Exploring Answer Set Programming for Provenance Graph-Based Cyber Threat Detection: A Novel Approach

📅 2025-01-24
📈 Citations: 0
Influential: 0
🤖 AI Summary
Existing provenance graph analysis methods face limitations in modeling temporal causal relationships, supporting flexible security policies, and balancing real-time detection with deep forensic investigation. This paper introduces Answer Set Programming (ASP) to provenance graph modeling for the first time, proposing a declarative, interpretable, and scalable security reasoning framework. Leveraging ASP, the framework precisely encodes causal and temporal dependencies among system entities, enabling attack path reconstruction, data leak localization, and anomalous behavior identification. It further supports rule-driven, dynamic policy injection and threat-adaptive analysis. Experiments on large-scale real-world provenance graphs demonstrate that the approach achieves both high query efficiency and high-precision threat detection. It significantly enhances the expressiveness, verifiability, and practicality of provenance-based security analysis.

📝 Abstract
Provenance graphs are useful and powerful tools for representing system-level activities in cybersecurity; however, existing approaches often struggle with complex queries and flexible reasoning. This paper presents a novel approach using Answer Set Programming (ASP) to model and analyze provenance graphs. We introduce an ASP-based representation that captures intricate relationships between system entities, including temporal and causal dependencies. Our model enables sophisticated analysis capabilities such as attack path tracing, data exfiltration detection, and anomaly identification. The declarative nature of ASP allows for concise expression of complex security patterns and policies, facilitating both real-time threat detection and forensic analysis. We demonstrate our approach's effectiveness through case studies showcasing its threat detection capabilities. Experimental results illustrate the model's ability to handle large-scale provenance graphs while providing expressive querying. The model's extensibility allows for incorporation of new system behaviors and security rules, adapting to evolving cyber threats. This work contributes a powerful, flexible, and explainable framework for reasoning about system behaviors and security incidents, advancing the development of effective threat detection and forensic investigation tools.
Problem (research questions and friction points this paper addresses): Cybersecurity, Network Analysis, Anomaly Detection
Innovation (methods, ideas, or system contributions that make the work stand out): Answer Set Programming, Cybersecurity Analytics, Dynamic Update