King and Chen (2005) write about their BackTracker software.  The idea is interesting:  let’s log everything needed to relate a sequence of events leading to an intrusion.  Everything in this case is processes, files, and filenames.  It can generate dependency graphs, once an anomalous process or event has been identified.  That is, something else must raise an alert, and then BackTracker helps find the cause.  It’s an interesting representation of an attack.

Taken one step further than they do, perhaps these dependency graphs could be used for intrusion detection?