RE: Difference between db_datareader and db_denydatawriter

  • Yes, the concept is a bit confusing, so I'll try to explain the whole concept.

    Any GRANT-like statement gives a specific permission to someone.

    Any REVOKE-like statement removes from someone a previously given permission (the permission must exist in order to be revoked).

    DENY marks someone as an "undesirable" person (it's like saying "You will never be able to ..."), so if someone gives the denied permission to this person, the permission WON'T take effect unless you remove the denial.

    So DENY is a mark against a specific permission, and unlike REVOKE, the target (person or profile) doesn't need to have the permission in order to apply a DENIAL.

    Hope it helps to understand the concept.
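
The GRANT / DENY / REVOKE behaviour described in the post, applied to the two roles in the thread title. This is an added T-SQL example, not part of the original reply. The table `dbo.DemoTable` and the user `DemoUser` are constructed for the demonstration and should be created in a scratch database.

```sql
-- Constructed demo objects (assumptions for this example, not from the post).
CREATE TABLE dbo.DemoTable (id INT NOT NULL);
CREATE USER DemoUser WITHOUT LOGIN;
GO

-- Step 1: GRANT gives DemoUser a specific permission on one table.
GRANT INSERT ON dbo.DemoTable TO DemoUser;

EXECUTE AS USER = 'DemoUser';
SELECT 'after GRANT' AS step,
       HAS_PERMS_BY_NAME('dbo.DemoTable', 'OBJECT', 'INSERT') AS can_insert;
REVERT;

-- Step 2: db_denydatawriter carries a DENY on INSERT/UPDATE/DELETE for every
-- user table. The explicit GRANT from step 1 is still stored, but the DENY
-- takes precedence, so the effective INSERT permission is gone.
EXEC sp_addrolemember 'db_denydatawriter', 'DemoUser';

-- Step 3: db_datareader is a GRANT-style role (SELECT on every user table).
-- It does not interact with the write denial.
EXEC sp_addrolemember 'db_datareader', 'DemoUser';

EXECUTE AS USER = 'DemoUser';
SELECT 'reader + denywriter' AS step,
       HAS_PERMS_BY_NAME('dbo.DemoTable', 'OBJECT', 'SELECT') AS can_select,
       HAS_PERMS_BY_NAME('dbo.DemoTable', 'OBJECT', 'INSERT') AS can_insert;
REVERT;

-- Step 4: remove the denial. The GRANT from step 1 was never deleted,
-- so it takes effect again without being re-issued.
EXEC sp_droprolemember 'db_denydatawriter', 'DemoUser';

EXECUTE AS USER = 'DemoUser';
SELECT 'denial removed' AS step,
       HAS_PERMS_BY_NAME('dbo.DemoTable', 'OBJECT', 'INSERT') AS can_insert;
REVERT;

-- Step 5: REVOKE deletes the stored GRANT itself.
REVOKE INSERT ON dbo.DemoTable FROM DemoUser;

EXECUTE AS USER = 'DemoUser';
SELECT 'after REVOKE' AS step,
       HAS_PERMS_BY_NAME('dbo.DemoTable', 'OBJECT', 'INSERT') AS can_insert;
REVERT;

-- Cleanup of the constructed objects.
DROP USER DemoUser;
DROP TABLE dbo.DemoTable;
```

When auditing a database, check membership of the `db_deny*` roles before concluding from a GRANT listing that a principal can write: the stored GRANT alone does not show the effective permission.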