Minos: LLM-Driven Provenance Tracking

Arxiv other 2026-07-01T00:00:00

Abstract

Sophisticated cyber attacks, particularly Advanced Persistent Threats (APTs), necessitate rigorous post-intrusion forensic analysis. Provenance-based backward tracking serves as a pivotal capability for reconstructing attack scenarios by tracing causality from initial alerts. However, existing methods frequently rely on low-level statistical features and rigid traversal strategies. These approaches fail to capture high-level adversarial intent, especially against stealthy living-off-the-land techniques, and inevitably struggle with dependency explosion. To address these challenges, we propose Minos, a multi-agent collaborative framework that reconceptualizes backward tracking as a Large Language Model (LLM)-driven reasoning process. Minos operates via a two-tiered architecture. For individual event assessment, it introduces a structured framework to overcome the inherent limitations of LLMs: it employs a hierarchical context model for persistent state maintenance, implements retrieval-augmented reasoning with citation verification to ground inferences, and incorporates an adversarial deliberation mechanism to mitigate sycophancy bias. For end-to-end graph exploration, Minos orchestrates four specialized agents under a finite state machine (FSM), replacing exhaustive topological traversal with hypothesis-guided reasoning and count-first query protocols to prune the search space. Comprehensive evaluations on 14 attack scenarios across five public datasets demonstrate that Minos achieves average recall and precision of 0.92 and 0.64, respectively, significantly outperforming state-of-the-art baselines while generating attack subgraphs that are 49% more compact. Furthermore, Minos generates interpretable reasoning at every step, providing robust support for auditing and system refinement. Ultimately, our exploration validates the efficacy of leveraging LLMs for automated provenance-based backward tracking.
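The dependency-explosion problem and the count-first pruning idea from the abstract, as an added illustration that is not the paper's code (the abstract does not detail Minos's protocol): before expanding a node's ancestors, count its incoming edges per event type and skip any type whose count exceeds a threshold, so a hub such as a shell that loaded dozens of libraries does not flood the attack subgraph. The provenance events, node names and threshold are constructed for the example.

```python
from collections import Counter, deque

# Constructed provenance edges (sample data, not from the paper):
# (source, target, event_type, timestamp) meaning source causally affected target.
EDGES = [
    ("outlook.exe", "invoice.docm", "write", 1),
    ("invoice.docm", "winword.exe", "read", 2),
    ("winword.exe", "powershell.exe", "fork", 3),
    ("powershell.exe", "update.exe", "write", 5),
]
# A hub: the shell loads 60 libraries. A naive backward traversal pulls
# every one of them into the attack subgraph (dependency explosion).
EDGES += [(f"lib{i}.dll", "powershell.exe", "load", 4) for i in range(60)]


def predecessors(edges, node, before):
    """Edges into `node` that happened strictly before `before` (causal order)."""
    return [e for e in edges if e[1] == node and e[3] < before]


def backtrack(edges, alert, threshold=None):
    """Backward tracking from `alert`. With a threshold, apply a count-first
    rule: count a node's incoming edges per event type before materialising
    them, and skip any type whose count exceeds the threshold, logging it.
    Returns (subgraph_edges, pruned) where pruned maps (node, type) -> count."""
    subgraph, pruned, seen = [], {}, set()
    queue = deque([(alert, float("inf"))])
    while queue:
        node, before = queue.popleft()
        if (node, before) in seen:
            continue
        seen.add((node, before))
        preds = predecessors(edges, node, before)
        counts = Counter(e[2] for e in preds)          # the "count" query
        for e in preds:
            if threshold is not None and counts[e[2]] > threshold:
                pruned[(node, e[2])] = counts[e[2]]    # log the hub, don't expand it
                continue
            subgraph.append(e)
            queue.append((e[0], e[3]))                 # continue from the cause
    return subgraph, pruned


if __name__ == "__main__":
    naive, _ = backtrack(EDGES, "update.exe")
    compact, pruned = backtrack(EDGES, "update.exe", threshold=10)
    print(f"naive: {len(naive)} edges, count-first: {len(compact)} edges")
    for (node, etype), n in pruned.items():
        print(f"pruned {n} '{etype}' edges into {node}")
```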

