A Fine-Grained Labeled Provenance Graph Dataset for Advanced Persistent Threat Detection

This dataset is a high-fidelity resource manually constructed for the evaluation of Provenance-based Intrusion Detection Systems (Prov-IDS). It comprises two main components: \benign\ logs collected during periods of normal system usage, and logs from simulated and replicated complex attack scenarios. The attack portion includes the simulated APT-VELES, activities from the disclosed APT-29, and two other replicated typical Advanced Persistent Threat (APT) scenarios. The core feature of this dataset lies in its fine-grained labeling methodology. With a thorough understanding of the attack procedures, we manually audited each log and precisely labeled only those system logs that bore direct traces of attacker operations as \anomaly.\ To facilitate provenance-based analysis, this annotation is extended to the provenance graph level. In our experiments, logs are processed entry-by-entry to systematically construct provenance graphs, where the corresponding edges (representing system activities) and affected objects (e.g., child processes or files) for logs labeled as \anomaly\ are also annotated as such. This approach establishes a clear mapping between system logs and provenance graph elements, providing a ground-truth benchmark with comprehensive traceability for evaluating and studying the performance of Prov-IDS, particularly concerning information abuse.