{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,10]],"date-time":"2026-03-10T15:39:11Z","timestamp":1773157151630,"version":"3.50.1"},"reference-count":116,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"10","license":[{"start":{"date-parts":[[2018,10,1]],"date-time":"2018-10-01T00:00:00Z","timestamp":1538352000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"}],"funder":[{"name":"ARO","award":["W911NF-15-1-0576"],"award-info":[{"award-number":["W911NF-15-1-0576"]}]},{"name":"ARO","award":["W911NF-13-1-0421 (MURI)"],"award-info":[{"award-number":["W911NF-13-1-0421 (MURI)"]}]},{"name":"ARO","award":["CNS-1422594"],"award-info":[{"award-number":["CNS-1422594"]}]},{"DOI":"10.13039\/100000161","name":"NIST","doi-asserted-by":"crossref","award":["60NANB17D279"],"award-info":[{"award-number":["60NANB17D279"]}],"id":[{"id":"10.13039\/100000161","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans.Inform.Forensic Secur."],"published-print":{"date-parts":[[2018,10]]},"DOI":"10.1109\/tifs.2018.2821095","type":"journal-article","created":{"date-parts":[[2018,3,29]],"date-time":"2018-03-29T18:04:20Z","timestamp":1522346660000},"page":"2506-2521","source":"Crossref","is-referenced-by-count":126,"title":["Using Bayesian Networks for Probabilistic Identification of Zero-Day Attack 
Paths"],"prefix":"10.1109","volume":"13","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0321-2338","authenticated-orcid":false,"given":"Xiaoyan","family":"Sun","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6890-6429","authenticated-orcid":false,"given":"Jun","family":"Dai","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5091-8464","authenticated-orcid":false,"given":"Peng","family":"Liu","sequence":"additional","affiliation":[]},{"given":"Anoop","family":"Singhal","sequence":"additional","affiliation":[]},{"given":"John","family":"Yen","sequence":"additional","affiliation":[]}],"member":"263","reference":[{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1145\/1165389.945454"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1109\/ISCC.2000.860604"},{"key":"ref33","article-title":"Dapper, a large-scale distributed systems tracing infrastructure","author":"sigelman","year":"2010"},{"key":"ref32","article-title":"So, you want to trace your distributed system? 
Key design insights from years of practical experience","author":"sambasivan","year":"2014"},{"key":"ref31","first-page":"1111","article-title":"MPI: Multiple perspective attack investigation with semantics aware execution partitioning","author":"ma","year":"2017","journal-title":"Proc USENIX Security07"},{"key":"ref30","first-page":"1","article-title":"High accuracy attack provenance via binary-based execution partition","author":"lee","year":"2013","journal-title":"Proc NDSS"},{"key":"ref37","year":"2018","journal-title":"Zipkin A Distributed Tracing System"},{"key":"ref36","year":"2018","journal-title":"Apache HTrace"},{"key":"ref35","year":"2018","journal-title":"Compuware"},{"key":"ref34","year":"2018","journal-title":"AppNeta TraceView"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1145\/2365864.2151042"},{"key":"ref27","first-page":"487","article-title":"SLEUTH: Real-time attack scenario reconstruction from COTS audit data","author":"hossain","year":"2017","journal-title":"Proc USENIX Security07"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1145\/2666356.2594299"},{"key":"ref20","first-page":"43","article-title":"Provenance-aware storage systems","author":"m -reddy","year":"2006","journal-title":"Proc USENIX ATC"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-35170-9_6"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1007\/11890850_18"},{"key":"ref24","first-page":"319","article-title":"Trustworthy whole-system provenance for the linux kernel","author":"bates","year":"2015","journal-title":"Proc USENIX Security07"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1145\/2420950.2420989"},{"key":"ref101","doi-asserted-by":"publisher","DOI":"10.1145\/1456362.1456368"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23350"},{"key":"ref100","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-66505-4_1"},{"key":"ref25","first-page":"38","article-title":"Provenance-aware tracing 
of worm break-in and contaminations: A process coloring approach","author":"kiang","year":"2006","journal-title":"Proc ICDCS"},{"key":"ref50","first-page":"1","article-title":"Path-based failure and evolution management","author":"chen","year":"2004","journal-title":"Proc NSDI"},{"key":"ref51","first-page":"9","article-title":"Pip: Detecting the unexpected in distributed systems","author":"reynolds","year":"2006","journal-title":"Proc NSDI"},{"key":"ref59","first-page":"263","article-title":"Making information flow explicit in HiStar","author":"zeldovich","year":"2006","journal-title":"Proc OSDI"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1145\/2815400.2815415"},{"key":"ref57","first-page":"1","article-title":"Diagnosing performance changes by comparing request flows","author":"sambasivan","year":"2011","journal-title":"Proc NSDI"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1145\/1658939.1658966"},{"key":"ref55","article-title":"Constellation: Automated discovery of service and host dependencies in networked systems","author":"barham","year":"2008"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1145\/1272996.1273001"},{"key":"ref53","first-page":"20","article-title":"X-Trace: A pervasive network tracing framework","author":"fonseca","year":"2007","journal-title":"Proc NSDI"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1145\/1140277.1140280"},{"key":"ref40","first-page":"1","article-title":"Discovering dependencies for network management","author":"bahl","year":"2006","journal-title":"Proc HOTNETS"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2009.52"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1145\/1165389.945467"},{"key":"ref6","year":"2018","journal-title":"Tripwire"},{"key":"ref5","year":"2018","journal-title":"SNORT"},{"key":"ref8","year":"2018","journal-title":"Graphviz"},{"key":"ref49","first-page":"18","article-title":"Using Magpie for request extraction and workload 
modelling","author":"barham","year":"2004","journal-title":"Proc OSDI"},{"key":"ref7","year":"2018","journal-title":"SAMI"},{"key":"ref9","year":"2018","journal-title":"Wireshark"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1109\/INFCOM.2012.6195642"},{"key":"ref45","first-page":"117","article-title":"Automating network application dependency discovery: Experiences, limitations, and new solutions","author":"chen","year":"2008","journal-title":"Proc USENIX OSDI"},{"key":"ref48","first-page":"85","article-title":"Magpie: Online Modelling and Performance-aware Systems","author":"barham","year":"2003","journal-title":"Proc HotOS"},{"key":"ref47","first-page":"181","article-title":"On the accurate identification of network service dependencies in distributed systems","author":"peddycord","year":"2012","journal-title":"Proc LISA"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1145\/1282427.1282383"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1145\/1135777.1135830"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1145\/1402946.1402970"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-75694-1_10"},{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.1016\/S1389-1286(99)00112-7"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1145\/1410234.1410238"},{"key":"ref71","doi-asserted-by":"publisher","DOI":"10.1007\/11760146_24"},{"key":"ref70","first-page":"1","article-title":"Enriching intrusion alerts through multi-host causality","author":"king","year":"2005","journal-title":"Proc 
NDSS"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.3233\/JCS-980109"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.1999.766910"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.1996.502675"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1109\/52.605929"},{"key":"ref78","doi-asserted-by":"publisher","DOI":"10.1117\/12.371246"},{"key":"ref79","first-page":"144","article-title":"A fast automaton-based method for detecting anomalous program behaviors","author":"sekar","year":"2000","journal-title":"Proc s of the IEEE"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1145\/1323293.1294293"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.1145\/2613087.2613110"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1145\/2043621.2043624"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1145\/2818000.2818011"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315261"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-45474-8_6"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-45474-8_4"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-45248-5_5"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.1145\/948134.948137"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1109\/CNS.2016.7860471"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2004.11"},{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-40203-6_30"},{"key":"ref109","doi-asserted-by":"publisher","DOI":"10.1145\/1029208.1029225"},{"key":"ref95","first-page":"211","article-title":"Using Bayesian networks for cyber security analysis","author":"xie","year":"2010","journal-title":"Proc DSN"},{"key":"ref108","doi-asserted-by":"publisher","DOI":"10.1109\/DISCEX.2001.932182"},{"key":"ref94","first-page":"1","article-title":"An efficient approach to assessing the risk of zero-day 
vulnerabilities","author":"albanese","year":"2013","journal-title":"Proc SECRYPT"},{"key":"ref107","doi-asserted-by":"publisher","DOI":"10.1145\/310889.310919"},{"key":"ref93","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-15497-3_35"},{"key":"ref106","doi-asserted-by":"publisher","DOI":"10.1109\/CSFW.2002.1021806"},{"key":"ref92","author":"kruegel","year":"2005","journal-title":"Intrusion Detection and Correlation Challenges and Solutions"},{"key":"ref105","doi-asserted-by":"publisher","DOI":"10.3233\/JCS-2002-101-209"},{"key":"ref91","doi-asserted-by":"publisher","DOI":"10.1145\/586143.586146"},{"key":"ref104","article-title":"Tools for generating and analyzing attack graphs","author":"sheyner","year":"2003","journal-title":"Proc Symp Formal Methods for Components and Objects"},{"key":"ref90","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-45474-8_11"},{"key":"ref103","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.2002.1004377"},{"key":"ref102","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2011.34"},{"key":"ref111","doi-asserted-by":"publisher","DOI":"10.1145\/586139.586140"},{"key":"ref112","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2006.39"},{"key":"ref110","doi-asserted-by":"publisher","DOI":"10.1007\/0-387-24230-9_9"},{"key":"ref98","doi-asserted-by":"publisher","DOI":"10.1109\/DepCoS-RELCOMEX.2008.52"},{"key":"ref99","doi-asserted-by":"publisher","DOI":"10.1109\/ISI.2007.379535"},{"key":"ref96","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2003.1254306"},{"key":"ref97","first-page":"1","article-title":"Active platform security through intrusion detection using naive Bayesian network for anomaly detection","author":"sebyala","year":"2002","journal-title":"Proc London Commun 
Symp"},{"key":"ref10","year":"2018","journal-title":"Ntop"},{"key":"ref11","year":"2018","journal-title":"CVE-2008-0166"},{"key":"ref12","year":"2018","journal-title":"CVE-2009-2692"},{"key":"ref13","year":"2018","journal-title":"CVE-2011-4089"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1016\/j.artint.2010.05.007"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1109\/ICPADS.2006.96"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1016\/S0004-3702(00)00069-2"},{"key":"ref82","doi-asserted-by":"publisher","DOI":"10.1145\/948143.948144"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382284"},{"key":"ref81","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.2003.1199328"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1145\/1095809.1095826"},{"key":"ref84","first-page":"1","article-title":"Learning rules from system call arguments and sequences for anomaly detection","author":"tandon","year":"2003","journal-title":"Proc ICDM DMSEC"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1109\/ICDCSW.2005.62"},{"key":"ref83","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-39650-5_19"},{"key":"ref114","doi-asserted-by":"publisher","DOI":"10.1145\/1180405.1180446"},{"key":"ref113","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2003.1254313"},{"key":"ref116","doi-asserted-by":"publisher","DOI":"10.1145\/2076732.2076738"},{"key":"ref80","first-page":"156","article-title":"Intrusion detection via static analysis","author":"wagner","year":"2000","journal-title":"Proc s of the IEEE"},{"key":"ref115","first-page":"8","article-title":"MulVAL: A logic-based network security analyzer","author":"ou","year":"2005","journal-title":"Proc USENIX 
Security07"},{"key":"ref89","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.1997.601332"},{"key":"ref85","doi-asserted-by":"publisher","DOI":"10.1145\/1030083.1030126"},{"key":"ref86","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2006.12"},{"key":"ref87","doi-asserted-by":"publisher","DOI":"10.1145\/2808769.2808773"},{"key":"ref88","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813654"}],"container-title":["IEEE Transactions on Information Forensics and Security"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/10206\/8356020\/08327913.pdf?arnumber=8327913","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,1,12]],"date-time":"2022-01-12T16:12:28Z","timestamp":1642003948000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/8327913\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,10]]},"references-count":116,"journal-issue":{"issue":"10"},"URL":"https:\/\/doi.org\/10.1109\/tifs.2018.2821095","relation":{},"ISSN":["1556-6013","1556-6021"],"issn-type":[{"value":"1556-6013","type":"print"},{"value":"1556-6021","type":"electronic"}],"subject":[],"published":{"date-parts":[[2018,10]]}}}