Sample event records (residue of a figure; only the recovered fields are kept):

audit.log, execve record: comm:status execve_argc:2 exit:0 path0:/usr/lib/cgi-bin/status path1:/bin/bash path2:/lib64/ld-linux inode0:1037415 inode1:10192 inode2:23451

audit.log, syscall record: exe:/usr/sbin/apache2 syscall:43 pid:5815 ppid:5813 exit:8 saddr:0100 success:yes

Bro conn.log record: uid:C2Y2q7DC004BDktp3 proto:tcp service:http orig_pkts:6 orig_bytes:123 orig_ip_bytes:435 resp_pkts:6 resp_bytes:141 resp_ip_bytes:461
