TRACE: Enterprise-Wide Provenance Tracking for Real-Time APT Detection
IEEE Transactions on Information Forensics and Security (IF 6.8), Pub Date: 2021-07-21, DOI: 10.1109/tifs.2021.3098977
Hassaan Irshad, Gabriela Ciocarlie, Ashish Gehani, Vinod Yegneswaran, Kyu Hyung Lee, Jignesh Patel, Somesh Jha, Yonghwi Kwon, Dongyan Xu, Xiangyu Zhang

We present TRACE, a comprehensive provenance tracking system for scalable, real-time, enterprise-wide APT detection. TRACE uses static analysis to identify program unit structures and inter-unit dependences, such that the provenance of an output event includes the input events within the same unit. Provenance collected from individual hosts is integrated to facilitate construction of a distributed enterprise-wide causal graph. We describe the evolution of TRACE over a four-year period, during which our improvements to the system focused on performance, scalability, and fidelity. In this time span, the system call coverage increased (from 47 to 66) while the time and space overhead reduced by over one and two orders of magnitude, respectively. We also provide results from five adversarial engagements where an independent team of system evaluators conducted APT attacks and assessed system performance. The input from our system was used by three other teams to implement real-time APT detection logic. Retrospective analysis revealed that TRACE provided sufficient evidence to detect over 80% of the attack stages across all evaluations. By the last engagement, temporal and spatial overhead had been reduced significantly to 18% and 10%, respectively.
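The abstract's two key ideas, unit-scoped provenance within a process and cross-host integration into one causal graph, are easiest to see on a small constructed audit stream. The following is an added illustration written for this page, not TRACE's code: the unit ids and the inter-unit dependence table are assumed inputs (in the paper they come from static analysis and instrumentation; here they are constructed by hand), the event records are constructed, and connections are linked across hosts by a made-up connection id. The point it shows is why unit partitioning matters for a detector: a long-running server's output would otherwise depend on every input the process ever read, and backward tracing from an alert becomes unusable.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One audit record. `unit` is the execution unit (e.g. one request-handling
    loop iteration) that static-analysis-guided instrumentation would assign."""
    host: str
    pid: int
    unit: int
    kind: str   # 'read', 'write', 'recv', 'send'
    obj: str    # file path or connection id


# Constructed event stream, already merged across hosts in causal order.
# hostA runs a long-lived server (pid 100) that handles three requests as
# three units; the third unit forwards data over a connection to hostB.
EVENTS = [
    Event("hostA", 100, 1, "read", "/srv/req1"),
    Event("hostA", 100, 1, "write", "/srv/resp1"),
    Event("hostA", 100, 2, "read", "/srv/req2"),
    Event("hostA", 100, 2, "write", "/srv/resp2"),
    Event("hostA", 100, 3, "read", "/srv/req3"),
    Event("hostA", 100, 3, "send", "conn:hostA->hostB:1"),
    Event("hostB", 200, 1, "recv", "conn:hostA->hostB:1"),
    Event("hostB", 200, 1, "write", "/tmp/out"),
]

# Constructed stand-in for a static-analysis result: unit 3 of pid 100 on hostA
# consumes memory that unit 1 left behind, so unit 3 outputs also depend on
# unit 1 inputs. Key: (host, pid, unit) -> units it depends on.
INTER_UNIT_DEPS = {("hostA", 100, 3): [1]}


def build_graph(events, inter_unit_deps, unit_aware=True):
    """Return a dependency map: event -> set of events it causally depends on.

    unit_aware=True  : an output depends on inputs of its own unit plus any
                       units listed for it in inter_unit_deps (TRACE's model).
    unit_aware=False : an output depends on every earlier input of the process
                       (coarse process-level provenance, for comparison)."""
    deps = defaultdict(set)
    inputs_by_unit = defaultdict(lambda: defaultdict(list))  # (host,pid) -> unit -> inputs
    sends = defaultdict(list)                                 # connection id -> send events

    for ev in events:
        proc = (ev.host, ev.pid)
        if ev.kind in ("read", "recv"):
            if ev.kind == "recv":
                # Cross-host edge: a receive depends on the matching sends.
                deps[ev].update(sends[ev.obj])
            inputs_by_unit[proc][ev.unit].append(ev)
        else:  # write or send
            if unit_aware:
                units = {ev.unit} | set(inter_unit_deps.get((ev.host, ev.pid, ev.unit), ()))
            else:
                units = set(inputs_by_unit[proc])
            for u in units:
                deps[ev].update(inputs_by_unit[proc][u])
            if ev.kind == "send":
                sends[ev.obj].append(ev)
    return deps


def provenance(deps, event):
    """Backward closure: every event that the given event transitively depends on."""
    seen, stack = set(), [event]
    while stack:
        e = stack.pop()
        for d in deps.get(e, ()):
            if d not in seen:
                seen.add(d)
                stack.append(d)
    return seen


def trace_output(unit_aware, inter_unit_deps=None):
    """Provenance of the final write on hostB as sorted (host, kind, obj) tuples."""
    deps = build_graph(EVENTS, inter_unit_deps or {}, unit_aware)
    return sorted((e.host, e.kind, e.obj) for e in provenance(deps, EVENTS[-1]))


if __name__ == "__main__":
    print("unit-scoped:           ", trace_output(True))
    print("unit-scoped + deps:    ", trace_output(True, INTER_UNIT_DEPS))
    print("process-level (coarse):", trace_output(False))
```

With unit scoping, the write on hostB traces back to three events (the receive, the send, and the one request file the third unit actually read); adding the constructed inter-unit dependence brings in the first request as well; process-level tracking pulls in every request the server ever handled, which is the dependency explosion that grows without bound on real servers.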

Updated: 2021-09-03