{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,10]],"date-time":"2026-06-10T01:01:14Z","timestamp":1781053274165,"version":"3.54.1"},"reference-count":56,"publisher":"Elsevier BV","license":[{"start":{"date-parts":[[2026,11,1]],"date-time":"2026-11-01T00:00:00Z","timestamp":1793491200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"},{"start":{"date-parts":[[2026,11,1]],"date-time":"2026-11-01T00:00:00Z","timestamp":1793491200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/legal\/tdmrep-license"},{"start":{"date-parts":[[2026,11,1]],"date-time":"2026-11-01T00:00:00Z","timestamp":1793491200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-017"},{"start":{"date-parts":[[2026,11,1]],"date-time":"2026-11-01T00:00:00Z","timestamp":1793491200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"},{"start":{"date-parts":[[2026,11,1]],"date-time":"2026-11-01T00:00:00Z","timestamp":1793491200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-012"},{"start":{"date-parts":[[2026,11,1]],"date-time":"2026-11-01T00:00:00Z","timestamp":1793491200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2026,11,1]],"date-time":"2026-11-01T00:00:00Z","timestamp":1793491200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-004"}],"content-domain":{"domain":["elsevier.com","sciencedirect.com"],"crossmark-restriction":true},"short-container-title":["Future Generation Computer Systems"],"published-print":{"date-parts":[[2026,11]]},"DOI":"10.1016\/j.future.2026.108605","type":"journal-article","created":{"date-parts":[[2026,5,20]],"date-time":"2026-05-20T23:23:17Z","timestamp":1779319397000},"page":"108605","update-policy":"https:\/\/doi.org\/10.1016\/elsevier_cm_policy","source":"Crossref","is-referenced-by-count":1,"special_numbering":"C","title":["CLIProv: A contrastive log-to-intelligence multimodal approach for threat detection and provenance analysis"],"prefix":"10.1016","volume":"184","author":[{"given":"Jingwen","family":"Li","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6641-3236","authenticated-orcid":false,"given":"Ru","family":"Zhang","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Jianyi","family":"Liu","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"WanGuo","family":"Zhao","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"78","reference":[{"issue":"14","key":"10.1016\/j.future.2026.108605_b1","doi-asserted-by":"crossref","DOI":"10.3390\/math11143115","article-title":"Advanced persistent threats and their defense methods in industrial internet of things: A survey","volume":"11","author":"Gan","year":"2023","journal-title":"Mathematics"},{"issue":"5","key":"10.1016\/j.future.2026.108605_b2","doi-asserted-by":"crossref","DOI":"10.1145\/3530812","article-title":"Machine learning-enabled IoT security: Open issues and challenges under advanced persistent threats","volume":"55","author":"Chen","year":"2022","journal-title":"ACM Comput. Surv."},{"issue":"5","key":"10.1016\/j.future.2026.108605_b3","doi-asserted-by":"crossref","first-page":"8440","DOI":"10.1109\/JIOT.2023.3322412","article-title":"A comprehensive detection method for the lateral movement stage of apt attacks","volume":"11","author":"He","year":"2024","journal-title":"IEEE Internet Things J."},{"key":"10.1016\/j.future.2026.108605_b4","unstructured":"L. Yu, Y. Ye, Z. Zhang, X. Zhang, Cost-effective Attack Forensics by Recording and Correlating File System Changes, in: 33rd USENIX Security Symposium (USENIX Security 24), 2024, pp. 1705\u20131722."},{"key":"10.1016\/j.future.2026.108605_b5","series-title":"Justice department announces actions to disrupt advanced persistent threat 28 botnet of infected routers and network storage devices","author":"of Justice","year":"2018"},{"issue":"5","key":"10.1016\/j.future.2026.108605_b6","doi-asserted-by":"crossref","first-page":"5589","DOI":"10.1109\/TMC.2023.3311012","article-title":"CMD: Co-analyzed IoT malware detection and forensics via network and hardware domains","volume":"23","author":"Zhao","year":"2024","journal-title":"IEEE Trans. Mob. Comput."},{"key":"10.1016\/j.future.2026.108605_b7","series-title":"32nd USENIX Security Symposium, USENIX Security 2023, Anaheim, CA, USA, August 9-11, 2023","first-page":"4355","article-title":"PROGRAPHER: An anomaly detection system based on provenance graph embedding","author":"Yang","year":"2023"},{"key":"10.1016\/j.future.2026.108605_b8","article-title":"APT-KGL: An intelligent APT detection system based on threat knowledge and heterogeneous provenance graph learning","author":"Chen","year":"2022","journal-title":"IEEE Trans. Dependable Secur. Comput."},{"key":"10.1016\/j.future.2026.108605_b9","doi-asserted-by":"crossref","unstructured":"E. Altinisik, F. Deniz, H.T. Sencar, ProvG-Searcher: A Graph Representation Learning Approach for Efficient Provenance Graph Search, in: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 2023, pp. 2247\u20132261.","DOI":"10.1145\/3576915.3623187"},{"key":"10.1016\/j.future.2026.108605_b10","series-title":"2024 IEEE Symposium on Security and Privacy","article-title":"KAIROS: Practical intrusion detection and investigation using whole-system provenance","author":"Cheng","year":"2024"},{"key":"10.1016\/j.future.2026.108605_b11","series-title":"32nd USENIX Security Symposium (USENIX Security 23)","first-page":"373","article-title":"AIRTAG: Towards automated attack investigation by unsupervised learning with log texts","author":"Ding","year":"2023"},{"key":"10.1016\/j.future.2026.108605_b12","doi-asserted-by":"crossref","unstructured":"S.M. Milajerdi, B. Eshete, R. Gjomemo, V. Venkatakrishnan, Poirot: Aligning attack behavior with kernel audit records for cyber threat hunting, in: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, 2019, pp. 1795\u20131812.","DOI":"10.1145\/3319535.3363217"},{"key":"10.1016\/j.future.2026.108605_b13","series-title":"Logllm: Log-based anomaly detection using large language models","author":"Guan","year":"2024"},{"key":"10.1016\/j.future.2026.108605_b14","series-title":"2025 International Joint Conference on Neural Networks","first-page":"1","article-title":"LogLLaMA: Transformer-based log anomaly detection with LLaMA","author":"Yang","year":"2025"},{"key":"10.1016\/j.future.2026.108605_b15","doi-asserted-by":"crossref","DOI":"10.1016\/j.knosys.2025.114064","article-title":"LLM-LADE: Large language model-based log anomaly detection with explanation","volume":"326","author":"Zhang","year":"2025","journal-title":"Knowl.-Based Syst."},{"key":"10.1016\/j.future.2026.108605_b16","series-title":"Transparent computing (archived)","author":"DARPA","year":"2018"},{"key":"10.1016\/j.future.2026.108605_b17","doi-asserted-by":"crossref","unstructured":"E. Manzoor, S.M. Milajerdi, L. Akoglu, Fast memory-efficient anomaly detection in streaming heterogeneous graphs, in: Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, 2016, pp. 1035\u20131044.","DOI":"10.1145\/2939672.2939783"},{"key":"10.1016\/j.future.2026.108605_b18","series-title":"27th Annual Network and Distributed System Security Symposium, NDSS 2020, San Diego, California, USA, February 23-26, 2020","article-title":"Unicorn: Runtime provenance-based detector for advanced persistent threats","author":"Han","year":"2020"},{"key":"10.1016\/j.future.2026.108605_b19","doi-asserted-by":"crossref","unstructured":"F. Liu, Y. Wen, D. Zhang, X. Jiang, X. Xing, D. Meng, Log2vec: A heterogeneous graph embedding based approach for detecting cyber threats within enterprise, in: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, 2019, pp. 1777\u20131794.","DOI":"10.1145\/3319535.3363224"},{"key":"10.1016\/j.future.2026.108605_b20","doi-asserted-by":"crossref","first-page":"3972","DOI":"10.1109\/TIFS.2022.3208815","article-title":"Threatrace: Detecting and tracing host-based threats in node level through provenance graph learning","volume":"17","author":"Wang","year":"2022","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"issue":"1","key":"10.1016\/j.future.2026.108605_b21","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3559768","article-title":"APTHunter: Detecting advanced persistent threats in early stages","volume":"4","author":"Mahmoud","year":"2023","journal-title":"Digit. Threat.: Res. Pr."},{"key":"10.1016\/j.future.2026.108605_b22","series-title":"2021 IEEE 37th International Conference on Data Engineering","first-page":"193","article-title":"Enabling efficient cyber threat hunting with cyber threat intelligence","author":"Gao","year":"2021"},{"key":"10.1016\/j.future.2026.108605_b23","series-title":"2021 IEEE 37th International Conference on Data Engineering","first-page":"2705","article-title":"A system for efficiently hunting for cyber threats in computer systems using threat intelligence","author":"Gao","year":"2021"},{"key":"10.1016\/j.future.2026.108605_b24","doi-asserted-by":"crossref","DOI":"10.1109\/TIFS.2024.3396390","article-title":"MEGR-APT: A memory-efficient APT hunting system based on attack representation learning","author":"Aly","year":"2024","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"10.1016\/j.future.2026.108605_b25","series-title":"MITRE ATT&CK: Design and Philosophy","author":"Strom","year":"2020"},{"key":"10.1016\/j.future.2026.108605_b26","series-title":"2019 IEEE Symposium on Security and Privacy","first-page":"1137","article-title":"Holmes: real-time apt detection through correlation of suspicious information flows","author":"Milajerdi","year":"2019"},{"key":"10.1016\/j.future.2026.108605_b27","series-title":"2020 IEEE Symposium on Security and Privacy","first-page":"1172","article-title":"Tactical provenance analysis for endpoint detection and response systems","author":"Hassan","year":"2020"},{"key":"10.1016\/j.future.2026.108605_b28","series-title":"Security and Privacy in Communication Networks: 17th EAI International Conference, SecureComm 2021, Virtual Event, September 6\u20139, 2021, Proceedings, Part I 17","first-page":"3","article-title":"Deephunter: A graph neural network based approach for robust cyber threat hunting","author":"Wei","year":"2021"},{"key":"10.1016\/j.future.2026.108605_b29","series-title":"2021 IEEE European Symposium on Security and Privacy (EuroS&P)","first-page":"598","article-title":"Extractor: Extracting attack behavior from threat reports","author":"Satvat","year":"2021"},{"key":"10.1016\/j.future.2026.108605_b30","series-title":"European Symposium on Research in Computer Security","first-page":"589","article-title":"AttacKG: Constructing technique knowledge graph from cyber threat intelligence reports","author":"Li","year":"2022"},{"issue":"6","key":"10.1016\/j.future.2026.108605_b31","doi-asserted-by":"crossref","first-page":"4793","DOI":"10.1109\/TDSC.2022.3233703","article-title":"Attack hypotheses generation based on threat intelligence knowledge graph","volume":"20","author":"Kaiser","year":"2023","journal-title":"IEEE Trans. Dependable Secur. Comput."},{"key":"10.1016\/j.future.2026.108605_b32","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2022.102828","article-title":"KRYSTAL: Knowledge graph-based framework for tactical attack discovery in audit data","volume":"121","author":"Kurniawan","year":"2022","journal-title":"Comput. Secur."},{"issue":"6","key":"10.1016\/j.future.2026.108605_b33","doi-asserted-by":"crossref","first-page":"5695","DOI":"10.1109\/TKDE.2022.3175719","article-title":"Cskg4apt: A cybersecurity knowledge graph for advanced persistent threat organization attribution","volume":"35","author":"Ren","year":"2022","journal-title":"IEEE Trans. Knowl. Data Eng."},{"key":"10.1016\/j.future.2026.108605_b34","series-title":"Market guide for security threat intelligence services","author":"Gartner","year":"2014"},{"issue":"3","key":"10.1016\/j.future.2026.108605_b35","doi-asserted-by":"crossref","first-page":"1748","DOI":"10.1109\/COMST.2023.3273282","article-title":"Cyber threat intelligence mining for proactive cybersecurity defense: a survey and new perspectives","volume":"25","author":"Sun","year":"2023","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"10.1016\/j.future.2026.108605_b36","series-title":"SANS 2024 CTI survey: Managing the evolving threat landscape","author":"Brown","year":"2024"},{"issue":"2","key":"10.1016\/j.future.2026.108605_b37","doi-asserted-by":"crossref","first-page":"423","DOI":"10.1109\/TPAMI.2018.2798607","article-title":"Multimodal machine learning: A survey and taxonomy","volume":"41","author":"Baltru\u0161aitis","year":"2018","journal-title":"IEEE Trans. Pattern Anal. Mach. Intell."},{"key":"10.1016\/j.future.2026.108605_b38","article-title":"Devise: A deep visual-semantic embedding model","volume":"26","author":"Frome","year":"2013","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"10.1016\/j.future.2026.108605_b39","series-title":"International Conference on Machine Learning","first-page":"1247","article-title":"Deep canonical correlation analysis","author":"Andrew","year":"2013"},{"key":"10.1016\/j.future.2026.108605_b40","series-title":"International Conference on Machine Learning","first-page":"8748","article-title":"Learning transferable visual models from natural language supervision","author":"Radford","year":"2021"},{"key":"10.1016\/j.future.2026.108605_b41","series-title":"Roberta: A robustly optimized bert pretraining approach","author":"Liu","year":"2019"},{"key":"10.1016\/j.future.2026.108605_b42","series-title":"MITRE ATT&CK","author":"MITRE","year":"2024"},{"key":"10.1016\/j.future.2026.108605_b43","first-page":"707","article-title":"Binary codes capable of correcting deletions, insertions, and reversals","volume":"vol. 10","author":"Levenshtein","year":"1966"},{"issue":"2","key":"10.1016\/j.future.2026.108605_b44","doi-asserted-by":"crossref","first-page":"146","DOI":"10.1137\/0201010","article-title":"Depth-first search and linear graph algorithms","volume":"1","author":"Tarjan","year":"1972","journal-title":"SIAM J. Comput."},{"key":"10.1016\/j.future.2026.108605_b45","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2024.103999","article-title":"LLM-TIKG: Threat intelligence knowledge graph construction utilizing large language model","volume":"145","author":"Hu","year":"2024","journal-title":"Comput. Secur."},{"key":"10.1016\/j.future.2026.108605_b46","first-page":"48987","article-title":"Evaluation and analysis of large language models for clinical text augmentation and generation","volume":"12","author":"Latif","year":"2024","journal-title":"IEEE Access"},{"key":"10.1016\/j.future.2026.108605_b47","first-page":"1877","article-title":"Language models are few-shot learners","volume":"vol. 33","author":"Brown","year":"2020"},{"key":"10.1016\/j.future.2026.108605_b48","series-title":"ICASSP 2025 - 2025 IEEE International Conference on Acoustics, Speech and Signal Processing","first-page":"1","article-title":"MM-LogVec: System log anomaly detection method based on multimodal representation learning","author":"Li","year":"2025"},{"key":"10.1016\/j.future.2026.108605_b49","series-title":"Representation learning with contrastive predictive coding","author":"Oord","year":"2018"},{"key":"10.1016\/j.future.2026.108605_b50","doi-asserted-by":"crossref","unstructured":"Z. Wu, Y. Xiong, S.X. Yu, D. Lin, Unsupervised feature learning via non-parametric instance discrimination, in: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2018, pp. 3733\u20133742.","DOI":"10.1109\/CVPR.2018.00393"},{"key":"10.1016\/j.future.2026.108605_b51","doi-asserted-by":"crossref","unstructured":"B. Ding, J.X. Yu, L. Qin, Finding time-dependent shortest paths over large graphs, in: Proceedings of the 11th International Conference on Extending Database Technology: Advances in Database Technology, 2008, pp. 205\u2013216.","DOI":"10.1145\/1353343.1353371"},{"key":"10.1016\/j.future.2026.108605_b52","article-title":"Pytorch: An imperative style, high-performance deep learning library","volume":"32","author":"Paszke","year":"2019","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"10.1016\/j.future.2026.108605_b53","unstructured":"A. Alsaheel, Y. Nan, S. Ma, L. Yu, G. Walkup, Z.B. Celik, X. Zhang, D. Xu, {ATLAS}: A sequence-based learning approach for attack investigation, in: 30th USENIX Security Symposium, USENIX Security 21, 2021, pp. 3005\u20133022."},{"key":"10.1016\/j.future.2026.108605_b54","series-title":"CICAPT-IIOT: A provenance-based APT attack dataset for IIoT environment","author":"Ghiasvand","year":"2024"},{"key":"10.1016\/j.future.2026.108605_b55","unstructured":"T. Mahlangu, S. January, T. Mashiane, M. Dlamini, S. Ngobeni, N. Ruxwana, Data poisoning: Achilles heel of cyber threat intelligence systems, in: Proceedings of the ICCWS 2019 14th International Conference on Cyber Warfare and Security: ICCWS, 2019, pp. 220\u2013230."},{"key":"10.1016\/j.future.2026.108605_b56","series-title":"2021 IEEE International Conference on Big Data (Big Data)","first-page":"3316","article-title":"Combating fake cyber threat intelligence using provenance in cybersecurity knowledge graphs","author":"Mitra","year":"2021"}],"container-title":["Future Generation Computer Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167739X26002396?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167739X26002396?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2026,6,10]],"date-time":"2026-06-10T00:40:36Z","timestamp":1781052036000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S0167739X26002396"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,11]]},"references-count":56,"alternative-id":["S0167739X26002396"],"URL":"https:\/\/doi.org\/10.1016\/j.future.2026.108605","relation":{},"ISSN":["0167-739X"],"issn-type":[{"value":"0167-739X","type":"print"}],"subject":[],"published":{"date-parts":[[2026,11]]},"assertion":[{"value":"Elsevier","name":"publisher","label":"This article is maintained by"},{"value":"CLIProv: A contrastive log-to-intelligence multimodal approach for threat detection and provenance analysis","name":"articletitle","label":"Article Title"},{"value":"Future Generation Computer Systems","name":"journaltitle","label":"Journal Title"},{"value":"https:\/\/doi.org\/10.1016\/j.future.2026.108605","name":"articlelink","label":"CrossRef DOI link to publisher maintained version"},{"value":"article","name":"content_type","label":"Content Type"},{"value":"\u00a9 2026 Published by Elsevier B.V.","name":"copyright","label":"Copyright"}],"article-number":"108605"}}