{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,12]],"date-time":"2025-10-12T03:34:19Z","timestamp":1760240059705,"version":"build-2065373602"},"publisher-location":"Cham","reference-count":33,"publisher":"Springer Nature Switzerland","isbn-type":[{"value":"9783032079008","type":"print"},{"value":"9783032079015","type":"electronic"}],"license":[{"start":{"date-parts":[[2025,10,12]],"date-time":"2025-10-12T00:00:00Z","timestamp":1760227200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2025,10,12]],"date-time":"2025-10-12T00:00:00Z","timestamp":1760227200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2026]]},"DOI":"10.1007\/978-3-032-07901-5_10","type":"book-chapter","created":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T12:30:03Z","timestamp":1760185803000},"page":"190-210","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["GET-AID: Graph-Enhanced Transformer for\u00a0Provenance-Based Advanced Persistent Threats Investigation and\u00a0Detection"],"prefix":"10.1007","author":[{"given":"Zhicheng","family":"Huang","sequence":"first","affiliation":[]},{"given":"Fengyuan","family":"Xu","sequence":"additional","affiliation":[]},{"given":"Jiahong","family":"Yang","sequence":"additional","affiliation":[]},{"given":"Wenting","family":"Li","sequence":"additional","affiliation":[]},{"given":"Zonghua","family":"Zhang","sequence":"additional","affiliation":[]},{"given":"Chenbin","family":"Zhang","sequence":"additional","affiliation":[]},{"given":"Meng","family":"Ma","sequence":"additional","affiliation":[]},{"given":"Ping","family":"Wang","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,10,12]]},"reference":[{"key":"10_CR1","unstructured":"MANDIANT: Mandiant: Exposing one of china\u2019s cyber espionage units (2016). https:\/\/www.fireeye.com\/content\/dam\/fireeye-www\/services\/pdfs\/mandiant-apt1-report.pdf\/"},{"key":"10_CR2","unstructured":"Archive, N.S.: Cyber brief: Russian apts and the olympics (2019). https:\/\/nsarchive.gwu.edu\/news\/cyber-vault\/2019-08-05\/cyber-brief-russian-apts-olympics"},{"key":"10_CR3","unstructured":"Cloud, G.: 3cx software supply chain compromise (2023). https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/3cx-software-supply-chain-compromise\/"},{"key":"10_CR4","unstructured":"Security.com: X_trader affects critical infrastructure organizations in U.S. and Europe (2023). https:\/\/www.security.com\/threat-intelligence\/xtrader-3cx-supply-chain"},{"key":"10_CR5","doi-asserted-by":"crossref","unstructured":"Stojanovi\u0107, B., Hofer-Schmitz, K., Kleb, U.: Apt datasets and attack modeling for automated detection methods: a review. Comput. Secur. 92, 101734 (2020)","DOI":"10.1016\/j.cose.2020.101734"},{"key":"10_CR6","unstructured":"Cybersecurity, (CISA), I.S.A.: Incident detection, response, and prevention (2025). https:\/\/www.cisa.gov\/topics\/cyber-threats-and-advisories\/incident-detection-response-and-prevention"},{"key":"10_CR7","unstructured":"Hossain, M.N., et al.: Sleuth: real-time attack scenario reconstruction from cots audit data. In: Proceedings of the 26th USENIX Security Symposium (USENIX Security 17), pp. 487\u2013504 (2017)"},{"key":"10_CR8","doi-asserted-by":"crossref","unstructured":"Milajerdi, S.M., Eshete, B., Gjomemo, R., Venkatakrishnan, V.: Poirot: aligning attack behavior with kernel audit records for cyber threat hunting. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 1795\u20131812 (2019)","DOI":"10.1145\/3319535.3363217"},{"key":"10_CR9","doi-asserted-by":"crossref","unstructured":"Milajerdi, S.M., Gjomemo, R., Eshete, B., Sekar, R., Venkatakrishnan, V.: Holmes: real-time apt detection through correlation of suspicious information flows. In: Proceedings of the 2019 IEEE Symposium on Security and Privacy (S &P), pp. 1137\u20131152 (2019)","DOI":"10.1109\/SP.2019.00026"},{"key":"10_CR10","doi-asserted-by":"crossref","unstructured":"Hossain, M.N., Sheikhi, S., Sekar, R.: Combating dependence explosion in forensic analysis using alternative tag propagation semantics. In: Proceedings of the 2020 IEEE Symposium on Security and Privacy (S &P), pp. 1139\u20131155 (2020)","DOI":"10.1109\/SP40000.2020.00064"},{"key":"10_CR11","doi-asserted-by":"publisher","unstructured":"Hassan, W.U., et al.: Nodoze: combatting threat alert fatigue with automated provenance triage. In: Proceedings of the Symposium on Network and Distributed System Security (NDSS 19) (2019). https:\/\/doi.org\/10.14722\/ndss.2019.23349","DOI":"10.14722\/ndss.2019.23349"},{"key":"10_CR12","doi-asserted-by":"publisher","unstructured":"Wang, Q., et\u00a0al.: You are what you do: Hunting stealthy malware via data provenance analysis. In: Proceedings of the Symposium on Network and Distributed System Security (NDSS 20) (2020). https:\/\/doi.org\/10.14722\/ndss.2020.24167","DOI":"10.14722\/ndss.2020.24167"},{"key":"10_CR13","doi-asserted-by":"crossref","unstructured":"Han, X., Pasquier, T., Bates, A., Mickens, J., Seltzer, M.: Unicorn: runtime provenanunicorce-based detector for advanced persistent threats. In: Proceedings of the Symposium on Network and Distributed System Security (NDSS 20), pp. 1\u201318 (2020)","DOI":"10.14722\/ndss.2020.24046"},{"key":"10_CR14","unstructured":"Alsaheel, A., et al.: Atlas: a sequence-based learning approach for attack investigation. In: Proceedings of the 30th USENIX Security Symposium (USENIX Security 21), pp. 3005\u20133022 (2021)"},{"key":"10_CR15","doi-asserted-by":"crossref","unstructured":"Wang, S., et al.: Threatrace: detecting and tracing host-based threats in node level through provenance graph learning. IEEE Trans. Inf. Forensics Secur. 17, 3972\u20133987 (2022)","DOI":"10.1109\/TIFS.2022.3208815"},{"issue":"1","key":"10_CR16","doi-asserted-by":"publisher","first-page":"58","DOI":"10.23919\/cje.2022.00.173","volume":"33","author":"L Zeyi","year":"2024","unstructured":"Zeyi, L., Pan, W., Zixuan, W.: Flowgananomaly: flow-based anomaly network intrusion detection with adversarial learning. Chin. J. Electron. 33(1), 58\u201371 (2024). https:\/\/doi.org\/10.23919\/cje.2022.00.173","journal-title":"Chin. J. Electron."},{"key":"10_CR17","doi-asserted-by":"crossref","unstructured":"Cheng, Z., et al.: Kairos: practical intrusion detection and investigation using whole-system provenance. In: Proceedings of the 2024 IEEE Symposium on Security and Privacy (S &P), pp. 3533\u20133551. IEEE (2024)","DOI":"10.1109\/SP54263.2024.00005"},{"key":"10_CR18","unstructured":"Jia, Z., Xiong, Y., Nan, Y., Zhang, Y., Zhao, J., Wen, M.: Magic: detecting advanced persistent threats via masked graph representation learning. In: Proceedings of the 33rd USENIX Security Symposium (USENIX Security 24), pp. 5197\u20135214 (2024)"},{"key":"10_CR19","doi-asserted-by":"crossref","unstructured":"Ur\u00a0Rehman, M., Ahmadi, H., Ul\u00a0Hassan, W.: Flash: a comprehensive approach to intrusion detection via provenance graph representation learning. In: Proceedings of the 2024 IEEE Symposium on Security and Privacy (S &P), pp. 3552\u20133570 (2024)","DOI":"10.1109\/SP54263.2024.00139"},{"key":"10_CR20","doi-asserted-by":"crossref","unstructured":"Goyal, A., Wang, G., Bates, A.: R-caid: embedding root cause analysis within provenance-based intrusion detection. In: Proceedings of the 2024 IEEE Symposium on Security and Privacy (S &P), pp. 3515\u20133532. IEEE (2024)","DOI":"10.1109\/SP54263.2024.00253"},{"key":"10_CR21","doi-asserted-by":"crossref","unstructured":"Wei, R., Cai, L., Zhao, L., Yu, A., Meng, D.: Deephunter: a graph neural network based approach for robust cyber threat hunting. In: Proceedings of the 2021 Security and Privacy in Communication Networks, pp. 3\u201324 (2021)","DOI":"10.1007\/978-3-030-90019-9_1"},{"key":"10_CR22","doi-asserted-by":"crossref","unstructured":"Li, Z., Cheng, X., Sun, L., Zhang, J., Chen, B.: A hierarchical approach for advanced persistent threat detection with attention-based graph neural networks. Secur. Commun. Netw. 2021, 1939\u20130114 (2021)","DOI":"10.1155\/2021\/9961342"},{"key":"10_CR23","unstructured":"Zhao, J., Yan, Q., Liu, X., Li, B., Zuo, G.: Cyber threat intelligence modeling based on heterogeneous graph convolutional network. In: Proceedings of the 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 20), pp. 241\u2013256 (2020)"},{"key":"10_CR24","unstructured":"Manzoor, E., Momeni, S., Venkatakrishnan, V., Akoglu, L.: Streamspot code and data (2016). https:\/\/sbustreamspot.github.io\/"},{"key":"10_CR25","unstructured":"Torrey, J.: Transparent computing engagement 5 data release (2020). https:\/\/github.com\/darpa-i2o\/Transparent-Computing"},{"key":"10_CR26","doi-asserted-by":"crossref","unstructured":"Satvat, K., Gjomemo, R., Venkatakrishnan, V.: Extractor: extracting attack behavior from threat reports. In: Proceedings of the 2021 IEEE European Symposium on Security and Privacy (EuroS &P), pp. 598\u2013615 (2021)","DOI":"10.1109\/EuroSP51992.2021.00046"},{"issue":"2","key":"10_CR27","doi-asserted-by":"publisher","first-page":"1851","DOI":"10.1109\/COMST.2019.2891891","volume":"21","author":"A Alshamrani","year":"2019","unstructured":"Alshamrani, A., Myneni, S., Chowdhary, A., Huang, D.: A survey on advanced persistent threats: techniques, solutions, challenges, and research opportunities. IEEE Commun. Surv. Tutorials 21(2), 1851\u20131877 (2019)","journal-title":"IEEE Commun. Surv. Tutorials"},{"key":"10_CR28","unstructured":"Kaspersky: Kaspersky endpoint detection and response expert (2023). https:\/\/www.kaspersky.com\/enterprise-security\/endpoint-detection-response-edr\/"},{"key":"10_CR29","unstructured":"Gartner: Endpoint detection and response (EDR) solutions reviews and ratings (2023). https:\/\/www.gartner.com\/reviews\/market\/endpoint-detection-and-response-solutions\/"},{"key":"10_CR30","doi-asserted-by":"crossref","unstructured":"Pei, K., et al.: Hercule: attack story reconstruction via community discovery on correlated log graph. In: Proceedings of the 32rd Annual Conference on Computer Security Applications (ACSAC 16), pp. 583\u2013595 (2016)","DOI":"10.1145\/2991079.2991122"},{"key":"10_CR31","doi-asserted-by":"crossref","unstructured":"Fu, Z., et al.: Encrypted malware traffic detection via graph-based network analysis. In: Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 22), pp. 495\u2013509 (2022)","DOI":"10.1145\/3545948.3545983"},{"key":"10_CR32","doi-asserted-by":"crossref","unstructured":"Kapoor, M., Melton, J., Ridenhour, M., Krishnan, S., Moyer, T.: Prov-gem: automated provenance analysis framework using graph embeddings. In: Proceedings of the 20th IEEE International Conference on Machine Learning and Applications (ICMLA 21), pp. 1720\u20131727 (2021)","DOI":"10.1109\/ICMLA52953.2021.00273"},{"key":"10_CR33","doi-asserted-by":"crossref","unstructured":"Church, K., Gale, W.: Inverse document frequency (IDF): a measure of deviations from poisson. In: Natural Language Processing Using Very Large Corpora, pp. 283\u2013295. Springer, Cham (1999)","DOI":"10.1007\/978-94-017-2390-9_18"}],"container-title":["Lecture Notes in Computer Science","Computer Security \u2013 ESORICS 2025"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-032-07901-5_10","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T12:30:13Z","timestamp":1760185813000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-032-07901-5_10"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,10,12]]},"ISBN":["9783032079008","9783032079015"],"references-count":33,"URL":"https:\/\/doi.org\/10.1007\/978-3-032-07901-5_10","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,10,12]]},"assertion":[{"value":"12 October 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"ESORICS","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"European Symposium on Research in Computer Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Toulouse","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"France","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2025","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"22 September 2025","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"24 September 2025","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"30","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"esorics2025","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/www.esorics2025.org\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}