{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,23]],"date-time":"2025-12-23T18:40:54Z","timestamp":1766515254370,"version":"3.48.0"},"reference-count":43,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/501100012245","name":"Science and Technology Planning Project of Guangdong Province","doi-asserted-by":"publisher","award":["2024B0101030002"],"award-info":[{"award-number":["2024B0101030002"]}],"id":[{"id":"10.13039\/501100012245","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["6212780016"],"award-info":[{"award-number":["6212780016"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Ministry of Industry and Information Technology of China"},{"name":"National Key Research and Development Program of China","award":["2023YFB3307500"],"award-info":[{"award-number":["2023YFB3307500"]}]},{"DOI":"10.13039\/501100001809","name":"Science and Technology Innovation Project of Hunan Province","doi-asserted-by":"publisher","award":["2023RC4014"],"award-info":[{"award-number":["2023RC4014"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans.Inform.Forensic Secur."],"published-print":{"date-parts":[[2025]]},"DOI":"10.1109\/tifs.2025.3601381","type":"journal-article","created":{"date-parts":[[2025,8,21]],"date-time":"2025-08-21T18:29:25Z","timestamp":1755800965000},"page":"9463-9476","source":"Crossref","is-referenced-by-count":0,"title":["TeRed: Normal Behavior-Based Efficient Provenance Graph Reduction for Large-Scale Attack Forensics"],"prefix":"10.1109","volume":"20","author":[{"ORCID":"https:\/\/orcid.org\/0009-0009-3362-6660","authenticated-orcid":false,"given":"Xiaoxiang","family":"Li","sequence":"first","affiliation":[{"name":"Beijing National Research Center for Information Science and Technology (BNRist), Key Laboratory for Information System Security, Ministry of Education (KLISS), School of Software, Tsinghua University, Beijing, China"}]},{"given":"Xinyu","family":"Jiang","sequence":"additional","affiliation":[{"name":"Beijing National Research Center for Information Science and Technology (BNRist), Key Laboratory for Information System Security, Ministry of Education (KLISS), School of Software, Tsinghua University, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9608-5808","authenticated-orcid":false,"given":"Hai","family":"Wan","sequence":"additional","affiliation":[{"name":"Beijing National Research Center for Information Science and Technology (BNRist), Key Laboratory for Information System Security, Ministry of Education (KLISS), School of Software, Tsinghua University, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6168-7016","authenticated-orcid":false,"given":"Xibin","family":"Zhao","sequence":"additional","affiliation":[{"name":"Beijing National Research Center for Information Science and Technology (BNRist), Key Laboratory for Information System Security, Ministry of Education (KLISS), School of Software, Tsinghua University, Beijing, China"}]}],"member":"263","reference":[{"doi-asserted-by":"publisher","key":"ref1","DOI":"10.1109\/SP46214.2022.9833632"},{"doi-asserted-by":"publisher","key":"ref2","DOI":"10.14722\/ndss.2020.24046"},{"key":"ref3","first-page":"241","article-title":"Kernel-supported cost-effective audit logging for causality tracking","volume-title":"Proc. USENIX Annu. Tech. Conf.","author":"Ma"},{"doi-asserted-by":"publisher","key":"ref4","DOI":"10.1109\/SP46215.2023.10179405"},{"key":"ref5","first-page":"1723","article-title":"Dependence-preserving data compaction for scalable forensic analysis","volume-title":"Proc. 27th USENIX Secur. Symp.","author":"Hossain"},{"doi-asserted-by":"publisher","key":"ref6","DOI":"10.1145\/3133956.3134015"},{"doi-asserted-by":"publisher","key":"ref7","DOI":"10.14722\/ndss.2020.24167"},{"doi-asserted-by":"publisher","key":"ref8","DOI":"10.1145\/2939672.2939783"},{"key":"ref9","first-page":"4355","article-title":"PROGRAPHER: An anomaly detection system based on provenance graph embedding","volume-title":"Proc. 32nd USENIX Secur. Symp.","author":"Yang"},{"key":"ref10","first-page":"2345","article-title":"SIGL: Securing software installations through deep graph learning","volume-title":"Proc. 30th USENIX Secur. Symp.","author":"Han"},{"doi-asserted-by":"publisher","key":"ref11","DOI":"10.1145\/3460120.3484589"},{"doi-asserted-by":"publisher","key":"ref12","DOI":"10.14722\/ndss.2021.24445"},{"doi-asserted-by":"publisher","key":"ref13","DOI":"10.1109\/SP46215.2023.10179402"},{"doi-asserted-by":"publisher","key":"ref14","DOI":"10.14722\/ndss.2020.24270"},{"key":"ref15","first-page":"1111","article-title":"MPI: Multiple perspective attack investigation with semantic aware execution partitioning","volume-title":"Proc. 26th USENIX Secur. Symp.","author":"Ma"},{"doi-asserted-by":"publisher","key":"ref16","DOI":"10.14722\/ndss.2018.23306"},{"doi-asserted-by":"publisher","key":"ref17","DOI":"10.1145\/3319535.3363217"},{"doi-asserted-by":"publisher","key":"ref18","DOI":"10.1145\/2508859.2516731"},{"doi-asserted-by":"publisher","key":"ref19","DOI":"10.1145\/3243734.3243763"},{"doi-asserted-by":"publisher","key":"ref20","DOI":"10.1145\/2976749.2978378"},{"doi-asserted-by":"publisher","key":"ref21","DOI":"10.1145\/3427228.3427272"},{"doi-asserted-by":"publisher","key":"ref22","DOI":"10.1145\/3127479.3129249"},{"key":"ref23","first-page":"319","article-title":"Trustworthy whole-system provenance for the Linux kernel","volume-title":"Proc. USENIX Conf. Secur. Symp. (SEC)","author":"Bates"},{"doi-asserted-by":"publisher","key":"ref24","DOI":"10.14722\/ndss.2020.24065"},{"doi-asserted-by":"publisher","key":"ref25","DOI":"10.1145\/3372297.3417862"},{"doi-asserted-by":"publisher","key":"ref26","DOI":"10.1109\/ICDM.2002.1184038"},{"doi-asserted-by":"publisher","key":"ref27","DOI":"10.1109\/TPAMI.2004.75"},{"doi-asserted-by":"publisher","key":"ref28","DOI":"10.1145\/3564625.3567990"},{"key":"ref29","first-page":"2987","article-title":"SEAL: Storage-efficient causality analysis on enterprise logs with query-friendly compression","volume-title":"Proc. 30th USENIX Secur. Symp.","author":"Peng"},{"doi-asserted-by":"publisher","key":"ref30","DOI":"10.1145\/3588684"},{"doi-asserted-by":"publisher","key":"ref31","DOI":"10.3390\/a2031031"},{"doi-asserted-by":"publisher","key":"ref32","DOI":"10.1145\/1963405.1963488"},{"doi-asserted-by":"publisher","key":"ref33","DOI":"10.1145\/1557019.1557049"},{"doi-asserted-by":"publisher","key":"ref34","DOI":"10.1007\/978-3-642-03784-9_3"},{"doi-asserted-by":"publisher","key":"ref35","DOI":"10.1145\/1841909.1841913"},{"doi-asserted-by":"publisher","key":"ref36","DOI":"10.1145\/2442516.2442530"},{"doi-asserted-by":"publisher","key":"ref37","DOI":"10.1088\/1742-5468\/2008\/06\/P06001"},{"doi-asserted-by":"publisher","key":"ref38","DOI":"10.1145\/2396761.2398630"},{"doi-asserted-by":"publisher","key":"ref39","DOI":"10.1109\/ICDE.2016.7498233"},{"doi-asserted-by":"publisher","key":"ref40","DOI":"10.1109\/ASE.2019.00085"},{"key":"ref41","first-page":"3023","article-title":"ELISE: A storage efficient logging system powered by redundancy reduction and representation learning","volume-title":"Proc. 30th USENIX Secur. Symp.","author":"Ding"},{"key":"ref42","first-page":"183","article-title":"CLP: Efficient and scalable search on compressed text logs","volume-title":"Proc. 15th USENIX Symp. Operating Syst. Design Implement. (OSDI 21)","author":"Rodrigues"},{"doi-asserted-by":"publisher","key":"ref43","DOI":"10.1109\/TSE.2021.3069958"}],"container-title":["IEEE Transactions on Information Forensics and Security"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/10206\/10810755\/11133429.pdf?arnumber=11133429","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,23]],"date-time":"2025-12-23T18:30:26Z","timestamp":1766514626000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11133429\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"references-count":43,"URL":"https:\/\/doi.org\/10.1109\/tifs.2025.3601381","relation":{},"ISSN":["1556-6013","1556-6021"],"issn-type":[{"type":"print","value":"1556-6013"},{"type":"electronic","value":"1556-6021"}],"subject":[],"published":{"date-parts":[[2025]]}}}