Threat detection and investigation with system-level provenance graphs: A survey
Computers & Security (IF 4.8), Pub Date: 2021-04-18, DOI: 10.1016/j.cose.2021.102282
Zhenyuan Li, Qi Alfred Chen, Runqing Yang, Yan Chen, Wei Ruan

As information technology develops, the boundary of cyberspace grows ever wider and thus exposes more and more vulnerabilities to attackers. Traditional mitigation-based defence strategies struggle to cope with this complex situation. Security practitioners urgently need better tools to describe and model attacks for defence.

The provenance graph appears to be an ideal method for threat modelling, offering powerful semantic expressiveness and the ability to correlate attack history. In this paper, we first introduce the basic concepts of system-level provenance graphs and present a typical system architecture for provenance graph-based threat detection and investigation. A comprehensive provenance graph-based threat detection system can be divided into three modules: a data collection module, a data management module, and a threat detection module. Each module contains several components and involves different research problems. We systematically taxonomize and compare the existing algorithms and designs involved in them. Based on these comparisons, we identify a technology selection strategy for real-world deployment. We also provide insights into, and challenges of, the existing work to guide future research in this area.
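To make the three-module architecture and the "historic correlation" property concrete, the following is an added example (not code from the survey or its authors). It builds a toy system-level provenance graph from constructed audit-style events (subject, operation, object, timestamp), then performs the backward causal trace an investigator runs from an alert. The event tuple format, the sample events, the node naming scheme and the flow-direction table are all assumptions made for the illustration; real collectors (auditd, ETW, Sysmon and similar) produce richer records but feed the same graph model.

```python
"""Toy system-level provenance graph for threat investigation.

Added example, not code from the survey or its authors.  The event tuple
format (ts, subject, operation, object), the node names and the sample
events are constructed for illustration only.
"""
from collections import defaultdict

# Constructed sample audit events: a shell spawns curl, which downloads a
# script; a second shell runs it, reads /etc/passwd and connects out.
# An unrelated vim session runs in parallel and must NOT appear in the trace.
SAMPLE_EVENTS = [
    (1,  "proc:bash[100]", "exec",    "proc:curl[101]"),
    (2,  "proc:curl[101]", "connect", "sock:203.0.113.5:443"),
    (3,  "proc:curl[101]", "recv",    "sock:203.0.113.5:443"),
    (4,  "proc:curl[101]", "write",   "file:/tmp/payload.sh"),
    (5,  "proc:bash[100]", "exec",    "proc:sh[102]"),
    (6,  "proc:sh[102]",   "read",    "file:/tmp/payload.sh"),
    (7,  "proc:sh[102]",   "read",    "file:/etc/passwd"),
    (8,  "proc:sh[102]",   "connect", "sock:203.0.113.5:8080"),
    (9,  "proc:bash[100]", "exec",    "proc:vim[103]"),
    (10, "proc:vim[103]",  "write",   "file:/home/user/notes.txt"),
]

# Direction of information flow for each operation.  The data collection
# module has to record enough to decide this, or the graph cannot be
# traversed causally.  (Assumed mapping, chosen for this example.)
SUBJECT_TO_OBJECT = {"exec", "write", "connect", "send"}
OBJECT_TO_SUBJECT = {"read", "recv"}


def build_graph(events):
    """Data management module: index edges by destination node so that a
    backward (ancestry) traversal only touches in-edges.
    Each entry is (source, timestamp, operation)."""
    incoming = defaultdict(list)
    for ts, subject, op, obj in events:
        if op in SUBJECT_TO_OBJECT:
            src, dst = subject, obj
        elif op in OBJECT_TO_SUBJECT:
            src, dst = obj, subject
        else:
            continue  # unknown op: no flow edge recorded
        incoming[dst].append((src, ts, op))
    return incoming


def backward_trace(incoming, sink, sink_ts):
    """Threat investigation: find every node that could have influenced
    `sink` no later than `sink_ts`.

    Returns {ancestor: (ts, op, downstream_node)}, recording the latest edge
    by which the ancestor flowed toward the sink.  An in-edge is followed
    only if its timestamp is <= the deadline at which the downstream node
    was reached; this temporal constraint is what separates provenance
    from plain graph reachability and keeps unrelated activity out.
    """
    deadline = {sink: sink_ts}
    explain = {}
    stack = [(sink, sink_ts)]
    while stack:
        node, t = stack.pop()
        for src, ts, op in incoming.get(node, ()):
            if ts > t:
                continue  # happened after the downstream effect: not causal
            if ts > deadline.get(src, -1):
                # reached with a later deadline: (re)expand, more edges qualify
                deadline[src] = ts
                explain[src] = (ts, op, node)
                stack.append((src, ts))
    return explain


def attack_path(explain, start, sink):
    """Walk the recorded edges from an ancestor forward to the sink,
    producing a readable chain for the analyst."""
    path, node = [start], start
    while node != sink:
        ts, op, nxt = explain[node]
        path.append(f"-[{op}@{ts}]->")
        path.append(nxt)
        node = nxt
    return path


if __name__ == "__main__":
    g = build_graph(SAMPLE_EVENTS)
    sink = "sock:203.0.113.5:8080"
    ancestors = backward_trace(g, sink, sink_ts=8)
    print("ancestors of", sink, "=", sorted(ancestors))
    print(" ".join(attack_path(ancestors, "sock:203.0.113.5:443", sink)))
```

Running the block traces the outbound connection on port 8080 back through sh, the downloaded script, curl and the original download socket, while the concurrent vim session never appears because no timestamp-respecting path leads from it to the sink. Dropping the `ts > t` check would turn this into ordinary reachability and, on a long-running shell, pull in every process that shell ever spawned; that dependency explosion is exactly the kind of problem the data management and detection modules surveyed above have to solve at scale.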




Updated: 2021-05-05