ProvAgent: Threat Detection Based on Identity-Behavior Binding and Multi-Agent Collaborative Attack Investigation

ProvAgent is a novel framework that enhances threat detection and investigation by integrating graph contrastive learning for high-fidelity alert generation with a multi-agent collaborative system to autonomously reconstruct complex APT attack processes, thereby overcoming the limitations of traditional human-model collaboration.

The Gist

Imagine you are the head of security for a massive, bustling city (your computer network). Every day, millions of people (processes) walk the streets, open doors (files), and make phone calls (network connections). Your job is to spot the spies (hackers) hiding among the crowd.

The problem? There are too many people, and the spies are very good at blending in.

The Old Way: The Overworked Detective

Traditionally, security systems acted like a nervous guard dog. They barked at everything that looked slightly weird.

• The Problem: The dog barks at a cat, a leaf blowing in the wind, and a real intruder. You get thousands of "barks" (alerts) a day.
• The Result: A human detective (the security analyst) gets exhausted trying to check every single bark. They suffer from "alert fatigue," eventually ignoring the real threats because they are too tired to care.
• The Paradox: The detective needs the dog to find the bad guys, but the dog is so noisy that the detective can't do their job.

The New Solution: ProvAgent

The paper introduces ProvAgent, a new system that changes the game. Instead of just a guard dog and a tired human, ProvAgent creates a high-tech detective agency with two specialized teams working together.

Team 1: The "ID Check" Squad (EPD Module)

• The Metaphor: Imagine a bouncer at a club who doesn't just look at what you are doing, but who you are supposed to be.
• How it works: In a normal city, a "Firefighter" (a specific program) should only put out fires. If you see a "Firefighter" suddenly trying to break into a bank vault, that's weird, even if they are wearing a firefighter's uniform.
• The Innovation: ProvAgent learns the "Identity-Behavior" profile of every entity. It knows that a process named nginx (a web server) usually talks to the internet. If that same nginx process suddenly starts reading sensitive password files, the system flags it immediately.
• The Benefit: It filters out the noise. It doesn't bark at the cat or the wind. It only alerts the agency when someone is wearing a "Firefighter" costume but acting like a "Bank Robber." This drastically reduces false alarms.

Team 2: The "Detective Squad" (MAI Module)

• The Metaphor: Once the ID Check Squad finds a suspicious person, they don't just call the police. They send in a team of AI detectives who work together like a human squad.
• The Team Roles:
  1. The Investigator: Goes to the scene to gather raw evidence (logs, files, connections).
  2. The Analyst: Checks the evidence against a massive database of "normal behavior" to see if it's a real crime or just a misunderstanding.
  3. The Leader: The "Sherlock Holmes." They look at the big picture. They ask, "If this person stole a key, where did they go next? Did they call a getaway driver?" They form a hypothesis about the whole crime.
  4. The Reporter: Writes the final story for the human boss, explaining exactly what happened in plain English.
• The "Hypothesis-Verification" Loop:
  • The Leader says: "I think the hacker stole a key and is now hiding in the basement."
  • The Investigator goes to the basement to check.
  • The Analyst verifies if the evidence found in the basement actually proves the theory.
  • If the evidence is weak, the Leader changes the theory. If it's strong, they move to the next step.
  • They keep doing this until they have reconstructed the entire crime story, from the first break-in to the final escape.

Why This is a Game Changer

1. No More Alert Fatigue: Because Team 1 filters out the noise, the human analyst only gets high-quality, verified reports.
2. Autonomous Investigation: The AI detectives don't just say "Something is wrong." They figure out why, how, and what happened next. They can find attacks that were missed by the initial scan because they are smart enough to connect the dots.
3. Cheap and Fast: The paper mentions this system costs as little as $0.06 per day to run. It's like hiring a team of super-detectives for the price of a cup of coffee.

The Bottom Line

ProvAgent is like upgrading from a noisy, barking dog that wakes up the whole neighborhood to a smart, self-driving security team.

• It knows exactly who belongs where.
• It investigates clues like a human detective but never gets tired.
• It tells you the whole story of the attack, not just a single scary moment.

It bridges the gap between "machines that detect" and "humans who understand," creating a partnership where the machine does the heavy lifting, and the human makes the final strategic decisions.

Technical Summary

Here is a detailed technical summary of the paper "ProvAgent: Threat Detection Based on Identity-Behavior Binding and Multi-Agent Collaborative Attack Investigation."

1. Problem Statement

Advanced Persistent Threats (APTs) pose a critical challenge to modern cybersecurity due to their multi-stage, stealthy nature. Current Provenance-based Endpoint Detection and Response (P-EDR) systems face two paradoxical issues:

• Expert Skepticism: Human analysts often doubt the capability of traditional models to identify complex, zero-day attacks, leading to a reliance on manual verification.
• Expert Dependence: Analysts cannot manually process the massive volume of raw audit logs required to detect threats without automated assistance.

Existing solutions suffer from specific limitations:

• Heuristic/Rule-based methods fail against zero-day exploits and polymorphic variants.
• Anomaly-based methods (using Graph Neural Networks) often generate high volumes of false positives because they detect topological anomalies without considering Identity-Behavior consistency. They struggle to distinguish between benign administrative operations and malicious attacks that share similar interaction patterns.
• LLM-based methods often act merely as passive classifiers or advisors within rigid workflows, lacking the autonomous investigative authority to reconstruct global attack narratives or validate hypotheses dynamically.

This results in alert fatigue, where analysts are overwhelmed by low-quality alerts, and superficial investigations, where the root cause and full scope of an attack remain unclear.

2. Methodology: ProvAgent Framework

ProvAgent proposes a paradigm shift from "Human-Model Collaboration" to "Multi-Agent System and Traditional Model Collaboration." It consists of two synergistic modules:

A. Entity-Profile-based Detection (EPD)

The EPD module acts as the initial screening layer, designed to generate high-fidelity alerts with minimal false positives.

• Identity-Behavior Binding: Unlike previous methods that use coarse-grained categories (e.g., "file" or "process"), EPD defines fine-grained identities based on specific attributes (e.g., process name, file path, port number).
• Graph Contrastive Learning:
  • Graph Construction: Raw audit logs are converted into provenance graphs where nodes represent entities (processes, files, sockets) and edges represent causal interactions.
  • Feature Encoding: Nodes are initialized with semantic attributes (via Word2Vec), action frequency distributions, and temporal statistics.
  • Contrastive Training: A Graph Neural Network (GNN) is trained using InfoNCE loss to pull together nodes with the same identity and push apart nodes with different identities. This creates a latent space where entities with the same identity exhibit consistent behavioral patterns.
• Anomaly Detection: During inference, the system checks for Identity-Behavior Consistency Violations. An anomaly is flagged if:
  1. A node's behavior deviates significantly from the learned behavioral profile of its declared identity (e.g., an nginx process behaving like a find utility).
  2. The node's observed behavior matches a different identity class than its declared attributes.
• Output: High-quality alerts that serve as investigation entry points, stored alongside a graph database for forensic retrieval.

B. Multi-Agent Investigation (MAI)

The MAI module simulates a Security Operations Center (SOC) using a collaborative team of four LLM-driven agents operating in a Hypothesis-Verification closed-loop framework.

• Agents:
  1. Analyst: Acts as a gatekeeper. Validates alerts by comparing them against a benign reference repository (using both attribute matching and vector similarity) to filter out false positives caused by legitimate operational heterogeneity.
  2. Investigator: Performs event-level forensic analysis. Traverses the provenance neighborhood of validated Indicators of Compromise (IOCs) to reconstruct atomic attack steps and discover new leads (neighboring entities).
  3. Leader: Conducts strategic reasoning. Synthesizes fragmented IOCs into a coherent Kill Chain (e.g., MITRE ATT&CK stages). It generates hypotheses about missing attack steps or potential false positives and directs the other agents to verify them.
  4. Reporter: Compiles the final, human-readable attack narrative and remediation guidance.
• Mechanism: The system operates iteratively. The Leader formulates hypotheses (e.g., "If lateral movement occurred, credentials must have been stolen"), and the Investigator/Analyst retrieve evidence to confirm or refute them. This process continues until a complete attack narrative is formed or all hypotheses are exhausted.
• Shared Memory: All agents access a shared repository of validated IOCs, evidence, and hypotheses to prevent hallucinations and ensure consistency.

3. Key Contributions

1. Synergistic Framework: Integrates the efficiency of traditional GNN-based detection with the deep reasoning capabilities of a multi-agent LLM system.
2. Fine-Grained Identity-Behavior Binding (EPD): Introduces a novel detection mechanism using graph contrastive learning to enforce strict consistency between an entity's identity and its behavior, significantly reducing false positives.
3. Autonomous Multi-Agent Investigation (MAI): Proposes a "Hypothesis-Verification" framework where LLMs act as active security analysts with investigative authority, capable of iterative reasoning, cross-validation, and reconstructing near-complete attack chains.
4. Comprehensive Evaluation: Demonstrates superior performance on real-world datasets (DARPA E3, E5, and OpTC) compared to state-of-the-art baselines.

4. Experimental Results

The authors evaluated ProvAgent on DARPA E3, E5, and OpTC datasets against six SOTA baselines (including Threatrace, Kairos, Flash, Orthrus, and OCR-APT).

• Anomaly Detection (RQ1):
  • ProvAgent outperformed all baselines in balancing True Positives (TP) and False Positives (FP).
  • While methods like Orthrus had near-zero FPs but missed most attacks (low recall), and others like Threatrace had high recall but massive FPs, ProvAgent achieved high detection rates with significantly fewer false positives.
  • On the CADETS-E3 dataset, ProvAgent detected 19 true positives with 1,941 false positives, whereas Threatrace detected 61 TPs but generated 252,117 FPs.
• Investigation Performance (RQ3):
  • ProvAgent successfully reconstructed near-complete attack narratives, covering the majority of APT stages (Initial Compromise, C&C, Privilege Escalation, etc.).
  • IOC Expansion: Unlike OCR-APT, which reduced the number of IOCs after investigation (due to over-pruning), ProvAgent expanded the detected IOC set by 160.7% by uncovering missed attack steps through its iterative investigation.
• Cost and Efficiency (RQ5):
  • The system is highly cost-effective, with a minimum daily investigation cost of $0.06 (using DeepSeek-V3.2) and an average runtime of 0.25 hours per day of logs.
• Robustness (RQ6):
  • ProvAgent demonstrated strong resilience against mimicry attacks (where attackers inject benign structures to hide malicious activity). Because ProvAgent relies on identity-behavior consistency rather than just structural similarity, injected benign behaviors that contradict the entity's identity actually amplified detection confidence.

5. Significance

ProvAgent addresses the critical gap between automated detection and expert-level forensic analysis.

• Reduces Alert Fatigue: By filtering out false positives at the detection stage (EPD) and validating them rigorously (MAI), it prevents analysts from being overwhelmed.
• Enables Autonomous Investigation: It moves beyond simple alert correlation to active hypothesis generation and verification, allowing for the reconstruction of complex, multi-stage APT campaigns without constant human intervention.
• Scalability and Cost: It proves that sophisticated, multi-agent investigation can be performed at a negligible cost, making it viable for large-scale enterprise deployment.
• Explainability: The system provides analyst-oriented reports with clear evidence trails, bridging the gap between black-box AI detection and human-understandable security narratives.

In summary, ProvAgent represents a significant advancement in P-EDR systems by combining the precision of identity-aware graph learning with the reasoning power of collaborative multi-agent systems to automate the full lifecycle of APT detection and investigation.