{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,21]],"date-time":"2026-03-21T03:16:45Z","timestamp":1774063005745,"version":"3.50.1"},"reference-count":42,"publisher":"Elsevier BV","issue":"1","license":[{"start":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T00:00:00Z","timestamp":1780272000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"},{"start":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T00:00:00Z","timestamp":1780272000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/legal\/tdmrep-license"},{"start":{"date-parts":[[2026,2,8]],"date-time":"2026-02-08T00:00:00Z","timestamp":1770508800000},"content-version":"vor","delay-in-days":0,"URL":"http:\/\/creativecommons.org\/licenses\/by-nc\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100003327","name":"Cooperative Research Centres, Australian Government Department of Industry","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100003327","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["elsevier.com","sciencedirect.com"],"crossmark-restriction":true},"short-container-title":["International Journal of Information Management Data Insights"],"published-print":{"date-parts":[[2026,6]]},"DOI":"10.1016\/j.jjimei.2026.100397","type":"journal-article","created":{"date-parts":[[2026,2,18]],"date-time":"2026-02-18T07:08:45Z","timestamp":1771398525000},"page":"100397","update-policy":"https:\/\/doi.org\/10.1016\/elsevier_cm_policy","source":"Crossref","is-referenced-by-count":0,"title":["BPGV: Behavioral provenance graph views to enhance anomaly detection"],"prefix":"10.1016","volume":"6","author":[{"given":"Michael","family":"Zipperle","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8747-2603","authenticated-orcid":false,"given":"Yu","family":"Zhang","sequence":"additional","affiliation":[]},{"given":"Min","family":"Wang","sequence":"additional","affiliation":[]},{"given":"Elizabeth","family":"Chang","sequence":"additional","affiliation":[]},{"given":"Tharam","family":"Dillon","sequence":"additional","affiliation":[]}],"member":"78","reference":[{"key":"10.1016\/j.jjimei.2026.100397_b1","series-title":"Proceedings of the 37th ACM\/SIGAPP symposium on applied computing","first-page":"1684","article-title":"ANUBIS: A provenance graph-based framework for advanced persistent threat detection","author":"Anjum","year":"2022"},{"key":"10.1016\/j.jjimei.2026.100397_b2","series-title":"Proceedings of the 11th USeNIX conference on theory and practice of provenance","first-page":"6","article-title":"Mining data provenance to detect advanced persistent threats","author":"Barre","year":"2019"},{"issue":"4","key":"10.1016\/j.jjimei.2026.100397_b3","doi-asserted-by":"crossref","DOI":"10.1145\/3062180","article-title":"Taming the costs of trustworthy provenance through policy reduction","volume":"17","author":"Bates","year":"2017","journal-title":"ACM Transactions on Internet Technology"},{"key":"10.1016\/j.jjimei.2026.100397_b4","series-title":"2024 IEEE symposium on security and privacy","first-page":"3533","article-title":"Kairos: Practical intrusion detection and investigation using whole-system provenance","author":"Cheng","year":"2024"},{"key":"10.1016\/j.jjimei.2026.100397_b5","series-title":"2021 IEEE international conference on cyber security and resilience","first-page":"35","article-title":"SK-Tree: A systematic malware detection algorithm on streaming trees via the signature kernel","author":"Cochrane","year":"2021"},{"key":"10.1016\/j.jjimei.2026.100397_b6","series-title":"Operationally transparent cyber (optc) data release","author":"DARPA","year":"2021"},{"key":"10.1016\/j.jjimei.2026.100397_b7","series-title":"Proceedings of the 28th ACM symposium on access control models and technologies","first-page":"5","article-title":"Access control vulnerabilities in network protocol implementations: How attackers exploit them and what to do about it","author":"dos Santos","year":"2023"},{"key":"10.1016\/j.jjimei.2026.100397_b8","doi-asserted-by":"crossref","unstructured":"Du, M., Li, F., Zheng, G., & Srikumar, V. (2017). Deeplog: Anomaly Detection and Diagnosis from System Logs through Deep Learning. In Proceedings of the 2017 ACM SIGSAC conference on computer and communications security (pp. 1285\u20131298).","DOI":"10.1145\/3133956.3134015"},{"key":"10.1016\/j.jjimei.2026.100397_b9","series-title":"The numbers game: How many alerts are too many to handle?","author":"FireEye","year":"2020"},{"key":"10.1016\/j.jjimei.2026.100397_b10","series-title":"UNICORN: Runtime provenance-based detector for advanced persistent threats","author":"Han","year":"2020"},{"key":"10.1016\/j.jjimei.2026.100397_b11","series-title":"Proceedings of the 9th USeNIX conference on hot topics in cloud computing","first-page":"18","article-title":"FRAPpuccino: Fault-detection through runtime analysis of provenance","author":"Han","year":"2017"},{"key":"10.1016\/j.jjimei.2026.100397_b12","series-title":"2020 IEEE symposium on security and privacy","first-page":"1172","article-title":"Tactical provenance analysis for endpoint detection and response systems","author":"Hassan","year":"2020"},{"key":"10.1016\/j.jjimei.2026.100397_b13","series-title":"Network and distributed systems security (NDSS) symposium","first-page":"1","article-title":"NODOZE: Combatting threat alert fatigue with automated provenance triage","author":"Hassan","year":"2019"},{"key":"10.1016\/j.jjimei.2026.100397_b14","doi-asserted-by":"crossref","DOI":"10.14722\/ndss.2018.23141","article-title":"Towards Scalable cluster auditing through grammatical inference over provenance graphs","author":"Hassan","year":"2018","journal-title":"Network and Distributed Systems Security Symposium"},{"key":"10.1016\/j.jjimei.2026.100397_b15","series-title":"2020 IEEE symposium on security and privacy","first-page":"1139","article-title":"Combating dependence explosion in forensic analysis using alternative tag propagation semantics","author":"Hossain","year":"2020"},{"key":"10.1016\/j.jjimei.2026.100397_b16","series-title":"27th USeNIX security symposium","first-page":"1723","article-title":"Dependence-preserving data compaction for scalable forensic analysis","author":"Hossain","year":"2018"},{"issue":"2","key":"10.1016\/j.jjimei.2026.100397_b17","doi-asserted-by":"crossref","DOI":"10.1016\/j.jjimei.2022.100134","article-title":"Intrusion detection system in cloud environment: Literature survey & future research directions","volume":"2","author":"Lata","year":"2022","journal-title":"International Journal of Information Management Data Insights"},{"key":"10.1016\/j.jjimei.2026.100397_b18","series-title":"Proceedings of the 2013 ACM SIGSAC conference on computer & communications security","first-page":"1005","article-title":"LogGC: Garbage collecting audit log","author":"Lee","year":"2013"},{"key":"10.1016\/j.jjimei.2026.100397_b19","series-title":"2018 USeNIX annual technical conference","first-page":"241","article-title":"Kernel-Supported cost-effective audit logging for causality tracking","author":"Ma","year":"2018"},{"key":"10.1016\/j.jjimei.2026.100397_b20","series-title":"23rd annual network and distributed system security symposium, NDSS 2016, San Diego, California, USA, February 21-24, 2016","first-page":"1","article-title":"ProTracer: Towards practical provenance tracing by alternating between logging and tainting","author":"Ma","year":"2016"},{"key":"10.1016\/j.jjimei.2026.100397_b21","series-title":"Information and communications security","first-page":"546","article-title":"TapTree: Process-tree based host behavior modeling and threat detection framework via sequential pattern mining","author":"Mamun","year":"2022"},{"key":"10.1016\/j.jjimei.2026.100397_b22","series-title":"2021 IEEE 20th international conference on trust, security and privacy in computing and communications","first-page":"693","article-title":"DeepTaskAPT: Insider APT detection using Task-tree based Deep Learning","author":"Mamun","year":"2021"},{"key":"10.1016\/j.jjimei.2026.100397_b23","doi-asserted-by":"crossref","unstructured":"Michael, N., Mink, J., Liu, J., Gaur, S., Hassan, W. U., & Bates, A. (2020). On the Forensic Validity of Approximated Audit Logs. In Annual computer security applications conference (pp. 189\u2013202).","DOI":"10.1145\/3427228.3427272"},{"key":"10.1016\/j.jjimei.2026.100397_b24","series-title":"Sysmon - Windows sysinternals","author":"Microsoft","year":"2020"},{"issue":"2","key":"10.1016\/j.jjimei.2026.100397_b25","doi-asserted-by":"crossref","first-page":"39","DOI":"10.1145\/997150.997156","article-title":"A taxonomy of DDoS attack and DDoS defense mechanisms","volume":"34","author":"Mirkovic","year":"2004","journal-title":"ACM SIGCOMM Computer Communication Review"},{"key":"10.1016\/j.jjimei.2026.100397_b26","series-title":"Analytics | MITRE Cyber Analytics Repository","author":"MITR","year":"2021"},{"key":"10.1016\/j.jjimei.2026.100397_b27","series-title":"Matrix - Enterprise","author":"MITRE ATT&CK","year":"2021"},{"issue":"2","key":"10.1016\/j.jjimei.2026.100397_b28","doi-asserted-by":"crossref","DOI":"10.1016\/j.jjimei.2022.100125","article-title":"What distinguishes binary from multi-class intrusion detection systems: Observations from experiments","volume":"2","author":"Palshikar","year":"2022","journal-title":"International Journal of Information Management Data Insights"},{"key":"10.1016\/j.jjimei.2026.100397_b29","series-title":"Security and privacy in communication networks","first-page":"510","article-title":"AttackMiner: A graph neural network based approach for attack detection from audit logs","author":"Pan","year":"2023"},{"issue":"2","key":"10.1016\/j.jjimei.2026.100397_b30","doi-asserted-by":"crossref","DOI":"10.1016\/j.jjimei.2021.100013","article-title":"Information security breaches due to ransomware attacks - a systematic literature review","volume":"1","author":"Reshmi","year":"2021","journal-title":"International Journal of Information Management Data Insights"},{"key":"10.1016\/j.jjimei.2026.100397_b31","series-title":"Science of cyber security","first-page":"56","article-title":"LogSHIELD: A graph-based real-time anomaly detection framework using frequency analysis","author":"Roy","year":"2025"},{"key":"10.1016\/j.jjimei.2026.100397_b32","series-title":"Proceedings of the 2018 ACM SIGSAC conference on computer and communications security","first-page":"1324","article-title":"NodeMerge: Template based efficient data reduction for big-data causality analysis","author":"Tang","year":"2018"},{"key":"10.1016\/j.jjimei.2026.100397_b33","doi-asserted-by":"crossref","unstructured":"Wang, Q., Hassan, W. U., Li, D., Jee, K., Yu, X., Zou, K., Rhee, J., Chen, Z., Cheng, W., Gunter, C., et al. (2020). You Are What You Do: Hunting Stealthy Malware via Data Provenance Analysis. In Symposium on network and distributed system security (pp. 1\u201317).","DOI":"10.14722\/ndss.2020.24167"},{"key":"10.1016\/j.jjimei.2026.100397_b34","series-title":"TBDetector:Transformer-based detector for advanced persistent threats with provenance graph","author":"Wang","year":"2023"},{"key":"10.1016\/j.jjimei.2026.100397_b35","doi-asserted-by":"crossref","DOI":"10.1016\/j.comnet.2025.111552","article-title":"Efficient intrusion detection via heterogeneous graph attention networks and parallel provenance analysis","volume":"270","author":"Wu","year":"2025","journal-title":"Computer Networks"},{"key":"10.1016\/j.jjimei.2026.100397_b36","article-title":"Pagoda: A hybrid approach to enable efficient real-time provenance based intrusion detection in big data environments","author":"Xie","year":"2018","journal-title":"IEEE Transactions on Dependable and Secure Computing"},{"key":"10.1016\/j.jjimei.2026.100397_b37","doi-asserted-by":"crossref","first-page":"26","DOI":"10.1016\/j.future.2016.02.005","article-title":"Unifying intrusion detection and forensic analysis via provenance awareness","volume":"61","author":"Xie","year":"2016","journal-title":"Future Generation Computer Systems"},{"key":"10.1016\/j.jjimei.2026.100397_b38","first-page":"1","article-title":"P-Gaussian: Provenance-based Gaussian distribution for detecting intrusion behavior variants using high efficient and real time memory databases","author":"Xie","year":"2019","journal-title":"IEEE Transactions on Dependable and Secure Computing"},{"key":"10.1016\/j.jjimei.2026.100397_b39","series-title":"Proceedings of the 2016 ACM SIGSAC conference on computer and communications security","first-page":"504","article-title":"High fidelity data reduction for big data security dependency analyses","author":"Xu","year":"2016"},{"key":"10.1016\/j.jjimei.2026.100397_b40","series-title":"32nd USeNIX security symposium","first-page":"4355","article-title":"PROGRAPHER: An anomaly detection system based on provenance graph embedding","author":"Yang","year":"2023"},{"issue":"7","key":"10.1016\/j.jjimei.2026.100397_b41","doi-asserted-by":"crossref","DOI":"10.1145\/3539605","article-title":"Provenance-based intrusion detection systems: A survey","volume":"55","author":"Zipperle","year":"2022","journal-title":"ACM Computing Surveys"},{"key":"10.1016\/j.jjimei.2026.100397_b42","doi-asserted-by":"crossref","DOI":"10.1016\/j.jisa.2023.103682","article-title":"PARGMF: A provenance-enabled automated rule generation and matching framework with multi-level attack description model","volume":"81","author":"Zipperle","year":"2024","journal-title":"Journal of Information Security and Applications"}],"container-title":["International Journal of Information Management Data Insights"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S2667096826000108?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S2667096826000108?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2026,3,21]],"date-time":"2026-03-21T02:08:20Z","timestamp":1774058900000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S2667096826000108"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,6]]},"references-count":42,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2026,6]]}},"alternative-id":["S2667096826000108"],"URL":"https:\/\/doi.org\/10.1016\/j.jjimei.2026.100397","relation":{},"ISSN":["2667-0968"],"issn-type":[{"value":"2667-0968","type":"print"}],"subject":[],"published":{"date-parts":[[2026,6]]},"assertion":[{"value":"Elsevier","name":"publisher","label":"This article is maintained by"},{"value":"BPGV: Behavioral provenance graph views to enhance anomaly detection","name":"articletitle","label":"Article Title"},{"value":"International Journal of Information Management Data Insights","name":"journaltitle","label":"Journal Title"},{"value":"https:\/\/doi.org\/10.1016\/j.jjimei.2026.100397","name":"articlelink","label":"CrossRef DOI link to publisher maintained version"},{"value":"article","name":"content_type","label":"Content Type"},{"value":"\u00a9 2026 The Authors. Published by Elsevier Ltd.","name":"copyright","label":"Copyright"}],"article-number":"100397"}}