{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,3]],"date-time":"2026-07-03T22:23:11Z","timestamp":1783117391150,"version":"3.54.6"},"reference-count":36,"publisher":"Elsevier BV","license":[{"start":{"date-parts":[[2026,10,1]],"date-time":"2026-10-01T00:00:00Z","timestamp":1790812800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"},{"start":{"date-parts":[[2026,10,1]],"date-time":"2026-10-01T00:00:00Z","timestamp":1790812800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/legal\/tdmrep-license"},{"start":{"date-parts":[[2026,10,1]],"date-time":"2026-10-01T00:00:00Z","timestamp":1790812800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-017"},{"start":{"date-parts":[[2026,10,1]],"date-time":"2026-10-01T00:00:00Z","timestamp":1790812800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"},{"start":{"date-parts":[[2026,10,1]],"date-time":"2026-10-01T00:00:00Z","timestamp":1790812800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-012"},{"start":{"date-parts":[[2026,10,1]],"date-time":"2026-10-01T00:00:00Z","timestamp":1790812800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2026,10,1]],"date-time":"2026-10-01T00:00:00Z","timestamp":1790812800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-004"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["U24B20148"],"award-info":[{"award-number":["U24B20148"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["U24A20336"],"award-info":[{"award-number":["U24A20336"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62502106"],"award-info":[{"award-number":["62502106"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62272114"],"award-info":[{"award-number":["62272114"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100018537","name":"National Science and Technology Major Project","doi-asserted-by":"publisher","award":["PCL2024A05"],"award-info":[{"award-number":["PCL2024A05"]}],"id":[{"id":"10.13039\/501100018537","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100014881","name":"Guangzhou University","doi-asserted-by":"publisher","award":["202201020380"],"award-info":[{"award-number":["202201020380"]}],"id":[{"id":"10.13039\/501100014881","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100013076","name":"National Major Science and Technology Projects of China","doi-asserted-by":"publisher","award":["2022ZD0119602"],"award-info":[{"award-number":["2022ZD0119602"]}],"id":[{"id":"10.13039\/501100013076","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100010819","name":"Bureau of Education of Guangzhou Municipality","doi-asserted-by":"publisher","award":["2024312279"],"award-info":[{"award-number":["2024312279"]}],"id":[{"id":"10.13039\/501100010819","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["elsevier.com","sciencedirect.com"],"crossmark-restriction":true},"short-container-title":["Computers &amp; Security"],"published-print":{"date-parts":[[2026,10]]},"DOI":"10.1016\/j.cose.2026.104982","type":"journal-article","created":{"date-parts":[[2026,5,27]],"date-time":"2026-05-27T23:40:55Z","timestamp":1779925255000},"page":"104982","update-policy":"https:\/\/doi.org\/10.1016\/elsevier_cm_policy","source":"Crossref","is-referenced-by-count":0,"special_numbering":"C","title":["Scalable logical attack graph generation for enterprise networks through endpoint data"],"prefix":"10.1016","volume":"169","author":[{"given":"Chengliang","family":"Gao","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Jing","family":"Qiu","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Yifei","family":"Sun","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Du","family":"Cheng","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8829-4442","authenticated-orcid":false,"given":"Lihua","family":"Yin","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"78","reference":[{"issue":"1","key":"10.1016\/j.cose.2026.104982_b1","doi-asserted-by":"crossref","first-page":"50","DOI":"10.1007\/s10207-024-00964-3","article-title":"PR-DRA: PageRank-based defense resource allocation methods for securing interdependent systems modeled by attack graphs","volume":"24","author":"Al-Eiadeh","year":"2024","journal-title":"Int. J. Inf. Secur."},{"key":"10.1016\/j.cose.2026.104982_b2","series-title":"Proceedings of the 9th ACM Conference on Computer and Communications Security","first-page":"217","article-title":"Scalable, graph-based network vulnerability analysis","author":"Ammann","year":"2002"},{"issue":"3","key":"10.1016\/j.cose.2026.104982_b3","first-page":"17","article-title":"A fast user actual privilege reasoning framework based on privilege dependency graph reduction","author":"Bai","year":"2023","journal-title":"IET Inf. Secur."},{"key":"10.1016\/j.cose.2026.104982_b4","series-title":"IFIP Annual Conference on Data and Applications Security and Privacy","first-page":"23","article-title":"Agbuilder: An AI tool for automated attack graph building, analysis, and refinement","author":"Bezawada","year":"2019"},{"key":"10.1016\/j.cose.2026.104982_b5","doi-asserted-by":"crossref","unstructured":"Binyamini, H., Bitton, R., Inokuchi, M., Yagyu, T., Elovici, Y., Shabtai, A., 2021. A framework for modeling cyber attack techniques from security vulnerability descriptions. In: Proceedings of the 27th ACM SIGKDD Conference on Knowledge Discovery & Data Mining. pp. 2574\u20132583.","DOI":"10.1145\/3447548.3467159"},{"key":"10.1016\/j.cose.2026.104982_b6","doi-asserted-by":"crossref","DOI":"10.1016\/j.comnet.2023.109730","article-title":"Dynamic logic-based attack graph for risk assessment in complex computer systems","volume":"228","author":"Boudermine","year":"2023","journal-title":"Comput. Netw."},{"key":"10.1016\/j.cose.2026.104982_b7","doi-asserted-by":"crossref","first-page":"10189","DOI":"10.1109\/TIFS.2024.3488533","article-title":"TriAssetRank: Ranking vulnerabilities, exploits, and privileges for countermeasures prioritization","volume":"19","author":"Bouom","year":"2024","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"10.1016\/j.cose.2026.104982_b8","doi-asserted-by":"crossref","unstructured":"Cao, C., Yuan, L.P., Singhal, A., Liu, P., Sun, X., Zhu, S., 2018. Assessing Attack Impact on Business Processes by Interconnecting Attack Graphs and Entity Dependency Graphs. In: 32nd Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec 2018).","DOI":"10.1007\/978-3-319-95729-6_21"},{"key":"10.1016\/j.cose.2026.104982_b9","series-title":"A Hierarchical Network Security Risk Evaluation Approach Based on Multi-Goal Attack Graph","author":"Chen","year":"2009"},{"issue":"9","key":"10.1016\/j.cose.2026.104982_b10","doi-asserted-by":"crossref","DOI":"10.3390\/e22091026","article-title":"Distributed attack modeling approach based on process mining and graph segmentation","volume":"22","author":"Chen","year":"2020","journal-title":"Entropy"},{"key":"10.1016\/j.cose.2026.104982_b11","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2023.103485","article-title":"System-level data management for endpoint advanced persistent threat detection: Issues, challenges and trends","volume":"135","author":"Chen","year":"2023","journal-title":"Comput. Secur."},{"issue":"2","key":"10.1016\/j.cose.2026.104982_b12","doi-asserted-by":"crossref","first-page":"1142","DOI":"10.1109\/TMC.2022.3231567","article-title":"Towards system-level security analysis of IoT using attack graphs","volume":"23","author":"Fang","year":"2024","journal-title":"IEEE Trans. Mob. Comput."},{"key":"10.1016\/j.cose.2026.104982_b13","series-title":"2021 IEEE 37th International Conference on Data Engineering","first-page":"193","article-title":"Enabling efficient cyber threat hunting with cyber threat intelligence","author":"Gao","year":"2021"},{"key":"10.1016\/j.cose.2026.104982_b14","article-title":"Attack dynamics: An automatic attack graph generation framework based on system topology, CAPEC, CWE, and CVE databases","volume":"123","author":"Hankin","year":"2022","journal-title":"Comput. Secur."},{"issue":"5","key":"10.1016\/j.cose.2026.104982_b15","doi-asserted-by":"crossref","first-page":"519","DOI":"10.1109\/TDSC.2015.2423682","article-title":"Distributed attack graph generation","volume":"13","author":"Kaynar","year":"2016","journal-title":"IEEE Trans. Dependable Secur. Comput."},{"key":"10.1016\/j.cose.2026.104982_b16","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2023.103602","article-title":"Survey: Automatic generation of attack trees and attack graphs","volume":"137","author":"Konsta","year":"2024","journal-title":"Comput. Secur."},{"issue":"3","key":"10.1016\/j.cose.2026.104982_b17","doi-asserted-by":"crossref","first-page":"1179","DOI":"10.1109\/TDSC.2023.3273918","article-title":"T-trace: Constructing the APTs provenance graphs through multiple syslogs correlation","volume":"21","author":"Li","year":"2024","journal-title":"IEEE Trans. Dependable Secur. Comput."},{"key":"10.1016\/j.cose.2026.104982_b18","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2023.103653","article-title":"A survey on the evolution of fileless attacks and detection techniques","volume":"137","author":"Liu","year":"2024","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2026.104982_b19","series-title":"Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security","first-page":"139","article-title":"TREC: APT tactic \/ technique recognition via few-shot provenance subgraph learning","author":"Lv","year":"2024"},{"key":"10.1016\/j.cose.2026.104982_b20","doi-asserted-by":"crossref","DOI":"10.1016\/j.knosys.2025.114169","article-title":"Actminer: Applying causality tracking and increment aligning for graph-based threat hunting","volume":"327","author":"Ma","year":"2025","journal-title":"Knowl.-Based Syst."},{"key":"10.1016\/j.cose.2026.104982_b21","doi-asserted-by":"crossref","unstructured":"Milajerdi, S.M., Gjomemo, R., Eshete, B., Sekar, R., Venkatakrishnan, V., 2019. HOLMES: Real-Time APT Detection through Correlation of Suspicious Information Flows. In: 2019 IEEE Symposium on Security and Privacy. SP, pp. 1137\u20131152.","DOI":"10.1109\/SP.2019.00026"},{"key":"10.1016\/j.cose.2026.104982_b22","series-title":"Proceedings of the 13th ACM Conference on Computer and Communications Security","first-page":"336","article-title":"A scalable approach to attack graph generation","author":"Ou","year":"2006"},{"key":"10.1016\/j.cose.2026.104982_b23","unstructured":"Ou, X., Govindavajhala, S., Appel, A.W., 2005. MulVAL: A Logic-based Network Security Analyzer. In: Proceedings of the 14th USENIX Security Symposium."},{"key":"10.1016\/j.cose.2026.104982_b24","series-title":"European Symposium on Research in Computer Security","first-page":"229","article-title":"It is time to steer: A scalable framework for analysis-driven attack graph generation","author":"Palma","year":"2024"},{"key":"10.1016\/j.cose.2026.104982_b25","doi-asserted-by":"crossref","unstructured":"Qiao, W., Feng, Y., Li, T., Ma, Z., Shen, Y., Ma, J., Liu, Y., 2025. Slot: Provenance-Driven APT Detection through Graph Reinforcement Learning. In: Proceedings of the 2025 on ACM SIGSAC Conference on Computer and Communications Security.","DOI":"10.1145\/3719027.3744788"},{"key":"10.1016\/j.cose.2026.104982_b26","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2024.104159","article-title":"Provenance-based APT campaigns detection via masked graph representation learning","volume":"148","author":"Ren","year":"2025","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2026.104982_b27","series-title":"NOMS 2022-2022 IEEE\/IFIP Network Operations and Management Symposium","first-page":"1","article-title":"Identification of attack paths using kill chain and attack graphs","author":"Sadlek","year":"2022"},{"key":"10.1016\/j.cose.2026.104982_b28","series-title":"2024 20th International Conference on Network and Service Management","first-page":"1","article-title":"Hierarchical modeling of cyber assets in kill chain attack graphs","author":"Sadlek","year":"2024"},{"key":"10.1016\/j.cose.2026.104982_b29","series-title":"Scenario Graphs and Attack Graphs","author":"Sheyner","year":"2004"},{"key":"10.1016\/j.cose.2026.104982_b30","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2020.101869","article-title":"Automatic network restructuring and risk mitigation through business process asset dependency analysis","volume":"96","author":"Stergiopoulos","year":"2020","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2026.104982_b31","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2024.104296","article-title":"CORAL: Container online risk assessment with logical attack graphs","volume":"150","author":"Tayouri","year":"2025","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2026.104982_b32","doi-asserted-by":"crossref","DOI":"10.1016\/j.jnca.2024.104036","article-title":"RT-APT: A real-time APT anomaly detection method for large-scale provenance graph","volume":"233","author":"Weng","year":"2025","journal-title":"J. Netw. Comput. Appl."},{"key":"10.1016\/j.cose.2026.104982_b33","first-page":"2033","article-title":"Attack graph generation algorithm for large-scale network system","volume":"10","author":"Yie","year":"2013","journal-title":"J. Comput. Res. Dev."},{"key":"10.1016\/j.cose.2026.104982_b34","series-title":"2018 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications\/ 12th IEEE International Conference on Big Data Science and Engineering (TrustCom\/BigDataSE)","first-page":"212","article-title":"A reinforcement learning approach for attack graph analysis","author":"Yousefi","year":"2018"},{"key":"10.1016\/j.cose.2026.104982_b35","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2022.103081","article-title":"Attack graph analysis: An explanatory guide","volume":"126","author":"Zenitani","year":"2023","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2026.104982_b36","doi-asserted-by":"crossref","DOI":"10.1016\/j.ins.2023.119703","article-title":"From attack graph analysis to attack function analysis","volume":"650","author":"Zenitani","year":"2023","journal-title":"Inform. Sci."}],"container-title":["Computers &amp; Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404826001586?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404826001586?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2026,7,3]],"date-time":"2026-07-03T22:04:13Z","timestamp":1783116253000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S0167404826001586"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,10]]},"references-count":36,"alternative-id":["S0167404826001586"],"URL":"https:\/\/doi.org\/10.1016\/j.cose.2026.104982","relation":{},"ISSN":["0167-4048"],"issn-type":[{"value":"0167-4048","type":"print"}],"subject":[],"published":{"date-parts":[[2026,10]]},"assertion":[{"value":"Elsevier","name":"publisher","label":"This article is maintained by"},{"value":"Scalable logical attack graph generation for enterprise networks through endpoint data","name":"articletitle","label":"Article Title"},{"value":"Computers & Security","name":"journaltitle","label":"Journal Title"},{"value":"https:\/\/doi.org\/10.1016\/j.cose.2026.104982","name":"articlelink","label":"CrossRef DOI link to publisher maintained version"},{"value":"article","name":"content_type","label":"Content Type"},{"value":"\u00a9 2026 Elsevier Ltd. All rights are reserved, including those for text and data mining, AI training, and similar technologies.","name":"copyright","label":"Copyright"}],"article-number":"104982"}}