{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,12]],"date-time":"2026-06-12T00:59:07Z","timestamp":1781225947928,"version":"3.54.1"},"reference-count":48,"publisher":"Elsevier BV","license":[{"start":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T00:00:00Z","timestamp":1780272000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"},{"start":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T00:00:00Z","timestamp":1780272000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/legal\/tdmrep-license"},{"start":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T00:00:00Z","timestamp":1780272000000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-017"},{"start":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T00:00:00Z","timestamp":1780272000000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"},{"start":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T00:00:00Z","timestamp":1780272000000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-012"},{"start":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T00:00:00Z","timestamp":1780272000000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T00:00:00Z","timestamp":1780272000000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-004"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62002324"],"award-info":[{"award-number":["62002324"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100022955","name":"Fundamental Research Funds for the Provincial Universities of 
Zhejiang","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100022955","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100004731","name":"Natural Science Foundation of Zhejiang Province","doi-asserted-by":"publisher","award":["LQ21F020016"],"award-info":[{"award-number":["LQ21F020016"]}],"id":[{"id":"10.13039\/501100004731","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["elsevier.com","sciencedirect.com"],"crossmark-restriction":true},"short-container-title":["Knowledge-Based Systems"],"published-print":{"date-parts":[[2026,6]]},"DOI":"10.1016\/j.knosys.2026.115986","type":"journal-article","created":{"date-parts":[[2026,4,17]],"date-time":"2026-04-17T06:46:28Z","timestamp":1776408388000},"page":"115986","update-policy":"https:\/\/doi.org\/10.1016\/elsevier_cm_policy","source":"Crossref","is-referenced-by-count":0,"special_numbering":"C","title":["ProGrasp: Storage-efficient provenance graph compression for APT forensics via structure prediction and attribute 
aggregation"],"prefix":"10.1016","volume":"343","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-8657-662X","authenticated-orcid":false,"given":"Tiantian","family":"Zhu","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Yiqian","family":"Yang","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Zhengqiu","family":"Weng","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Haofei","family":"Sun","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Zhizhong","family":"Ma","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Guolang","family":"Chen","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"78","reference":[{"key":"10.1016\/j.knosys.2026.115986_b1","doi-asserted-by":"crossref","DOI":"10.1016\/j.chbr.2025.100650","article-title":"What drives new knowledge in human cybersecurity behavior? Insights from bibliometrics and thematic review","author":"Obreja","year":"2025","journal-title":"Comput. Hum. Behav. Rep."},{"key":"10.1016\/j.knosys.2026.115986_b2","doi-asserted-by":"crossref","first-page":"6","DOI":"10.1145\/3449047","article-title":"The SolarWinds hack, and a grand challenge for CS education","volume":"64","author":"Arquilla","year":"2021","journal-title":"Commun. 
ACM"},{"key":"10.1016\/j.knosys.2026.115986_b3","series-title":"Apache log4j security vulnerabilities","author":"The Apache Software Foundation","year":"2021"},{"key":"10.1016\/j.knosys.2026.115986_b4","unstructured":"Digital Security Technology Group, Investigative Report on Northwestern Polytechnical University\u2019s Discovery of US NSA Cyber Attack, Technical Report, China, 2022, URL: https:\/\/mp.weixin.qq.com\/s\/0ReOzQMM5GS4xXRUPpKCvA."},{"key":"10.1016\/j.knosys.2026.115986_b5","doi-asserted-by":"crossref","unstructured":"P.A. Loscocco, P.W. Wilson, J.A. Pendergrass, C.D. McDonell, Linux kernel integrity measurement using contextual inspection, in: Proceedings of the 2007 ACM Workshop on Scalable Trusted Computing, 2007, pp. 21\u201329.","DOI":"10.1145\/1314354.1314362"},{"key":"10.1016\/j.knosys.2026.115986_b6","doi-asserted-by":"crossref","unstructured":"M. Carbone, W. Cui, L. Lu, W. Lee, M. Peinado, X. Jiang, Mapping kernel objects to enable systematic integrity checking, in: Proceedings of the 16th ACM Conference on Computer and Communications Security, 2009, pp. 555\u2013565.","DOI":"10.1145\/1653662.1653729"},{"key":"10.1016\/j.knosys.2026.115986_b7","series-title":"Network and Distributed System Security Symposium","article-title":"Custos: Practical tamper-evident auditing of operating systems using trusted execution","author":"Paccagnella","year":"2020"},{"key":"10.1016\/j.knosys.2026.115986_b8","unstructured":"D. Yuan, S. Park, P. Huang, et al., Be conservative: Enhancing failure diagnosis with proactive logging, in: 10th USENIX Symposium on Operating Systems Design and Implementation, OSDI 12, 2012, pp. 
293\u2013306."},{"key":"10.1016\/j.knosys.2026.115986_b9","series-title":"2023 IEEE Symposium on Security and Privacy","first-page":"2620","article-title":"SoK: History is a vast early warning system: Auditing the provenance of system intrusions","author":"Inam","year":"2023"},{"issue":"1","key":"10.1016\/j.knosys.2026.115986_b10","doi-asserted-by":"crossref","first-page":"491","DOI":"10.1109\/TKDE.2020.2980257","article-title":"Subgraph matching with effective matching order and indexing","volume":"34","author":"Sun","year":"2022","journal-title":"IEEE Trans. Knowl. Data Eng."},{"key":"10.1016\/j.knosys.2026.115986_b11","series-title":"Proceedings of the IEEE Symposium on Security and Privacy","first-page":"1137","article-title":"HOLMES: Real-time APT detection through correlation of suspicious information flows","author":"Milajerdi","year":"2019"},{"key":"10.1016\/j.knosys.2026.115986_b12","series-title":"26th USENIX Security Symposium","first-page":"487","article-title":"SLEUTH: Real-time attack scenario reconstruction from COTS audit data","author":"Hossain","year":"2017"},{"key":"10.1016\/j.knosys.2026.115986_b13","series-title":"2020 IEEE Symposium on Security and Privacy","first-page":"1172","article-title":"Tactical provenance analysis for endpoint detection and response systems","author":"Hassan","year":"2020"},{"issue":"2","key":"10.1016\/j.knosys.2026.115986_b14","article-title":"Robust path matching and anomalous route detection using posterior weighted graphs","volume":"5","author":"Doocy","year":"2019","journal-title":"ACM Trans. Spat. 
Algorithms Syst."},{"key":"10.1016\/j.knosys.2026.115986_b15","series-title":"Network and Distributed System Security Symposium","article-title":"You are what you do: Hunting stealthy malware via data provenance analysis","author":"Wang","year":"2020"},{"issue":"C","key":"10.1016\/j.knosys.2026.115986_b16","doi-asserted-by":"crossref","first-page":"26","DOI":"10.1016\/j.future.2016.02.005","article-title":"Unifying intrusion detection and forensic analysis via provenance awareness","volume":"61","author":"Xie","year":"2016","journal-title":"Future Gener. Comput. Syst."},{"issue":"6","key":"10.1016\/j.knosys.2026.115986_b17","doi-asserted-by":"crossref","first-page":"1283","DOI":"10.1109\/TDSC.2018.2867595","article-title":"Pagoda: A hybrid approach to enable efficient real-time provenance based intrusion detection in big data environments","volume":"17","author":"Xie","year":"2020","journal-title":"IEEE Trans. Dependable Secur. Comput."},{"key":"10.1016\/j.knosys.2026.115986_b18","doi-asserted-by":"crossref","first-page":"341","DOI":"10.1016\/j.physa.2016.06.007","article-title":"Flow interaction based propagation model and bursty influence behavior analysis of internet flows","volume":"462","author":"Wu","year":"2016","journal-title":"Phys. 
A"},{"key":"10.1016\/j.knosys.2026.115986_b19","series-title":"2020 IEEE Symposium on Security and Privacy","first-page":"1139","article-title":"Combating dependence explosion in forensic analysis using alternative tag propagation semantics","author":"Hossain","year":"2020"},{"key":"10.1016\/j.knosys.2026.115986_b20","series-title":"Proceedings 2019 Network and Distributed System Security Symposium","article-title":"NoDoze: Combatting threat alert fatigue with automated provenance triage","author":"Hassan","year":"2019"},{"key":"10.1016\/j.knosys.2026.115986_b21","series-title":"31st USENIX Security Symposium","article-title":"Back-propagating system dependency impact for attack investigation","author":"Fang","year":"2021"},{"key":"10.1016\/j.knosys.2026.115986_b22","series-title":"Cybersecurity Threats 2024 Annual Report","author":"Qianxin","year":"2025"},{"issue":"4","key":"10.1016\/j.knosys.2026.115986_b23","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3062180","article-title":"Taming the costs of trustworthy provenance through policy reduction","volume":"17","author":"Bates","year":"2017","journal-title":"ACM Trans. Internet Technol. (TOIT)"},{"key":"10.1016\/j.knosys.2026.115986_b24","doi-asserted-by":"crossref","unstructured":"K.H. Lee, X. Zhang, D. Xu, Loggc: Garbage collecting audit log, in: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, 2013, pp. 1005\u20131016.","DOI":"10.1145\/2508859.2516731"},{"key":"10.1016\/j.knosys.2026.115986_b25","doi-asserted-by":"crossref","unstructured":"Y. Tang, D. Li, Z. Li, et al., Nodemerge: Template based efficient data reduction for big-data causality analysis, in: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, 2018, pp. 
1324\u20131337.","DOI":"10.1145\/3243734.3243763"},{"key":"10.1016\/j.knosys.2026.115986_b26","series-title":"The gzip home page","author":"Gzip.Org","year":"2021"},{"key":"10.1016\/j.knosys.2026.115986_b27","series-title":"30th USENIX Security Symposium","first-page":"2987","article-title":"SEAL: Storage-efficient causality analysis on enterprise logs with query-friendly compression","author":"Fei","year":"2021"},{"key":"10.1016\/j.knosys.2026.115986_b28","series-title":"30th USENIX Security Symposium","first-page":"3023","article-title":"ELISE: A storage efficient logging system powered by redundancy reduction and representation learning","author":"Ding","year":"2021"},{"key":"10.1016\/j.knosys.2026.115986_b29","series-title":"32nd USENIX Security Symposium","first-page":"3277","article-title":"The case for learned provenance graph storage systems","author":"Ding","year":"2023"},{"key":"10.1016\/j.knosys.2026.115986_b30","series-title":"Middleware 2012","first-page":"101","article-title":"SPADE: Support for provenance auditing in distributed environments","author":"Gehani","year":"2012"},{"key":"10.1016\/j.knosys.2026.115986_b31","series-title":"DeepZip: Lossless data compression using recurrent neural networks","author":"Goyal","year":"2018"},{"key":"10.1016\/j.knosys.2026.115986_b32","doi-asserted-by":"crossref","first-page":"3312","DOI":"10.1109\/TIFS.2021.3076288","article-title":"General, efficient, and real-time data compaction strategy for apt forensic analysis","volume":"16","author":"Zhu","year":"2021","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"issue":"6","key":"10.1016\/j.knosys.2026.115986_b33","doi-asserted-by":"crossref","first-page":"5247","DOI":"10.1109\/TDSC.2023.3243667","article-title":"Aptshield: A stable, efficient and real-time apt detection system for linux hosts","volume":"20","author":"Zhu","year":"2023","journal-title":"IEEE Trans. Dependable Secur. 
Comput."},{"key":"10.1016\/j.knosys.2026.115986_b34","series-title":"SecureBERT: A domain-specific language model for cybersecurity","author":"Aghaei","year":"2022"},{"issue":"4","key":"10.1016\/j.knosys.2026.115986_b35","doi-asserted-by":"crossref","first-page":"615","DOI":"10.3390\/jcp1040031","article-title":"CyBERT: Cybersecurity claim classification by fine-tuning the BERT language model","volume":"1","author":"Ameri","year":"2021","journal-title":"J. Cybersecur. Priv."},{"key":"10.1016\/j.knosys.2026.115986_b36","series-title":"2020 IEEE International Conference on Multisensor Fusion and Integration for Intelligent Systems","first-page":"223","article-title":"A hybrid approach to hierarchical density-based cluster selection","author":"Malzer","year":"2020"},{"issue":"3","key":"10.1016\/j.knosys.2026.115986_b37","doi-asserted-by":"crossref","first-page":"535","DOI":"10.1109\/TBDATA.2019.2921572","article-title":"Billion-scale similarity search with GPUs","volume":"7","author":"Johnson","year":"2019","journal-title":"IEEE Trans. Big Data"},{"key":"10.1016\/j.knosys.2026.115986_b38","series-title":"Transparent engagement 3","author":"Darap3","year":"2023"},{"key":"10.1016\/j.knosys.2026.115986_b39","series-title":"FastText.zip: Compressing text classification models","author":"Joulin","year":"2016"},{"key":"10.1016\/j.knosys.2026.115986_b40","series-title":"all-MiniLM-L6-v2: Sentence-transformers model","author":"Reimers","year":"2021"},{"issue":"1","key":"10.1016\/j.knosys.2026.115986_b41","doi-asserted-by":"crossref","first-page":"29","DOI":"10.1109\/TMC.2019.2891736","article-title":"A multi-user mobile computation offloading and transmission scheduling mechanism for delay-sensitive applications","volume":"19","author":"Yi","year":"2019","journal-title":"IEEE Trans. Mob. 
Comput."},{"issue":"1","key":"10.1016\/j.knosys.2026.115986_b42","doi-asserted-by":"crossref","first-page":"752","DOI":"10.1109\/TVT.2017.2740724","article-title":"Distributed multiuser computation offloading for cloudlet-based mobile cloud computing: A game-theoretic machine learning approach","volume":"67","author":"Cao","year":"2017","journal-title":"IEEE Trans. Veh. Technol."},{"issue":"12","key":"10.1016\/j.knosys.2026.115986_b43","doi-asserted-by":"crossref","first-page":"12262","DOI":"10.1109\/TMC.2024.3406607","article-title":"Dynamic human digital twin deployment at the edge for task execution: A two-timescale accuracy-aware online optimization","volume":"23","author":"Yang","year":"2024","journal-title":"IEEE Trans. Mob. Comput."},{"issue":"11","key":"10.1016\/j.knosys.2026.115986_b44","doi-asserted-by":"crossref","first-page":"3533","DOI":"10.1109\/JSAC.2023.3310106","article-title":"Differentially private federated multi-task learning framework for enhancing human-to-virtual connectivity in human digital twin","volume":"41","author":"Okegbile","year":"2023","journal-title":"IEEE J.Sel. A. Commun."},{"issue":"1","key":"10.1016\/j.knosys.2026.115986_b45","doi-asserted-by":"crossref","first-page":"706","DOI":"10.1109\/COMST.2023.3308717","article-title":"Networking architecture and key supporting technologies for human digital twin in personalized healthcare: A comprehensive survey","volume":"26","author":"Chen","year":"2023","journal-title":"IEEE Commun. Surv. & Tutorials"},{"key":"10.1016\/j.knosys.2026.115986_b46","first-page":"1","article-title":"Generative AI-aided QoE-aware resource allocations for RIS-assisted digital twin interaction with uncertain evolution","author":"Chen","year":"2025","journal-title":"IEEE Trans. Mob. 
Comput."},{"key":"10.1016\/j.knosys.2026.115986_b47","series-title":"LESS: Efficient log storage system based on learned model and minimum attribute tree","author":"Dang","year":"2024"},{"key":"10.1016\/j.knosys.2026.115986_b48","doi-asserted-by":"crossref","DOI":"10.1186\/s40537-018-0121-z","article-title":"Graphzip: a clique-based sparse graph compression method","author":"Rossi","year":"2018","journal-title":"J. Big Data"}],"container-title":["Knowledge-Based Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0950705126007124?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0950705126007124?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2026,6,12]],"date-time":"2026-06-12T00:13:41Z","timestamp":1781223221000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S0950705126007124"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,6]]},"references-count":48,"alternative-id":["S0950705126007124"],"URL":"https:\/\/doi.org\/10.1016\/j.knosys.2026.115986","relation":{},"ISSN":["0950-7051"],"issn-type":[{"value":"0950-7051","type":"print"}],"subject":[],"published":{"date-parts":[[2026,6]]},"assertion":[{"value":"Elsevier","name":"publisher","label":"This article is maintained by"},{"value":"ProGrasp: Storage-efficient provenance graph compression for APT forensics via structure prediction and attribute aggregation","name":"articletitle","label":"Article Title"},{"value":"Knowledge-Based Systems","name":"journaltitle","label":"Journal Title"},{"value":"https:\/\/doi.org\/10.1016\/j.knosys.2026.115986","name":"articlelink","label":"CrossRef DOI link to publisher maintained version"},{"value":"article","name":"content_type","label":"Content 
Type"},{"value":"\u00a9 2026 Elsevier B.V. All rights are reserved, including those for text and data mining, AI training, and similar technologies.","name":"copyright","label":"Copyright"}],"article-number":"115986"}}