{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,25]],"date-time":"2026-02-25T18:00:10Z","timestamp":1772042410995,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":53,"publisher":"ACM","license":[{"start":{"date-parts":[[2019,12,9]],"date-time":"2019-12-09T00:00:00Z","timestamp":1575849600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2019,12,9]]},"DOI":"10.1145\/3359789.3359818","type":"proceedings-article","created":{"date-parts":[[2019,11,22]],"date-time":"2019-11-22T18:41:59Z","timestamp":1574448119000},"page":"378-389","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":2,"title":["Progressive processing of system-behavioral query"],"prefix":"10.1145","author":[{"given":"Jiaping","family":"Gui","sequence":"first","affiliation":[{"name":"NEC Laboratories America, Inc."}]},{"given":"Xusheng","family":"Xiao","sequence":"additional","affiliation":[{"name":"Case Western Reserve University"}]},{"given":"Ding","family":"Li","sequence":"additional","affiliation":[{"name":"NEC Laboratories America, Inc."}]},{"given":"Chung Hwan","family":"Kim","sequence":"additional","affiliation":[{"name":"NEC Laboratories America, Inc."}]},{"given":"Haifeng","family":"Chen","sequence":"additional","affiliation":[{"name":"NEC Laboratories America, Inc."}]}],"member":"320","published-online":{"date-parts":[[2019,12,9]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"[n.d.]. ANTLR. http:\/\/www.antlr.org\/.  [n.d.]. ANTLR. http:\/\/www.antlr.org\/."},{"key":"e_1_3_2_1_2_1","unstructured":"[n.d.]. Apache Lucene. https:\/\/lucene.apache.org\/.  [n.d.]. Apache Lucene. https:\/\/lucene.apache.org\/."},{"key":"e_1_3_2_1_3_1","unstructured":"[n.d.]. Bugzilla. http:\/\/www.bugzilla.org\/.  [n.d.]. Bugzilla. http:\/\/www.bugzilla.org\/."},{"key":"e_1_3_2_1_4_1","unstructured":"[n.d.]. Common Vulnerabilities and Exposures (CVE). https:\/\/cve.mitre.org\/.  [n.d.]. Common Vulnerabilities and Exposures (CVE). https:\/\/cve.mitre.org\/."},{"key":"e_1_3_2_1_5_1","unstructured":"[n.d.]. DTrace. http:\/\/dtrace.org\/.  [n.d.]. DTrace. http:\/\/dtrace.org\/."},{"key":"e_1_3_2_1_6_1","unstructured":"[n.d.]. Elasticsearch. https:\/\/www.elastic.co\/.  [n.d.]. Elasticsearch. https:\/\/www.elastic.co\/."},{"key":"e_1_3_2_1_7_1","unstructured":"[n.d.]. ETW events in the common language runtime. https:\/\/msdn.microsoft.com\/en-us\/library\/ff357719(v=vs.110).aspx.  [n.d.]. ETW events in the common language runtime. https:\/\/msdn.microsoft.com\/en-us\/library\/ff357719(v=vs.110).aspx."},{"key":"e_1_3_2_1_8_1","unstructured":"[n.d.]. Exploit Database. https:\/\/www.exploit-db.com\/.  [n.d.]. Exploit Database. https:\/\/www.exploit-db.com\/."},{"key":"e_1_3_2_1_9_1","unstructured":"[n.d.]. JIRA. https:\/\/www.atlassian.com\/software\/jira.  [n.d.]. JIRA. https:\/\/www.atlassian.com\/software\/jira."},{"key":"e_1_3_2_1_10_1","unstructured":"[n.d.]. JIRA Query Language. https:\/\/confluence.atlassian.com\/display\/JIRA\/Advanced+Searching.  [n.d.]. JIRA Query Language. https:\/\/confluence.atlassian.com\/display\/JIRA\/Advanced+Searching."},{"key":"e_1_3_2_1_11_1","unstructured":"[n.d.]. Kaspersky. www.kaspersky.com\/.  [n.d.]. Kaspersky. www.kaspersky.com\/."},{"key":"e_1_3_2_1_12_1","unstructured":"[n.d.]. The Linux audit framework. https:\/\/www.suse.com\/documentation\/sles11\/book_security\/data\/part_audit.html.  [n.d.]. The Linux audit framework. https:\/\/www.suse.com\/documentation\/sles11\/book_security\/data\/part_audit.html."},{"key":"e_1_3_2_1_13_1","unstructured":"[n.d.]. McAfee. http:\/\/www.mcafee.com\/.  [n.d.]. McAfee. http:\/\/www.mcafee.com\/."},{"key":"e_1_3_2_1_14_1","unstructured":"[n.d.]. PostgreSQL . http:\/\/www.postgresql.org\/.  [n.d.]. PostgreSQL . http:\/\/www.postgresql.org\/."},{"key":"e_1_3_2_1_15_1","unstructured":"[n.d.]. Splunk. http:\/\/www.splunk.com\/.  [n.d.]. Splunk. http:\/\/www.splunk.com\/."},{"key":"e_1_3_2_1_16_1","unstructured":"[n.d.]. SQL. http:\/\/www.iso.org\/iso\/catalogue_detail.htm?csnumber=45498.  [n.d.]. SQL. http:\/\/www.iso.org\/iso\/catalogue_detail.htm?csnumber=45498."},{"key":"e_1_3_2_1_17_1","unstructured":"[n.d.]. Symantec. https:\/\/www.symantec.com\/.  [n.d.]. Symantec. https:\/\/www.symantec.com\/."},{"key":"e_1_3_2_1_18_1","volume-title":"Security Report","year":"2015","unstructured":"[n.d.]. Trustwave Global Security Report 2015 . https:\/\/www2.trustwave.com\/rs\/815-RFM-693\/images\/2015_TrustwaveGlobalSecurityReport.pdf. [n.d.]. Trustwave Global Security Report 2015. https:\/\/www2.trustwave.com\/rs\/815-RFM-693\/images\/2015_TrustwaveGlobalSecurityReport.pdf."},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2006.06.016"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/1595696.1595766"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/1081706.1081736"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/1480881.1480897"},{"key":"e_1_3_2_1_23_1","volume-title":"Hridesh Rajan, and Tien N. Nguyen.","author":"Dyer Robert","year":"2013","unstructured":"Robert Dyer , Hoan Anh Nguyen , Hridesh Rajan, and Tien N. Nguyen. 2013 . Boa : A Language and Infrastructure for Analyzing Ultra-large-scale Software Repositories. In ICSE '13. IEEE Press , Piscataway, NJ, USA, 422--431. http:\/\/dl.acm.org\/citation.cfm?id=2486788.2486844 Robert Dyer, Hoan Anh Nguyen, Hridesh Rajan, and Tien N. Nguyen. 2013. Boa: A Language and Infrastructure for Analyzing Ultra-large-scale Software Repositories. In ICSE '13. IEEE Press, Piscataway, NJ, USA, 422--431. http:\/\/dl.acm.org\/citation.cfm?id=2486788.2486844"},{"key":"e_1_3_2_1_24_1","volume-title":"Innovation and Future of Enterprise Information Systems","author":"Felderer Michael","unstructured":"Michael Felderer , Emir Tanriverdi , Sarah L\u00f6w , and Ruth Breu . 2013. A quality analysis procedure for request data of ERP systems . In Innovation and Future of Enterprise Information Systems . Springer , 235--249. Michael Felderer, Emir Tanriverdi, Sarah L\u00f6w, and Ruth Breu. 2013. A quality analysis procedure for request data of ERP systems. In Innovation and Future of Enterprise Information Systems. Springer, 235--249."},{"key":"e_1_3_2_1_25_1","volume-title":"SAQL: A Stream-based Query System for Real-Time Abnormal System Behavior Detection. In 27th USENIX Security Symposium, USENIX Security 2018","author":"Gao Peng","year":"2018","unstructured":"Peng Gao , Xusheng Xiao , Ding Li , Zhichun Li , Kangkook Jee , Zhenyu Wu , Chung Hwan Kim , Sanjeev R. Kulkarni , and Prateek Mittal . 2018 . SAQL: A Stream-based Query System for Real-Time Abnormal System Behavior Detection. In 27th USENIX Security Symposium, USENIX Security 2018 , Baltimore, MD, USA, August 15--17 , 2018. 639--656. Peng Gao, Xusheng Xiao, Ding Li, Zhichun Li, Kangkook Jee, Zhenyu Wu, Chung Hwan Kim, Sanjeev R. Kulkarni, and Prateek Mittal. 2018. SAQL: A Stream-based Query System for Real-Time Abnormal System Behavior Detection. In 27th USENIX Security Symposium, USENIX Security 2018, Baltimore, MD, USA, August 15--17, 2018. 639--656."},{"key":"e_1_3_2_1_26_1","unstructured":"Peng Gao Xusheng Xiao Zhichun Li Fengyuan Xu Sanjeev R Kulkarni and Prateek Mittal. 2018. {AIQL}: Enabling Efficient Attack Investigation from System Monitoring Data. In 2018 {USENIX} Annual Technical Conference ({USENIX}{ATC} 18). 113--126.  Peng Gao Xusheng Xiao Zhichun Li Fengyuan Xu Sanjeev R Kulkarni and Prateek Mittal. 2018. {AIQL}: Enabling Efficient Attack Investigation from System Monitoring Data. In 2018 {USENIX} Annual Technical Conference ({USENIX}{ATC} 18). 113--126."},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/2896967.2896970"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/PIMRC.2012.6362507"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/1082983.1083161"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/1137983.1137990"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866353"},{"key":"e_1_3_2_1_33_1","unstructured":"Kyu Hyung Lee Xiangyu Zhang and Dongyan Xu. 2013. LogGC: garbage collecting audit log. In CCS.  Kyu Hyung Lee Xiangyu Zhang and Dongyan Xu. 2013. LogGC: garbage collecting audit log. In CCS."},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME.2014.34"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23254"},{"key":"e_1_3_2_1_36_1","unstructured":"Jian-Guang Lou Qiang Fu Shengqi Yang Ye Xu and Jiang Li. 2010. Mining Invariants from Console Logs for System Problem Detection. In USENIX ATC.  Jian-Guang Lou Qiang Fu Shengqi Yang Ye Xu and Jiang Li. 2010. Mining Invariants from Console Logs for System Problem Detection. In USENIX ATC."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/1094811.1094840"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2007.06.014"},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2008.25"},{"key":"e_1_3_2_1_40_1","unstructured":"P. Ning and D. Xu. 2002. Adapting Query Optimization Techniques for Efficient Intrusion Alert Correlation. Technical Report. Raleigh NC USA.  P. Ning and D. Xu. 2002. Adapting Query Optimization Techniques for Efficient Intrusion Alert Correlation. Technical Report. Raleigh NC USA."},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/SAINT.2012.30"},{"key":"e_1_3_2_1_42_1","volume-title":"ACM SIGPLAN Notices (POPL'15)","author":"Raychev Veselin","unstructured":"Veselin Raychev , Martin Vechev , and Andreas Krause . 2015. Predicting program properties from big code . In ACM SIGPLAN Notices (POPL'15) , Vol. 50 . ACM , 111--124. Veselin Raychev, Martin Vechev, and Andreas Krause. 2015. Predicting program properties from big code. In ACM SIGPLAN Notices (POPL'15), Vol. 50. ACM, 111--124."},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-21690-4_23"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10009-012-0223-4"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2011.6100061"},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/2635868.2635902"},{"key":"e_1_3_2_1_47_1","volume-title":"Proceedings of the 19th ACM SIGKDD international conference on Knowledge discovery and data mining. ACM, 1393--1401","author":"Ted E","year":"2013","unstructured":"E Ted , Henry G Goldberg , Alex Memory , William T Young , Brad Rees , Robert Pierce , Daniel Huang , Matthew Reardon , David A Bader , Edmond Chow , 2013 . Detecting insider threats in a real corporate database of computer usage activity . In Proceedings of the 19th ACM SIGKDD international conference on Knowledge discovery and data mining. ACM, 1393--1401 . E Ted, Henry G Goldberg, Alex Memory, William T Young, Brad Rees, Robert Pierce, Daniel Huang, Matthew Reardon, David A Bader, Edmond Chow, et al. 2013. Detecting insider threats in a real corporate database of computer usage activity. In Proceedings of the 19th ACM SIGKDD international conference on Knowledge discovery and data mining. ACM, 1393--1401."},{"key":"e_1_3_2_1_48_1","volume-title":"training a big data machine to defend. In 2016 IEEE 2nd International Conference on Big Data Security on Cloud (BigDataSecurity)","author":"Veeramachaneni Kalyan","unstructured":"Kalyan Veeramachaneni , Ignacio Arnaldo , Vamsi Korrapati , Constantinos Bassias , and Ke Li. 2016. AI^ 2 : training a big data machine to defend. In 2016 IEEE 2nd International Conference on Big Data Security on Cloud (BigDataSecurity) , IEEE International Conference on High Performance and Smart Computing (HPSC), and IEEE International Conference on Intelligent Data and Security (IDS). IEEE , 49--54. Kalyan Veeramachaneni, Ignacio Arnaldo, Vamsi Korrapati, Constantinos Bassias, and Ke Li. 2016. AI^ 2: training a big data machine to defend. In 2016 IEEE 2nd International Conference on Big Data Security on Cloud (BigDataSecurity), IEEE International Conference on High Performance and Smart Computing (HPSC), and IEEE International Conference on Intelligent Data and Security (IDS). IEEE, 49--54."},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1002\/stvr.1635"},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1016\/S0164-1212(99)00142-9"},{"key":"e_1_3_2_1_51_1","volume-title":"Fast indexing strategies for robust image hashes. Digit. Investig. 11 (May","author":"Winter Christian","year":"2014","unstructured":"Christian Winter , Martin Steinebach , and York Yannikos . 2014. Fast indexing strategies for robust image hashes. Digit. Investig. 11 (May 2014 ). Christian Winter, Martin Steinebach, and York Yannikos. 2014. Fast indexing strategies for robust image hashes. Digit. Investig. 11 (May 2014)."},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/2483760.2483784"},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1002\/stv.430"},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"crossref","unstructured":"Ding Yuan Soyeon Park and Yuanyuan Zhou. 2012. Characterising Logging Practices in Open-Source Software. In ICSE.  Ding Yuan Soyeon Park and Yuanyuan Zhou. 2012. Characterising Logging Practices in Open-Source Software. In ICSE.","DOI":"10.1109\/ICSE.2012.6227202"}],"event":{"name":"ACSAC '19: 2019 Annual Computer Security Applications Conference","location":"San Juan Puerto Rico USA","acronym":"ACSAC '19"},"container-title":["Proceedings of the 35th Annual Computer Security Applications Conference"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3359789.3359818","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3359789.3359818","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T23:45:04Z","timestamp":1750203904000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3359789.3359818"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,12,9]]},"references-count":53,"alternative-id":["10.1145\/3359789.3359818","10.1145\/3359789"],"URL":"https:\/\/doi.org\/10.1145\/3359789.3359818","relation":{},"subject":[],"published":{"date-parts":[[2019,12,9]]},"assertion":[{"value":"2019-12-09","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}