Jiahui Wang (Zhejiang University, Hangzhou, China), Xiangmin Shen (Hofstra University, Hempstead, NY, USA), Zhengkai Wang (Zhejiang University, Hangzhou, China), Zhenyuan Li (Zhejiang University, Hangzhou, China)
Provenance-based backward tracking is a critical technique for investigating Advanced Persistent Threats (APTs). However, existing approaches utilizing reachability analysis or statistical anomaly detection often suffer from dependency explosion and a significant semantic gap. These methods cannot typically distinguish high-level adversarial intent from benign administrative activities, resulting in a substantial number of false positives.
In this paper, we introduce TRACKAGENT, a novel system that conceptualizes backward tracking as a knowledge-augmented, context-aware reasoning task. By leveraging Large Language Models (LLMs) enhanced with a knowledge augmentation module, TRACKAGENT aims to bridge the gap between low-level log events and attack intent. Furthermore, we design a context management model to handle the long-term dependencies of APT campaigns within finite context windows.
We report preliminary evaluations on DARPA TC, Aurora, and OpTC datasets to assess the feasibility of this approach. Early results suggest that compared to state-of-the-art baselines, TRACKAGENT can achieve higher fidelity (precision and recall) while generating significantly smaller attack subgraphs. These findings provide early evidence of the LLM-enhanced system’s potential to detect critical attack behaviors from massive background noise, while offering analysts concise and interpretable forensic explanations.