{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,1]],"date-time":"2026-05-01T05:42:07Z","timestamp":1777614127209,"version":"3.51.4"},"publisher-location":"New York, NY, USA","reference-count":41,"publisher":"ACM","license":[{"start":{"date-parts":[[2017,3,22]],"date-time":"2017-03-22T00:00:00Z","timestamp":1490140800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2017,3,22]]},"DOI":"10.1145\/3029806.3029811","type":"proceedings-article","created":{"date-parts":[[2017,3,20]],"date-time":"2017-03-20T12:34:59Z","timestamp":1490013299000},"page":"15-22","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":21,"title":["Mining Attributed Graphs for Threat Intelligence"],"prefix":"10.1145","author":[{"given":"Hugo","family":"Gascon","sequence":"first","affiliation":[{"name":"Technische Universit\u00e4t Braunschweig, Braunschweig, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Bernd","family":"Grobauer","sequence":"additional","affiliation":[{"name":"Siemens AG, Munich, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Thomas","family":"Schreck","sequence":"additional","affiliation":[{"name":"Siemens AG, Munich, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Lukas","family":"Rist","sequence":"additional","affiliation":[{"name":"Symantec Corporation, Oslo, Norway"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Daniel","family":"Arp","sequence":"additional","affiliation":[{"name":"Technische Universit\u00e4t Braunschweig, Braunschweig, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Konrad","family":"Rieck","sequence":"additional","affiliation":[{"name":"Technische Universit\u00e4t Braunschweig, Braunschweig, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2017,3,22]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"Standardizing cyber threat intelligence information with the structured threat information expression (STIX). Technical report","author":"Barnum S.","year":"2014","unstructured":"S. Barnum . Standardizing cyber threat intelligence information with the structured threat information expression (STIX). Technical report , MITRE Corporation , 2014 . S. Barnum. Standardizing cyber threat intelligence information with the structured threat information expression (STIX). Technical report, MITRE Corporation, 2014."},{"key":"e_1_3_2_1_2_1","volume-title":"Proc. of Network and Distributed System Security Symposium (NDSS)","author":"Bayer U.","year":"2009","unstructured":"U. Bayer , P. M. Comparetti , C. Hlauschek , C. Kruegel , and E. Kirda . Scalable, behavior-based malware clustering . In Proc. of Network and Distributed System Security Symposium (NDSS) , 2009 . U. Bayer, P. M. Comparetti, C. Hlauschek, C. Kruegel, and E. Kirda. Scalable, behavior-based malware clustering. In Proc. of Network and Distributed System Security Symposium (NDSS), 2009."},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/2663876.2663883"},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/2462096.2462100"},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/509907.509965"},{"key":"e_1_3_2_1_6_1","volume-title":"http:\/\/csirtgadgets.org\/collective-intelligence-framework, visited","author":"CIF.","year":"2016","unstructured":"CIF. Collective intelligence framework. http:\/\/csirtgadgets.org\/collective-intelligence-framework, visited August , 2016 . CIF. Collective intelligence framework. http:\/\/csirtgadgets.org\/collective-intelligence-framework, visited August, 2016."},{"key":"e_1_3_2_1_7_1","unstructured":"CRITS. Collaborative research into threats. http:\/\/crits.github.io visited July 2016.  CRITS. Collaborative research into threats. http:\/\/crits.github.io visited July 2016."},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1126\/science.267.5199.843"},{"key":"e_1_3_2_1_9_1","first-page":"5070","article-title":"The incident object description exchange format (IODEF). Technical report","author":"Danyliw R.","year":"2007","unstructured":"R. Danyliw , J. Meijer , and Y. Demchenko . The incident object description exchange format (IODEF). Technical report , IETF RFC 5070 , 2007 . R. Danyliw, J. Meijer, and Y. Demchenko. The incident object description exchange format (IODEF). Technical report, IETF RFC 5070, 2007.","journal-title":"IETF RFC"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2015.23"},{"key":"e_1_3_2_1_11_1","unstructured":"P. Fonash. Using automated cyber threat exchange to turn the tide against ddos. http:\/\/rsaconference.com 2014.  P. Fonash. Using automated cyber threat exchange to turn the tide against ddos. http:\/\/rsaconference.com 2014."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/2517312.2517315"},{"key":"e_1_3_2_1_13_1","volume-title":"A framework for cybersecurity information sharing and risk reduction. Technical report","author":"Goodwin C.","year":"2015","unstructured":"C. Goodwin , J. P. Nicholas , J. Bryant , K. Ciglic , A. Kleiner , C. Kutterer , A. Massagli , A. Mckay , P. Mckitrick , J. Neutze , T. Storch , and K. Sullivan . A framework for cybersecurity information sharing and risk reduction. Technical report , Microsoft Corporation , 2015 . C. Goodwin, J. P. Nicholas, J. Bryant, K. Ciglic, A. Kleiner, C. Kutterer, A. Massagli, A. Mckay, P. Mckitrick, J. Neutze, T. Storch, and K. Sullivan. A framework for cybersecurity information sharing and risk reduction. Technical report, Microsoft Corporation, 2015."},{"key":"e_1_3_2_1_14_1","volume-title":"USENIX","author":"Graziano M.","year":"2015","unstructured":"M. Graziano , D. Canali , L. Bilge , A. Lanzi , and D. Balzarotti . Needles in a haystack: Mining information from public dynamic analysis sandboxes for malware intelligence . In USENIX , 2015 . M. Graziano, D. Canali, L. Bilge, A. Lanzi, and D. Balzarotti. Needles in a haystack: Mining information from public dynamic analysis sandboxes for malware intelligence. In USENIX, 2015."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1002\/j.1538-7305.1950.tb00463.x"},{"key":"e_1_3_2_1_16_1","first-page":"1","volume-title":"Cyber Conflict (CyCon), 2013 5th International Conference on","author":"Hernandez-Ardieta J. L.","year":"2013","unstructured":"J. L. Hernandez-Ardieta , J. E. Tapiador , and G. Suarez-Tangil . Information sharing models for cooperative cyber defence . In Cyber Conflict (CyCon), 2013 5th International Conference on , pages 1 -- 28 . IEEE, 2013 . J. L. Hernandez-Ardieta, J. E. Tapiador, and G. Suarez-Tangil. Information sharing models for cooperative cyber defence. In Cyber Conflict (CyCon), 2013 5th International Conference on, pages 1--28. IEEE, 2013."},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/2046707.2046742"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2014.99"},{"key":"e_1_3_2_1_19_1","volume-title":"Kaspersky Lab","year":"2014","unstructured":"Kaspersky. The Regin Platform: Nation-State Ownage of GSM Networks . Kaspersky Lab , November 2014 . Kaspersky. The Regin Platform: Nation-State Ownage of GSM Networks. Kaspersky Lab, November 2014."},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCCN.2015.7288396"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.5555\/832308.837142"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2011.67"},{"key":"e_1_3_2_1_23_1","volume-title":"Mandiant Whitepaper","year":"2013","unstructured":"Mandiant. Sophisticated indicators for the modern threat landscape: An introduction to OpenIOC. Technical report , Mandiant Whitepaper , 2013 . Mandiant. Sophisticated indicators for the modern threat landscape: An introduction to OpenIOC. Technical report, Mandiant Whitepaper, 2013."},{"key":"e_1_3_2_1_24_1","volume-title":"APT1: Exposing one of China's cyber espionage units. Technical report","year":"2013","unstructured":"Mandiant. APT1: Exposing one of China's cyber espionage units. Technical report , Mandiant Intelligence Center , 2013 . Mandiant. APT1: Exposing one of China's cyber espionage units. Technical report, Mandiant Intelligence Center, 2013."},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/1242572.1242592"},{"key":"e_1_3_2_1_26_1","volume-title":"P. Raghavan, H. Sch\u00fctze, et al. Introduction to information retrieval","year":"2008","unstructured":"e, }manning2008C. D. Manning , P. Raghavan, H. Sch\u00fctze, et al. Introduction to information retrieval , volume 1 . Cambridge university press Cambridge , 2008 . e, et al.}manning2008C. D. Manning, P. Raghavan, H. Sch\u00fctze, et al. Introduction to information retrieval, volume 1. Cambridge university press Cambridge, 2008."},{"key":"e_1_3_2_1_27_1","volume-title":"long live threat intelligence! http:\/\/rsaconference.com","author":"Orlando M.","year":"2015","unstructured":"M. Orlando . Threat intelligence is dead. long live threat intelligence! http:\/\/rsaconference.com , 2015 . M. Orlando. Threat intelligence is dead. long live threat intelligence! http:\/\/rsaconference.com, 2015."},{"key":"e_1_3_2_1_28_1","volume-title":"https:\/\/www.alienvault.com\/open-threat-exchange, visited","author":"OTX.","year":"2016","unstructured":"OTX. Open threat exchange. https:\/\/www.alienvault.com\/open-threat-exchange, visited August , 2016 . OTX. Open threat exchange. https:\/\/www.alienvault.com\/open-threat-exchange, visited August, 2016."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/1572272.1572287"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/361219.361220"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/2663876.2663882"},{"key":"e_1_3_2_1_32_1","unstructured":"Spamfighter\/Der Spiegel. Top german official infected by regin malware. http:\/\/www.spamfighter.com\/News-19917-Top-German-Official-Infected-by-Regin-Malware.htm visited August 2016.  Spamfighter\/Der Spiegel. Top german official infected by regin malware. http:\/\/www.spamfighter.com\/News-19917-Top-German-Official-Infected-by-Regin-Malware.htm visited August 2016."},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/INM.2015.7140300"},{"key":"e_1_3_2_1_34_1","volume-title":"Symantec Security Response","author":"Stuxnet","year":"2013","unstructured":"Symantec. Stuxnet 0.5 : The Missing Link . Symantec Security Response , February 2013 . Symantec. Stuxnet 0.5: The Missing Link. Symantec Security Response, February 2013."},{"key":"e_1_3_2_1_35_1","volume-title":"Symantec Security Response","year":"2015","unstructured":"Symantec. Regin : Top-tier espionage tool enables stealthy surveillance . Symantec Security Response , August 2015 . Symantec. Regin: Top-tier espionage tool enables stealthy surveillance. Symantec Security Response, August 2015."},{"key":"e_1_3_2_1_36_1","volume-title":"Uk company's spyware used against bahrain activist. https:\/\/www.theguardian.com\/world\/2013\/may\/12\/uk-company-spyware-bahrain-claim, visited","author":"Guardian The","year":"2016","unstructured":"The Guardian . Uk company's spyware used against bahrain activist. https:\/\/www.theguardian.com\/world\/2013\/may\/12\/uk-company-spyware-bahrain-claim, visited August , 2016 . The Guardian. Uk company's spyware used against bahrain activist. https:\/\/www.theguardian.com\/world\/2013\/may\/12\/uk-company-spyware-bahrain-claim, visited August, 2016."},{"key":"e_1_3_2_1_37_1","unstructured":"The New York Times. Computer systems used by clinton campaign are said to be hacked apparently by russians. http:\/\/www.nytimes.com\/2016\/07\/30\/us\/politics\/clinton-campaign-hacked-russians.html visited August 2016.  The New York Times. Computer systems used by clinton campaign are said to be hacked apparently by russians. http:\/\/www.nytimes.com\/2016\/07\/30\/us\/politics\/clinton-campaign-hacked-russians.html visited August 2016."},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1109\/WCRE.2011.12"},{"key":"e_1_3_2_1_39_1","unstructured":"VirusTotal. https:\/\/www.virustotal.com\/.  VirusTotal. https:\/\/www.virustotal.com\/."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1007\/11856214_12"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/2808128.2808130"}],"event":{"name":"CODASPY '17: Seventh ACM Conference on Data and Application Security and Privacy","location":"Scottsdale Arizona USA","acronym":"CODASPY '17","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3029806.3029811","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3029806.3029811","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T04:23:14Z","timestamp":1750220594000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3029806.3029811"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,3,22]]},"references-count":41,"alternative-id":["10.1145\/3029806.3029811","10.1145\/3029806"],"URL":"https:\/\/doi.org\/10.1145\/3029806.3029811","relation":{},"subject":[],"published":{"date-parts":[[2017,3,22]]},"assertion":[{"value":"2017-03-22","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}