{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,5,3]],"date-time":"2025-05-03T18:43:32Z","timestamp":1746297812960,"version":"3.40.3"},"publisher-location":"Boston, MA","reference-count":52,"publisher":"Springer US","isbn-type":[{"type":"print","value":"9781441901392"},{"type":"electronic","value":"9781441901408"}],"license":[{"start":{"date-parts":[[2009,9,30]],"date-time":"2009-09-30T00:00:00Z","timestamp":1254268800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2009,9,30]],"date-time":"2009-09-30T00:00:00Z","timestamp":1254268800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2010]]},"DOI":"10.1007\/978-1-4419-0140-8_9","type":"book-chapter","created":{"date-parts":[[2009,10,3]],"date-time":"2009-10-03T11:41:32Z","timestamp":1254570092000},"page":"179-200","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":4,"title":["A Declarative Framework for Intrusion Analysis"],"prefix":"10.1007","author":[{"given":"Matt","family":"Fredrikson","sequence":"first","affiliation":[]},{"given":"Mihai","family":"Christodorescu","sequence":"additional","affiliation":[]},{"given":"Jonathon","family":"Giffin","sequence":"additional","affiliation":[]},{"given":"Somesh","family":"Jhas","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2009,9,30]]},"reference":[{"key":"9_CR1","doi-asserted-by":"publisher","first-page":"16","DOI":"10.1145\/16894.16859","volume-title":"Proceedings of the 1986 ACM SIGMOD international conference on Management of data","author":"F. Bancilhon","year":"1986","unstructured":"Bancilhon, F., Ramakrishnan, R.: An amateur\u2019s introduction to recursive query processing strategies. In: Proceedings of the 1986 ACM SIGMOD international conference on Management of data, pp. 16\u201352. ACM, New York, NY, USA (1986)"},{"key":"9_CR2","first-page":"48","volume-title":"Proceedings of the 2006 IEEE Symposium on Security and Privacy","author":"S. Bhatkar","year":"2006","unstructured":"Bhatkar, S., Chaturvedi, A., Sekar, R.: Dataflow anomaly detection. In: Proceedings of the 2006 IEEE Symposium on Security and Privacy, pp. 48\u201362. IEEE Computer Society, Washington, DC, USA (2006)"},{"key":"9_CR3","unstructured":"Brewer, E.A.: Combining Systems and Databases: A Search Engine Retrospective, pp. 711\u2013724. MIT Press (2005)"},{"issue":"5","key":"9_CR4","doi-asserted-by":"crossref","first-page":"753","DOI":"10.3233\/JCS-2004-12505","volume":"12","author":"F.P. Buchholz","year":"2004","unstructured":"Buchholz, F.P., Shields, C.: Providing process origin information to aid in computer forensic investigations. Journal of Computer Security 12(5), 753\u2013776 (2004)","journal-title":"Journal of Computer Security"},{"key":"9_CR5","doi-asserted-by":"crossref","first-page":"167","DOI":"10.1145\/1005686.1005708","volume-title":"Proceedings of the joint international conference on Measurement and modeling of computer systems","author":"M. Burtscher","year":"2004","unstructured":"Burtscher, M.: VPC3: a fast and effective trace-compression algorithm. In: Proceedings of the joint international conference on Measurement and modeling of computer systems, pp. 167\u2013176. ACM, New York, NY, USA (2004)"},{"key":"9_CR6","unstructured":"CERT Coordination Center: Overview of attack trends. http:\/\/www.cert.org\/archive\/pdf\/attack_trends.pdf. Retrieved February 16, 2009"},{"key":"9_CR7","doi-asserted-by":"publisher","first-page":"133","DOI":"10.1109\/HOTOS.2001.990073","volume-title":"Proceedings of the Eighth Workshop on Hot Topics in Operating Systems","author":"P.M. Chen","year":"2001","unstructured":"Chen, P.M., Noble, B.D.: When virtual is better than real. In: Proceedings of the Eighth Workshop on Hot Topics in Operating Systems, p. 133. IEEE Computer Society, Washington, DC, USA (2001)"},{"key":"9_CR8","volume-title":"13th USENIX Security Symposium","author":"J. Chow","year":"2004","unstructured":"Chow, J., Pfaff, B., Garfinkel, T., Christopher, K., Rosenblum, M.: Understanding data lifetime via whole system simulation. In: 13th USENIX Security Symposium. San Diego, California (2004)"},{"key":"9_CR9","doi-asserted-by":"crossref","first-page":"5","DOI":"10.1145\/1287624.1287628","volume-title":"Proceedings of the the 6th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering","author":"M. Christodorescu","year":"2007","unstructured":"Christodorescu, M., Jha, S., Kruegel, C.: Mining specifications of malicious behavior. In: Proceedings of the the 6th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering, pp. 5\u201314. ACM, New York, NY, USA (2007)"},{"key":"9_CR10","doi-asserted-by":"publisher","first-page":"10","DOI":"10.1109\/SDNE.1996.502442","volume-title":"Proceedings of the 3rd Workshop on Services in Distributed and Networked Environments","author":"L. Conradie","year":"1996","unstructured":"Conradie, L., Mountzia, M.A.: A relational model for distributed systems monitoring using flexible agents. In: Proceedings of the 3rd Workshop on Services in Distributed and Networked Environments, p. 10. IEEE Computer Society, Washington, DC, USA (1996)"},{"key":"9_CR11","unstructured":"Cretu-Ciocarlie, G.F., Budiu, M., Goldszmidt, M.: Hunting for problems with Artemis. In: G. Bronevetsky (ed.) First USENIX Workshop on the Analysis of System Logs. USENIX Association (2008)"},{"key":"9_CR12","doi-asserted-by":"publisher","first-page":"202","DOI":"10.1109\/SECPRI.2002.1004372","volume-title":"Proceedings of the 2002 IEEE Symposium on Security and Privacy","author":"F. Cuppens","year":"2002","unstructured":"Cuppens, F., Mi\u00e8ge, A.: Alert correlation in a cooperative intrusion detection framework. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy, p. 202. IEEE Computer Society, Washington, DC, USA (2002)"},{"key":"9_CR13","doi-asserted-by":"publisher","first-page":"85","DOI":"10.1007\/3-540-45474-8_6","volume-title":"Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection","author":"H. Debar","year":"2001","unstructured":"Debar, H., Wespi, A.: Aggregation and correlation of intrusion-detection alerts. In: Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection, pp. 85\u2013103. Springer-Verlag, London, UK (2001)"},{"key":"9_CR14","doi-asserted-by":"crossref","unstructured":"Dunlap, G., King, S., Cinar, S., Basrai, M., Chen, P.: ReVirt: Enabling intrusion analysis through virtual-machine logging and replay. In: 5th Symposium on Operating System Design and Implementation. Boston, Massachusetts (2002)","DOI":"10.1145\/1060289.1060309"},{"key":"9_CR15","doi-asserted-by":"publisher","first-page":"120","DOI":"10.1109\/SECPRI.1996.502675","volume-title":"Proceedings of the 1996 IEEE Symposium on Security and Privacy","author":"S. Forrest","year":"1996","unstructured":"Forrest, S., Hofmeyr, S.A., Somayaji, A., Longstaff, T.A.: A sense of self for unix processes. In: Proceedings of the 1996 IEEE Symposium on Security and Privacy, p. 120. IEEE Computer Society, Washington, DC, USA (1996)"},{"key":"9_CR16","doi-asserted-by":"crossref","unstructured":"Giffin, J.T., Dagon, D., Jha, S., Lee, W., Miller, B.P.: Environment-sensitive intrusion detection. In: 8th International Symposium on Recent Advances in Intrusion Detection, Lecture Notes in Computer Science, vol. 3858, pp. 185\u2013206. Springer (2005)","DOI":"10.1007\/11663812_10"},{"key":"9_CR17","doi-asserted-by":"crossref","unstructured":"Giffin, J.T., Jha, S., Miller, B.P.: Automated discovery of mimicry attacks. In: Proceedings of the 9th International Symposium on Recent Advanced in Intrusion Detection, pp. 41\u201360 (2006)","DOI":"10.1007\/11856214_3"},{"issue":"3","key":"9_CR18","doi-asserted-by":"publisher","first-page":"21","DOI":"10.1145\/1368506.1368511","volume":"42","author":"A. Goel","year":"2008","unstructured":"Goel, A., Farhadi, K., Po, K., Feng, W.c.: Reconstructing system state for intrusion analysis. ACM SIGOPS Operating System Review 42(3), 21\u201328 (2008)","journal-title":"ACM SIGOPS Operating System Review"},{"key":"9_CR19","first-page":"155","volume-title":"Proceedings of the Second International Workshop on Security in Distributed Computing Systems","author":"A. Goel","year":"2005","unstructured":"Goel, A., Feng, W.c., Maier, D., Feng, W.c., Walpole, J.: Forensix: A robust, high-performance reconstruction system. In: Proceedings of the Second International Workshop on Security in Distributed Computing Systems, pp. 155\u2013162. IEEE Computer Society, Washington, DC, USA (2005)"},{"key":"9_CR20","doi-asserted-by":"crossref","unstructured":"Goel, A., Po, K., Farhadi, K., Li, Z., de Lara, E.: The Taser intrusion recovery system. In: 20th ACM Symposium on Operating System Principles. Brighton, United Kingdom (2005)","DOI":"10.1145\/1095810.1095826"},{"key":"9_CR21","unstructured":"Gu, G., Porras, P., Yegneswaran, V., Fong, M., Lee, W.: BotHunter: Detecting malware infection through IDS-driven dialog correlation. In: Proceedings of the 16th USENIX Security Symposium (2007)"},{"key":"9_CR22","doi-asserted-by":"publisher","first-page":"95","DOI":"10.1145\/1352592.1352603","volume-title":"Proceedings of the 3rd ACM SIGOPS\/EuroSys European Conference on Computer Systems 2008","author":"S. Jain","year":"2008","unstructured":"Jain, S., Shafique, F., Djeric, V., Goel, A.: Application-level isolation and recovery with solitude. In: Proceedings of the 3rd ACM SIGOPS\/EuroSys European Conference on Computer Systems 2008, pp. 95\u2013107. ACM, New York, NY, USA (2008)"},{"key":"9_CR23","doi-asserted-by":"crossref","unstructured":"Jiang, X., Buchholz, F., Walters, A., Xu, D., Wang, Y., Spafford, E.H.: Tracing worm break-in and contaminations via process coloring: A provenance-preserving approach. IEEE Transactions on Parallel and Distributed Systems 19(7) (2008)","DOI":"10.1109\/TPDS.2007.70765"},{"key":"9_CR24","unstructured":"Jiang, X., Walters, A., Buchholz, F., Xu, D., Wang, Y., Spafford, E.: Provenance-aware tracing of worm break-in and contaminations: A process coloring approach. In: 26th IEEE International Conference on Distributed Computing Systems. Lisboa, Portugal (2006)"},{"issue":"4","key":"9_CR25","doi-asserted-by":"publisher","first-page":"266","DOI":"10.1109\/TDSC.2007.70211","volume":"4","author":"G. Khanna","year":"2007","unstructured":"Khanna, G., Yu Cheng, M., Varadharajan, P., Bagchi, S., Correia, M.P., Ver\u00edssimo, P.J.: Automated rule-based diagnosis through a distributed monitor system. IEEE Transactions on Dependable and Secure Computing 4(4), 266\u2013279 (2007)","journal-title":"IEEE Transactions on Dependable and Secure Computing"},{"key":"9_CR26","doi-asserted-by":"crossref","unstructured":"King, S.T., Chen, P.M.: Backtracking intrusions. In: Proceedings of the nineteenth ACM symposium on Operating systems principles. ACM, New York, NY, USA (2003)","DOI":"10.1145\/945445.945467"},{"key":"9_CR27","unstructured":"Kruger, L., Wang, H., Jha, S., McDaniel, P., Lee, W.: Towards discovering and containing privacy violations in software. Tech. rep., University of Wisconsin \u2013 Madison (2005)"},{"key":"9_CR28","doi-asserted-by":"publisher","first-page":"65","DOI":"10.1145\/1029208.1029219","volume-title":"Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security","author":"K. Lakkaraju","year":"2004","unstructured":"Lakkaraju, K., Yurcik, W., Lee, A.J.: NVisionIP: netflow visualizations of system state for security situational awareness. In: Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, pp. 65\u201372. ACM, New York, NY, USA (2004)"},{"key":"9_CR29","doi-asserted-by":"crossref","unstructured":"Liu, P., Jajodia, S., McCollum, C.D.: Intrusion confinement by isolation in information systems. In: Proceedings of the IFIP WG 11.3 Thirteenth International Conference on Database Security, pp. 3\u201318. Kluwer, B.V., Deventer, The Netherlands, The Netherlands (2000)","DOI":"10.1007\/978-0-387-35508-5_1"},{"issue":"5","key":"9_CR30","doi-asserted-by":"publisher","first-page":"75","DOI":"10.1145\/1095809.1095818","volume":"39","author":"B.T. Loo","year":"2005","unstructured":"Loo, B.T., Condie, T., Hellerstein, J.M., Maniatis, P., Roscoe, T., Stoica, I.: Implementing declarative overlays. SIGOPS Operating System Review 39(5), 75\u201390 (2005)","journal-title":"SIGOPS Operating System Review"},{"issue":"2","key":"9_CR31","doi-asserted-by":"crossref","first-page":"137","DOI":"10.1109\/TDSC.2007.1003","volume":"4","author":"K. Marzullo","year":"2007","unstructured":"Marzullo, K., Peisert, S., Bishop, M., Kevin, S.: Analysis of computer intrusions using sequences of function calls. IEEE Transactions on Dependable and Secure Computing 4(2), 137\u2013150 (2007)","journal-title":"IEEE Transactions on Dependable and Secure Computing"},{"key":"9_CR32","unstructured":"Muniswamy-Reddy, K.K., Wright, C.P., Himmer, A., Zadok, E.: A versatile and user-oriented versioning file system. In: Proceedings of the 3rd USENIX Conference on File and Storage Technologies, pp. 115\u2013128. USENIX Association, Berkeley, CA, USA (2004)"},{"issue":"1","key":"9_CR33","doi-asserted-by":"publisher","first-page":"211","DOI":"10.1145\/1353534.1346308","volume":"36","author":"S. Mysore","year":"2008","unstructured":"Mysore, S., Mazloom, B., Agrawal, B., Sherwood, T.: Understanding and visualizing full systems with data flow tomography. SIGARCH Computer Architecture News 36(1), 211\u2013221 (2008)","journal-title":"SIGARCH Computer Architecture News"},{"key":"9_CR34","unstructured":"Newsome, J., Song, D.: Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In: Proceedings of the Network and Distributed System Security Symposium (2005)"},{"key":"9_CR35","unstructured":"Reynolds, P., Killian, C., Wiener, J.L., Mogul, J.C., Shah, M.A., Vahdat, A.: Pip: detecting the unexpected in distributed systems. In: Proceedings of the 3rd conference on Networked Systems Design & Implementation, pp. 9\u20139. USENIX Association, Berkeley, CA, USA (2006)"},{"issue":"2","key":"9_CR36","doi-asserted-by":"publisher","first-page":"442","DOI":"10.1145\/191843.191927","volume":"23","author":"K. Sagonas","year":"1994","unstructured":"Sagonas, K., Swift, T., Warren, D.S.: XSB as an efficient deductive database engine. SIGMOD Rec. 23(2), 442\u2013453 (1994)","journal-title":"SIGMOD Rec"},{"key":"9_CR37","doi-asserted-by":"crossref","unstructured":"Santry, D.J., Feeley, M.J., Hutchinson, N.C., Veitch, A.C.: Elephant: The file system that never forgets. Workshop on Hot Topics in Operating Systems 0, 2 (1999)","DOI":"10.1109\/HOTOS.1999.798369"},{"issue":"2","key":"9_CR38","doi-asserted-by":"publisher","first-page":"159","DOI":"10.1145\/317087.317089","volume":"2","author":"B. Schneier","year":"1999","unstructured":"Schneier, B., Kelsey, J.: Secure audit logs to support computer forensics. ACM Transactions on Information System Security 2(2), 159\u2013176 (1999)","journal-title":"ACM Transactions on Information System Security"},{"key":"9_CR39","unstructured":"Shen, W., Doan, A., Naughton, J.F., Ramakrishnan, R.: Declarative information extraction using datalog with embedded extraction predicates. In: Proceedings of the 33rd international conference on Very large data bases, pp. 1033\u20131044. VLDB Endowment (2007)"},{"key":"9_CR40","doi-asserted-by":"crossref","unstructured":"Singh, A., Maniatis, P., Roscoe, T., Druschel, P.: Using queries for distributed monitoring and forensics. Proceedings of the 1st ACM SIGOPS\/EuroSys European Conference on Computer Systems 2006 pp. 389\u2013402 (2006)","DOI":"10.1145\/1217935.1217973"},{"key":"9_CR41","doi-asserted-by":"publisher","first-page":"154","DOI":"10.1109\/IWIA.2005.9","volume-title":"Proceedings of the Third IEEE International Workshop on Information Assurance","author":"S. Sitaraman","year":"2005","unstructured":"Sitaraman, S., Venkatesan, S.: Forensic analysis of file system intrusions using improved backtracking. In: Proceedings of the Third IEEE International Workshop on Information Assurance, pp. 154\u2013163. IEEE Computer Society, Washington, DC, USA (2005)"},{"key":"9_CR42","doi-asserted-by":"crossref","unstructured":"Stinson, E., Mitchell, J.C.: Characterizing bot\u2019s remote control behavior. In: 4th International Conference on Detection of Intrusions & Malware, and Vulnerability Assessment. Lucerne, Switzerland (2007)","DOI":"10.1007\/978-3-540-73614-1_6"},{"key":"9_CR43","unstructured":"Sun, W., Liang, Z., Sekar, R., Venkatakrishnan, V.N.: One-way isolation: An effective approach for realizing safe execution environments. In: Proceedings of the Network and Distributed System Security Symposium, pp. 265\u2013278 (2005)"},{"key":"9_CR44","unstructured":"The Honeynet Project: Forensic challenge. www.honeynet.org\/challenge\/index.html. Retrieved February 16, 2009"},{"key":"9_CR45","doi-asserted-by":"crossref","unstructured":"Verbowski, C., Kiciman, E., Kumar, A., Daniels, B., Lu, S., Lee, J., Wang, Y.M., Roussev, R.: Flight data recorder: monitoring persistent-state interactions to improve systems management. In: Proceedings of the 7th symposium on Operating systems design and implementation, pp. 117\u2013130. USENIX Association, Berkeley, CA, USA (2006)","DOI":"10.1145\/1140277.1140321"},{"key":"9_CR46","unstructured":"VMware, Inc.: VMware Server [Computer Software]. Available from http:\/\/www.vmware.com. Retrieved February 16, 2009"},{"key":"9_CR47","doi-asserted-by":"publisher","first-page":"255","DOI":"10.1145\/586110.586145","volume-title":"Proceedings of the 9th ACM conference on Computer and communications security","author":"D. Wagner","year":"2002","unstructured":"Wagner, D., Soto, P.: Mimicry attacks on host-based intrusion detection systems. In: Proceedings of the 9th ACM conference on Computer and communications security, pp. 255\u2013264. ACM, New York, NY, USA (2002)"},{"key":"9_CR48","doi-asserted-by":"publisher","first-page":"16","DOI":"10.1145\/1133572.1133607","volume-title":"Proceedings of the 11th workshop on ACM SIGOPS European workshop","author":"A. Whitaker","year":"2004","unstructured":"Whitaker, A., Cox, R.S., Gribble, S.D.: Using time travel to diagnose computer problems. In: Proceedings of the 11th workshop on ACM SIGOPS European workshop, p. 16. ACM, New York, NY, USA (2004)"},{"key":"9_CR49","doi-asserted-by":"crossref","unstructured":"Whitaker, A., Shaw, M., Gribble, S.D.: Denali: Lightweight virtual machines for distributed and networked applications. In: Proceedings of the USENIX Annual Technical Conference (2002)","DOI":"10.1145\/1133373.1133375"},{"key":"9_CR50","unstructured":"Yin, H., Liang, Z., Song, D.: HookFinder: Identifying and understanding malware hooking behaviors. In: Proceedings of the 15th Annual Network and Distributed System Security Symposium (2008)"},{"key":"9_CR51","doi-asserted-by":"crossref","unstructured":"Yin, H., Song, D., Egele, M., Kruegel, C., Kirda, E.: Panorama: Capturing system-wide information flow for malware detection and analysis. In: ACM Symposium on Computer and Communications Security. Alexandria, Virginia (2007)","DOI":"10.1145\/1315245.1315261"},{"key":"9_CR52","doi-asserted-by":"publisher","first-page":"502","DOI":"10.1109\/ICSE.2004.1317472","volume-title":"Proceedings of the 26th International Conference on Software Engineering","author":"X. Zhang","year":"2004","unstructured":"Zhang, X., Gupta, R., Zhang, Y.: Efficient forward computation of dynamic slices using reduced ordered binary decision diagrams. In: Proceedings of the 26th International Conference on Software Engineering, pp. 502\u2013511. IEEE Computer Society, Washington, DC, USA (2004)"}],"container-title":["Advances in Information Security","Cyber Situational Awareness"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-1-4419-0140-8_9","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,2,12]],"date-time":"2025-02-12T14:21:31Z","timestamp":1739370091000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-1-4419-0140-8_9"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2009,9,30]]},"ISBN":["9781441901392","9781441901408"],"references-count":52,"URL":"https:\/\/doi.org\/10.1007\/978-1-4419-0140-8_9","relation":{},"ISSN":["1568-2633"],"issn-type":[{"type":"print","value":"1568-2633"}],"subject":[],"published":{"date-parts":[[2009,9,30]]},"assertion":[{"value":"30 September 2009","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}}]}}