Contextual graph matching based anomaly detection
US-2015106324-A1 · Apr 16, 2015 · US
US9736173B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9736173-B2 |
| Application number | US-201514879876-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 9, 2015 |
| Priority date | Oct 10, 2014 |
| Publication date | Aug 15, 2017 |
| Grant date | Aug 15, 2017 |
Official abstract text for this publication.
Methods and systems for intrusion attack recovery include monitoring two or more hosts in a network to generate audit logs of system events. One or more dependency graphs (DGraphs) is generated based on the audit logs. A relevancy score for each edge of the DGraphs is determined. Irrelevant events from the DGraphs are pruned to generate a condensed backtracking graph. An origin is located by backtracking from an attack detection point in the condensed backtracking graph.
Opening claim text (preview).
What is claimed is:
1. A computer-implemented method for intrusion attack recovery, comprising: monitoring two or more hosts in a network to generate audit logs of system events; generating one or more dependency graphs (DGraphs) based on the audit logs; building a reference model, and determining a relevancy score for each of a plurality of edges of the DGraphs based on the reference model; pruning irrelevant events from the DGraphs to generate a condensed backtracking graph based on the relevance score, the pruning comprising: removing events from the DGraphs that are in paths exceeding a threshold length from an attack detection point, and removing resources determined to be unrelated to an attack; and backtracking from the attack detection point in the condensed backtracking graph to locate an origin.
2. The method of claim 1, wherein pruning irrelevant events further comprises removing events from the DGraphs that do not lead to a relevant event in a path from the attack detection point.
3. The method of claim 1, wherein pruning irrelevant events further comprises comparing events to a relevancy threshold.
4. The method of claim 3, wherein pruning irrelevant events further comprises removing paths having no event that exceeds a relevancy threshold.
5. The method of claim 1, wherein pruning irrelevant events further comprises removing events having an associated time that occurred after the attack detection point.
6. The method of claim 1, wherein determining the relevancy score for each of a plurality of edges comprises performing a depth-limited search.
7. A system for intrusion attack recovery, comprising: a remote host monitor configured to monitoring two or more hosts in a network to generate audit logs of system events and to generate one or more dependency graphs (DGraphs) based on the audit logs; a relevance determiner comprising a memory coupled to a processor, the processor being configured to build a reference model, to determine a relevancy score for each of a plurality of edges of the DGraphs based on the reference model, and to for pruning irrelevant events from the DGraphs to generate a condensed backtracking graph based on the relevancy score, the pruning comprising: removing events from the DGraphs that are in paths exceeding a threshold length from an attack detection point; and removing resources determined to be unrelated to an attack; and a backtracker configured to backtrack from the attack detection point in the condensed backtracking graph to locate an origin.
8. The system of claim 7, wherein the relevance determiner is further configured to remove events from the DGraphs that do not lead to a relevant event in a path from the attack detection point.
9. The system of claim 7, wherein the relevance determiner is further configured to compare events to a relevancy threshold.
10. The system of claim 9, wherein the relevance determiner is further configured to remove paths having no event that exceeds a relevancy threshold.
11. The system of claim 7, wherein the relevance determiner is further configured to remove events having an associated time that occurred after the attack detection point.
12. The system of claim 7, wherein the relevance determiner is further configured to perform a depth-limited search.
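The following is an added worked example, written for this page and not code from the patent or from its assignee: a toy implementation of the pipeline the abstract and claim 1 describe (audit events to a dependency graph, per-edge relevancy against a reference model, pruning by detection time, depth, relevancy threshold and unrelated resources, then backtracking to an origin). Everything in it is an assumption for illustration: the audit events and the reference model are constructed by hand, the "relevancy score" is a simple rarity score (never-seen edges score 1.0, frequently seen edges score near 0) standing in for whatever the patent's reference model computes, and the thresholds are arbitrary. The backward walk also enforces the usual causality rule for dependency backtracking (a predecessor event must not be later than the event it is supposed to have influenced), which the claims do not state explicitly.

```python
"""Toy dependency-graph backtracker (added example, not the patent's code)."""
from collections import defaultdict

# Constructed reference model: how often each (source -> target) dependency
# was seen in benign audit logs. Stands in for the patent's reference model.
BASELINE = {
    ("sshd", "bash"): 35,
    ("/etc/passwd", "bash"): 120,
    ("/etc/ld.so.cache", "bash"): 500,
    ("bash", "curl"): 25,
    ("/etc/crontab", "cron"): 60,
    ("cron", "logger"): 90,
}

# Constructed audit events for one incident: (time, source, target). The edge
# direction is information flow: a file read is file -> process, a write or
# a process spawn is process -> file/process. Names and times are invented.
EVENTS = [
    (1, "sshd", "bash"),
    (2, "/etc/passwd", "bash"),
    (3, "/etc/ld.so.cache", "bash"),
    (4, "bash", "curl"),
    (5, "203.0.113.5:80", "curl"),      # download from a remote socket
    (6, "curl", "/tmp/drop.sh"),
    (7, "/tmp/drop.sh", "sh"),          # dropper executed by a new shell
    (8, "sh", "/etc/cron.d/job"),       # persistence through cron
    (9, "/etc/crontab", "cron"),
    (10, "/etc/cron.d/job", "cron"),
    (11, "cron", "miner"),              # alert fires on the "miner" process
    (12, "miner", "/tmp/miner.log"),    # after the detection point
    (13, "cron", "logger"),
]


def relevancy(src, dst, model=BASELINE):
    """Rarity-based stand-in for a relevancy score: an edge seen often in
    benign runs scores near 0, an edge never seen in the model scores 1.0."""
    return 1.0 / (1.0 + model.get((src, dst), 0))


def condense(events, detection_node, detection_time, max_depth,
             threshold=0.1, unrelated=frozenset()):
    """Build the DGraph, prune it, and return (kept_edges, origins).

    Pruning follows the claims: drop events after the detection point and
    events touching resources flagged as unrelated; walk backward from the
    detection point with a depth limit; on each backward path keep only the
    events up to the last one whose score meets the threshold, so paths with
    no relevant event vanish entirely.
    """
    incoming = defaultdict(list)        # target -> [(time, source, score)]
    for t, src, dst in events:
        if t > detection_time or src in unrelated or dst in unrelated:
            continue                    # time and unrelated-resource pruning
        incoming[dst].append((t, src, relevancy(src, dst)))

    kept = set()                        # edges (time, src, dst) that survive

    def walk(node, at_time, path, seen):
        # path holds (time, src, dst, score) from the detection point backward
        if len(path) == max_depth:      # threshold path length reached
            return
        for t, src, score in incoming[node]:
            if t > at_time or src in seen:  # causality; no revisiting nodes
                continue
            new_path = path + [(t, src, node, score)]
            last = max((i for i, e in enumerate(new_path) if e[3] >= threshold),
                       default=-1)
            for e in new_path[:last + 1]:   # nothing kept past the last relevant event
                kept.add((e[0], e[1], e[2]))
            walk(src, t, new_path, seen | {src})

    walk(detection_node, detection_time, [], {detection_node})
    targets = {e[2] for e in kept}
    origins = sorted({e[1] for e in kept} - targets)  # roots of the condensed graph
    return sorted(kept), origins


if __name__ == "__main__":
    edges, origins = condense(EVENTS, "miner", 11, max_depth=6,
                              unrelated=frozenset({"/etc/ld.so.cache"}))
    for e in edges:
        print("kept", e)
    print("origin:", origins)            # ['203.0.113.5:80']
    # Too small a depth threshold stops at an intermediate resource.
    print("origin with max_depth=4:", condense(EVENTS, "miner", 11, 4)[1])
```

With a depth threshold of 6 the condensed graph is the single chain from the remote socket through curl, the dropper, the cron job and cron to the detected process; the frequently seen reads of /etc/passwd, /etc/ld.so.cache and /etc/crontab and the post-detection writes are all pruned. Two caveats the example makes visible: a depth threshold that is too small (4 here) reports /tmp/drop.sh rather than the network origin, and a rarity-style score only flags an edge as relevant because it is uncommon, so an attacker who stays on dependencies that look routine in the reference model can be pruned along with the noise.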
Tracing the source of attacks · CPC title
Event detection, e.g. attack signature detection · CPC title
Physics · mapped topic
Traffic logging, e.g. anomaly detection · CPC title
Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title