Attack Provenance Tracing in Cyberspace: Solutions, Challenges and Future Directions
IEEE Network (IF 6.8), Pub Date: 8-22-2018, DOI: 10.1109/mnet.2018.1700469
Cheng Tan, Qian Wang, Lina Wang, Lei Zhao

With the increasing damage of APT attacks, the modern world has moved from individual hackers for fun to nation-wide cybercriminals for strategic advantage or profit. These APT attacks are often prolonged and have multiple stages, and they usually utilize zero-day or one-day exploits to be penetrating and stealthy. As a result, there is an urgent need to detect and investigate APT attacks. Among all kinds of security techniques, provenance tracing is regarded as a promising and important approach for attack investigation, as it discloses the root cause, the path, and the results of attacks. However, the existing techniques either suffer from the limitation of only focusing on the log type, or have non-trivial space and runtime overhead, which hinder their wide applications in practice. In this article, we provide a comprehensive survey of provenance tracing technologies in the most recent literature. Following the overview of each scheme, we present the key technical features of them and then compare the state-of-the-art solutions in terms of both security and performance. Finally, we propose and discuss several potential future research directions.

Updated: 2024-08-22