Workshop on Attack Provenance, Reasoning, and Investigation for Security in the Monitored Environment (PRISM) 2026 Program

Endpoint Detection and Response (EDR) systems play a crucial role in modern cybersecurity by monitoring and responding to Advanced Persistent Threats (APT) on endpoints. Provenance analysis has emerged as a powerful technique for enhancing EDR capabilities by providing detailed insights into system activities and enabling advanced threat detection. However, enterprises still face significant challenges in effectively processing and analyzing provenance data for real-time threat detection and response. In this paper, we present SYSARMOR, a practice of integrating provenance analysis into EDR systems designed to address these challenges through a novel microservices architecture. SYSARMOR integrates efficient provenance data collection, real-time streaming processing, and asynchronous detection engine that combines Falco rule-based detection with provenance graph-based anomaly detection, NODLINK and KNOWHOW, to provide end-to-end online threat detection. To help security analysts investigate alerts, SYSARMOR offers a management front end that manages alerts and visualizes provenance graphs. We deploy SYSARMOR in a real-world enterprise environment and evaluate its performance and effectiveness. Our results demonstrate that SYSARMOR can detect real-world APT attacks effectively while maintaining high throughput and low latency. SYSARMOR is also scalable and can be easily deployed in multiple endpoints.

Academic research on provenance analysis is primarily based on high-fidelity event streams captured on Linux/Unix devices (e.g., Linux Audit). Unfortunately, provenance tracing becomes much more complicated on Windows, where microkernel design principles lead to far noisier provenance graphs. These complications further compound when analyzing the efficient, low-fidelity event streams generated by commercial Endpoint Detection & Response products.

Fortunately, provenance tracing is still possible in spite of these obstacles. We first present a method of recovering whole-system provenance from commercial EDR telemetry. This graph conservatively models all possible information flows, but is even less precise than traditional whole-system provenance graphs – that is, there is more dependency explosion, or false provenance. We go on to present four heuristics that allow us to denoise the provenance graph under realistic threat investigation scenarios. The first two heuristics are process-centric, leveraging domain knowledge of Windows service control flow patterns to mitigate the dependency explosion caused by Windows IPC. The second two heuristics are data-centric, intended to cluster and denoise data accesses on Windows where accesses to environmental configuration data (i.e., Registry keys) are auditable events. In evaluations based on the MITRE Enginuity simulation of the Carbanak APT, we demonstrate that these heuristics reduce graph complexity by up to 98% as compared to a baseline tracing algorithm. These tracing strategies enable further research into provenance integrations for EDR, moving the community towards a more realistic and relevant deployment model.

Advanced Persistent Threats (APTs) are long-running stealthy attack campaigns that routinely evade modern defense mechanisms. As a result, defenders rely heavily on post-compromise forensic analysis to understand attack progression and scope. System call provenance derived from audit logs is widely regarded as the most comprehensive source for reconstructing host activity and “connecting the dots” of multi-stage attacks. However, in practice, audit-derived provenance can be incomplete, or may contain errors. This can happen due to missing context, gaps in event capture or reporting, or incorrect dependency tracking. The resulting errors undermine the central goal of audit data collection, namely, serving as the complete and authoritative source for attack investigation. In this paper, we demonstrate such problems across multiple DARPA Transparent Computing datasets. We discuss the common underlying reasons that contribute to these errors, and then present a new system Improv to address them. Improv post-processes audit data at the user-level to add additional context and provenance information by querying the OS. It builds on eAudit [1], adding a modest 2.4% additional overhead.

Provenance-based security applications are showing tremendous promise in the academic literature, but successfully transition these technologies to practice will require community stakeholders to demonstrate the business potential of provenance analysis. Customer Discovery is a structured process through which early-stage start-ups can validate the commercial potential of an idea through direct interaction with potential customers. As a provenance-based security start-up, we conducted hundreds of customer discovery interviews, and believe that many of our findings would be of interest to the broader academic community. In this position paper, we summarize our findings and consider how they could inform future research on provenance analysis.

Persistent, high-volume SSH brute-force activity frequently overwhelms security operations, yet current defenses often treat network telemetry as a terminal artifact for post-hoc diagnosis rather than a source for upstream investigation. These approaches focus on absolute volume suppression and binary alerts, often failing to provide population-aware rankings that are necessary to prioritize high-risk, relative outliers. This work addresses these gaps by introducing Nested Outlier Detection (NOD), a two-stage framework that transforms raw network telemetry into structured behavioral strata. By progressively filtering routine noise, NOD isolates ”outliers of outliers”; statistically extreme behaviors. NOD provides interpretability by mapping these outliers to three intuitive dimensions; volume, reach, and credential diversity; enabling population-level reasoning. This tiered approach reveals distinct attacker phenotypes characterized by high volume, broad target reach, and a variety of credentials. Evaluation on large-scale datasets demonstrates that NOD compresses millions of logs into compact, interpretable structures, shifting the defensive focus from per-source classification to the graded, population-level reasoning required for scalable triage and longitudinal threat analysis.

In recent years, provenance-based intrusion detection and forensic systems have attracted significant attention, leading to a rapid growth of related research efforts. However, progress in this area has been hindered by the long-standing lack of updated datasets and benchmarks. Existing datasets suffer from several critical limitations, including outdated attack techniques, short temporal scales, and incomplete or fragmented attack chains. As a result, they fail to capture the characteristics of the latest, real-world Advanced Persistent Threat (APT) attacks. Moreover, the unclear, coarse-grained attack procedures underlying existing datasets make accurate labeling and reliable evaluation difficult. Consequently, the absence of a comprehensive, up-to-date dataset has become a major bottleneck for the progress of this area. To address this, we present our efforts in building a large-scale, diverse, and well-annotated dataset for provenance-based intrusion analysis. Our dataset is generated using an automated attack emulation framework that incorporates recent attack techniques and supports fine-grained ground-truth labeling. Using this dataset, we conduct a comprehensive evaluation of state-of-the-art provenance-based intrusion detection systems, revealing weaknesses that cannot be effectively benchmarked with existing datasets. Our results demonstrate the dataset’s value in enabling clearer, more informative evaluations and highlight its potential to advance future research in provenance-based intrusion detection and graph-based security analysis.

Provenance-based backward tracking is a critical technique for investigating Advanced Persistent Threats (APTs). However, existing approaches utilizing reachability analysis or statistical anomaly detection often suffer from dependency explosion and a significant semantic gap. These methods cannot typically distinguish high-level adversarial intent from benign administrative activities, resulting in a substantial number of false positives.

In this paper, we introduce TRACKAGENT, a novel system that conceptualizes backward tracking as a knowledge-augmented, context-aware reasoning task. By leveraging Large Language Models (LLMs) enhanced with a knowledge augmentation module, TRACKAGENT aims to bridge the gap between low-level log events and attack intent. Furthermore, we design a context management model to handle the long-term dependencies of APT campaigns within finite context windows.

We report preliminary evaluations on DARPA TC, Aurora, and OpTC datasets to assess the feasibility of this approach. Early results suggest that compared to state-of-the-art baselines, TRACKAGENT can achieve higher fidelity (precision and recall) while generating significantly smaller attack subgraphs. These findings provide early evidence of the LLM-enhanced system’s potential to detect critical attack behaviors from massive background noise, while offering analysts concise and interpretable forensic explanations.

Software-defined networking (SDN) is widely adopted in enterprise networks, data centers, and wide-area networks. These infrastructures are often federated into multiple administrative domains managed by distinct organizations. In this context, forensic analysis of cross-domain attacks remains a major challenge: fragmented causal visibility across domains and privacy constraints prevent effective tracing of threat propagation. Although prior work has focused on centralized provenance systems offering causal traceability, these approaches do not scale
in multi-domain contexts with heterogeneous policies. We propose G-Prove, a decentralized forensic framework for multi-domain SDN environments. G-Prove builds local provenance graphs and anchors cross-domain events via a cryptographically signed DAG, enabling causal analysis without exposing each domain’s internal data. Our results on a cross-domain attack scenario demonstrate the feasibility and effectiveness of G-Prove, and allow us to identify areas for improvement for more complex deployments.

We present MIRAGE, the first privacy-preserving Provenance-based IDS (PIDS) that integrates Federated Learning (FL) with graph representation learning to match centralized detection accuracy while preserving privacy and improving scalability. Building MIRAGE is non-trivial due to challenges in federating graph-based models across clients with heterogeneous logs, inconsistent semantic encodings, and temporally misaligned data. To address these challenges, MIRAGE introduces a novel process entity categorization-based ensemble, where specialized submodels learn distinct system behaviors and avoid aggregation errors. To enable privacy-preserving semantic alignment, MIRAGE designs a dual-server harmonization framework: one server issues encryption keys, and the other aggregates encrypted embeddings without accessing sensitive tokens. To remain robust to temporal misalignment across clients, MIRAGE employs inductive GNNs that eliminate the need for synchronized timestamps. Evaluations on DARPA datasets show that MIRAGE matches the detection accuracy of state-of-the-art PIDS and reduces network communication costs by 170×, processes datasets in minutes rather than hours.

Federated Learning (FL) systems are susceptible to adversarial attacks, such as model poisoning attacks and backdoor attacks. Existing defense mechanisms face critical limitations in deployments, such as relying on impractical assumptions (e.g., adversaries acknowledging the presence of attacks before attacking) or undermining accuracy in model training, even in benign scenarios. To address these challenges, we propose CustodianFL, a two-staged anomaly detection method specifically designed for FL deployments. In the first stage, it flags suspicious client activities. In the second stage that is activated only when needed, it further examines these candidates using the 3σ rule to identify and exclude truly malicious local models from FL training. To ensure integrity and transparency within the FL system, CustodianFL integrates zero-knowledge proofs, enabling clients to cryptographically verify the server’s detection process without relying on the server’s goodwill. CustodianFL operates without unrealistic assumptions and avoids interfering with FL training in attack-free scenarios. It bridges the gap between theoretical advances in FL security and the practical demands of real FL systems. Experimental results demonstrate that CustodianFL consistently delivers performance comparable to benign cases, highlighting its effectiveness in identifying and eliminating malicious models with high accuracy.

Firewall rule misconfigurations is a very-well known challenge in network security management. It often leads to unintended access control behavior, storage misuse, unnecessary management overhead, and performance degradation. Existing approaches primarily rely on static rule analysis and are limited in their ability to explain how misconfigurations manifest during actual firewall execution. In this paper, we propose a provenance-based method for detecting firewall rule misconfigurations by reconstructing causal relationships between network traffic, firewall rules, and filtering decisions using firewall logs. Our methodology enables the systematic detection of well-acknowledged firewall misconfigurations, including shadowing, redundancy, generalization, specialization, and correlation. To ensure completeness and soundness, we formally specify the provenance model and prove key structural properties, including acyclicity, using the F* verification framework.

We evaluate our approach on an OPNsense firewall with some misconfigured rule sets and demonstrate that it detects all conflicts with negligible runtime and storage overhead. The results show that data provenance provides an effective and viable method for analyzing firewall misconfigurations.

Online job-application funnels are increasingly abused by automated campaigns that flood employers with non-genuine submissions, distorting metrics and eroding platform trust. We report on the first production-scale, defense-in-depth system that detects and mitigates such abuse in real time on Indeed.com, a major job marketplace processing tens of millions of applications each week. Our architecture couples lightweight client-side traps like selector obfuscation, distributed honeypots, browser-trust signals, and Google invisible reCAPTCHA with a multivariate Isolation-Forest anomaly model that operates entirely without labelled data. A novel precision-weighted F1 objective steers threshold selection to minimise user friction while preserving coverage. Deployed globally, the system blocks a significant number of fraudulent applications per day and achieves a 10.23% reduction in suspected abuse volume without degrading legitimate conversion. We detail the layered design, feature engineering, unsupervised modelling, and adaptive mitigation pipeline, and distill lessons for practitioners defending high-throughput, adversarial web services where labelled data are scarce.

The widespread availability and routine use of social media platforms have created new opportunities for covert communication over channels that are often permitted within organizational networks. This work presents SocialStego, a proof-of-concept system that demonstrates how limited social media security policies can be exploited by an insider to exfiltrate sensitive information without violating nominal access controls. Adopting an insider-threat perspective, SocialStego combines Least Significant Bit (LSB) steganography with a hybrid cryptographic scheme to protect the confidentiality of embedded payloads. Specifically, AES-256 is used for payload encryption, while RSA- 2048 supports secure key exchange. A custom encoding protocol is implemented to embed encrypted data into lossless PNG image files and WAV audio files. Encoded carrier files are transmitted using existing social media and messaging infrastructure that preserves lossless media formats. The system examines the trade-offs between embedding capacity and perceptual distortion, showing that WAV carriers support higher payload capacity under the proposed design due to their variable duration, while increasing the LSB bit depth introduces more noticeable and potentially detectable noise artifacts in the carrier. Collectively, these findings demonstrate the feasibility and associated risks of covert data exfiltration via commonly accessible social media channels and highlight the need for organizations to account for such mechanisms when developing security policies and controls.