The core principle of Zero Trust Architecture (ZTA), “Never Trust, Always Verify”, provides strong protection against external infiltration and lateral movement. However, most existing dynamic access control schemes evaluate users on isolated access requests, with no awareness of the spatiotemporal causal relationships embedded in user behavior. Consequently, they remain insufficient against stealthy Advanced Persistent Threat (APT) attacks initiated through legitimate user accounts. To address this limitation, this study proposes Prov-Trust, a dynamic access control scheme grounded in provenance graph anomaly detection. The key idea of Prov-Trust is to leverage provenance graphs to capture spatiotemporal causal dependencies among system entities, thereby enabling precise detection of, and timely response to, APT activities. First, Prov-Trust accurately associates kernel-level system events with their corresponding users using a user-action binding method. Second, it employs a Temporal Graph Attention Network (TGAT) to learn embeddings from the provenance graph, enabling real-time identification of anomalous activities that deviate from the normal baseline via reconstruction error computation. Finally, it introduces a multi-dimensional dynamic trust evaluation model that produces a real-time risk score for each user, maps the score to a corresponding privilege level, and dynamically adjusts the privilege threshold based on long-term trust trends, forming a self-adaptive “Monitoring–Evaluation–Control” security cycle. The experimental results demonstrated that Prov-Trust detected and blocked more than 90% of APT attack chains in real time without disrupting legitimate user activities. The experiments further verified the feasibility and effectiveness of integrating provenance graph analysis into Zero-Trust dynamic access control.
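The Monitoring-Evaluation-Control cycle described above, as an added Python illustration that is not the paper's model: per-user anomaly scores derived from TGAT-style reconstruction errors are combined into a risk score, the score is mapped to a privilege tier, and the tier threshold is tightened by the user's long-term trust trend. The scoring formulas, tier names, baseline statistics and sample reconstruction errors are all assumptions constructed for this example.

```python
import math
from collections import deque
from dataclasses import dataclass, field

# Privilege tiers, most to least permissive (hypothetical names, not the paper's).
LEVELS = ("full", "limited", "read_only", "blocked")

def anomaly_score(recon_error: float, base_mean: float, base_std: float) -> float:
    """Map one reconstruction error to [0, 1] as a clipped z-score against the normal baseline."""
    z = (recon_error - base_mean) / max(base_std, 1e-9)
    return min(max(z / 4.0, 0.0), 1.0)   # 4 sigma above baseline saturates at 1

def privilege_threshold(long_term_risk: float, base: float = 0.6) -> float:
    """Adaptive control: a worse long-term trust trend yields a tighter threshold."""
    return base * (1.0 - 0.5 * long_term_risk)

def privilege_for(risk: float, threshold: float) -> str:
    """Map a risk score to a tier using bands scaled by the adaptive threshold."""
    bands = (0.5 * threshold, threshold, 1.5 * threshold)
    return LEVELS[sum(risk >= b for b in bands)]

@dataclass
class UserTrust:
    """Per-user state for the events attributed to that user by user-action binding."""
    window: deque = field(default_factory=lambda: deque(maxlen=8))  # recent anomaly scores
    long_term_risk: float = 0.2   # EMA of risk; stands in for the long-term trust trend
    alpha: float = 0.1            # EMA smoothing factor (assumed)

def evaluate(user: UserTrust, recon_error: float, base_mean: float, base_std: float):
    """One turn of Monitoring -> Evaluation -> Control for a single event; returns (risk, tier)."""
    user.window.append(anomaly_score(recon_error, base_mean, base_std))      # Monitoring
    intensity = max(user.window)                                              # how far off baseline
    persistence = sum(s > 0.8 for s in user.window) / len(user.window)        # how sustained
    risk = 0.5 * intensity + 0.5 * persistence                                # Evaluation
    user.long_term_risk += user.alpha * (risk - user.long_term_risk)          # trend update
    level = privilege_for(risk, privilege_threshold(user.long_term_risk))    # Control
    return risk, level

def run_stream(errors) -> list:
    """Replay a user's reconstruction errors against a constructed baseline (mean 1.0, std 0.2)."""
    user = UserTrust()
    return [evaluate(user, e, 1.0, 0.2)[1] for e in errors]

if __name__ == "__main__":
    # Constructed sample: three benign events, then a sustained burst of anomalous ones.
    print(run_stream([1.0, 1.1, 0.9, 2.0, 2.0, 2.2, 2.0]))
```

A short burst only degrades the user to a read-only tier; sustained anomalies push the risk past the adaptively tightened threshold and block the account, while a benign stream never leaves the full tier.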
Li et al. studied this question.