
TRACEGADGET: Detecting and Tracing Network Level Attack Through Federal Provenance Graph

  • Han Liu, Yuntao Wang, Zhou Su, Zixuan Wang, Yanghe Pan, Ruidong Li
  • Xi'an Jiaotong University
  • Kanazawa University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

4 Citations (Scopus)

Abstract

Provenance graph-based auditing offers a promising direction for APT (Advanced Persistent Threat) detection with traceability guarantees. However, most existing methods are based on host-level causality analysis, which is ineffective in practical APT scenarios where well-organized adversaries carry out lateral movement attacks (e.g., through multi-level proxies) across multiple compromised hosts. To bridge this research gap, this paper proposes a collaborative APT detection and tracing framework (TRACEGADGET) based on federal provenance graphs. TRACEGADGET can efficiently reveal the whole trace of APT lateral movement through the interactions between hosts within an intranet. Specifically, the proposed framework 1) characterizes the relevance weights of all events in the given provenance graph relative to the POI (Point of Interest) events, 2) ranks the network entries of the POI events through backward trace analysis, 3) reveals the evolution of the alarm events and confirms the network exit of the penetration chain through forward propagation, and 4) aligns the network entries and network exits to derive the complete path of the lateral movement attack. Finally, we construct a dataset consisting of 280,000 edges and more than 90,000 entities from ten sets of real APT attacks. We demonstrate the feasibility and effectiveness of the proposed framework in recovering APT attack links at the network level. In particular, TRACEGADGET achieves 100% APT path reconstruction with high robustness in all the experiments.

Original language: English
Title of host publication: ICC 2024 - IEEE International Conference on Communications
Editors: Matthew Valenti, David Reed, Melissa Torres
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 2713-2718
Number of pages: 6
ISBN (Electronic): 9781728190549
DOI
Publication status: Published - 2024
Event: 59th Annual IEEE International Conference on Communications, ICC 2024 - Denver, United States
Duration: 9 Jun 2024 to 13 Jun 2024

Publication series

Name: IEEE International Conference on Communications
ISSN (Print): 1550-3607

Conference

Conference: 59th Annual IEEE International Conference on Communications, ICC 2024
Country/Territory: United States
City: Denver
Period: 9/06/24 to 13/06/24
