from different log sources were merged into a global fused provenance graph by analyzing correlations between logs. In the attack investigation phase, nodes with dependency explosion were handled through "shadow path pairs", and appropriate edges were selected to reconstruct the entire attack chain. ProvNavigator required no instrumentation or reverse analysis and demonstrated general applicability. A prototype system was developed and experimentally evaluated in 6 real attack scenarios, including 4 DARPA TC datasets. The experimental results show that ProvNavigator can effectively reconstruct attack stories, achieving 94.3% precision with only 6.01% runtime overhead.
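The abstract names two things a practitioner should be able to picture concretely: the dependency explosion that a long-running process node causes in an audit-log provenance graph, and why correlating application-log records with audit events narrows a backward trace. The following Python is an added illustration of exactly that and is not code from the paper or the ProvNavigator prototype; the "shadow path pair" handling the abstract describes is not shown, because the page does not define it. The audit events and application-log records are constructed, and the fusion rule used (join on pid, attribute each audit event to the most recent request start logged for that pid) is a deliberately simple assumption chosen for the example, not the paper's correlation analysis.

```python
from collections import defaultdict
from bisect import bisect_right

# Constructed audit-log events: (ts, pid, op, obj). "read" means information flows
# obj -> process, "write" means process -> obj. One long-running server (pid 100)
# handles three client requests; only the third one writes the suspicious file.
AUDIT_EVENTS = [
    (1, 100, "read",  "/var/www/a.html"),
    (2, 100, "write", "socket:10.0.0.2"),
    (3, 100, "read",  "/var/www/b.html"),
    (4, 100, "write", "socket:10.0.0.3"),
    (5, 100, "read",  "socket:203.0.113.9"),
    (6, 100, "write", "/tmp/shell.php"),
]

# Constructed application-log records: (ts, pid, client). Each marks the start of
# one request handled by that pid, as a web server's access log would.
APP_RECORDS = [
    (1, 100, "10.0.0.2"),
    (3, 100, "10.0.0.3"),
    (5, 100, "203.0.113.9"),
]


def partitions_from_applog(records):
    """Assumed fusion rule (not the paper's): group app-log request starts by pid so
    that audit events can be attributed to the latest request started before them."""
    by_pid = defaultdict(list)
    for ts, pid, client in sorted(records):
        by_pid[pid].append((ts, client))
    return {pid: ([t for t, _ in recs], [c for _, c in recs])
            for pid, recs in by_pid.items()}


def subject_name(ts, pid, partitions):
    """Name the process node. Without partitions every event of a pid collapses into
    one node (the cause of dependency explosion); with partitions the pid is split
    into per-request execution units."""
    if partitions is None or pid not in partitions:
        return f"proc:{pid}"
    starts, labels = partitions[pid]
    i = bisect_right(starts, ts) - 1      # latest request started at or before ts
    if i < 0:
        return f"proc:{pid}"              # event before any logged request
    return f"proc:{pid}@{labels[i]}"


def build_provenance_graph(events, partitions=None):
    """Return reverse adjacency: node -> set of nodes information flowed in from."""
    preds = defaultdict(set)
    for ts, pid, op, obj in events:
        proc = subject_name(ts, pid, partitions)
        if op == "read":
            preds[proc].add(obj)
        elif op == "write":
            preds[obj].add(proc)
        else:
            raise ValueError(f"unknown op {op!r}")
    return preds


def backward_trace(preds, sink):
    """All nodes from which information could transitively have reached sink."""
    seen, stack = set(), [sink]
    while stack:
        node = stack.pop()
        for p in preds.get(node, ()):
            if p not in seen:
                seen.add(p)
                stack.append(p)
    return seen


def root_sources(preds, sink):
    """Ancestors with no predecessors: the candidate entry points of the attack."""
    return {n for n in backward_trace(preds, sink) if not preds.get(n)}


if __name__ == "__main__":
    naive = build_provenance_graph(AUDIT_EVENTS)
    fused = build_provenance_graph(AUDIT_EVENTS, partitions_from_applog(APP_RECORDS))
    print("audit-only sources :", sorted(root_sources(naive, "/tmp/shell.php")))
    print("fused sources      :", sorted(root_sources(fused, "/tmp/shell.php")))
```

Tracing backward from /tmp/shell.php in the audit-only graph returns every object pid 100 ever read, including the two benign pages served to other clients, because all six events hang off one process node; in the fused graph the same trace stops at the single socket of the request that actually wrote the file. Real fusion has to cope with overlapping requests, thread pools and clock skew between log sources, which is where a naive time-window join like this one breaks down and why the abstract stresses fusion rules that do not need per-application reverse engineering.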

Key words

attack investigation / dependency explosion / log fusion / provenance graph / shadow path

Classification

Computer Science and Automation

Cite this article

席昊, 范皓, 袁沈阳, 朱金宇, 陈昌骅, 万海, 赵曦滨. ProvNavigator: shadow path guided attack investigation method [J]. 通信学报 (Journal on Communications), 2025, 46(4): 15-32, 18.

Funding

The National Natural Science Foundation of China (No. 6212780016)

通信学报 (Journal on Communications), ISSN 1000-436X, open access, Peking University core journal
