{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,17]],"date-time":"2026-04-17T06:07:47Z","timestamp":1776406067158,"version":"3.51.2"},"publisher-location":"New York, NY, USA","reference-count":74,"publisher":"ACM","license":[{"start":{"date-parts":[[2020,12,7]],"date-time":"2020-12-07T00:00:00Z","timestamp":1607299200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100004801","name":"National Science Foundation","doi-asserted-by":"publisher","award":["CNS-16-57534,CNS-17-50024"],"award-info":[{"award-number":["CNS-16-57534,CNS-17-50024"]}],"id":[{"id":"10.13039\/501100004801","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2020,12,7]]},"DOI":"10.1145\/3427228.3427255","type":"proceedings-article","created":{"date-parts":[[2020,12,9]],"date-time":"2020-12-09T22:20:18Z","timestamp":1607552418000},"page":"165-178","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":28,"title":["This is Why We Can\u2019t Cache Nice Things: Lightning-Fast Threat Hunting using Suspicion-Based Hierarchical Storage"],"prefix":"10.1145","author":[{"given":"Wajih Ul","family":"Hassan","sequence":"first","affiliation":[{"name":"University of Illinois at Urbana-Champaign, United States of America"}]},{"given":"Ding","family":"Li","sequence":"additional","affiliation":[{"name":"Peking University, China"}]},{"given":"Kangkook","family":"Jee","sequence":"additional","affiliation":[{"name":"University of Texas at Dallas"}]},{"given":"Xiao","family":"Yu","sequence":"additional","affiliation":[{"name":"NEC Laboratories America Inc., United States of America"}]},{"given":"Kexuan","family":"Zou","sequence":"additional","affiliation":[{"name":"University of Illinois at Urbana-Champaign"}]},{"given":"Dawei","family":"Wang","sequence":"additional","affiliation":[{"name":"University of Illinois at Urbana-Champaign"}]},{"given":"Zhengzhang","family":"Chen","sequence":"additional","affiliation":[{"name":"NEC Laboratories America Inc., United States of America"}]},{"given":"Zhichun","family":"Li","sequence":"additional","affiliation":[{"name":"NEC Laboratories America Inc., United States of America"}]},{"given":"Junghwan","family":"Rhee","sequence":"additional","affiliation":[{"name":"University of Central Oklahoma"}]},{"given":"Jiaping","family":"Gui","sequence":"additional","affiliation":[{"name":"NEC Laboratories America Inc., United States of America"}]},{"given":"Adam","family":"Bates","sequence":"additional","affiliation":[{"name":"University of Illinois at Urbana-Champaign, United States of America"}]}],"member":"320","published-online":{"date-parts":[[2020,12,8]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"[n.d.]. Cortex XDR. https:\/\/www.paloaltonetworks.com\/cortex\/cortex-xdr.  [n.d.]. Cortex XDR. https:\/\/www.paloaltonetworks.com\/cortex\/cortex-xdr."},{"key":"e_1_3_2_1_2_1","unstructured":"[n.d.]. CrowdStrike. https:\/\/www.crowdstrike.com\/.  [n.d.]. CrowdStrike. https:\/\/www.crowdstrike.com\/."},{"key":"e_1_3_2_1_3_1","unstructured":"[n.d.]. Event tracing. https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/ETW\/event-tracing-portal.  [n.d.]. Event tracing. https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/ETW\/event-tracing-portal."},{"key":"e_1_3_2_1_4_1","unstructured":"[n.d.]. The Linux audit daemon. https:\/\/linux.die.net\/man\/8\/auditd.  [n.d.]. The Linux audit daemon. https:\/\/linux.die.net\/man\/8\/auditd."},{"key":"e_1_3_2_1_5_1","unstructured":"[n.d.]. MTTD vs MTTK. https:\/\/www.threatstack.com\/blog\/how-to-use-automation-to-decrease-mean-time-to-know.  [n.d.]. MTTD vs MTTK. https:\/\/www.threatstack.com\/blog\/how-to-use-automation-to-decrease-mean-time-to-know."},{"key":"e_1_3_2_1_6_1","unstructured":"[n.d.]. Netwrix Auditor. https:\/\/www.netwrix.com\/network_auditing_software_features.html.  [n.d.]. Netwrix Auditor. https:\/\/www.netwrix.com\/network_auditing_software_features.html."},{"key":"e_1_3_2_1_7_1","unstructured":"2014. CVE-2014-6271. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2014-6271.  2014. CVE-2014-6271. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2014-6271."},{"key":"e_1_3_2_1_8_1","unstructured":"2018. Persistent netcat backdoor. https:\/\/www.offensive-security.com\/metasploit-unleashed\/persistent-netcat-backdoor\/.  2018. Persistent netcat backdoor. https:\/\/www.offensive-security.com\/metasploit-unleashed\/persistent-netcat-backdoor\/."},{"key":"e_1_3_2_1_9_1","unstructured":"2018. Ransom.Wannacry. https:\/\/symc.ly\/2NSK5Rg.  2018. Ransom.Wannacry. https:\/\/symc.ly\/2NSK5Rg."},{"key":"e_1_3_2_1_10_1","unstructured":"2018. VPNFilter: New Router Malware with Destructive Capabilities. https:\/\/symc.ly\/2IPGGVE.  2018. VPNFilter: New Router Malware with Destructive Capabilities. https:\/\/symc.ly\/2IPGGVE."},{"key":"e_1_3_2_1_11_1","unstructured":"2019. Apache Kafka. https:\/\/kafka.apache.org\/.  2019. Apache Kafka. https:\/\/kafka.apache.org\/."},{"key":"e_1_3_2_1_12_1","unstructured":"2019. Automated Incident Response: Respond to Every Alert. https:\/\/swimlane.com\/blog\/automated-incident-response-respond-every-alert\/.  2019. Automated Incident Response: Respond to Every Alert. https:\/\/swimlane.com\/blog\/automated-incident-response-respond-every-alert\/."},{"key":"e_1_3_2_1_13_1","unstructured":"2019. Automated Security Intelligence (ASI). https:\/\/www.nec.com\/en\/global\/techrep\/journal\/g16\/n01\/160110.html.  2019. Automated Security Intelligence (ASI). https:\/\/www.nec.com\/en\/global\/techrep\/journal\/g16\/n01\/160110.html."},{"key":"e_1_3_2_1_14_1","unstructured":"2019. Breach Detection. https:\/\/link.medium.com\/6HpgbLgZuW.  2019. Breach Detection. https:\/\/link.medium.com\/6HpgbLgZuW."},{"key":"e_1_3_2_1_15_1","unstructured":"2019. Cyber Threat Hunting Review. https:\/\/blog.usejournal.com\/cyber-threat-hunting-basics-52fca11a4e1d.  2019. Cyber Threat Hunting Review. https:\/\/blog.usejournal.com\/cyber-threat-hunting-basics-52fca11a4e1d."},{"key":"e_1_3_2_1_16_1","unstructured":"2019. Endpoint Monitoring & Security. https:\/\/logrhythm.com\/solutions\/security\/endpoint-threat-detection\/.  2019. Endpoint Monitoring & Security. https:\/\/logrhythm.com\/solutions\/security\/endpoint-threat-detection\/."},{"key":"e_1_3_2_1_17_1","unstructured":"2019. Google core libraries for Java. https:\/\/github.com\/google\/guava.  2019. Google core libraries for Java. https:\/\/github.com\/google\/guava."},{"key":"e_1_3_2_1_18_1","unstructured":"2019. How Many Alerts is Too Many to Handle?https:\/\/www2.fireeye.com\/StopTheNoise-IDC-Numbers-Game-Special-Report.html.  2019. How Many Alerts is Too Many to Handle?https:\/\/www2.fireeye.com\/StopTheNoise-IDC-Numbers-Game-Special-Report.html."},{"key":"e_1_3_2_1_19_1","unstructured":"2019. How WannaCrypt attacks. https:\/\/www.zdnet.com\/article\/how-wannacrypt-attacks\/.  2019. How WannaCrypt attacks. https:\/\/www.zdnet.com\/article\/how-wannacrypt-attacks\/."},{"key":"e_1_3_2_1_20_1","unstructured":"2019. MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption. https:\/\/www.rapid7.com\/db\/modules\/exploit\/windows\/smb\/ms17_010_eternalblue.  2019. MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption. https:\/\/www.rapid7.com\/db\/modules\/exploit\/windows\/smb\/ms17_010_eternalblue."},{"key":"e_1_3_2_1_21_1","unstructured":"2019. Neo4j. https:\/\/neo4j.com\/.  2019. Neo4j. https:\/\/neo4j.com\/."},{"key":"e_1_3_2_1_22_1","unstructured":"2019. New Research from Advanced Threat Analytics. https:\/\/prn.to\/2uTiaK6.  2019. New Research from Advanced Threat Analytics. https:\/\/prn.to\/2uTiaK6."},{"key":"e_1_3_2_1_23_1","unstructured":"2019. Over 18 000 Redis Instances Targetted. https:\/\/duo.com\/decipher\/over-18000-redis-instances-targeted-by-fake-ransomware.  2019. Over 18 000 Redis Instances Targetted. https:\/\/duo.com\/decipher\/over-18000-redis-instances-targeted-by-fake-ransomware."},{"key":"e_1_3_2_1_24_1","unstructured":"2019. Petya ransomware outbreak. https:\/\/www.symantec.com\/blogs\/threat-intelligence\/petya-ransomware-wiper.  2019. Petya ransomware outbreak. https:\/\/www.symantec.com\/blogs\/threat-intelligence\/petya-ransomware-wiper."},{"key":"e_1_3_2_1_25_1","unstructured":"2019. Redis in-memory data structure store. https:\/\/redis.io\/.  2019. Redis in-memory data structure store. https:\/\/redis.io\/."},{"key":"e_1_3_2_1_26_1","unstructured":"2019. RedisGraph - a graph database module for Redis. https:\/\/oss.redislabs.com\/redisgraph\/.  2019. RedisGraph - a graph database module for Redis. https:\/\/oss.redislabs.com\/redisgraph\/."},{"key":"e_1_3_2_1_27_1","unstructured":"2019. RocksDB | A persistent key-value store. https:\/\/rocksdb.org\/.  2019. RocksDB | A persistent key-value store. https:\/\/rocksdb.org\/."},{"key":"e_1_3_2_1_28_1","unstructured":"2019. What is SIEM?https:\/\/logz.io\/blog\/what-is-siem\/.  2019. What is SIEM?https:\/\/logz.io\/blog\/what-is-siem\/."},{"key":"e_1_3_2_1_29_1","unstructured":"2\n    [n.d.]. Equifax says cyberattack may have affected 143 million in the U.S.https:\/\/www.nytimes.com\/2017\/09\/07\/business\/equifax-cyberattack.html.  2 [n.d.]. Equifax says cyberattack may have affected 143 million in the U.S.https:\/\/www.nytimes.com\/2017\/09\/07\/business\/equifax-cyberattack.html."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"crossref","unstructured":"Adam Bates Wajih\u00a0Ul Hassan Kevin Butler Alin Dobra Bradley Reaves Patrick Cable Thomas Moyer and Nabil Schear. 2017. Transparent web service auditing via network provenance functions. In WWW.  Adam Bates Wajih\u00a0Ul Hassan Kevin Butler Alin Dobra Bradley Reaves Patrick Cable Thomas Moyer and Nabil Schear. 2017. Transparent web service auditing via network provenance functions. In WWW.","DOI":"10.1145\/3038912.3052640"},{"key":"e_1_3_2_1_31_1","unstructured":"Adam Bates Dave Tian Kevin R.\u00a0B. Butler and Thomas Moyer. 2015. Trustworthy whole-system provenance for the Linux kernel. In USENIX Security.  Adam Bates Dave Tian Kevin R.\u00a0B. Butler and Thomas Moyer. 2015. Trustworthy whole-system provenance for the Linux kernel. In USENIX Security."},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"crossref","unstructured":"Chen Chen Harshal\u00a0Tushar Lehri Lay Kuan\u00a0Loh Anupam Alur Limin Jia Boon\u00a0Thau Loo and Wenchao Zhou. 2017. Distributed Provenance Compression. In SIGMOD.  Chen Chen Harshal\u00a0Tushar Lehri Lay Kuan\u00a0Loh Anupam Alur Limin Jia Boon\u00a0Thau Loo and Wenchao Zhou. 2017. Distributed Provenance Compression. In SIGMOD.","DOI":"10.1145\/3035918.3035926"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-74320-0_4"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-45474-8_6"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/HPEC.2012.6408680"},{"key":"e_1_3_2_1_36_1","unstructured":"FireEye. 2019. Incident Investigation. https:\/\/www.fireeye.com\/solutions\/incident-investigation.html.  FireEye. 2019. Incident Investigation. https:\/\/www.fireeye.com\/solutions\/incident-investigation.html."},{"key":"e_1_3_2_1_37_1","volume-title":"SAQL: A Stream-based Query System for Real-Time Abnormal System Behavior Detection. In USENIX Security Symposium.","author":"Gao Peng","year":"2018","unstructured":"Peng Gao , Xusheng Xiao , Ding Li , Zhichun Li , Kangkook Jee , Zhenyu Wu , Chung\u00a0Hwan Kim , Sanjeev\u00a0 R. Kulkarni , and Prateek Mittal . 2018 . SAQL: A Stream-based Query System for Real-Time Abnormal System Behavior Detection. In USENIX Security Symposium. Peng Gao, Xusheng Xiao, Ding Li, Zhichun Li, Kangkook Jee, Zhenyu Wu, Chung\u00a0Hwan Kim, Sanjeev\u00a0R. Kulkarni, and Prateek Mittal. 2018. SAQL: A Stream-based Query System for Real-Time Abnormal System Behavior Detection. In USENIX Security Symposium."},{"key":"e_1_3_2_1_38_1","volume-title":"SPADE: Support for provenance auditing in distributed environments. In Middleware(Montreal, Quebec, Canada).","author":"Gehani Ashish","year":"2012","unstructured":"Ashish Gehani and Dawood Tariq . 2012 . SPADE: Support for provenance auditing in distributed environments. In Middleware(Montreal, Quebec, Canada). Ashish Gehani and Dawood Tariq. 2012. SPADE: Support for provenance auditing in distributed environments. In Middleware(Montreal, Quebec, Canada)."},{"key":"e_1_3_2_1_39_1","volume-title":"Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats. In NDSS.","author":"Han Xueyan","year":"2020","unstructured":"Xueyan Han , Thomas Pasqueir , Adam Bates , James Mickens , and Margo Seltzer . 2020 . Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats. In NDSS. Xueyan Han, Thomas Pasqueir, Adam Bates, James Mickens, and Margo Seltzer. 2020. Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats. In NDSS."},{"key":"e_1_3_2_1_40_1","volume-title":"Tactical Provenance Analysis for Endpoint Detection and Response Systems","author":"Hassan Wajih\u00a0Ul","unstructured":"Wajih\u00a0Ul Hassan , Adam Bates , and Daniel Marino . 2020. Tactical Provenance Analysis for Endpoint Detection and Response Systems . In IEEE S &P. Wajih\u00a0Ul Hassan, Adam Bates, and Daniel Marino. 2020. Tactical Provenance Analysis for Endpoint Detection and Response Systems. In IEEE S&P."},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"crossref","unstructured":"Wajih\u00a0Ul Hassan Shengjian Guo Ding Li Zhengzhang Chen Kangkook Jee Zhichun Li and Adam Bates. 2019. NoDoze: Combatting threat alert fatigue with automated provenance triage. In NDSS (San Diego CA).  Wajih\u00a0Ul Hassan Shengjian Guo Ding Li Zhengzhang Chen Kangkook Jee Zhichun Li and Adam Bates. 2019. NoDoze: Combatting threat alert fatigue with automated provenance triage. In NDSS (San Diego CA).","DOI":"10.14722\/ndss.2019.23349"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"crossref","unstructured":"Wajih\u00a0Ul Hassan Mark Lemay Nuraini Aguse Adam Bates and Thomas Moyer. 2018. Towards scalable cluster auditing through grammatical inference over provenance graphs. In NDSS (San Diego CA).  Wajih\u00a0Ul Hassan Mark Lemay Nuraini Aguse Adam Bates and Thomas Moyer. 2018. Towards scalable cluster auditing through grammatical inference over provenance graphs. In NDSS (San Diego CA).","DOI":"10.14722\/ndss.2018.23141"},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"crossref","unstructured":"Wajih\u00a0Ul Hassan Mohammad\u00a0A Noureddine Pubali Datta and Adam Bates. 2020. OmegaLog: High-Fidelity Attack Investigation via Transparent Multi-layer Log Analysis. In NDSS.  Wajih\u00a0Ul Hassan Mohammad\u00a0A Noureddine Pubali Datta and Adam Bates. 2020. OmegaLog: High-Fidelity Attack Investigation via Transparent Multi-layer Log Analysis. In NDSS.","DOI":"10.14722\/ndss.2020.24270"},{"key":"e_1_3_2_1_44_1","volume-title":"SLEUTH: Real-time attack scenario reconstruction from COTS audit data. In USENIX Security.","author":"Hossain Md\u00a0Nahid","year":"2017","unstructured":"Md\u00a0Nahid Hossain , Sadegh\u00a0 M Milajerdi , Junao Wang , Birhanu Eshete , Rigel Gjomemo , R Sekar , Scott\u00a0 D Stoller , and VN Venkatakrishnan . 2017 . SLEUTH: Real-time attack scenario reconstruction from COTS audit data. In USENIX Security. Md\u00a0Nahid Hossain, Sadegh\u00a0M Milajerdi, Junao Wang, Birhanu Eshete, Rigel Gjomemo, R Sekar, Scott\u00a0D Stoller, and VN Venkatakrishnan. 2017. SLEUTH: Real-time attack scenario reconstruction from COTS audit data. In USENIX Security."},{"key":"e_1_3_2_1_45_1","volume-title":"Combating Dependence Explosion in Forensic Analysis Using Alternative Tag Propagation Semantics","author":"Hossain Md\u00a0Nahid","unstructured":"Md\u00a0Nahid Hossain , Sanaz Sheikhi , and R Sekar . 2020. Combating Dependence Explosion in Forensic Analysis Using Alternative Tag Propagation Semantics . In IEEE S &P. Md\u00a0Nahid Hossain, Sanaz Sheikhi, and R Sekar. 2020. Combating Dependence Explosion in Forensic Analysis Using Alternative Tag Propagation Semantics. In IEEE S&P."},{"key":"e_1_3_2_1_46_1","volume-title":"USENIX Security Symposium.","author":"Hossain Md\u00a0Nahid","year":"2018","unstructured":"Md\u00a0Nahid Hossain , Junao Wang , R. Sekar , and Scott\u00a0 D. Stoller . 2018 . Dependence-Preserving data compaction for scalable forensic analysis . In USENIX Security Symposium. Md\u00a0Nahid Hossain, Junao Wang, R. Sekar, and Scott\u00a0D. Stoller. 2018. Dependence-Preserving data compaction for scalable forensic analysis. In USENIX Security Symposium."},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134045"},{"key":"e_1_3_2_1_48_1","unstructured":"Samuel\u00a0T. King and Peter\u00a0M. Chen. 2003. Backtracking Intrusions. In SOSP. ACM.  Samuel\u00a0T. King and Peter\u00a0M. Chen. 2003. Backtracking Intrusions. In SOSP. ACM."},{"key":"e_1_3_2_1_49_1","unstructured":"Samuel\u00a0T King Zhuoqing\u00a0Morley Mao Dominic\u00a0G Lucchetti and Peter\u00a0M Chen. 2005. Enriching Intrusion Alerts Through Multi-Host Causality.. In NDSS.  Samuel\u00a0T King Zhuoqing\u00a0Morley Mao Dominic\u00a0G Lucchetti and Peter\u00a0M Chen. 2005. Enriching Intrusion Alerts Through Multi-Host Causality.. In NDSS."},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2003.1254306"},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1145\/948109.948144"},{"key":"e_1_3_2_1_52_1","unstructured":"Pradeep Kumar and H.\u00a0Howie Huang. 2019. GraphOne: A Data Store for Real-time Analytics on Evolving Graphs. In USENIX FAST.  Pradeep Kumar and H.\u00a0Howie Huang. 2019. GraphOne: A Data Store for Real-time Analytics on Evolving Graphs. In USENIX FAST."},{"key":"e_1_3_2_1_53_1","volume-title":"MCI: Modeling-based Causality Inference in Audit Logging for Attack Investigation. In NDSS.","author":"Kwon Yonghwi","year":"2018","unstructured":"Yonghwi Kwon , Fei Wang , Weihang Wang , Kyu\u00a0Hyung Lee , Wen-Chuan Lee , Shiqing Ma , Xiangyu Zhang , Dongyan Xu , Somesh Jha , Gabriela Ciocarlie , 2018 . MCI: Modeling-based Causality Inference in Audit Logging for Attack Investigation. In NDSS. Yonghwi Kwon, Fei Wang, Weihang Wang, Kyu\u00a0Hyung Lee, Wen-Chuan Lee, Shiqing Ma, Xiangyu Zhang, Dongyan Xu, Somesh Jha, Gabriela Ciocarlie, 2018. MCI: Modeling-based Causality Inference in Audit Logging for Attack Investigation. In NDSS."},{"key":"e_1_3_2_1_54_1","unstructured":"Kyu\u00a0Hyung Lee Xiangyu Zhang and Dongyan Xu. 2013. High accuracy attack provenance via binary-based execution partition. In NDSS (San Diego CA).  Kyu\u00a0Hyung Lee Xiangyu Zhang and Dongyan Xu. 2013. High accuracy attack provenance via binary-based execution partition. In NDSS (San Diego CA)."},{"key":"e_1_3_2_1_55_1","unstructured":"Kyu\u00a0Hyung Lee Xiangyu Zhang and Dongyan Xu. 2013. LogGC: Garbage collecting audit log. In CCS.  Kyu\u00a0Hyung Lee Xiangyu Zhang and Dongyan Xu. 2013. LogGC: Garbage collecting audit log. In CCS."},{"key":"e_1_3_2_1_56_1","volume-title":"MICA: A holistic approach to fast in-memory key-value storage. USENIX.","author":"Lim Hyeontaek","year":"2014","unstructured":"Hyeontaek Lim , Donsu Han , David\u00a0 G Andersen , and Michael Kaminsky . 2014 . MICA: A holistic approach to fast in-memory key-value storage. USENIX. Hyeontaek Lim, Donsu Han, David\u00a0G Andersen, and Michael Kaminsky. 2014. MICA: A holistic approach to fast in-memory key-value storage. USENIX."},{"key":"e_1_3_2_1_57_1","doi-asserted-by":"crossref","unstructured":"Yushan Liu Mu Zhang Ding Li Kangkook Jee Zhichun Li Zhenyu Wu Junghwan Rhee and Prateek Mittal. 2018. Towards a Timely Causality Analysis for Enterprise Security. In NDSS.  Yushan Liu Mu Zhang Ding Li Kangkook Jee Zhichun Li Zhenyu Wu Junghwan Rhee and Prateek Mittal. 2018. Towards a Timely Causality Analysis for Enterprise Security. In NDSS.","DOI":"10.14722\/ndss.2018.23254"},{"key":"e_1_3_2_1_58_1","unstructured":"Shiqing Ma Kyu\u00a0Hyung Lee Chung\u00a0Hwan Kim Junghwan Rhee Xiangyu Zhang and Dongyan Xu. 2015. Accurate low cost and instrumentation-free security audit logging for Windows. In ACSAC. ACM.  Shiqing Ma Kyu\u00a0Hyung Lee Chung\u00a0Hwan Kim Junghwan Rhee Xiangyu Zhang and Dongyan Xu. 2015. Accurate low cost and instrumentation-free security audit logging for Windows. In ACSAC. ACM."},{"key":"e_1_3_2_1_59_1","unstructured":"Shiqing Ma Juan Zhai Yonghwi Kwon Kyu\u00a0Hyung Lee Xiangyu Zhang Gabriela Ciocarlie Ashish Gehani Vinod Yegneswaran Dongyan Xu and Somesh Jha. 2018. Kernel-supported cost-effective audit logging for causality tracking. In USENIX ATC.  Shiqing Ma Juan Zhai Yonghwi Kwon Kyu\u00a0Hyung Lee Xiangyu Zhang Gabriela Ciocarlie Ashish Gehani Vinod Yegneswaran Dongyan Xu and Somesh Jha. 2018. Kernel-supported cost-effective audit logging for causality tracking. In USENIX ATC."},{"key":"e_1_3_2_1_60_1","volume-title":"MPI: Multiple Perspective Attack Investigation with Semantic Aware Execution Partitioning. In USENIX Security.","author":"Ma Shiqing","year":"2017","unstructured":"Shiqing Ma , Juan Zhai , Fei Wang , Kyu\u00a0Hyung Lee , Xiangyu Zhang , and Dongyan Xu . 2017 . MPI: Multiple Perspective Attack Investigation with Semantic Aware Execution Partitioning. In USENIX Security. Shiqing Ma, Juan Zhai, Fei Wang, Kyu\u00a0Hyung Lee, Xiangyu Zhang, and Dongyan Xu. 2017. MPI: Multiple Perspective Attack Investigation with Semantic Aware Execution Partitioning. In USENIX Security."},{"key":"e_1_3_2_1_61_1","unstructured":"Shiqing Ma Xiangyu Zhang and Dongyan Xu. 2016. ProTracer: Towards practical provenance tracing by alternating between logging and tainting. In NDSS (San Diego CA).  Shiqing Ma Xiangyu Zhang and Dongyan Xu. 2016. ProTracer: Towards practical provenance tracing by alternating between logging and tainting. In NDSS (San Diego CA)."},{"key":"e_1_3_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363217"},{"key":"e_1_3_2_1_63_1","volume-title":"HOLMES: Real-Time APT Detection through Correlation of Suspicious Information Flows","author":"Milajerdi M.","year":"2019","unstructured":"S.\u00a0 M. Milajerdi , R. Gjomemo , B. Eshete , R. Sekar , and V.\u00a0 N. Venkatakrishnan . 2019 . HOLMES: Real-Time APT Detection through Correlation of Suspicious Information Flows . In IEEE S &P. S.\u00a0M. Milajerdi, R. Gjomemo, B. Eshete, R. Sekar, and V.\u00a0N. Venkatakrishnan. 2019. HOLMES: Real-Time APT Detection through Correlation of Suspicious Information Flows. In IEEE S&P."},{"key":"e_1_3_2_1_64_1","unstructured":"Charlie Miller and Chris Valasek. 2015. Remote exploitation of an unaltered passenger vehicle. (2015).  Charlie Miller and Chris Valasek. 2015. Remote exploitation of an unaltered passenger vehicle. (2015)."},{"key":"e_1_3_2_1_65_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSECP.2003.1219056"},{"key":"e_1_3_2_1_66_1","unstructured":"Rajesh Nishtala Hans Fugal Steven Grimm Marc Kwiatkowski Herman Lee Harry\u00a0C Li Ryan McElroy Mike Paleczny Daniel Peek Paul Saab [n.d.]. Scaling Memcache at Facebook.  Rajesh Nishtala Hans Fugal Steven Grimm Marc Kwiatkowski Herman Lee Harry\u00a0C Li Ryan McElroy Mike Paleczny Daniel Peek Paul Saab [n.d.]. Scaling Memcache at Facebook."},{"key":"e_1_3_2_1_67_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2004.11"},{"key":"e_1_3_2_1_68_1","doi-asserted-by":"crossref","unstructured":"Thomas Pasquier Xueyuan Han Thomas Moyer Adam Bates Olivier Hermant David Eyers Jean Bacon and Margo Seltzer. 2018. Runtime analysis of whole-system provenance. In CCS. ACM.  Thomas Pasquier Xueyuan Han Thomas Moyer Adam Bates Olivier Hermant David Eyers Jean Bacon and Margo Seltzer. 2018. Runtime analysis of whole-system provenance. In CCS. ACM.","DOI":"10.1145\/3243734.3243776"},{"key":"e_1_3_2_1_69_1","unstructured":"Xiaokui Shu Frederico Araujo Douglas\u00a0L Schales Marc\u00a0Ph Stoecklin Jiyong Jang Heqing Huang and Josyula\u00a0R Rao. 2018. Threat intelligence computing. In ACM CCS.  Xiaokui Shu Frederico Araujo Douglas\u00a0L Schales Marc\u00a0Ph Stoecklin Jiyong Jang Heqing Huang and Josyula\u00a0R Rao. 2018. Threat intelligence computing. In ACM CCS."},{"key":"e_1_3_2_1_70_1","unstructured":"Splunk Inc.[n.d.]. splunk. https:\/\/www.splunk.com.  Splunk Inc.[n.d.]. splunk. https:\/\/www.splunk.com."},{"key":"e_1_3_2_1_71_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243763"},{"key":"e_1_3_2_1_72_1","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-45474-8_4"},{"key":"e_1_3_2_1_73_1","unstructured":"Yulai Xie Kiran-Kumar Muniswamy-Reddy Darrell D.\u00a0E. Long Ahmed Amer Dan Feng and Zhipeng Tan. 2011. Compressing Provenance Graphs.  Yulai Xie Kiran-Kumar Muniswamy-Reddy Darrell D.\u00a0E. Long Ahmed Amer Dan Feng and Zhipeng Tan. 2011. Compressing Provenance Graphs."},{"key":"e_1_3_2_1_74_1","unstructured":"Zhang Xu Zhenyu Wu Zhichun Li Kangkook Jee Junghwan Rhee Xusheng Xiao Fengyuan Xu Haining Wang and Guofei Jiang. 2016. High Fidelity Data Reduction for Big Data Security Dependency Analyses. In CCS.  Zhang Xu Zhenyu Wu Zhichun Li Kangkook Jee Junghwan Rhee Xusheng Xiao Fengyuan Xu Haining Wang and Guofei Jiang. 2016. High Fidelity Data Reduction for Big Data Security Dependency Analyses. In CCS."}],"event":{"name":"ACSAC '20: Annual Computer Security Applications Conference","location":"Austin USA","acronym":"ACSAC '20"},"container-title":["Annual Computer Security Applications Conference"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3427228.3427255","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3427228.3427255","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T22:02:24Z","timestamp":1750197744000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3427228.3427255"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,12,7]]},"references-count":74,"alternative-id":["10.1145\/3427228.3427255","10.1145\/3427228"],"URL":"https:\/\/doi.org\/10.1145\/3427228.3427255","relation":{},"subject":[],"published":{"date-parts":[[2020,12,7]]},"assertion":[{"value":"2020-12-08","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}