{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,2]],"date-time":"2026-04-02T04:23:38Z","timestamp":1775103818603,"version":"3.50.1"},"reference-count":50,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T00:00:00Z","timestamp":1640995200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T00:00:00Z","timestamp":1640995200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T00:00:00Z","timestamp":1640995200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/501100012166","name":"National Key Research and Development Program of China","doi-asserted-by":"publisher","award":["2018YFB1800200"],"award-info":[{"award-number":["2018YFB1800200"]}],"id":[{"id":"10.13039\/501100012166","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"NSFC","doi-asserted-by":"publisher","award":["62002009"],"award-info":[{"award-number":["62002009"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans.Inform.Forensic Secur."],"published-print":{"date-parts":[[2022]]},"DOI":"10.1109\/tifs.2022.3208815","type":"journal-article","created":{"date-parts":[[2022,9,22]],"date-time":"2022-09-22T22:55:48Z","timestamp":1663887348000},"page":"3972-3987","source":"Crossref","is-referenced-by-count":163,"title":["THREATRACE: Detecting and Tracing Host-Based Threats in Node Level Through Provenance Graph Learning"],"prefix":"10.1109","volume":"17","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-7094-8890","authenticated-orcid":false,"given":"Su","family":"Wang","sequence":"first","affiliation":[{"name":"Department of Computer Science and Technology, BNRist, Tsinghua University, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6587-820X","authenticated-orcid":false,"given":"Zhiliang","family":"Wang","sequence":"additional","affiliation":[{"name":"Institute for Network Sciences and Cyberspace, BNRist, Tsinghua University, Beijing, China"}]},{"given":"Tao","family":"Zhou","sequence":"additional","affiliation":[{"name":"Alibaba Group, Hangzhou, China"}]},{"given":"Hongbin","family":"Sun","sequence":"additional","affiliation":[{"name":"Institute for Network Sciences and Cyberspace, BNRist, Tsinghua University, Beijing, China"}]},{"given":"Xia","family":"Yin","sequence":"additional","affiliation":[{"name":"Department of Computer Science and Technology, BNRist, Tsinghua University, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0807-5934","authenticated-orcid":false,"given":"Dongqi","family":"Han","sequence":"additional","affiliation":[{"name":"Institute for Network Sciences and Cyberspace, BNRist, Tsinghua University, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4429-9959","authenticated-orcid":false,"given":"Han","family":"Zhang","sequence":"additional","affiliation":[{"name":"Institute for Network Sciences and Cyberspace, BNRist, Tsinghua University, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6487-9526","authenticated-orcid":false,"given":"Xingang","family":"Shi","sequence":"additional","affiliation":[{"name":"Institute for Network Sciences and Cyberspace, BNRist, Tsinghua University, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6109-6737","authenticated-orcid":false,"given":"Jiahai","family":"Yang","sequence":"additional","affiliation":[{"name":"Institute for Network Sciences and Cyberspace, BNRist, Tsinghua University, Beijing, China"}]}],"member":"263","reference":[{"key":"ref39","year":"2016","journal-title":"Data Streams"},{"key":"ref38","year":"2020","journal-title":"Logdeep"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1145\/3127479.3129249"},{"key":"ref32","year":"2020","journal-title":"How Many Alerts is Too Many to Handle?"},{"key":"ref31","author":"keromytis","year":"2018","journal-title":"Transparent computing engagement 3 data release"},{"key":"ref30","first-page":"3005","article-title":"Atlas: A sequence-based learning approach for attack investigation","author":"alsaheel","year":"2021","journal-title":"Proc 30th USENIX Secur Symp (USENIX Security)"},{"key":"ref37","year":"2020","journal-title":"DeepLogin"},{"key":"ref36","author":"xia","year":"2020","journal-title":"ISF"},{"key":"ref35","author":"emaad","year":"2020","journal-title":"Sbustreamspot-Core"},{"key":"ref34","author":"han","year":"2021","journal-title":"Unicorn"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23254"},{"key":"ref27","first-page":"487","article-title":"Sleuth: Real-time attack scenario reconstruction from COTS audit data","author":"hossain","year":"2017","journal-title":"Proc 26th USENIX Secur Symp (USENIX Security)"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00064"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363217"},{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2018.03.001"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2018.2867595"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1145\/3338906.3338931"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134015"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813654"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-34637-9_5"},{"key":"ref26","first-page":"257","article-title":"Detecting lateral movement in enterprise computer networks with unsupervised graph ai","author":"bowman","year":"2020","journal-title":"Proc 23rd Int Symp Res Attacks Intrusions Defenses (RAID)"},{"key":"ref25","first-page":"144","article-title":"A fast automaton-based method for detecting anomalous program behaviors","author":"sekar","year":"2000","journal-title":"Proc IEEE Symp Secur Privacy"},{"key":"ref50","article-title":"Power up! Robust graph convolutional network via graph powering","author":"jin","year":"2019","journal-title":"arXiv 1905 10029"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23349"},{"key":"ref11","first-page":"1024","article-title":"Inductive representation learning on large graphs","author":"hamilton","year":"2017","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref40","article-title":"Systemtap: Instrumenting the Linux kernel for analyzing performance and functional problems","volume":"116","author":"jacob","year":"2008"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v33i01.33018303"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/P18-1187"},{"key":"ref14","first-page":"8870","article-title":"Retrosynthesis prediction with conditional graph logic network","author":"dai","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1007\/s11227-016-1850-4"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363224"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1155\/2021\/9961342"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833669"},{"key":"ref19","year":"2019","journal-title":"Novelty Detection with Local Outlier Factor"},{"key":"ref4","first-page":"1","article-title":"Mining data provenance to detect advanced persistent threats","author":"barre","year":"2019","journal-title":"Proc 11th Int Workshop Theory Pract Provenance (TAPP)"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00026"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1145\/2939672.2939783"},{"key":"ref5","first-page":"1","article-title":"Aggregating unsupervised provenance anomaly detectors","author":"berrada","year":"2019","journal-title":"Proc 11th Int Workshop Theory Pract Provenance (TAPP)"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24167"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24046"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1145\/3292500.3330851"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00096"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1145\/507338.507355"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.25"},{"key":"ref48","first-page":"1523","article-title":"Graph backdoor","author":"xi","year":"2021","journal-title":"Proc 30th USENIX Secur Symp (USENIX Security)"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1145\/3336191.3371851"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2019\/872"},{"key":"ref41","author":"han","year":"2019","journal-title":"Shellshock-Apt"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1109\/TKDE.2022.3201243"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354206"}],"container-title":["IEEE Transactions on Information Forensics and Security"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/10206\/9652463\/09899459.pdf?arnumber=9899459","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,12,19]],"date-time":"2022-12-19T19:44:52Z","timestamp":1671479092000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9899459\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022]]},"references-count":50,"URL":"https:\/\/doi.org\/10.1109\/tifs.2022.3208815","relation":{},"ISSN":["1556-6013","1556-6021"],"issn-type":[{"value":"1556-6013","type":"print"},{"value":"1556-6021","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022]]}}}