Provenance-based intrusion detection has emerged as a promising approach for analyzing complex attack behaviors through system-level provenance graphs. However, existing defense methods face an inherent granularity limitation. Node-centric detectors, which evaluate anomalies using entities' attributes and local structural patterns, may misclassify benign behavioral changes or configuration modifications as suspicious. In contrast, edge-centric detectors, which focus on interactions, may lack sufficient contextual awareness of the involved entities, leading to missed detections when compromised entities perform seemingly ordinary operations. These analytical biases highlight a persistent gap between node-centric and edge-centric analyses. To bridge this gap, we present PROVFUSION, a multi-view detection framework that integrates anomaly signals from three distinct views (i.e., attribute, structure, and causality). The framework fuses heterogeneous anomaly signals through lightweight fusion schemes and determines the final anomaly decisions through a voting-based integration process, providing a more consistent and context-aware assessment of system behavior. This design enables PROVFUSION to capture both entity-level deviations and interaction-level anomalies within a single analytic pipeline. Experiments on nine widely used benchmark datasets demonstrate that PROVFUSION achieves higher detection accuracy and lower false-positive rates than single node- and edge-centric baselines, while maintaining stable performance across scenarios. Overall, the results suggest that our multi-view anomaly fusion, together with voting-based decision aggregation, offers a practical and effective direction for advancing provenance-based intrusion detection.
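A toy illustration of the multi-view voting described in the abstract, added here and not taken from the PROVFUSION paper: the per-view thresholds (z-score over constructed benign calibration scores), the mean-of-z-scores fusion, the two-of-three quorum and all sample scores are assumptions. It shows why a single attribute-view spike (a benign configuration change) is outvoted, while an interaction that is quiet in the attribute view but anomalous in the structure and causality views is still flagged.

```python
from statistics import mean, pstdev

VIEWS = ("attribute", "structure", "causality")

# Constructed benign calibration scores per view (e.g. from a training window).
BENIGN = {
    "attribute": [0.10, 0.12, 0.09, 0.11, 0.13, 0.10, 0.12, 0.11],
    "structure": [0.20, 0.22, 0.18, 0.21, 0.19, 0.20, 0.23, 0.21],
    "causality": [0.05, 0.06, 0.04, 0.05, 0.07, 0.05, 0.06, 0.05],
}

# Constructed observations: raw per-view anomaly scores for a node or an edge.
OBSERVATIONS = {
    # benign config change: only the attribute view reacts (node-centric false positive)
    "node:editor->~/.config": {"attribute": 0.95, "structure": 0.21, "causality": 0.05},
    # compromised process doing an ordinary-looking write: attribute view stays quiet
    "edge:shell->/tmp/out": {"attribute": 0.12, "structure": 0.80, "causality": 0.70},
    # ordinary daemon, nothing unusual in any view
    "node:sshd": {"attribute": 0.11, "structure": 0.20, "causality": 0.06},
}


def zscore(view, value):
    """Standardise a raw score against the benign calibration set of its view."""
    mu, sigma = mean(BENIGN[view]), pstdev(BENIGN[view])
    return (value - mu) / sigma if sigma else 0.0


def normalize(scores):
    return {v: zscore(v, scores[v]) for v in VIEWS}


def fused_score(scores):
    """Lightweight fusion (assumed scheme): mean of the per-view z-scores."""
    return mean(normalize(scores).values())


def votes(scores, k=3.0):
    """One vote per view whose z-score exceeds k standard deviations."""
    return {v: z > k for v, z in normalize(scores).items()}


def decide(scores, k=3.0, quorum=2):
    """Voting-based integration: anomalous iff at least `quorum` views agree."""
    return sum(votes(scores, k).values()) >= quorum


def run():
    """Decision per observation; the config change is outvoted, the edge is flagged."""
    return {name: decide(s) for name, s in OBSERVATIONS.items()}
```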