{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,21]],"date-time":"2026-05-21T00:05:49Z","timestamp":1779321949602,"version":"3.51.4"},"publisher-location":"Cham","reference-count":24,"publisher":"Springer Nature Switzerland","isbn-type":[{"value":"9783032200792","type":"print"},{"value":"9783032200808","type":"electronic"}],"license":[{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2026]]},"DOI":"10.1007\/978-3-032-20080-8_11","type":"book-chapter","created":{"date-parts":[[2026,5,20]],"date-time":"2026-05-20T23:23:04Z","timestamp":1779319384000},"page":"177-201","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Research on\u00a0Emergency Response Attack Scenario Reconstruction Method Based on\u00a0Steiner 
Trees"],"prefix":"10.1007","author":[{"given":"Manyuan","family":"Hua","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Fenghua","family":"Xu","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yukun","family":"Zhu","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Feng","family":"Yang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yanping","family":"Wang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yuanjian","family":"Zhou","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2026,5,1]]},"reference":[{"key":"11_CR1","doi-asserted-by":"crossref","unstructured":"Gehani, A., Tariq, D.: Spade: support for provenance auditing in distributed environments. In: ACM\/IFIP\/USENIX International Conference on Distributed Systems Platforms and Open Distributed Processing, pp. 101\u2013120 (2012)","DOI":"10.1007\/978-3-642-35170-9_6"},{"key":"11_CR2","doi-asserted-by":"crossref","unstructured":"Xie, Y., Feng, D., Tan, Z., et al.: A hybrid approach for efficient provenance storage. In: Proceedings of the 21st ACM International Conference on Information and Knowledge Management, pp. 1752\u20131756 (2012)","DOI":"10.1145\/2396761.2398511"},{"key":"11_CR3","doi-asserted-by":"crossref","unstructured":"Xu, Z., Wu, Z., Li, Z., et al.: High fidelity data reduction for big data security dependency analyses. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 504\u2013516 (2016)","DOI":"10.1145\/2976749.2978378"},{"key":"11_CR4","unstructured":"Hossain, M.N., Wang, J., Weisse, O., et al.: Dependence-Preserving data compaction for scalable forensic analysis. 
In: 27th USENIX Security Symposium (USENIX Security 18), pp. 1723\u20131740 (2018)"},{"key":"11_CR5","doi-asserted-by":"publisher","first-page":"3312","DOI":"10.1109\/TIFS.2021.3076288","volume":"16","author":"T Zhu","year":"2021","unstructured":"Zhu, T., Wang, J., Ruan, L., et al.: General, efficient, and real-time data compaction strategy for apt forensic analysis. IEEE Trans. Inf. Forensics Secur. 16, 3312\u20133325 (2021)","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"11_CR6","doi-asserted-by":"crossref","unstructured":"Lee, K.H., Zhang, X., Xu, D.: LogGC: garbage collecting audit log. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 1005\u20131016 (2013)","DOI":"10.1145\/2508859.2516731"},{"key":"11_CR7","unstructured":"Ma, S., Zhai, J., Kwon, Y., et al.: Kernel-Supported Cost-effective audit logging for causality tracking. In: 2018 USENIX Annual Technical Conference (USENIX ATC 18), pp. 241\u2013254 (2018)"},{"key":"11_CR8","doi-asserted-by":"crossref","unstructured":"Tang, Y., Li, D., Li, Z., et al.: Nodemerge: template based efficient data reduction for big-data causality analysis. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1324\u20131337 (2018)","DOI":"10.1145\/3243734.3243763"},{"key":"11_CR9","doi-asserted-by":"crossref","unstructured":"Michael, N., Mink, J., Liu, J., et al.: On the forensic validity of approximated audit logs. In: Proceedings of the 36th Annual Computer Security Applications Conference, pp. 189\u2013202 (2020)","DOI":"10.1145\/3427228.3427272"},{"key":"11_CR10","doi-asserted-by":"crossref","unstructured":"Hassan, W.U., Guo, S., Li, D., et al.: Nodoze: combatting threat alert fatigue with automated provenance triage. In: Proceedings 2019 Network and Distributed System Security Symposium (2019). 
https:\/\/dx.doi.org\/10.14722\/ndss.2019.23349","DOI":"10.14722\/ndss.2019.23349"},{"key":"11_CR11","unstructured":"Hossain, M.N., Milajerdi, S.M., Wang, J., et al.: SLEUTH: real-time attack scenario reconstruction from COTS audit data. In: 26th USENIX Security Symposium (USENIX Security 17), pp. 487\u2013504 (2017)"},{"key":"11_CR12","doi-asserted-by":"crossref","unstructured":"Milajerdi, S.M., Gjomemo, R., Eshete, B., et al.: Holmes: Real-time apt detection through correlation of suspicious information flows. In: IEEE Symposium on Security and Privacy (SP) 2019, pp. 1137\u20131152 (2019)","DOI":"10.1109\/SP.2019.00026"},{"key":"11_CR13","doi-asserted-by":"crossref","unstructured":"Han, X., Pasquier, T., Bates, A., et al.: Unicorn: runtime provenance-based detector for advanced persistent threats. arXiv preprint arXiv:2001.01525 (2020)","DOI":"10.14722\/ndss.2020.24046"},{"key":"11_CR14","unstructured":"Shen, Y., Stringhini, G.: ATTACK2VEC: leveraging temporal word embeddings to understand the evolution of cyberattacks. In: 28th USENIX Security Symposium (USENIX Security 19), pp. 905\u2013921 (2019)"},{"key":"11_CR15","unstructured":"Alsaheel, A., Nan, Y., Ma, S., et al.: ATLAS: a sequence-based learning approach for attack investigation. In: 30th USENIX Security Symposium (USENIX Security 21), pp. 3005\u20133022 (2021)"},{"key":"11_CR16","doi-asserted-by":"crossref","unstructured":"Teng, X., Yan, M., Ertugrul, A.M., et al.: Deep into hypersphere: Robust and unsupervised anomaly discovery in dynamic networks. In: Proceedings of the Twenty-Seventh International Joint Conference on Artificial Intelligence, p. 378 (2018)","DOI":"10.24963\/ijcai.2018\/378"},{"key":"11_CR17","unstructured":"Yang, F., Xu, J., Xiong, C., et al.: PROGRAPHER: an anomaly detection system based on provenance graph embedding. In: 32nd USENIX Security Symposium (USENIX Security 23), pp. 
4355\u20134372 (2023)"},{"key":"11_CR18","doi-asserted-by":"crossref","unstructured":"Cheng, Z., Lv, Q., Liang, J., et al.: Kairos: practical intrusion detection and investigation using whole-system provenance. In: IEEE Symposium on Security and Privacy (SP) 2024, pp. 3533\u20133551 (2024)","DOI":"10.1109\/SP54263.2024.00005"},{"key":"11_CR19","doi-asserted-by":"crossref","unstructured":"Zeng, J., Wang, X., Liu, J., et al.: Shadewatcher: recommendation-guided cyber threat analysis using system audit records. In: IEEE Symposium on Security and Privacy (SP) 2022, pp. 489\u2013506 (2022)","DOI":"10.1109\/SP46214.2022.9833669"},{"key":"11_CR20","unstructured":"Rehman, M.U., Ahmadi, H., Hassan, W.U.: Flash: a comprehensive approach to intrusion detection via provenance graph representation learning. In: IEEE Symposium on Security and Privacy (SP) 2024, pp. 139\u2013139 (2024)"},{"key":"11_CR21","doi-asserted-by":"publisher","first-page":"3972","DOI":"10.1109\/TIFS.2022.3208815","volume":"17","author":"S Wang","year":"2022","unstructured":"Wang, S., Wang, Z., Zhou, T., et al.: Threatrace: detecting and tracing host-based threats in node level through provenance graph learning. IEEE Trans. Inf. Forensics Secur. 17, 3972\u20133987 (2022)","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"11_CR22","doi-asserted-by":"crossref","unstructured":"Xu, Z., Fang, P., Liu, C., et al.: DepComm: graph summarization on system audit logs for attack investigation. In: IEEE Symposium on Security and Privacy (SP) 2022, pp. 540\u2013557 (2022)","DOI":"10.1109\/SP46214.2022.9833632"},{"key":"11_CR23","doi-asserted-by":"crossref","unstructured":"Manzoor, E., Milajerdi, S.M., Akoglu, L.: Fast memory-efficient anomaly detection in streaming heterogeneous graphs. In: Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 
1035\u20131044 (2016)","DOI":"10.1145\/2939672.2939783"},{"key":"11_CR24","unstructured":"Prasad, V., Cohen, W., Eigler, F., et al.: Locating system problems using dynamic instrumentation. In: Ottawa Linux Symposium 2005, pp. 49\u201364 (2005)"}],"container-title":["Lecture Notes in Computer Science","Attacks and Defenses for the Internet-of-Things"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-032-20080-8_11","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,5,20]],"date-time":"2026-05-20T23:23:07Z","timestamp":1779319387000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-032-20080-8_11"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026]]},"ISBN":["9783032200792","9783032200808"],"references-count":24,"URL":"https:\/\/doi.org\/10.1007\/978-3-032-20080-8_11","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026]]},"assertion":[{"value":"1 May 2026","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"ADIoT","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Attacks and Defenses for Internet-of-Things","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Changzhou","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"China","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference 
Information"}},{"value":"2025","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"1 November 2025","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2 November 2025","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"8","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"adiot2025","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/sptagelab.github.io\/conferences\/ADIoT2025\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}