An End-to-End Framework for Functionality-Embedded Provenance Graph Construction and Threat Interpretation

TL;DR

Auto-Prov is an innovative framework that uses large language models to automatically build enriched provenance graphs from logs, improving attack detection and providing interpretable summaries to aid analysts.

Contribution

The paper introduces Auto-Prov, a novel end-to-end system that automates provenance graph construction, embeds functional context, and enhances attack detection and explanation using LLMs.

Findings

Auto-Prov improves detection accuracy across multiple detectors.

It generalizes well to diverse and evolving log formats.

Produces stable, natural-language attack summaries.

Abstract

Provenance graphs model causal system-level interactions from logs, enabling anomaly detectors to learn normal behavior and detect deviations as attacks. However, existing approaches rely on brittle, manually engineered rules to build provenance graphs, lack functional context for system entities, and provide limited support for analyst investigation. We present Auto-Prov, an adaptive, end-to-end framework that leverages large language models (LLMs) to automatically construct provenance graphs from heterogeneous and evolving logs, embed system-level functional attributes into the graph, enable provenance graph-based anomaly detectors to learn from these enriched graphs, and summarize the detected attacks to assist an analyst's investigation. Auto-Prov clusters unseen log types and efficiently extracts provenance edges and entity-level information via automatically generated rules. It further infers system-level functional context for both known and previously unseen system entities using a combination of LLM inference and behavior-based estimation. Attacks detected by provenance-graph-based anomaly detectors trained on Auto-Prov's graphs are then summarized into natural-language text. We evaluate Auto-Prov with four state-of-the-art provenance graph-based detectors across diverse logs. Results show that Auto-Prov consistently enhances detection performance, generalizes across heterogeneous log formats, and produces stable, interpretable attack summaries that remain robust under system evolution.