Featured paper
TDLens: Toward an Empirical Evaluation of Provenance Graph-Based Approach to Cyber Threat Detection
Abstract:
To combat increasingly sophisticated cyber attacks, the security community has proposed and deployed a large body of threat detection approaches to discover malicious behaviors on host systems and attack payloads in network traffic. Several studies have begun to focus on threat detection methods based on provenance data of host-level event tracing. On the other side, with the significant development of big data and artificial intelligence technologies, large-scale graph computing has been widely used. To this end, kinds of research try to bridge the gap between threat detection based on host log provenance data and graph algorithm, and propose the threat detection algorithm based on system provenance graph. These approaches usually generate the system provenance graph via tagging and tracking of system events, and then leverage the characteristics of the graph to conduct threat detection and attack investigation. For the purpose of deeply understanding the correctness, effectiveness, and efficiency of different graph-based threat detection algorithms, we pay attention to mainstream threat detection methods based on provenance graphs. We select and implement 5 state-of-the-art threat detection approaches among a large number of studies as evaluation objects for further analysis. To this end, we collect about 40GB of host-level raw log data in a real-world IT environment, and simulate 6 types of cyber attack scenarios in an isolated environment for malicious provenance data to build our evaluation datasets. The crosswise comparison and longitudinal assessment interpret in detail these detection approaches can detect which attack scenarios well and why. Our empirical evaluation provides a solid foundation for the improvement direction of the threat detection approach.
Keywords:
Authors:
Rui Mei; Hanbing Yan; Qinqin Wang; Zhihui Han; Zhuohang Lyu
Author affiliations:
Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China; National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC), Beijing 100029, China
Citation format:
[1] Rui Mei; Hanbing Yan; Qinqin Wang; Zhihui Han; Zhuohang Lyu. TDLens: Toward an Empirical Evaluation of Provenance Graph-Based Approach to Cyber Threat Detection [J]. China Communications (English edition), 2022(10): 102-115
Similar literature
Mako: A Graph-based Pattern Growth Approach to Detect Complex Structural Variants
Jiadong Lin; Xiaofei Yang; Walter Kosters; Tun Xu; Yanyan Jia; Songbo Wang; Qihui Zhu; Mallory Ryan; Li Guo; Chengsheng Zhang; The Human Genome Structural Variation Consortium; Charles Lee; Scott E. Devine; Evan E. Eichler; Kai Ye - School of Automation Science and Engineering, Faculty of Electronic and Information Engineering, Xi'an Jiaotong University, Xi'an 710049, China; MOE Key Lab for Intelligent Networks & Networks Security, Faculty of Electronic and Information Engineering, Xi'an Jiaotong University, Xi'an 710049, China; Genome Institute, the First Affiliated Hospital of Xi'an Jiaotong University, Xi'an 710061, China; Leiden Institute of Advanced Computer Science, Faculty of Science, Leiden University, Leiden 2311EZ, Netherlands; School of Computer Science and Technology, Faculty of Electronic and Information Engineering, Xi'an Jiaotong University, Xi'an 710049, China; The Jackson Laboratory for Genomic Medicine, Farmington, CT 06032, USA; Precision Medicine Center, the First Affiliated Hospital of Xi'an Jiaotong University, Xi'an 710061, China; Institute for Genome Sciences, University of Maryland School of Medicine, Baltimore, MD 21201, USA; Department of Genome Sciences, University of Washington School of Medicine, Seattle, WA 98119, USA; Howard Hughes Medical Institute, University of Washington, Seattle, WA 98195, USA; The School of Life Science and Technology, Xi'an Jiaotong University, Xi'an 710049, China