Threat detection and investigation with system-level provenance graphs: A survey

Zhenyuan Li, Qi Alfred Chen, Runqing Yang, Yan Chen, Wei Ruan*

*Corresponding author for this work

Research output: Contribution to journalReview articlepeer-review

12 Scopus citations


With the development of information technology, the border of the cyberspace gets much broader and thus also exposes increasingly more vulnerabilities to attackers. Traditional mitigation-based defence strategies are challenging to cope with the current complicated situation. Security practitioners urgently need better tools to describe and modelling attacks for defense. The provenance graph seems like an ideal method for threat modelling with powerful semantic expression ability and attacks historic correlation ability. In this paper, we firstly introduce the basic concepts about system-level provenance graph and present a typical system architecture for provenance graph-based threat detection and investigation. A comprehensive provenance graph-based threat detection system can be divided into three modules: data collection module, data management module, and threat detection modules. Each module contains several components and involves different research problems. We systematically taxonomize and compare the existing algorithms and designs involved in them. Based on these comparisons, we identify the strategy of technology selection for real-world deployment. We also provide insights and challenges about the existing work to guide future research in this area.

Original languageEnglish (US)
Article number102282
JournalComputers and Security
StatePublished - Jul 2021


  • Cyber Threat
  • Digital Forensic
  • Information Flow
  • Intrusion Detection
  • Provenance Graph

ASJC Scopus subject areas

  • Computer Science(all)
  • Law


Dive into the research topics of 'Threat detection and investigation with system-level provenance graphs: A survey'. Together they form a unique fingerprint.

Cite this