ProGQL: A Provenance Graph Query System for Cyber Attack Investigation

📅 2025-10-25
📈 Citations: 0
Influential: 0
🤖 AI Summary
Existing provenance analysis faces two key bottlenecks: limited flexibility—particularly in integrating domain expertise—and prohibitively high memory overhead, often exceeding 100 GB. This paper proposes ProGQL, the first framework to uniformly model system audit events and domain knowledge as constrained graph queries, enabling both dependency-path search and value propagation along edges. Its core contributions include novel language primitives—such as edge-weight computation and graph merging—and an incremental graph query engine that avoids full-graph in-memory instantiation while supporting collaborative execution across heterogeneous databases. Experiments on real-world attack scenarios demonstrate that ProGQL surpasses Cypher in expressive power, reduces memory consumption by an order of magnitude compared to DEPIMPACT, and significantly improves scalability. ProGQL thus enables low-memory, real-time, and knowledge-embeddable provenance analysis.

📝 Abstract
Provenance analysis (PA) has recently emerged as an important solution for cyber attack investigation. PA leverages system monitoring to record system activities as a series of system audit events and organizes these events as a provenance graph to show the dependencies among system activities, which can reveal steps of cyber attacks. Despite their potential, existing PA techniques face two critical challenges: (1) they are inflexible and non-extensible, making it difficult to incorporate analyst expertise, and (2) they are memory inefficient, often requiring >100 GB of RAM to hold entire event streams, which fundamentally limits scalability and deployment in real-world environments. To address these limitations, we propose the ProGQL framework, which provides a domain-specific graph search language with a well-engineered query engine, allowing PA over system audit events and expert knowledge to be jointly expressed as a graph search query and thereby facilitating the investigation of complex cyberattacks. In particular, to support dependency searches from a starting edge as required in PA, ProGQL introduces new language constructs for constrained graph traversal, edge weight computation, value propagation along weighted edges, and graph merging to integrate multiple searches. Moreover, the ProGQL query engine is optimized for efficient incremental graph search across heterogeneous database backends, eliminating the need for full in-memory materialization and reducing memory overhead. Our evaluations on real attacks demonstrate the effectiveness of the ProGQL language in expressing a diverse set of complex attacks compared with the state-of-the-art graph query language Cypher, and the comparison with the SOTA PA technique DEPIMPACT further demonstrates the significant improvement in scalability brought by the ProGQL framework's design.
Problem

Research questions and friction points this paper is trying to address.

Addressing inflexibility and non-extensibility in provenance analysis techniques
Solving memory inefficiency issues in cyber attack investigation systems
Enabling scalable dependency searches through optimized graph query language
Innovation

Methods, ideas, or system contributions that make the work stand out.

Domain-specific graph query language for provenance analysis
Constrained graph traversal with edge weight computation
Efficient incremental search across heterogeneous database backends
Authors

Fei Shao, Case Western Reserve University
Jia Zou, Arizona State University (Database Systems for AI, AI in Database Systems, Data Integration, Database Privacy)
Zhichao Cao, Arizona State University
Xusheng Xiao, Arizona State University