{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,9]],"date-time":"2026-06-09T06:24:49Z","timestamp":1780986289928,"version":"3.54.1"},"reference-count":75,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"1","license":[{"start":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T00:00:00Z","timestamp":1640995200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T00:00:00Z","timestamp":1640995200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T00:00:00Z","timestamp":1640995200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans. Dependable and Secure Comput."],"published-print":{"date-parts":[[2022,1,1]]},"DOI":"10.1109\/tdsc.2020.2971484","type":"journal-article","created":{"date-parts":[[2020,2,3]],"date-time":"2020-02-03T20:43:16Z","timestamp":1580762596000},"page":"551-565","source":"Crossref","is-referenced-by-count":123,"title":["Conan: A Practical Real-Time APT Detection System With High Accuracy and Efficiency"],"prefix":"10.1109","volume":"19","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-4426-3585","authenticated-orcid":false,"given":"Chunlin","family":"Xiong","sequence":"first","affiliation":[{"name":"College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8657-662X","authenticated-orcid":false,"given":"Tiantian","family":"Zhu","sequence":"additional","affiliation":[{"name":"College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, Zhejiang, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9172-8053","authenticated-orcid":false,"given":"Weihao","family":"Dong","sequence":"additional","affiliation":[{"name":"College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1934-3057","authenticated-orcid":false,"given":"Linqi","family":"Ruan","sequence":"additional","affiliation":[{"name":"College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4183-4568","authenticated-orcid":false,"given":"Runqing","family":"Yang","sequence":"additional","affiliation":[{"name":"College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6277-340X","authenticated-orcid":false,"given":"Yueqiang","family":"Cheng","sequence":"additional","affiliation":[{"name":"Baidu Security, Sunnyvale, CA, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Yan","family":"Chen","sequence":"additional","affiliation":[{"name":"Department of Electrical Engineering and Computer Science, Northwestern University, Evanston, IL, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Shuai","family":"Cheng","sequence":"additional","affiliation":[{"name":"College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9201-3893","authenticated-orcid":false,"given":"Xutong","family":"Chen","sequence":"additional","affiliation":[{"name":"Department of Electrical Engineering and Computer Science, Northwestern University, Evanston, IL, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"263","reference":[{"key":"ref1","article-title":"2019 fireeye annual report"},{"key":"ref2","article-title":"Cuckoo sandbox"},{"key":"ref3","first-page":"1","article-title":"Enriching intrusion alerts through multi-host causality","volume-title":"Proc. Netw. Distrib. Syst. Secur. Symp.","author":"King"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1145\/1165389.945467"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1145\/2818000.2818039"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-35170-9_6"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1145\/1095809.1095826"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1109\/ICDCSW.2005.62"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1007\/11890850_18"},{"key":"ref10","first-page":"319","article-title":"Trustworthy whole-system provenance for the linux kernel","volume-title":"Proc. USENIX Secur. Symp.","author":"Bates"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1145\/2420950.2420989"},{"key":"ref12","first-page":"367","article-title":"Marionette: A programmable network traffic obfuscation system","volume-title":"Proc. 24th USENIX Secur. Symp.","author":"Dyer"},{"key":"ref13","first-page":"1","article-title":"EXPOSURE: Finding malicious domains using passive DNS analysis","volume-title":"Proc. Netw. Distrib. Syst. Secur. Symp.","author":"Bilge"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.2001.924294"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.2001.924296"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23262"},{"key":"ref17","first-page":"255","article-title":"K-tracer: A system for extracting kernel malware behavior","volume-title":"Proc. Netw. Distrib. Syst. Secur. Symp.","author":"Lanzi"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-59608-2_1"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1016\/j.chb.2015.01.039"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1145\/2939672.2939783"},{"key":"ref21","first-page":"487","article-title":"Sleuth: Real-time attack scenario reconstruction from cots audit data","volume-title":"Proc. USENIX Secur.","author":"Hossain"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00026"},{"key":"ref23","article-title":"MITRE ATT&CK"},{"key":"ref24","article-title":"M-trends reports"},{"issue":"1","key":"ref25","article-title":"Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains","volume":"1","author":"Hutchins","year":"2011","journal-title":"Leading Issues Inf. Warfare Secur. Res."},{"key":"ref26","first-page":"1723","article-title":"Dependence-preserving data compaction for scalable forensic analysis","volume-title":"Proc. 27th USENIX Secur. Symp.","author":"Hossain"},{"key":"ref27","article-title":"Frappuccino: Fault-detection through runtime analysis of provenance","volume-title":"Proc. 9th USENIX Workshop Hot Topics Cloud Comput.","author":"Han"},{"key":"ref28","first-page":"1","article-title":"Provenance-based intrusion detection: Opportunities and challenges","volume-title":"Proc. 10th USENIX Workshop Theory Practice Provenance","author":"Han"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1145\/3229329.3229332"},{"key":"ref30","article-title":"2016-enterprise-phishing-susceptibility-report"},{"key":"ref31","article-title":"Return-oriented programming: Exploits without code injection","author":"Shacham","year":"2008"},{"key":"ref32","article-title":"Control flow enforcement technology preview"},{"key":"ref33","first-page":"63","article-title":"Stackguard: Automatic adaptive detection and prevention of buffer-overflow attacks","volume-title":"Proc. USENIX Secur. Symp.","author":"Cowan"},{"key":"ref34","article-title":"Transparent runtime shadow stack: Protection against malicious return address modifications","author":"Sinnadurai","year":"2008"},{"key":"ref35","article-title":"A stack smashing technique protection tool for linux","author":"Vendicator","year":"2000"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1145\/1920261.1920269"},{"key":"ref37","article-title":"Tactics, techniques, and procedures"},{"key":"ref38","article-title":"APT notes"},{"key":"ref39","article-title":"APT1"},{"key":"ref40","article-title":"APT38"},{"key":"ref41","article-title":"Permissions overview"},{"key":"ref42","article-title":"Memory-based attacks are on the rise: How to stop them"},{"key":"ref43","article-title":"What is a fileless attack"},{"key":"ref44","article-title":"Ten process injection techniques"},{"key":"ref45","article-title":"Detecting reflective DLL loading with Windows Defender ATP"},{"key":"ref46","article-title":"Process injection in MITRE ATT&CK"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23350"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516731"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978378"},{"key":"ref50","doi-asserted-by":"crossref","article-title":"Ratscope: Recording and reconstructing missing rat semantic behaviors for forensic analysis on windows","author":"Yang","DOI":"10.1109\/TDSC.2020.3032570"},{"key":"ref51","first-page":"351","article-title":"Effective and efficient malware detection at the end host","volume-title":"Proc. USENIX Secur. Symp.","author":"Kolbitsch"},{"key":"ref52","article-title":"VirusTotal"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1145\/514191.514229"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.23919\/DATE.2018.8342089"},{"key":"ref55","article-title":"Various methods for capturing the screen"},{"key":"ref56","article-title":"A pattern matching model for misuse intrusion detection","author":"Kumar","year":"1994"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2005.05.002"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1201\/b16390"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1016\/j.aei.2005.05.004"},{"key":"ref60","first-page":"1","article-title":"Artificial neural networks for misuse detection","volume-title":"Proc. National Inf. Syst. Secur. Conf.","author":"Cannady"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1109\/IAW.2005.1495942"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.1996.502675"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.1999.766909"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.2001.924295"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1145\/1030083.1030126"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.1145\/948109.948144"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.25"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.1145\/3105761"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23254"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-40203-6_30"},{"key":"ref71","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2009.52"},{"key":"ref72","first-page":"43","article-title":"Provenance-aware storage systems","volume-title":"Proc. USENIX Annu. Tech. Conf. General Track","author":"Muniswamy-Reddy"},{"key":"ref73","first-page":"1","article-title":"High accuracy attack provenance via binary-based execution partition","volume-title":"Proc. Netw. Distrib. Syst. Secur. Symp.","author":"Lee"},{"key":"ref74","first-page":"1111","article-title":"MPI: Multiple perspective attack investigation with semantics aware execution partitioning","volume-title":"Proc. 26th USENIX Conf. Secur. Symp.","author":"Ma"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1145\/2666356.2594299"}],"container-title":["IEEE Transactions on Dependable and Secure Computing"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/8858\/9625881\/08979384.pdf?arnumber=8979384","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,4,24]],"date-time":"2024-04-24T17:36:04Z","timestamp":1713980164000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/8979384\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,1,1]]},"references-count":75,"journal-issue":{"issue":"1"},"URL":"https:\/\/doi.org\/10.1109\/tdsc.2020.2971484","relation":{},"ISSN":["1545-5971","1941-0018","2160-9209"],"issn-type":[{"value":"1545-5971","type":"print"},{"value":"1941-0018","type":"electronic"},{"value":"2160-9209","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,1,1]]}}}