{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,4]],"date-time":"2026-02-04T18:08:41Z","timestamp":1770228521548,"version":"3.49.0"},"publisher-location":"Singapore","reference-count":34,"publisher":"Springer Nature Singapore","isbn-type":[{"value":"9789819624164","type":"print"},{"value":"9789819624171","type":"electronic"}],"license":[{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025]]},"DOI":"10.1007\/978-981-96-2417-1_13","type":"book-chapter","created":{"date-parts":[[2025,3,3]],"date-time":"2025-03-03T09:52:04Z","timestamp":1740995524000},"page":"236-253","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["GNNexPIDS: An Interpretation Method for\u00a0Provenance-Based Intrusion Detection Based on\u00a0GNNExplainer"],"prefix":"10.1007","author":[{"given":"Ziyang","family":"Yu","sequence":"first","affiliation":[]},{"given":"Wentao","family":"Li","sequence":"additional","affiliation":[]},{"given":"Xiu","family":"Ma","sequence":"additional","affiliation":[]},{"given":"Baorui","family":"Zheng","sequence":"additional","affiliation":[]},{"given":"Xinbo","family":"Han","sequence":"additional","affiliation":[]},{"given":"Ning","family":"Li","sequence":"additional","affiliation":[]},{"given":"Qiujian","family":"Lv","sequence":"additional","affiliation":[]},{"given":"Weiqing","family":"Huang","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,3,4]]},"reference":[{"key":"13_CR1","doi-asserted-by":"crossref","unstructured":"Wang, R., Nie, K., Wang, T., Yang, Y., Long, B.: Deep learning for anomaly detection. In: Proceedings of the 13th International Conference on Web Search and Data Mining, pp. 894\u2013896 (2020)","DOI":"10.1145\/3336191.3371876"},{"issue":"3","key":"13_CR2","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/1541880.1541882","volume":"41","author":"V Chandola","year":"2009","unstructured":"Chandola, V., Banerjee, A., Kumar, V.: Anomaly detection: a survey. ACM Comput. Surv. (CSUR) 41(3), 1\u201358 (2009)","journal-title":"ACM Comput. Surv. (CSUR)"},{"key":"13_CR3","doi-asserted-by":"crossref","unstructured":"Han, X., Pasquier, T., Bates, A., Mickens, J., Seltzer, M.: UNICORN: runtime provenance-based detector for advanced persistent threats. In: Network and Distributed Systems Security (NDSS) Symposium 2020, pp. 1\u201318. Internet Society (2020)","DOI":"10.14722\/ndss.2020.24046"},{"key":"13_CR4","doi-asserted-by":"crossref","unstructured":"Milajerdi, S.M., Gjomemo, R., Eshete, B., Sekar, R., Venkatakrishnan, V.N.: HOLMES: real-time APT detection through correlation of suspicious information flows. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 1137\u20131152. IEEE (2019)","DOI":"10.1109\/SP.2019.00026"},{"key":"13_CR5","doi-asserted-by":"crossref","unstructured":"Zengy, J., et al.: SHADEWATCHER: recommendation-guided cyber threat analysis using system audit records. In: 2022 IEEE Symposium on Security and Privacy (SP), pp. 489\u2013506. IEEE (2022)","DOI":"10.1109\/SP46214.2022.9833669"},{"key":"13_CR6","doi-asserted-by":"publisher","first-page":"3972","DOI":"10.1109\/TIFS.2022.3208815","volume":"17","author":"S Wang","year":"2022","unstructured":"Wang, S., et al.: THREATRACE: detecting and tracing host-based threats in node level through provenance graph learning. IEEE Trans. Inf. Forensics Secur. 17, 3972\u20133987 (2022)","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"13_CR7","doi-asserted-by":"crossref","unstructured":"Cheng, Z., et al.: KAIROS: practical intrusion detection and investigation using whole-system provenance. In: 2024 IEEE Symposium on Security and Privacy (SP), p. 5. IEEE Computer Society (2023)","DOI":"10.1109\/SP54263.2024.00005"},{"key":"13_CR8","unstructured":"Han, X., et al.: SIGL: securing software installations through deep graph learning. In: 30th USENIX Security Symposium (USENIX Security 21), pp. 2345\u20132362 (2021)"},{"issue":"1","key":"13_CR9","doi-asserted-by":"publisher","first-page":"249","DOI":"10.1109\/TKDE.2020.2981333","volume":"34","author":"Z Zhang","year":"2020","unstructured":"Zhang, Z., Cui, P., Zhu, W.: Deep learning on graphs: a survey. IEEE Trans. Knowl. Data Eng. 34(1), 249\u2013270 (2020)","journal-title":"IEEE Trans. Knowl. Data Eng."},{"key":"13_CR10","doi-asserted-by":"publisher","first-page":"57","DOI":"10.1016\/j.aiopen.2021.01.001","volume":"1","author":"J Zhou","year":"2020","unstructured":"Zhou, J., et al.: Graph neural networks: a review of methods and applications. AI Open 1, 57\u201381 (2020)","journal-title":"AI Open"},{"key":"13_CR11","unstructured":"Zhang, M., Chen, Y.: Link prediction based on graph neural networks. In: Advances in Neural Information Processing Systems 31 (2018)"},{"key":"13_CR12","unstructured":"Ying, Z., You, J., Morris, C., Ren, X., Hamilton, W., Leskovec, J.: Hierarchical graph representation learning with differentiable pooling. In: Advances in Neural Information Processing Systems 31 (2018)"},{"key":"13_CR13","unstructured":"Hamilton, W., Ying, Z., Leskovec, J.: Inductive representation learning on large graphs. In: Advances in Neural Information Processing Systems 30 (2017)"},{"key":"13_CR14","doi-asserted-by":"publisher","first-page":"52138","DOI":"10.1109\/ACCESS.2018.2870052","volume":"6","author":"A Adadi","year":"2018","unstructured":"Adadi, A., Berrada, M.: Peeking inside the black-box: a survey on explainable artificial intelligence (XAI). IEEE access 6, 52138\u201352160 (2018)","journal-title":"IEEE access"},{"issue":"5","key":"13_CR15","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3236009","volume":"51","author":"R Guidotti","year":"2018","unstructured":"Guidotti, R., Monreale, A., Ruggieri, S., Turini, F., Giannotti, F., Pedreschi, D.: A survey of methods for explaining black box models. ACM Comput. Surv. (CSUR) 51(5), 1\u201342 (2018)","journal-title":"ACM Comput. Surv. (CSUR)"},{"key":"13_CR16","unstructured":"Baldassarre, F., Azizpour, H.: Explainability techniques for graph convolutional networks. In: International Conference on Machine Learning (ICML) Workshops, 2019 Workshop on Learning and Reasoning with Graph-Structured Representations (2019)"},{"key":"13_CR17","doi-asserted-by":"crossref","unstructured":"Pope, P.E., Kolouri, S., Rostami, M., Martin, C.E., Hoffmann, H.: Explainability methods for graph convolutional neural networks. In: Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition, pp. 10772\u201310781 (2019)","DOI":"10.1109\/CVPR.2019.01103"},{"issue":"5","key":"13_CR18","first-page":"5782","volume":"45","author":"H Yuan","year":"2022","unstructured":"Yuan, H., Yu, H., Gui, S., Ji, S.: Explainability in graph neural networks: a taxonomic survey. IEEE Trans. Pattern Anal. Mach. Intell. 45(5), 5782\u20135799 (2022)","journal-title":"IEEE Trans. Pattern Anal. Mach. Intell."},{"key":"13_CR19","doi-asserted-by":"crossref","unstructured":"Huang, Q., Yamada, M., Tian, Y., Singh, D., Chang, Y.: GraphLIME: local interpretable model explanations for graph neural networks. IEEE Trans. Knowl. Data Eng. (2022)","DOI":"10.1109\/TKDE.2022.3187455"},{"key":"13_CR20","unstructured":"Vu, M., Thai, M.T.: PGM-Explainer: probabilistic graphical model explanations for graph neural networks. In: Advances in Neural Information Processing Systems 33, pp. 12225\u201312235 (2020)"},{"key":"13_CR21","unstructured":"Baldassarre, F., Azizpour, H.: Explainability techniques for graph convolutional networks. arXiv preprint arXiv:1905.13686 (2019)"},{"key":"13_CR22","doi-asserted-by":"publisher","first-page":"838","DOI":"10.1109\/TIFS.2020.3021924","volume":"16","author":"M Fan","year":"2020","unstructured":"Fan, M., Wei, W., Xie, X., Liu, Y., Guan, X., Liu, T.: Can we trust your explanations? Sanity checks for interpreters in Android malware analysis. IEEE Trans. Inf. Forensics Secur. 16, 838\u2013853 (2020)","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"13_CR23","doi-asserted-by":"crossref","unstructured":"Warnecke, A., Arp, D., Wressnegger, C., Rieck, K.: Evaluating explanation methods for deep learning in security. In: 2020 IEEE European Symposium on Security and Privacy (EuroS &P), pp. 158\u2013174. IEEE (2020)","DOI":"10.1109\/EuroSP48549.2020.00018"},{"key":"13_CR24","unstructured":"Luo, D., et al.: Parameterized explainer for graph neural network. In: Advances in Neural Information Processing Systems 33, pp. 19620\u201319631 (2020)"},{"key":"13_CR25","unstructured":"Ying, Z., Bourgeois, D., You, J., Zitnik, M., Leskovec, J.: GNNExplainer: generating explanations for graph neural networks. In: Advances in Neural Information Processing Systems 32 (2019)"},{"issue":"7","key":"13_CR26","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3539605","volume":"55","author":"M Zipperle","year":"2022","unstructured":"Zipperle, M., Gottwalt, F., Chang, E., Dillon, T.: Provenance-based intrusion detection systems: a survey. ACM Comput. Surv. 55(7), 1\u201336 (2022)","journal-title":"ACM Comput. Surv."},{"key":"13_CR27","unstructured":"Keromytis, A.D.: Transparent computing engagement 3 data release (2018). https:\/\/github.com\/darpa-i2o\/Transparent-Computing\/blob\/master\/READMEE3:md"},{"key":"13_CR28","unstructured":"scikit-learn: machine learning in Python (2021). https:\/\/scikit-learn.org\/"},{"key":"13_CR29","unstructured":"Fey, M., Lenssen, J.E.: Fast graph representation learning with PyTorch Geometric. In: ICLR Workshop on Representation Learning on Graphs and Manifolds (2019)"},{"key":"13_CR30","doi-asserted-by":"crossref","unstructured":"Guo, W., Mu, D., Xu, J., Su, P., Wang, G., Xing, X.: LEMNA: explaining deep learning based security applications. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 364\u2013379 (2018)","DOI":"10.1145\/3243734.3243792"},{"key":"13_CR31","doi-asserted-by":"crossref","unstructured":"Ribeiro, M.T., Singh, S., Guestrin, C.: \u201cWhy should i trust you?\u201d Explaining the predictions of any classifier. In: Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 1135\u20131144 (2016)","DOI":"10.1145\/2939672.2939778"},{"key":"13_CR32","doi-asserted-by":"crossref","unstructured":"Manzoor, E., Momeni, S., Venkatakrishnan, V., et al.: Fast memory-efficient anomaly detection in streaming heterogeneous graphs. In: International Conference on Knowledge Discovery and Data Mining (KDD\u201916) (2016)","DOI":"10.1145\/2939672.2939783"},{"key":"13_CR33","unstructured":"Wei, F., Li, H., Zhao, Z., Hu, H.: xNIDS: explaining deep learning-based network intrusion detection systems for active intrusion responses. In: 32nd USENIX Security Symposium (USENIX Security 23), pp. 4337\u20134354 (2023)"},{"key":"13_CR34","doi-asserted-by":"crossref","unstructured":"Han, D., et al.: DeepAID: interpreting and improving deep learning-based anomaly detection in security applications. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 3197\u20133217(2021)","DOI":"10.1145\/3460120.3484589"}],"container-title":["Lecture Notes in Computer Science","Science of Cyber Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-981-96-2417-1_13","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,9,6]],"date-time":"2025-09-06T06:53:17Z","timestamp":1757141597000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-981-96-2417-1_13"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"ISBN":["9789819624164","9789819624171"],"references-count":34,"URL":"https:\/\/doi.org\/10.1007\/978-981-96-2417-1_13","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025]]},"assertion":[{"value":"4 March 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"SciSec","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Science of Cyber Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Copenhagen","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Denmark","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2024","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"14 August 2024","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"16 August 2024","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"6","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"scisec2024","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"http:\/\/www.scisec.org\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}