In practice, attack detection and investigation form an iterative process in which security analysts still play an important role today. Security systems for attack detection and investigation need to be designed with this human-in-the-loop aspect in mind. A practical, reliable attack detection system is not just a classification system. Rather, it facilitates the investigation process in unearthing the root causes and attack ramifications by providing contextualized and more interpretable detection results. Security analysts often find it difficult and time consuming to investigate, associate and understand the detection results of currently deployed security systems.
A swift and accurate attack detection and investigation process is crucial for timely and proper attack recovery and remediation.
To support speedy and thorough attack detection and investigation, provenance-based security systems have been proposed over the past few years. These systems have proven to be inherently suitable for this critical mission: providing security analysts with insightful, contextualized, and actionable detection results for further investigation in a highly automated manner. Provenance-based systems produce attack graphs by parsing system logs that record, at a fine-grained level, what has occurred in a computer system. Such graphs manifest and link causally related system activities. Given a suspicious event as a starting point, backward and forward tracing in the graph can quickly expose more related malicious system activities caused by attackers, i.e., the root cause and the attack ramifications, respectively. Provenance-based security systems have demonstrated excellent performance in reducing false alarms and supplying security analysts with accurate, self-explanatory attack graphs, in particular for sophisticated attacks conducted by Advanced Persistent Threat (APT) actors.
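The backward and forward tracing described above, as an added illustration that is not part of this project's code: a small causal graph is built from constructed audit-style events, and a time-aware search from one alert edge separates the root cause (earlier, causally upstream events) from the ramifications (later, downstream events) while ignoring unrelated activity. Node names, paths and the address are placeholders.

```python
from collections import defaultdict, deque

# Constructed sample audit events (not real logs). Each tuple is
# (timestamp, source, destination, action); source -> destination means
# control or data flowed in that direction. Addresses/paths are placeholders.
EVENTS = [
    (1, "proc:bash", "proc:wget", "fork"),
    (2, "net:203.0.113.9:80", "proc:wget", "recv"),
    (3, "proc:wget", "file:/tmp/x.sh", "write"),
    (4, "proc:bash", "proc:sh", "fork"),
    (5, "file:/tmp/x.sh", "proc:sh", "read"),        # the alert we start from
    (6, "proc:sh", "file:/etc/cron.d/job", "write"),
    (7, "file:/etc/cron.d/job", "proc:cron", "read"),
    (8, "proc:cron", "proc:job", "fork"),
    (9, "proc:vim", "file:/home/u/notes.txt", "write"),  # unrelated activity
]

def build_graph(events):
    """Adjacency lists in both directions, keyed by node."""
    fwd, bwd = defaultdict(list), defaultdict(list)
    for ts, src, dst, action in events:
        fwd[src].append((ts, dst, action))
        bwd[dst].append((ts, src, action))
    return fwd, bwd

def trace(adj, start, t0, forward):
    """Time-aware BFS. Forward follows only edges later than the time at which
    the current node was reached; backward follows only earlier ones. A node
    is re-expanded when it is reached again with a looser time bound."""
    bound, queue, edges = {start: t0}, deque([start]), set()
    while queue:
        node = queue.popleft()
        for ts, nbr, action in adj[node]:
            if (ts <= bound[node]) if forward else (ts >= bound[node]):
                continue  # edge cannot be causally related to this node
            edges.add((ts, node, nbr, action) if forward else (ts, nbr, node, action))
            looser = nbr not in bound or (ts < bound[nbr] if forward else ts > bound[nbr])
            if looser:
                bound[nbr] = ts
                queue.append(nbr)
    return sorted(edges)

def investigate(events, alert):
    """Backward trace (root cause) and forward trace (ramifications) from one alert edge."""
    fwd, bwd = build_graph(events)
    ts, src, dst, _ = alert
    root = set(trace(bwd, src, ts, False)) | set(trace(bwd, dst, ts, False))
    ramif = set(trace(fwd, dst, ts, True)) | set(trace(fwd, src, ts, True))
    return {"root_cause": sorted(root), "ramifications": sorted(ramif)}
```

Calling `investigate(EVENTS, EVENTS[4])` returns the download chain (events 1 to 4) as the root cause and the persistence write plus the cron-spawned process (events 6 to 8) as the ramifications; the vim edit is never reached.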
Despite this success, our examination of existing provenance-based systems finds that they suffer from several major limitations and can be rendered ineffective when facing evasive real-world APT actors.
This project tackles the weaknesses of prior provenance-based systems, e.g., their fundamental susceptibility to evasive attacks employing persistence techniques, their inability to trace across machines and reveal the extent of attackers' traversal inside a network, and their inability to process logs from embedded-system devices.