🤖 AI Summary
This work addresses the high failure rates and extensive manual intervention plaguing existing provenance-graph-based attack investigation methods in real-world environments, primarily caused by dependency explosion and causal chain fragmentation. To overcome these limitations, the authors propose SherAgent, the first large language model (LLM)-driven iterative “query–filter” backtracking mechanism. SherAgent integrates unstructured contextual data and threat intelligence through semantic reasoning to dynamically adjust query scope in response to missing events, while employing precise filtering and strategic node selection to mitigate dependency explosion and enable efficient end-to-end root cause localization. Experimental results demonstrate that SherAgent improves investigation success rates by 31.1% over enterprise baselines and by 63.7% over state-of-the-art methods, achieving each analysis in under four minutes at a cost of less than \$0.10—significantly reducing the burden on human analysts.
📝 Abstract
Provenance-based attack investigation enables viable automation by standardizing data and query logic; however, it is critically hindered in practice by dependency explosions and fragmented causal chains in the wild. Towards designing a robust and automated investigation tool, we collaborated with the SOC of a major Internet corporation serving billions of users. By engaging in real-world incident response, we are able to evaluate and refine their existing LLM-based investigation workflows, which processes tens of thousands of raw alerts daily, leaving thousands for manual triage, to find out the root causes of investigation failures and major challenges in their existing tools. Motivated by these findings, we propose SherAgent, an LLM-empowered automated investigation system. Operating on an iterative ``query-filter'' backtracking paradigm over provenance graphs, SherAgent leverages the semantic reasoning capabilities of LLMs to process unstructured data, such as investigation context and threat intelligence. To overcome fragmented causal chains caused by missing events, the system dynamically calibrates query conditions to broaden the search scope. Concurrently, it performs precision result filtering and strategic nodes selection for subsequent exploration, thereby mitigating dependency explosions. Extensive evaluations in the wild demonstrate that SherAgent improves the end-to-end investigation success rate by 31.1% and 63.7% compared to both legacy enterprise baselines and SOTA approaches, respectively. Furthermore, it operates with remarkable efficiency, incurring under $0.10 in API costs and requiring less than 4 minutes per investigation. Finally, our user study confirms that SherAgent provides accurate and clear insights, significantly reducing the analytical overhead for security experts.