“…Currently, several pieces of research are developed to build and analyze provenance graphs. These approaches span system monitoring tools [55], [80], data storage [26], [47], [62], [89], [101], and attack detection and investigation [45], [74], [46], [37], [73], [13]. Following the existing work [25], [92], [74], [46], [45], [13], [105], we focus on the system events that are critical to attack steps, which we list in Table I.…”