The rise of advanced persistent threats (APTs) has marked a significant cybersecurity challenge, characterized by sophisticated orchestration, stealthy execution, extended persistence, and the targeting of valuable assets across diverse sectors. Provenance graph-based kernel-level auditing has emerged as a promising approach to enhance visibility and traceability within intricate network environments. However, it still faces challenges, including reconstructing complex lateral attack chains, detecting dynamic evasion behaviors, and defending against smart adversarial subgraphs. To bridge this research gap, this paper proposes an efficient and robust APT defense scheme leveraging provenance graphs, comprising a network-level distributed audit model for cost-effective lateral attack reconstruction, a trust-oriented APT evasion behavior detection strategy, and a hidden Markov model-based adversarial subgraph defense approach. Through prototype implementation and extensive experiments, we validate the effectiveness of our system. Lastly, crucial open research directions in this emerging field are outlined.