{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,15]],"date-time":"2026-07-15T16:09:01Z","timestamp":1784131741650,"version":"3.55.0"},"reference-count":35,"publisher":"Elsevier BV","license":[{"start":{"date-parts":[[2026,9,1]],"date-time":"2026-09-01T00:00:00Z","timestamp":1788220800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"},{"start":{"date-parts":[[2026,9,1]],"date-time":"2026-09-01T00:00:00Z","timestamp":1788220800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/legal\/tdmrep-license"},{"start":{"date-parts":[[2026,9,1]],"date-time":"2026-09-01T00:00:00Z","timestamp":1788220800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-017"},{"start":{"date-parts":[[2026,9,1]],"date-time":"2026-09-01T00:00:00Z","timestamp":1788220800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"},{"start":{"date-parts":[[2026,9,1]],"date-time":"2026-09-01T00:00:00Z","timestamp":1788220800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-012"},{"start":{"date-parts":[[2026,9,1]],"date-time":"2026-09-01T00:00:00Z","timestamp":1788220800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2026,9,1]],"date-time":"2026-09-01T00:00:00Z","timestamp":1788220800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-004"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62302428"],"award-info":[{"award-number":["62302428"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62376240"],"award-info":[{"award-number":["62376240"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100003787","name":"Natural Science Foundation of Hebei Province","doi-asserted-by":"publisher","award":["F2026203033"],"award-info":[{"award-number":["F2026203033"]}],"id":[{"id":"10.13039\/501100003787","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100008238","name":"Hebei Provincial Department of Science and Technology","doi-asserted-by":"publisher","award":["236Z0304G"],"award-info":[{"award-number":["236Z0304G"]}],"id":[{"id":"10.13039\/501100008238","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["elsevier.com","sciencedirect.com"],"crossmark-restriction":true},"short-container-title":["Journal of Information Security and Applications"],"published-print":{"date-parts":[[2026,9]]},"DOI":"10.1016\/j.jisa.2026.104516","type":"journal-article","created":{"date-parts":[[2026,6,8]],"date-time":"2026-06-08T13:49:21Z","timestamp":1780926561000},"page":"104516","update-policy":"https:\/\/doi.org\/10.1016\/elsevier_cm_policy","source":"Crossref","is-referenced-by-count":0,"special_numbering":"C","title":["An APT detection method based on provenance graph learning"],"prefix":"10.1016","volume":"101","author":[{"given":"Qian","family":"Wang","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Han","family":"Liu","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Yichao","family":"Wang","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Sa","family":"Rong","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Bing","family":"Zhang","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"78","reference":[{"key":"10.1016\/j.jisa.2026.104516_bib0001","doi-asserted-by":"crossref","DOI":"10.1016\/j.jnca.2024.104036","article-title":"RT-APT: a real-time apt anomaly detection method for large-scale provenance graph","volume":"233","author":"Weng","year":"2025","journal-title":"J Netw Comput Appl"},{"key":"10.1016\/j.jisa.2026.104516_bib0002","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3344382","article-title":"A survey of intrusion detection systems leveraging host data","volume":"52","author":"Bridges","year":"2019","journal-title":"ACM Comput Surv"},{"key":"10.1016\/j.jisa.2026.104516_bib0003","doi-asserted-by":"crossref","DOI":"10.1016\/j.jnca.2024.104004","article-title":"Evolving techniques in cyber threat hunting: a systematic review","volume":"232","author":"Mahboubi","year":"2024","journal-title":"J Netw Comput Appl"},{"key":"10.1016\/j.jisa.2026.104516_bib0004","series-title":"10th USENIX workshop on the theory and practice of provenance (TaPP 2018)","article-title":"Provenance-based intrusion detection: opportunities and challenges","author":"Han","year":"2018"},{"key":"10.1016\/j.jisa.2026.104516_bib0005","series-title":"26th USENIX security symposium (USENIX Security 17)","first-page":"487","article-title":"{SLEUTH}: Real-time attack scenario reconstruction from {COTS} audit data","author":"Hossain","year":"2017"},{"key":"10.1016\/j.jisa.2026.104516_bib0006","series-title":"2019\u202fIEEE Symposium on security and privacy (SP)","first-page":"1137","article-title":"Holmes: real-time apt detection through correlation of suspicious information flows","author":"Milajerdi","year":"2019"},{"key":"10.1016\/j.jisa.2026.104516_bib0007","doi-asserted-by":"crossref","first-page":"551","DOI":"10.1109\/TDSC.2020.2971484","article-title":"Conan: a practical real-time apt detection system with high accuracy and efficiency","volume":"19","author":"Xiong","year":"2020","journal-title":"IEEE Trans Dependable Secure Comput"},{"key":"10.1016\/j.jisa.2026.104516_bib0008","series-title":"Security in computing and communications","first-page":"438","article-title":"Technical aspects of cyber kill chain","author":"Yadav","year":"2015"},{"key":"10.1016\/j.jisa.2026.104516_bib0009","doi-asserted-by":"crossref","first-page":"4","DOI":"10.1109\/TNNLS.2020.2978386","article-title":"A comprehensive survey on graph neural networks","volume":"32","author":"Wu","year":"2021","journal-title":"IEEE Trans Neural Netw Learn Syst"},{"key":"10.1016\/j.jisa.2026.104516_bib0010","doi-asserted-by":"crossref","first-page":"20","DOI":"10.1145\/2481244.2481248","article-title":"Mining heterogeneous information networks: a structural analysis approach","volume":"14","author":"Sun","year":"2013","journal-title":"ACM SIGKDD Explor Newsl"},{"key":"10.1016\/j.jisa.2026.104516_bib0011","series-title":"Proceedings of the 2017\u202fACM on Asia conference on computer and communications security","first-page":"19","article-title":"SGX-LOG: securing system logs with SGX","author":"Karande","year":"2017"},{"key":"10.1016\/j.jisa.2026.104516_bib0012","series-title":"Proceedings of the 2020\u202fACM SIGSAC conference on computer and communications security","first-page":"1551","article-title":"Logging to the danger zone: race condition attacks and defenses on system audit frameworks","author":"Paccagnella","year":"2020"},{"key":"10.1016\/j.jisa.2026.104516_bib0013","series-title":"30th USENIX security symposium (USENIX Security 21)","first-page":"2987","article-title":"{SEAL}: Storage-efficient causality analysis on enterprise logs with query-friendly compression","author":"Fei","year":"2021"},{"key":"10.1016\/j.jisa.2026.104516_bib0014","series-title":"27th USENIX security symposium (USENIX Security 18)","first-page":"1723","article-title":"{Dependence-Preserving} data compaction for scalable forensic analysis","author":"Hossain","year":"2018"},{"key":"10.1016\/j.jisa.2026.104516_bib0015","series-title":"2020\u202fIEEE Symposium on security and privacy (SP)","first-page":"1139","article-title":"Combating dependence explosion in forensic analysis using alternative tag propagation semantics","author":"Hossain","year":"2020"},{"key":"10.1016\/j.jisa.2026.104516_bib0016","series-title":"31st USENIX security symposium (USENIX Security 22)","first-page":"2461","article-title":"{Back-propagating} system dependency impact for attack investigation","author":"Fang","year":"2022"},{"key":"10.1016\/j.jisa.2026.104516_bib0017","series-title":"NDSS","article-title":"You are what you do: hunting stealthy malware via data provenance analysis","author":"Wang","year":"2020"},{"key":"10.1016\/j.jisa.2026.104516_bib0018","unstructured":"Liu Z., Wang Y., Vaidya S., et al. Kan: Kolmogorov-Arnold networks. 2024. arXiv preprint: 2404.19756."},{"key":"10.1016\/j.jisa.2026.104516_bib0019","series-title":"11th International workshop on theory and practice of provenance (TaPP 2019)","article-title":"Mining data provenance to detect advanced persistent threats","author":"Barre","year":"2019"},{"key":"10.1016\/j.jisa.2026.104516_bib0020","doi-asserted-by":"crossref","DOI":"10.1016\/j.jnca.2022.103580","article-title":"Review on the application of deep learning in network attack detection","volume":"212","author":"Yi","year":"2023","journal-title":"J Netw Comput Appl"},{"key":"10.1016\/j.jisa.2026.104516_bib0021","series-title":"Proceedings of the 2025\u202fACM SIGSAC conference on computer and communications security","first-page":"963","article-title":"Slot: provenance-driven APT detection through graph reinforcement learning","author":"Qiao","year":"2025"},{"key":"10.1016\/j.jisa.2026.104516_bib0022","doi-asserted-by":"crossref","first-page":"401","DOI":"10.1016\/j.future.2020.02.015","article-title":"A baseline for unsupervised advanced persistent threat detection in system-level provenance","volume":"108","author":"Berrada","year":"2020","journal-title":"Future Gener Comput Syst"},{"key":"10.1016\/j.jisa.2026.104516_bib0023","doi-asserted-by":"crossref","first-page":"11744","DOI":"10.1109\/TIFS.2025.3618381","article-title":"SauronEyes: disentangling voluminous logs to unveil camouflaged attack intentions","volume":"20","author":"Qiao","year":"2025","journal-title":"IEEE Trans Inf Forensics Secur"},{"key":"10.1016\/j.jisa.2026.104516_bib0024","series-title":"2025 28th international symposium on research in attacks, intrusions and defenses (RAID)","first-page":"190","article-title":"STGraph: spatio-temporal graph mining for anomaly detection in distributed system logs","author":"Li","year":"2025"},{"key":"10.1016\/j.jisa.2026.104516_bib0025","series-title":"International conference on data security and privacy protection","first-page":"507","article-title":"Chaos: robust spatio-temporal fusion for generalizable APT provenance tracing","author":"Li","year":"2025"},{"key":"10.1016\/j.jisa.2026.104516_bib0026","series-title":"Proceedings of the 23rd ACM SIGKDD international conference on knowledge discovery and data mining","first-page":"135","article-title":"Metapath2vec: scalable representation learning for heterogeneous networks","author":"Dong","year":"2017"},{"key":"10.1016\/j.jisa.2026.104516_bib0027","series-title":"NDSS","article-title":"Towards a timely causality analysis for enterprise security","author":"Liu","year":"2018"},{"key":"10.1016\/j.jisa.2026.104516_bib0028","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2021.102496","article-title":"Domain adaptation for windows advanced persistent threat detection","volume":"112","author":"Coulter","year":"2022","journal-title":"Comput Secur"},{"key":"10.1016\/j.jisa.2026.104516_bib0029","unstructured":"Blealtan A.D.. An efficient implementation of kolmogorov-arnold network. 2024. Accessed: 2024-03-15. https:\/\/github.com\/Blealtan\/efficient-kan."},{"key":"10.1016\/j.jisa.2026.104516_bib0030","unstructured":"I2O D.. transparent computing engagement 3 data release. 2024. Accessed: 2024-03-01. https:\/\/github.com\/darpa-i2o\/Transparent-Computing."},{"key":"10.1016\/j.jisa.2026.104516_bib0031","series-title":"Proceedings of the 22nd ACM SIGKDD international conference on knowledge discovery and data mining","first-page":"1035","article-title":"Fast memory-efficient anomaly detection in streaming heterogeneous graphs","author":"Manzoor","year":"2016"},{"key":"10.1016\/j.jisa.2026.104516_bib0032","series-title":"Proceedings of the 2019\u202fACM SIGSAC conference on computer and communications security","first-page":"1777","article-title":"Log2vec: a heterogeneous graph embedding based approach for detecting cyber threats within enterprise","author":"Liu","year":"2019"},{"key":"10.1016\/j.jisa.2026.104516_bib0033","series-title":"2024\u202fIEEE Symposium on security and privacy (SP)","first-page":"139","article-title":"Flash: a comprehensive approach to intrusion detection via provenance graph representation learning","author":"Rehman","year":"2024"},{"key":"10.1016\/j.jisa.2026.104516_bib0034","doi-asserted-by":"crossref","first-page":"3972","DOI":"10.1109\/TIFS.2022.3208815","article-title":"Threatrace: detecting and tracing host-based threats in node level through provenance graph learning","volume":"17","author":"Wang","year":"2022","journal-title":"IEEE Trans Inf Forensics Secur"},{"key":"10.1016\/j.jisa.2026.104516_bib0035","series-title":"33rd USENIX security symposium (USENIX Security 24)","first-page":"5197","article-title":"{MAGIC}: detecting advanced persistent threats via masked graph representation learning","author":"Jia","year":"2024"}],"container-title":["Journal of Information Security and Applications"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S2214212626001468?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S2214212626001468?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2026,7,15]],"date-time":"2026-07-15T15:46:14Z","timestamp":1784130374000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S2214212626001468"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,9]]},"references-count":35,"alternative-id":["S2214212626001468"],"URL":"https:\/\/doi.org\/10.1016\/j.jisa.2026.104516","relation":{},"ISSN":["2214-2126"],"issn-type":[{"value":"2214-2126","type":"print"}],"subject":[],"published":{"date-parts":[[2026,9]]},"assertion":[{"value":"Elsevier","name":"publisher","label":"This article is maintained by"},{"value":"An APT detection method based on provenance graph learning","name":"articletitle","label":"Article Title"},{"value":"Journal of Information Security and Applications","name":"journaltitle","label":"Journal Title"},{"value":"https:\/\/doi.org\/10.1016\/j.jisa.2026.104516","name":"articlelink","label":"CrossRef DOI link to publisher maintained version"},{"value":"article","name":"content_type","label":"Content Type"},{"value":"\u00a9 2026 Elsevier Ltd. All rights are reserved, including those for text and data mining, AI training, and similar technologies.","name":"copyright","label":"Copyright"}],"article-number":"104516"}}