{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,3,28]],"date-time":"2025-03-28T00:47:08Z","timestamp":1743122828781,"version":"3.40.3"},"publisher-location":"Cham","reference-count":42,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783030900182"},{"type":"electronic","value":"9783030900199"}],"license":[{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2021]]},"DOI":"10.1007\/978-3-030-90019-9_26","type":"book-chapter","created":{"date-parts":[[2021,11,2]],"date-time":"2021-11-02T18:47:48Z","timestamp":1635878868000},"page":"513-535","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["SemFlow: Accurate Semantic Identification from Low-Level System Data"],"prefix":"10.1007","author":[{"given":"Mohammad","family":"Kavousi","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Runqing","family":"Yang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Shiqing","family":"Ma","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yan","family":"Chen","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2021,11,3]]},"reference":[{"key":"26_CR1","unstructured":"Hardening Windows 10 with zero-day exploit mitigations (2017). https:\/\/bit.ly\/2KdiTiv. Accessed 10 June 2017"},{"key":"26_CR2","unstructured":"Taintgrind. https:\/\/github.com\/wmkhoo\/taintgrind (2017). Accessed 10 Dec 2017"},{"key":"26_CR3","unstructured":"Windows-10-Mitigation-Improvement (2018). https:\/\/ubm.io\/2IIVwtn Accessed 10 Apr 2018"},{"key":"26_CR4","unstructured":"APT1 (2019). https:\/\/bit.ly\/2D7RNHI. Accessed 4 May 2019"},{"key":"26_CR5","unstructured":"Living off the Land: Attackers Leverage Legitimate Tools for Malicious Ends (2020). https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/living-land-legitimate-tools-malicious. Accessed 10 Oct 2020"},{"key":"26_CR6","unstructured":"Living off the Land: Turning Your Infrastructure Against You (2020). https:\/\/docs.broadcom.com\/doc\/living-off-the-land-turning-your-infrastructure-against-you-en. Accessed 10 Oct 2020"},{"key":"26_CR7","unstructured":"Attariyan, M., Flinn, J.: Automating configuration troubleshooting with dynamic information flow analysis. In: OSDI, vol. 10, pp. 1\u201314 (2010)"},{"key":"26_CR8","unstructured":"Gao, P., et al.: SAQL: a stream-based query system for real-time abnormal system behavior detection. In: USENIX Security (2018)"},{"key":"26_CR9","unstructured":"Gao, P., Xiao, X., Li, Z., Xu, F., Kulkarni, S.R., Mittal, P.: AIQL: enabling efficient attack investigation from system monitoring data. In: USENIX ATC (2018)"},{"issue":"10","key":"26_CR10","doi-asserted-by":"publisher","first-page":"2348","DOI":"10.1109\/TIFS.2017.2705629","volume":"12","author":"R Harang","year":"2017","unstructured":"Harang, R., Kott, A.: Burstiness of intrusion detection process: Empirical evidence and a modeling approach. IEEE Trans. Inf. Forensics Secur. 12(10), 2348\u20132359 (2017)","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"26_CR11","doi-asserted-by":"crossref","unstructured":"Hassan, W.U., Bates, A., Marino, D.: Tactical provenance analysis for endpoint detection and response systems. In: Proceedings of the IEEE Symposium on Security and Privacy (2020)","DOI":"10.1109\/SP40000.2020.00096"},{"key":"26_CR12","doi-asserted-by":"crossref","unstructured":"Hassan, W.U., et al.: Nodoze: combatting threat alert fatigue with automated provenance triage. In: NDSS (2019)","DOI":"10.14722\/ndss.2019.23349"},{"key":"26_CR13","doi-asserted-by":"crossref","unstructured":"Hassan, W.U., Noureddine, M.A., Datta, P., Bates, A.: Omegalog: high-fidelity attack investigation via transparent multi-layer log analysis. In: Proceedings of NDSS (2020)","DOI":"10.14722\/ndss.2020.24270"},{"issue":"3","key":"26_CR14","doi-asserted-by":"publisher","first-page":"151","DOI":"10.3233\/JCS-980109","volume":"6","author":"SA Hofmeyr","year":"1998","unstructured":"Hofmeyr, S.A., Forrest, S., Somayaji, A.: Intrusion detection using sequences of system calls. J. Comput. Secur. 6(3), 151\u2013180 (1998)","journal-title":"J. Comput. Secur."},{"key":"26_CR15","unstructured":"Hossain, M.N., et al.: $$\\{$$SLEUTH$$\\}$$: Real-time attack scenario reconstruction from $$\\{$$COTS$$\\}$$ audit data. In: 26th USENIX Security Symposium (USENIX Security 2017), pp. 487\u2013504 (2017)"},{"key":"26_CR16","unstructured":"Hu, W., Liao, Y., Vemuri, V.R.: Robust anomaly detection using support vector machines. In: Proceedings of the International Conference on Machine Learning, pp. 282\u2013289. Citeseer (2003)"},{"key":"26_CR17","unstructured":"Jee, K., Portokalidis, G., Kemerlis, V.P., Ghosh, S., August, D.I., Keromytis, A.D.: A general approach for efficiently accelerating software-based dynamic data flow tracking on commodity hardware. In: NDSS (2012)"},{"key":"26_CR18","doi-asserted-by":"crossref","unstructured":"Kim, C.H., Rhee, J., Lee, K.H., Zhang, X., Xu, D.: Perfguard: binary-centric application performance monitoring in production environments. In: Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering, pp. 595\u2013606 (2016)","DOI":"10.1145\/2950290.2950347"},{"issue":"1","key":"26_CR19","doi-asserted-by":"publisher","first-page":"235","DOI":"10.1145\/2637364.2592008","volume":"42","author":"CH Kim","year":"2014","unstructured":"Kim, C.H., Rhee, J., Zhang, H., Arora, N., Jiang, G., Zhang, X., Xu, D.: Introperf: transparent context-sensitive multi-layer performance inference using system stack traces. ACM SIGMETRICS Perform. Eval. Rev. 42(1), 235\u2013247 (2014)","journal-title":"ACM SIGMETRICS Perform. Eval. Rev."},{"issue":"1","key":"26_CR20","doi-asserted-by":"publisher","first-page":"51","DOI":"10.1145\/1047915.1047918","volume":"23","author":"ST King","year":"2005","unstructured":"King, S.T., Chen, P.M.: Backtracking intrusions. ACM Trans. Comput. Syst. (TOCS) 23(1), 51\u201376 (2005)","journal-title":"ACM Trans. Comput. Syst. (TOCS)"},{"key":"26_CR21","doi-asserted-by":"crossref","unstructured":"Kwon, Y., et al.: LDX: causality inference by lightweight dual execution. In: Proceedings of the Twenty-First International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 503\u2013515 (2016)","DOI":"10.1145\/2872362.2872395"},{"key":"26_CR22","doi-asserted-by":"crossref","unstructured":"Kwon, Y., et al.: MCI: modeling-based causality inference in audit logging for attack investigation. In: NDSS (2018)","DOI":"10.14722\/ndss.2018.23306"},{"key":"26_CR23","unstructured":"Lee, K.H., Zhang, X., Xu, D.: High accuracy attack provenance via binary-based execution partition. In: NDSS (2013)"},{"key":"26_CR24","doi-asserted-by":"crossref","unstructured":"Lee, K.H., Zhang, X., Xu, D.: LogGC: garbage collecting audit log. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 1005\u20131016 (2013)","DOI":"10.1145\/2508859.2516731"},{"key":"26_CR25","unstructured":"Lee, W., Stolfo, S.: Data mining approaches for intrusion detection (1998)"},{"key":"26_CR26","doi-asserted-by":"crossref","unstructured":"Liu, Y., et al.: Towards a timely causality analysis for enterprise security. In: NDSS (2018)","DOI":"10.14722\/ndss.2018.23254"},{"key":"26_CR27","doi-asserted-by":"crossref","unstructured":"Ma, S., Lee, K.H., Kim, C.H., Rhee, J., Zhang, X., Xu, D.: Accurate, low cost and instrumentation-free security audit logging for windows. In: Proceedings of the 31st Annual Computer Security Applications Conference, pp. 401\u2013410 (2015)","DOI":"10.1145\/2818000.2818039"},{"key":"26_CR28","unstructured":"Ma, S., Zhai, J., Wang, F., Lee, K.H., Zhang, X., Xu, D.: $$\\{$$MPI$$\\}$$: multiple perspective attack investigation with semantic aware execution partitioning. In: 26th USENIX Security Symposium (USENIX Security 2017), pp. 1111\u20131128 (2017)"},{"key":"26_CR29","doi-asserted-by":"crossref","unstructured":"Milajerdi, S.M., Gjomemo, R., Eshete, B., Sekar, R., Venkatakrishnan, V.: Holmes: real-time apt detection through correlation of suspicious information flows. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 1137\u20131152. IEEE (2019)","DOI":"10.1109\/SP.2019.00026"},{"key":"26_CR30","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/978-3-540-89862-7_1","volume-title":"Information Systems Security","author":"D Song","year":"2008","unstructured":"Song, D., et al.: BitBlaze: a new approach to computer security via binary analysis. In: Sekar, R., Pujari, A.K. (eds.) ICISS 2008. LNCS, vol. 5352, pp. 1\u201325. Springer, Heidelberg (2008). https:\/\/doi.org\/10.1007\/978-3-540-89862-7_1"},{"issue":"06","key":"26_CR31","doi-asserted-by":"publisher","first-page":"875","DOI":"10.1142\/S0218213006003028","volume":"15","author":"G Tandon","year":"2006","unstructured":"Tandon, G., Chan, P.K.: On the learning of system call attributes for host-based anomaly detection. Int. J. Artif. Intell. Tools 15(06), 875\u2013892 (2006)","journal-title":"Int. J. Artif. Intell. Tools"},{"key":"26_CR32","doi-asserted-by":"crossref","unstructured":"Tang, Y., et al.: Nodemerge: template based efficient data reduction for big-data causality analysis. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1324\u20131337 (2018)","DOI":"10.1145\/3243734.3243763"},{"key":"26_CR33","doi-asserted-by":"crossref","unstructured":"Tiwari, M., Li, X., Wassel, H.M., Chong, F.T., Sherwood, T.: Execution leases: a hardware-supported mechanism for enforcing strong non-interference. In: Proceedings of the 42nd Annual IEEE\/ACM International Symposium on Microarchitecture, pp. 493\u2013504 (2009)","DOI":"10.1145\/1669112.1669174"},{"key":"26_CR34","doi-asserted-by":"crossref","unstructured":"Tiwari, M., Wassel, H.M., Mazloom, B., Mysore, S., Chong, F.T., Sherwood, T.: Complete information flow tracking from the gates up. In: Proceedings of the 14th International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 109\u2013120 (2009)","DOI":"10.1145\/1508244.1508258"},{"key":"26_CR35","doi-asserted-by":"crossref","unstructured":"Wang, F., Kwon, Y., Ma, S., Zhang, X., Xu, D.: Lprov: practical library-aware provenance tracing. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 605\u2013617 (2018)","DOI":"10.1145\/3274694.3274751"},{"key":"26_CR36","doi-asserted-by":"crossref","unstructured":"Wu, J., Peng, D., Li, Z., Zhao, L., Ling, H.: Network intrusion detection based on a general regression neural network optimized by an improved artificial immune algorithm. PloS One 10(3), e0120976 (2015)","DOI":"10.1371\/journal.pone.0120976"},{"key":"26_CR37","doi-asserted-by":"crossref","unstructured":"Xiong, C., et al.: Conan: a practical real-time apt detection system with high accuracy and efficiency. IEEE Trans. Dependable Secure Comput. (2020)","DOI":"10.1109\/TDSC.2020.2971484"},{"key":"26_CR38","doi-asserted-by":"crossref","unstructured":"Xu, Z., et al.: High fidelity data reduction for big data security dependency analyses. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 504\u2013516 (2016)","DOI":"10.1145\/2976749.2978378"},{"key":"26_CR39","doi-asserted-by":"crossref","unstructured":"Yang, R., et al.: Ratscope: recording and reconstructing missing rat semantic behaviors for forensic analysis on windows. IEEE Trans. Dependable Secure Comput. (2020)","DOI":"10.1109\/TDSC.2020.3032570"},{"key":"26_CR40","doi-asserted-by":"crossref","unstructured":"Yang, R., Ma, S., Xu, H., Zhang, X., Chen, Y.: UIscope: accurate, instrumentation-free, and visible attack investigation for GUI applications. In: Network and Distributed Systems Symposium (2020)","DOI":"10.14722\/ndss.2020.24329"},{"key":"26_CR41","unstructured":"Zhao, X., Rodrigues, K., Luo, Y., Yuan, D., Stumm, M.: Non-intrusive performance profiling for entire software stacks based on the flow reconstruction principle. In: 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 2016), pp. 603\u2013618 (2016)"},{"key":"26_CR42","unstructured":"Zhao, X., et al.: lprof: A non-intrusive request flow profiler for distributed systems. In: 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI 2014), pp. 629\u2013644 (2014)"}],"container-title":["Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering","Security and Privacy in Communication Networks"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-030-90019-9_26","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,11,2]],"date-time":"2021-11-02T18:58:26Z","timestamp":1635879506000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-030-90019-9_26"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021]]},"ISBN":["9783030900182","9783030900199"],"references-count":42,"URL":"https:\/\/doi.org\/10.1007\/978-3-030-90019-9_26","relation":{},"ISSN":["1867-8211","1867-822X"],"issn-type":[{"type":"print","value":"1867-8211"},{"type":"electronic","value":"1867-822X"}],"subject":[],"published":{"date-parts":[[2021]]},"assertion":[{"value":"3 November 2021","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"SecureComm","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Security and Privacy in Communication Systems","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2021","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"6 September 2021","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"9 September 2021","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"17","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"securecomm2021","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/securecomm.eai-conferences.org\/2021\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Double-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Confy +","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"143","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"56","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"0","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"39% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Yes","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}