Provenance analysis based on system audit data has emerged as a fundamental approach for investigating Advanced Persistent Threat (APT) attacks. Due to the high concealment and long-term persistence of APT attacks, they are only represented as a minimal part of the critical path in the provenance graph. While existing techniques employ behavioral pattern matching and data flow feature matching to uncover latent associations in attack sequences through provenance graph path reasoning, their inability to establish effective attack context associations often leads to the conflation of benign system operations with real attack entities, that fail to accurately characterize real APT behaviors. We observe that while the causality of entities in the provenance graph exhibit substantial complexity, attackers often follow specific attack patterns-specifically, clear combinations of tactics and techniques to achieve their goals. Based on these insights, we propose TPPR, a novel framework that first extracts anomaly subgraphs through abnormal node detection, TTP-annotation and graph pruning, then performs attack path reasoning using mined TTP sequential pattern, and finally reconstructs attack scenarios through confidence-based path scoring and merging. Extensive evaluation on real enterprise logs (more than 100 million events) and DARPA TC dataset demonstrates TPPR's capability to achieve 99.9% graph simplification (700,000 to 20 edges) while preserving 91% of critical attack nodes, outperforming state-of-the-art solutions (SPARSE, DepImpact) by 63.1% and 67.9% in reconstruction precision while maintaining attack scenario integrity.

翻译：基于系统审计数据的溯源分析已成为调查高级持续性威胁（APT）攻击的基本方法。由于APT攻击具有高度隐蔽性和长期持续性，其在溯源图中仅表现为关键路径的极小部分。现有技术通过行为模式匹配和数据流特征匹配，利用溯源图路径推理揭示攻击序列中的潜在关联，但由于无法建立有效的攻击上下文关联，常将良性系统操作与真实攻击实体混淆，难以准确刻画真实的APT行为。我们观察到，尽管溯源图中实体的因果关系表现出高度复杂性，但攻击者通常遵循特定的攻击模式——特别是为实现目标而采用的明确战术与技术组合。基于此，我们提出TPPR这一新型框架：首先通过异常节点检测、TTP标注和图剪枝提取异常子图；随后利用挖掘的TTP序列模式进行攻击路径推理；最后通过基于置信度的路径评分与融合重构攻击场景。在真实企业日志（超1亿事件）和DARPA TC数据集上的大量实验表明，TPPR能在保留91%关键攻击节点的同时实现99.9%的图简化（边数从70万降至20条），其重构精度较前沿方案（SPARSE、DepImpact）分别提升63.1%和67.9%，且能完整保持攻击场景的完整性。