Advanced Persistent Threats (APTs) pose critical challenges to modern cybersecurity due to their multi-stage and stealthy nature. While provenance-based detection approaches show promise in capturing causal attack semantics, current threat provenance practices face two paradoxical issues: (1) expert skepticism, where human analysts doubt the capability of traditional detection models to identify complex attacks; and (2) expert dependence, as analysts cannot manually process large-scale raw logs to detect threats without these models. Consequently, collaboration between humans and traditional models remains the prevailing paradigm. However, this renders investigation quality contingent upon human expertise and frequently results in alert fatigue. To address these challenges, we present ProvAgent, a framework that evolves the threat provenance paradigm from human-model collaboration to a novel collaboration between multi-agent systems and traditional models. ProvAgent leverages the speed and cost-efficiency of traditional models for initial anomaly screening over large-scale logs. By enforcing fine-grained identity-behavior consistency via graph contrastive learning, it profiles entities based on specific attributes to generate high-fidelity alerts. With these alerts serving as investigation entry points, ProvAgent achieves in-depth autonomous investigation through a hypothesis-verification multi-agent framework. Evaluations with real-world datasets demonstrate that ProvAgent outperforms six state-of-the-art (SOTA) baselines in anomaly detection. Through automated investigation, ProvAgent reconstructs near-complete attack processes at a minimum cost of \$0.06 per day.

翻译：高级持续性威胁（APTs）因其多阶段与隐蔽特性，对现代网络安全构成严峻挑战。基于溯源图的检测方法虽在捕获因果攻击语义方面展现出潜力，但当前的威胁溯源实践面临两个矛盾性问题：（1）专家怀疑论：分析人员质疑传统检测模型识别复杂攻击的能力；（2）专家依赖症：若无这些模型，分析人员无法手动处理大规模原始日志以检测威胁。因此，人机协作仍是主流范式，但这使得调查质量受制于人工经验，并常导致告警疲劳。为应对这些挑战，我们提出ProvAgent框架，将威胁溯源范式从人机协作演进为多智能体系统与传统模型的新型协作。ProvAgent利用传统模型的速度与成本效益，对大规模日志进行初步异常筛查。通过基于图对比学习实施细粒度身份-行为一致性约束，该框架依据特定属性对实体进行画像，生成高保真告警。以这些告警作为调查切入点，ProvAgent通过假设-验证多智能体框架实现深度自主调查。基于真实数据集的评估表明，ProvAgent在异常检测性能上优于六种先进基线方法。通过自动化调查，ProvAgent能以每日最低0.06美元的成本重建近乎完整的攻击过程。