Saved in:
Bibliographic Details
Main Authors: Ghosh, Kushankur, Klair, Mehar, Kyars, Kian, Choo, Euijin, Sander, Jörg
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2603.17100
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866918395175239680
author Ghosh, Kushankur
Klair, Mehar
Kyars, Kian
Choo, Euijin
Sander, Jörg
author_facet Ghosh, Kushankur
Klair, Mehar
Kyars, Kian
Choo, Euijin
Sander, Jörg
contents Provenance graphs model causal system-level interactions from logs, enabling anomaly detectors to learn normal behavior and detect deviations as attacks. However, existing approaches rely on brittle, manually engineered rules to build provenance graphs, lack functional context for system entities, and provide limited support for analyst investigation. We present Auto-Prov, an adaptive, end-to-end framework that leverages large language models (LLMs) to automatically construct provenance graphs from heterogeneous and evolving logs, embed system-level functional attributes into the graph, enable provenance graph-based anomaly detectors to learn from these enriched graphs, and summarize the detected attacks to assist an analyst's investigation. Auto-Prov clusters unseen log types and efficiently extracts provenance edges and entity-level information via automatically generated rules. It further infers system-level functional context for both known and previously unseen system entities using a combination of LLM inference and behavior-based estimation. Attacks detected by provenance-graph-based anomaly detectors trained on Auto-Prov's graphs are then summarized into natural-language text. We evaluate Auto-Prov with four state-of-the-art provenance graph-based detectors across diverse logs. Results show that Auto-Prov consistently enhances detection performance, generalizes across heterogeneous log formats, and produces stable, interpretable attack summaries that remain robust under system evolution.
format Preprint
id arxiv_https___arxiv_org_abs_2603_17100
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle An End-to-End Framework for Functionality-Embedded Provenance Graph Construction and Threat Interpretation
Ghosh, Kushankur
Klair, Mehar
Kyars, Kian
Choo, Euijin
Sander, Jörg
Cryptography and Security
Machine Learning
Provenance graphs model causal system-level interactions from logs, enabling anomaly detectors to learn normal behavior and detect deviations as attacks. However, existing approaches rely on brittle, manually engineered rules to build provenance graphs, lack functional context for system entities, and provide limited support for analyst investigation. We present Auto-Prov, an adaptive, end-to-end framework that leverages large language models (LLMs) to automatically construct provenance graphs from heterogeneous and evolving logs, embed system-level functional attributes into the graph, enable provenance graph-based anomaly detectors to learn from these enriched graphs, and summarize the detected attacks to assist an analyst's investigation. Auto-Prov clusters unseen log types and efficiently extracts provenance edges and entity-level information via automatically generated rules. It further infers system-level functional context for both known and previously unseen system entities using a combination of LLM inference and behavior-based estimation. Attacks detected by provenance-graph-based anomaly detectors trained on Auto-Prov's graphs are then summarized into natural-language text. We evaluate Auto-Prov with four state-of-the-art provenance graph-based detectors across diverse logs. Results show that Auto-Prov consistently enhances detection performance, generalizes across heterogeneous log formats, and produces stable, interpretable attack summaries that remain robust under system evolution.
title An End-to-End Framework for Functionality-Embedded Provenance Graph Construction and Threat Interpretation
topic Cryptography and Security
Machine Learning
url https://arxiv.org/abs/2603.17100