{"id":"https://openalex.org/W7134898639","doi":"https://doi.org/10.48550/arxiv.2603.09358","title":"ProvAgent: Threat Detection Based on Identity-Behavior Binding and Multi-Agent Collaborative Attack Investigation","display_name":"ProvAgent: Threat Detection Based on Identity-Behavior Binding and Multi-Agent Collaborative Attack Investigation","publication_year":2026,"publication_date":"2026-03-10","ids":{"openalex":"https://openalex.org/W7134898639","doi":"https://doi.org/10.48550/arxiv.2603.09358"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2603.09358","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.09358","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2603.09358","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5128774274","display_name":"Wenhao Yan","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Yan, Wenhao","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5085558612","display_name":"Ning An","orcid":"https://orcid.org/0000-0002-3066-1112"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"An, Ning","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5128708198","display_name":"Linxu Li","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Li, Linxu","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5117249387","display_name":"Bingsheng Bi","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Bi, Bingsheng","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5128794561","display_name":"Bo Jiang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Jiang, Bo","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5128779601","display_name":"Zhigang Lu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Lu, Zhigang","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5128748764","display_name":"Baoxu Liu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Liu, Baoxu","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5128708286","display_name":"Junrong Liu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Liu, Junrong","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5104507925","display_name":"Cong Dong","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Dong, Cong","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":9,"corresponding_author_ids":["https://openalex.org/A5128774274"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12127","display_name":"Software System Performance and Reliability","score":0.24529999494552612,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12127","display_name":"Software System Performance and Reliability","score":0.24529999494552612,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.22759999334812164,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.0892999991774559,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/consistency","display_name":"Consistency (knowledge bases)","score":0.6164000034332275},{"id":"https://openalex.org/keywords/anomaly-detection","display_name":"Anomaly detection","score":0.6044999957084656},{"id":"https://openalex.org/keywords/process","display_name":"Process (computing)","score":0.5652999877929688},{"id":"https://openalex.org/keywords/intrusion-detection-system","display_name":"Intrusion detection system","score":0.3919000029563904},{"id":"https://openalex.org/keywords/quality","display_name":"Quality (philosophy)","score":0.38519999384880066}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7311999797821045},{"id":"https://openalex.org/C2776436953","wikidata":"https://www.wikidata.org/wiki/Q5163215","display_name":"Consistency (knowledge bases)","level":2,"score":0.6164000034332275},{"id":"https://openalex.org/C739882","wikidata":"https://www.wikidata.org/wiki/Q3560506","display_name":"Anomaly detection","level":2,"score":0.6044999957084656},{"id":"https://openalex.org/C98045186","wikidata":"https://www.wikidata.org/wiki/Q205663","display_name":"Process (computing)","level":2,"score":0.5652999877929688},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4903999865055084},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.3919000029563904},{"id":"https://openalex.org/C2522767166","wikidata":"https://www.wikidata.org/wiki/Q2374463","display_name":"Data science","level":1,"score":0.391400009393692},{"id":"https://openalex.org/C2779530757","wikidata":"https://www.wikidata.org/wiki/Q1207505","display_name":"Quality (philosophy)","level":2,"score":0.38519999384880066},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.3156999945640564},{"id":"https://openalex.org/C2779304628","wikidata":"https://www.wikidata.org/wiki/Q3503480","display_name":"Face (sociological concept)","level":2,"score":0.3057999908924103},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.3003000020980835},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.26969999074935913},{"id":"https://openalex.org/C132964779","wikidata":"https://www.wikidata.org/wiki/Q2110223","display_name":"Raw data","level":2,"score":0.2572000026702881},{"id":"https://openalex.org/C2776633304","wikidata":"https://www.wikidata.org/wiki/Q6038026","display_name":"Insider threat","level":3,"score":0.25369998812675476}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2603.09358","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.09358","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2603.09358","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.09358","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/16","score":0.5202186107635498,"display_name":"Peace, Justice and strong institutions"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Advanced":[0],"Persistent":[1],"Threats":[2],"(APTs)":[3],"pose":[4],"critical":[5],"challenges":[6],"to":[7,11,49,65,115,157],"modern":[8],"cybersecurity":[9],"due":[10],"their":[12],"multi-stage":[13],"and":[14,53,75,91,122,129],"stealthy":[15],"nature.":[16],"While":[17],"provenance-based":[18],"detection":[19,47],"approaches":[20],"show":[21],"promise":[22],"in":[23,94,191],"capturing":[24],"causal":[25],"attack":[26,200],"semantics,":[27],"current":[28],"threat":[29,109],"provenance":[30,110],"practices":[31],"face":[32],"two":[33],"paradoxical":[34],"issues:":[35],"(1)":[36],"expert":[37,55],"skepticism,":[38],"where":[39],"human":[40,89],"analysts":[41,58],"doubt":[42],"the":[43,79,108,127],"capability":[44],"of":[45,131,206],"traditional":[46,76,123,132],"models":[48,77,133],"identify":[50],"complex":[51],"attacks;":[52],"(2)":[54],"dependence,":[56],"as":[57,165],"cannot":[59],"manually":[60],"process":[61],"large-scale":[62,139],"raw":[63],"logs":[64],"detect":[66],"threats":[67],"without":[68],"these":[69,99,162],"models.":[70,124],"Consequently,":[71],"collaboration":[72,114,118],"between":[73,119],"humans":[74],"remains":[78],"prevailing":[80],"paradigm.":[81],"However,":[82],"this":[83],"renders":[84],"investigation":[85,166,173],"quality":[86],"contingent":[87],"upon":[88],"expertise":[90],"frequently":[92],"results":[93],"alert":[95],"fatigue.":[96],"To":[97],"address":[98],"challenges,":[100],"we":[101],"present":[102],"ProvAgent,":[103],"a":[104,116,175,203],"framework":[105],"that":[106,184],"evolves":[107],"paradigm":[111],"from":[112],"human-model":[113],"novel":[117],"multi-agent":[120,177],"systems":[121],"ProvAgent":[125,169,185,197],"leverages":[126],"speed":[128],"cost-efficiency":[130],"for":[134],"initial":[135],"anomaly":[136,192],"screening":[137],"over":[138],"logs.":[140],"By":[141],"enforcing":[142],"fine-grained":[143],"identity-behavior":[144],"consistency":[145],"via":[146],"graph":[147],"contrastive":[148],"learning,":[149],"it":[150],"profiles":[151],"entities":[152],"based":[153],"on":[154],"specific":[155],"attributes":[156],"generate":[158],"high-fidelity":[159],"alerts.":[160],"With":[161],"alerts":[163],"serving":[164],"entry":[167],"points,":[168],"achieves":[170],"in-depth":[171],"autonomous":[172],"through":[174],"hypothesis-verification":[176],"framework.":[178],"Evaluations":[179],"with":[180],"real-world":[181],"datasets":[182],"demonstrate":[183],"outperforms":[186],"six":[187],"state-of-the-art":[188],"(SOTA)":[189],"baselines":[190],"detection.":[193],"Through":[194],"automated":[195],"investigation,":[196],"reconstructs":[198],"near-complete":[199],"processes":[201],"at":[202],"minimum":[204],"cost":[205],"\\$0.06":[207],"per":[208],"day.":[209]},"counts_by_year":[],"updated_date":"2026-03-12T06:18:43.230356","created_date":"2026-03-12T00:00:00"}