Zebra: Deeply Integrating System-Level Provenance Search and Tracking for Efficient Attack Investigation. (arXiv:2211.05403v1 [cs.CR])

System auditing has emerged as a key approach for monitoring system call
events and investigating sophisticated attacks. Based on the collected audit
logs, research has proposed to search for attack patterns or track the causal
dependencies of system events to reveal the attack sequence. However, existing
approaches either cannot reveal long-range attack sequences or suffer from the
dependency explosion problem due to a lack of focus on attack-relevant parts,
and thus are insufficient for investigating complex attacks.

To bridge the …

arxiv investigation provenance search tracking