{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,5]],"date-time":"2026-05-05T12:28:13Z","timestamp":1777984093752,"version":"3.51.4"},"reference-count":162,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"6","license":[{"start":{"date-parts":[[2025,3,15]],"date-time":"2025-03-15T00:00:00Z","timestamp":1741996800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2025,3,15]],"date-time":"2025-03-15T00:00:00Z","timestamp":1741996800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2025,3,15]],"date-time":"2025-03-15T00:00:00Z","timestamp":1741996800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"name":"EU Horizon","award":["COCOON 101120221"],"award-info":[{"award-number":["COCOON 101120221"]}]},{"name":"Jumpsec Ltd. Ph.D. Scholarship"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Internet Things J."],"published-print":{"date-parts":[[2025,3,15]]},"DOI":"10.1109\/jiot.2025.3528744","type":"journal-article","created":{"date-parts":[[2025,1,13]],"date-time":"2025-01-13T15:08:10Z","timestamp":1736780890000},"page":"6371-6395","source":"Crossref","is-referenced-by-count":19,"title":["Advanced Persistent Threats Based on Supply Chain Vulnerabilities: Challenges, Solutions, and Future Directions"],"prefix":"10.1109","volume":"12","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0809-0376","authenticated-orcid":false,"given":"Zhuoran","family":"Tan","sequence":"first","affiliation":[{"name":"School of Computing Science, University of Glasgow, Glasgow, Scotland"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5338-9385","authenticated-orcid":false,"given":"Shameem Puthiya","family":"Parambath","sequence":"additional","affiliation":[{"name":"School of Computing Science, University of Glasgow, Glasgow, Scotland"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1517-6757","authenticated-orcid":false,"given":"Christos","family":"Anagnostopoulos","sequence":"additional","affiliation":[{"name":"School of Computing Science, University of Glasgow, Glasgow, Scotland"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9462-6802","authenticated-orcid":false,"given":"Jeremy","family":"Singer","sequence":"additional","affiliation":[{"name":"School of Computing Science, University of Glasgow, Glasgow, Scotland"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7996-6216","authenticated-orcid":false,"given":"Angelos K.","family":"Marnerides","sequence":"additional","affiliation":[{"name":"Department of Electrical and Computer Engineering, KIOS Centre of Excellence, University of Cyprus, Nicosia, Cyprus"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"263","reference":[{"key":"ref1","volume-title":"Special report: Mandiant, m-trends 2024","year":"2024"},{"key":"ref2","volume-title":"OWASP top 10 for LLM applications","year":"2023"},{"key":"ref3","volume-title":"ENISA Threat Landscape for Supply Chain Attacks","year":"2021"},{"key":"ref4","volume-title":"Tactics, techniques, and procedures (TTPS) used in the solarwinds breach","author":"Ozarslan","year":"2020"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1145\/3560835.3564550"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1145\/3412841.3442040"},{"key":"ref7","first-page":"78","article-title":"ATLAS: A sequence-based learning approach for attack investigation","volume-title":"Proc. USENIX Security Symp.","author":"Alsaheel"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1145\/3488932.3523261"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2021.3098977"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00096"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.3390\/electronics9111864"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1109\/ICSIoT47925.2019.00019"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1145\/3560835.3564548"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.23055"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484736"},{"key":"ref16","volume-title":"Taxonomy of attacks on open-source software supply chains","author":"Ladisa","year":"2022"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1145\/3474374.3486918"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-61313-9"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2019.2891891"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2021.3130944"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1109\/TII.2016.2627503"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1016\/j.net.2020.08.021"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1109\/issrew55968.2022.00081"},{"key":"ref24","volume-title":"DevPhish: Exploring social engineering in software supply chain attacks on developers","author":"Siadati","year":"2024"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.51594\/ijmer.v6i6.1241"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.3390\/fi11030063"},{"key":"ref27","volume-title":"Managing risks in supply chains with digital twins and simulation","author":"Dmitry","year":"2020"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1145\/3560835.3564552"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.2978815"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2020.3024562"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1145\/3387940.3392233"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1109\/ICTS58770.2023.10330833"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2023.3251842"},{"key":"ref34","volume-title":"Who needs MLOPS: What data scientists seek to accomplish and how can MLOPS help?","author":"M\u00e4kinen","year":"2021"},{"key":"ref35","volume-title":"Securing the AI Software Supply Chain","author":"Hepworth","year":"2024"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2022.3229593"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1016\/j.tre.2020.102217"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.6028\/nist.ir.8183"},{"key":"ref39","volume-title":"Adversarial tactics, techniques, & common knowledge (ATLAS)","year":"2024"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1109\/TEM.2022.3197240"},{"key":"ref41","volume-title":"Tampering with arbitrary packages in @types scope of NPM","year":"2021"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3420015"},{"key":"ref43","volume-title":"Backstabber\u2019s knife collection: A review of open source software supply chain attacks","author":"Ohm","year":"2020"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1145\/3560835.3564547"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1080\/00207543.2020.1721591"},{"issue":"4","key":"ref46","first-page":"1","article-title":"Crowdstrike cyber incident vs. Past major cyber incidents: Analysis and solutions","volume":"6","author":"Banerjee","year":"2024","journal-title":"Int. J. Multidiscipl. Res."},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1016\/j.iot.2024.101215"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1109\/MSEC.2023.3302066"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179364"},{"key":"ref50","first-page":"413","article-title":"Dark firmware: A systematic approach to exploring application security risks in the presence of untrusted firmware","volume-title":"Proc. 23rd Int. Symp. Res. Attacks Intrusions Defenses (RAID)","author":"Ibdah"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2023.3253572"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1109\/ICSCEE.2018.8538431"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1109\/ICCCNT51525.2021.9579611"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1007\/s10669-013-9465-2"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1007\/s10207-020-00513-8"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2021.3093492"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.3390\/su16156688"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1080\/10466690902932551"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1109\/MS.2021.3073045"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1016\/j.measen.2022.100445"},{"key":"ref61","volume-title":"Bait and switch: Online training data poisoning of autonomous driving systems","author":"Patel","year":"2020"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2018.2864727"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1145\/3624010"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2023.3252594"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1016\/j.jii.2024.100623"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2024.107504"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2024.112031"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.1109\/TII.2021.3108811"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2023.3240288"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1145\/3627106.3627138"},{"key":"ref71","first-page":"187","article-title":"A source code vulnerability detection method based on adaptive graph neural networks","volume-title":"Proc. 39th IEEE\/ACM Int. Conf. Autom. Softw. Eng. Workshops (ASEW)","author":"Liang"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2024.3467180"},{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2024.112214"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2020.3030745"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.2478\/amns-2024-0040"},{"key":"ref76","volume-title":"Eset discovers a rare apt that stayed undetected for nine years","author":"Cimpanu","year":"2020"},{"key":"ref77","volume-title":"Modifiedelephant apt and a decade of fabricating evidence","author":"Hegel","year":"2022"},{"key":"ref78","volume-title":"Emulating recent activity from the Russian adversary nobelium\u2014APT29","author":"Guibernau","year":"2023"},{"key":"ref79","volume-title":"Sophisticated \u2018Tajmahal APT framework\u2019 remained undetected for 5 years","author":"Khandelwal","year":"2019"},{"key":"ref80","volume-title":"APT28: A window into Russia\u2019s cyber espionage operations?","author":"MCWHORTER","year":"2014"},{"key":"ref81","volume-title":"Advanced persistent threat actor lazarus attacks defense industry, develops supply chain attack capabilities","year":"2021"},{"key":"ref82","volume-title":"Equation group: The crown creator of cyber-espionage","year":"2021"},{"key":"ref83","volume-title":"Hidden LYNX\u2014Professional hackers for hire","author":"Doherty","year":"2013"},{"key":"ref84","volume-title":"Kaspersky, lab analyzes active cyberespionage campaign targeting online gaming companies worldwide","year":"2013"},{"key":"ref85","volume-title":"Suspected darkhotel apt activity update","author":"Fokker","year":"2022"},{"key":"ref86","volume-title":"New Macos backdoor connected to oceanlotus surfaces","author":"Magisa","year":"2020"},{"key":"ref87","volume-title":"Russian-speaking cyber spies exploit satellites","author":"Drozhzhin","year":"2015"},{"key":"ref88","volume-title":"Potential remote code execution in PYPI","year":"2021"},{"key":"ref89","volume-title":"What you need to know about the solarwinds supply-chain attack\u2014SANS Institute","author":"Williams","year":"2020"},{"key":"ref90","volume-title":"Recent findings from ccleaner apt investigation reveal that attackers entered the piriform network via Teamviewer","author":"Vlcek","year":"2018"},{"key":"ref91","volume-title":"Operation shadowhammer: New supply chain attack threatens hundreds of thousands of users worldwide","author":"Lab","year":"2019"},{"key":"ref92","volume-title":"Notpetya technical analysis\u2014A triple threat: File encryption, MFT encryption, credential theft","author":"Sood","year":"2017"},{"key":"ref93","volume-title":"Kaseya VSA ransomware attack explained","author":"Allen","year":"2023"},{"key":"ref94","volume-title":"Exploitation of accellion file transfer appliance","year":"2021"},{"key":"ref95","volume-title":"Codecov supply chain attack remained undetected for months and potentially affected major companies including Google, IBM, HP, and others","author":"HOPE","year":"2021"},{"key":"ref96","volume-title":"Tactics, techniques, and procedures (TTPS) used by hafnium to target Microsoft exchange servers","year":"2021"},{"key":"ref97","volume-title":"Ccleaner command and control causes concern","author":"Brumaghin","year":"2017"},{"key":"ref98","volume-title":"Highly evasive attacker leverages solarwinds supply chain to compromise multiple global victims with sunburst backdoor","year":"2020"},{"key":"ref99","doi-asserted-by":"publisher","DOI":"10.1145\/3315574"},{"key":"ref100","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2023.24222"},{"key":"ref101","volume-title":"Tajmahal advanced persistent threat","author":"White","year":"2019"},{"key":"ref102","doi-asserted-by":"publisher","DOI":"10.1109\/TKDE.2022.3175719"},{"key":"ref103","doi-asserted-by":"publisher","DOI":"10.1109\/ICDE51399.2021.00024"},{"key":"ref104","doi-asserted-by":"publisher","DOI":"10.1016\/j.compeleceng.2022.108261"},{"key":"ref105","doi-asserted-by":"publisher","DOI":"10.18280\/ijsse.110505"},{"key":"ref106","doi-asserted-by":"publisher","DOI":"10.1080\/00396338.2011.555586"},{"key":"ref107","volume-title":"W32.stuxnet dossier","author":"Nicolas","year":"2011"},{"key":"ref108","doi-asserted-by":"publisher","DOI":"10.1016\/j.ijcip.2022.100521"},{"key":"ref109","doi-asserted-by":"crossref","DOI":"10.1007\/978-3-030-29608-7","volume-title":"Information Systems: Research, Development, Applications, Education","volume":"359","author":"Wrycza","year":"2019"},{"key":"ref110","article-title":"Hopper: Modeling and detecting lateral movement (extended report)","author":"Ho","year":"2021"},{"key":"ref111","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2021.3101649"},{"key":"ref112","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2020.2971484"},{"key":"ref113","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2022.24107"},{"key":"ref114","volume-title":"VUL-RAG: Enhancing LLM-based vulnerability detection via knowledge-level RAG","author":"Du","year":"2024"},{"key":"ref115","first-page":"5913","article-title":"ChainReactor: Automated privilege escalation chain discovery via AI planning","volume-title":"Proc. 33rd USENIX Security Symp. (USENIX Security)","author":"Pasquale"},{"key":"ref116","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2022.23156"},{"key":"ref117","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2023.24944"},{"key":"ref118","doi-asserted-by":"publisher","DOI":"10.1145\/3605770.3625211"},{"key":"ref119","doi-asserted-by":"publisher","DOI":"10.1016\/j.inffus.2024.102748"},{"key":"ref120","doi-asserted-by":"publisher","DOI":"10.3390\/fi13040086"},{"key":"ref121","doi-asserted-by":"publisher","DOI":"10.1016\/j.iot.2022.100505"},{"key":"ref122","doi-asserted-by":"publisher","DOI":"10.1109\/TII.2022.3192027"},{"key":"ref123","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-32001-4_58-1"},{"key":"ref124","doi-asserted-by":"publisher","DOI":"10.1080\/1206212X.2018.1501937"},{"key":"ref125","doi-asserted-by":"publisher","DOI":"10.1080\/00949655.2018.1505197"},{"key":"ref126","doi-asserted-by":"publisher","DOI":"10.1002\/widm.1449"},{"key":"ref127","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3423355"},{"key":"ref128","volume-title":"Association analysis: Basic concepts and algorithms","author":"Xiong","year":"2005"},{"key":"ref129","doi-asserted-by":"publisher","DOI":"10.1145\/3488932.3517398"},{"key":"ref130","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.3021499"},{"key":"ref131","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00026"},{"key":"ref132","doi-asserted-by":"publisher","DOI":"10.3390\/app11219899"},{"key":"ref133","doi-asserted-by":"publisher","DOI":"10.3390\/s20030731"},{"key":"ref134","doi-asserted-by":"publisher","DOI":"10.1109\/GLOBECOM46510.2021.9685643"},{"key":"ref135","doi-asserted-by":"publisher","DOI":"10.1109\/GLOBECOM48099.2022.10000811"},{"key":"ref136","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560580"},{"key":"ref137","volume-title":"Explainable AI: Current status and future directions","author":"Gohel","year":"2021"},{"key":"ref138","volume-title":"Protecting the software supply chain: Deep insights into the ccleaner backdoor","author":"Sood","year":"2017"},{"key":"ref139","volume-title":"Oilrig attack graphs: Emulating the iranian threat actor\u2019s global campaigns","author":"Guibernau","year":"2022"},{"key":"ref140","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-SEIP52600.2021.00020"},{"key":"ref141","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2023.111902"},{"key":"ref142","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00034"},{"key":"ref143","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2018.2858786"},{"key":"ref144","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2023.122398"},{"key":"ref145","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2022.3194319"},{"key":"ref146","doi-asserted-by":"publisher","DOI":"10.1109\/MILCOM52596.2021.9653024"},{"key":"ref147","doi-asserted-by":"publisher","DOI":"10.1198\/tech.2007.s509"},{"key":"ref148","doi-asserted-by":"publisher","DOI":"10.1146\/annurev.publhealth.20.1.145"},{"key":"ref149","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-46263-9_9"},{"key":"ref150","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2930200"},{"key":"ref151","doi-asserted-by":"publisher","DOI":"10.1007\/BF02089230"},{"key":"ref152","doi-asserted-by":"publisher","DOI":"10.1016\/S0025-5564(02)00096-2"},{"key":"ref153","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24046"},{"key":"ref154","volume-title":"Operationally transparent cyber (OPTC)","author":"Arantes","year":"2021"},{"key":"ref155","first-page":"1","article-title":"Anomaly detection in continuous-time temporal provenance graphs","volume-title":"Proc. Temporal Graph Learn. Workshop @ NeurIPS","author":"Reha"},{"key":"ref156","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2022.23064"},{"key":"ref157","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2023.3300300"},{"key":"ref158","doi-asserted-by":"publisher","DOI":"10.1016\/j.ins.2023.119838"},{"key":"ref159","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2021.3057446"},{"key":"ref160","doi-asserted-by":"publisher","DOI":"10.1016\/j.tics.2020.09.004"},{"key":"ref161","doi-asserted-by":"publisher","DOI":"10.1186\/s40537-024-00928-3"},{"key":"ref162","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2023.3263676"}],"container-title":["IEEE Internet of Things Journal"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/6488907\/10918322\/10838587.pdf?arnumber=10838587","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,3,14]],"date-time":"2025-03-14T02:39:36Z","timestamp":1741919976000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/10838587\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,3,15]]},"references-count":162,"journal-issue":{"issue":"6"},"URL":"https:\/\/doi.org\/10.1109\/jiot.2025.3528744","relation":{"has-preprint":[{"id-type":"doi","id":"10.36227\/techrxiv.170594149.97651781\/v1","asserted-by":"object"}]},"ISSN":["2327-4662","2372-2541"],"issn-type":[{"value":"2327-4662","type":"electronic"},{"value":"2372-2541","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,3,15]]}}}