{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,17]],"date-time":"2026-03-17T02:13:20Z","timestamp":1773713600670,"version":"3.50.1"},"reference-count":63,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"2","license":[{"start":{"date-parts":[[2026,3,1]],"date-time":"2026-03-01T00:00:00Z","timestamp":1772323200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2026,3,1]],"date-time":"2026-03-01T00:00:00Z","timestamp":1772323200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2026,3,1]],"date-time":"2026-03-01T00:00:00Z","timestamp":1772323200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["U22B2028"],"award-info":[{"award-number":["U22B2028"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62372410"],"award-info":[{"award-number":["62372410"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62002324"],"award-info":[{"award-number":["62002324"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Zhejiang Provincial Natural Science Foundation of China","award":["LQ21F020016"],"award-info":[{"award-number":["LQ21F020016"]}]},{"name":"Zhejiang Provincial Natural Science Foundation of 
China","award":["LZ23F020011"],"award-info":[{"award-number":["LZ23F020011"]}]},{"name":"The Fundamental Research Funds for the Provincial Universities of Zhejiang","award":["RF-A2023009"],"award-info":[{"award-number":["RF-A2023009"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans. Dependable and Secure Comput."],"published-print":{"date-parts":[[2026,3]]},"DOI":"10.1109\/tdsc.2025.3621434","type":"journal-article","created":{"date-parts":[[2025,10,14]],"date-time":"2025-10-14T17:42:48Z","timestamp":1760463768000},"page":"1865-1878","source":"Crossref","is-referenced-by-count":0,"title":["SParse: Semantic Tracking and Path Analysis for Attack Investigation in Real-Time"],"prefix":"10.1109","volume":"23","author":[{"ORCID":"https:\/\/orcid.org\/0009-0006-4293-5850","authenticated-orcid":false,"given":"Jie","family":"Ying","sequence":"first","affiliation":[{"name":"College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8657-662X","authenticated-orcid":false,"given":"Tiantian","family":"Zhu","sequence":"additional","affiliation":[{"name":"College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1690-164X","authenticated-orcid":false,"given":"Wenrui","family":"Cheng","sequence":"additional","affiliation":[{"name":"College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3360-4025","authenticated-orcid":false,"given":"Qixuan","family":"Yuan","sequence":"additional","affiliation":[{"name":"College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, China"}]},{"given":"Mingjun","family":"Ma","sequence":"additional","affiliation":[{"name":"College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, 
China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4426-3585","authenticated-orcid":false,"given":"Chunlin","family":"Xiong","sequence":"additional","affiliation":[{"name":"China Unicom (Guangdong) Industrial Internet Company, Ltd., Guangzhou, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4664-3311","authenticated-orcid":false,"given":"Tieming","family":"Chen","sequence":"additional","affiliation":[{"name":"College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4810-7491","authenticated-orcid":false,"given":"Mingqi","family":"Lv","sequence":"additional","affiliation":[{"name":"College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4103-1498","authenticated-orcid":false,"given":"Yan","family":"Chen","sequence":"additional","affiliation":[{"name":"Department of Electrical Engineering and Computer Science, Northwestern University, Evanston, IL, USA"}]}],"member":"263","reference":[{"key":"ref1","article-title":"What Twitter\u2019s 200 million-user email leak actually means","year":"2024"},{"key":"ref2","article-title":"Mitre att&ck","year":"2024"},{"key":"ref3","article-title":"System administration utilities","year":"2024"},{"key":"ref4","article-title":"About event tracing","year":"2024"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-35170-9_6"},{"key":"ref6","first-page":"241","article-title":"Kernel-supported cost-effective audit logging for causality tracking","volume-title":"Proc. USENIX Conf. Usenix Annu. Tech. Conf.","author":"Ma","year":"2018"},{"key":"ref7","first-page":"319","article-title":"Trustworthy whole-system provenance for the Linux kernel","volume-title":"Proc. 24th USENIX Conf. Secur. 
Symp.","author":"Bates","year":"2015"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1109\/sp46215.2023.10179405"},{"key":"ref9","first-page":"1","article-title":"High accuracy attack provenance via binary-based execution partition","volume-title":"Proc. Netw. Distrib. Syst. Secur.","volume":"16","author":"Lee","year":"2013"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243763"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978378"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00026"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00096"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2020.2971484"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2023.3243667"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3623187"},{"key":"ref17","first-page":"2461","article-title":"Back-propagating system dependency impact for attack investigation","volume-title":"Proc. 31th USENIX Secur. Symp.","author":"Fang","year":"2022"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23349"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23254"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1145\/3427228.3427255"},{"key":"ref21","first-page":"3005","article-title":"ATLAS: A sequence-based learning approach for attack investigation","volume-title":"Proc. 30th USENIX Secur. 
Symp.","author":"Alsaheel","year":"2021"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833632"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24549"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.3390\/electronics13050945"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00139"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00005"},{"key":"ref27","first-page":"6575","article-title":"DISTDET: A Cost-Effective distributed cyber threat detection system","volume-title":"Proc. 32nd USENIX Secur. Symp.","volume":"23","author":"Dong","year":"2023"},{"key":"ref28","first-page":"5197","article-title":"MAGIC: Detecting advanced persistent threats via masked graph representation learning","volume-title":"Proc. 33rd USENIX Secur. Symp.","volume":"24","author":"Jia","year":"2024"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00253"},{"key":"ref30","article-title":"Lateral movement","year":"2024"},{"key":"ref31","article-title":"Apt notes","year":"2024"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23306"},{"key":"ref33","first-page":"113","article-title":"AIQL: Enabling efficient attack investigation from system monitoring data","volume-title":"Proc. USENIX Conf. Usenix Annu. Tech. 
Conf.","author":"Gao","year":"2018"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23350"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1145\/1165389.945467"},{"key":"ref36","article-title":"Darpa","year":"2024"},{"key":"ref37","article-title":"Darap3 transparent engagement 3","year":"2023"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2021.3076288"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1109\/ICDE51399.2021.00024"},{"key":"ref40","first-page":"639","article-title":"SAQL: A stream-based query system for real-time abnormal system behavior detection","volume-title":"Proc. 27th USENIX Conf. Secur. Symp.","author":"Gao","year":"2018"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1145\/586110.586145"},{"key":"ref42","volume-title":"Introduction to Computer Security","volume":"50","author":"Bishop","year":"2005"},{"key":"ref43","volume-title":"Intrusion Detection and Correlation: Challenges and Solutions","volume":"14","author":"Kruegel","year":"2004"},{"key":"ref44","article-title":"Insider threat monitoring software","year":"2023"},{"key":"ref45","article-title":"Auditd","year":"2023"},{"key":"ref46","article-title":"Lttng","year":"2023"},{"key":"ref47","article-title":"Sysdig","year":"2023"},{"key":"ref48","article-title":"Redhat","year":"2023"},{"key":"ref49","article-title":"Exploit database","year":"2024"},{"key":"ref50","article-title":"Cyber kill chain","year":"2023"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1145\/2991079.2991122"},{"key":"ref52","first-page":"487","article-title":"SLEUTH: Real-time attack scenario reconstruction from cots audit data","volume-title":"Proc. 26th USENIX Conf. Secur. Symp.","author":"Hossain","year":"2017"},{"key":"ref53","first-page":"89","article-title":"Intrusion recovery using selective re-execution","volume-title":"Proc. 9th USENIX Conf. Operating Syst. Des. 
Implementation","author":"Kim","year":"2010"},{"key":"ref54","first-page":"1723","article-title":"Dependence-preserving data compaction for scalable forensic analysis","volume-title":"Proc. 27th USENIX Conf. Secur. Symp.","author":"Hossain","year":"2018"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1145\/3427228.3427272"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1145\/3427228.3427255"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2019\/522"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24046"},{"key":"ref59","article-title":"Carbon black","year":"2018"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1088\/1742-5468\/2008\/10\/P10008"},{"key":"ref61","article-title":"New router malware with destructive capabilities","year":"2018"},{"key":"ref62","article-title":"Ebay Inc. to ask Ebay users to change pass-words","year":"2014"},{"key":"ref63","article-title":"Schneier security: Router vulnerability the vpnfilter botnet","year":"2018"}],"container-title":["IEEE Transactions on Dependable and Secure Computing"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/8858\/11434575\/11202708.pdf?arnumber=11202708","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,3,17]],"date-time":"2026-03-17T01:16:29Z","timestamp":1773710189000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11202708\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,3]]},"references-count":63,"journal-issue":{"issue":"2"},"URL":"https:\/\/doi.org\/10.1109\/tdsc.2025.3621434","relation":{},"ISSN":["1545-5971","1941-0018","2160-9209"],"issn-type":[{"value":"1545-5971","type":"print"},{"value":"1941-0018","type":"electronic"},{"value":"2160-9209","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,3]]}}}