SecTracer: A Framework for Uncovering the Root Causes of Network Intrusions via Security Provenance

📅 2025-11-12
📈 Citations: 0
Influential: 0
🤖 AI Summary
Advanced Persistent Threats (APTs) and other multi-vector attacks in modern heterogeneous enterprise networks pose significant challenges for forensic attribution due to their cross-host, stealthy, and evolving nature. Method: This paper proposes a network-level security provenance framework that transcends host-centric limitations by modeling inter-host causal dependencies and reconstructing end-to-end attack paths. It integrates SDN-enabled fine-grained traffic collection, dynamic provenance graph reconstruction, and probabilistic graphical modeling for attack evolution prediction—balancing interpretability and real-time performance. Contribution/Results: We formally define and implement *network-level provenance semantics*—enabling both retrospective attack history reconstruction and proactive threat forecasting. Evaluated on real-world APT scenarios, our framework achieves significantly improved attack localization accuracy, with system overhead below 1% throughput degradation and negligible latency. It thus enhances detection, attribution, and response efficiency against complex, adaptive threats.

📝 Abstract
Modern enterprise networks comprise diverse and heterogeneous systems that support a wide range of services, making it challenging for administrators to track and analyze sophisticated attacks such as advanced persistent threats (APTs), which often exploit multiple vectors. To address this challenge, we introduce the concept of network-level security provenance, which enables the systematic establishment of causal relationships across hosts at the network level, facilitating the accurate identification of the root causes of security incidents. Building on this concept, we present SecTracer as a framework for a network-wide provenance analysis. SecTracer offers three main contributions: (i) comprehensive and efficient forensic data collection in enterprise networks via software-defined networking (SDN), (ii) reconstruction of attack histories through provenance graphs to provide a clear and interpretable view of intrusions, and (iii) proactive attack prediction using probabilistic models. We evaluated the effectiveness and efficiency of SecTracer through a real-world APT simulation, demonstrating its capability to enhance threat mitigation while introducing less than 1% network throughput overhead and negligible latency impact.
Problem

Research questions and friction points this paper is trying to address.

Identifying root causes of sophisticated network intrusions
Establishing causal relationships across heterogeneous enterprise systems
Reconstructing attack histories for accurate forensic analysis
Innovation

Methods, ideas, or system contributions that make the work stand out.

Network-level security provenance for causal relationships
SDN-based forensic data collection in enterprise networks
Provenance graphs and probabilistic models for attacks