{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,1]],"date-time":"2026-04-01T10:26:06Z","timestamp":1775039166387,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":77,"publisher":"ACM","license":[{"start":{"date-parts":[[2020,12,7]],"date-time":"2020-12-07T00:00:00Z","timestamp":1607299200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100004801","name":"National Science Foundation","doi-asserted-by":"publisher","award":["17-50024"],"award-info":[{"award-number":["17-50024"]}],"id":[{"id":"10.13039\/501100004801","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2020,12,7]]},"DOI":"10.1145\/3427228.3427272","type":"proceedings-article","created":{"date-parts":[[2020,12,9]],"date-time":"2020-12-09T22:20:18Z","timestamp":1607552418000},"page":"189-202","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":39,"title":["On the Forensic Validity of Approximated Audit Logs"],"prefix":"10.1145","author":[{"given":"Noor","family":"Michael","sequence":"first","affiliation":[{"name":"University of Illinois Urbana-Champaign"}]},{"given":"Jaron","family":"Mink","sequence":"additional","affiliation":[{"name":"University of Illinois Urbana-Champaign, United States of America"}]},{"given":"Jason","family":"Liu","sequence":"additional","affiliation":[{"name":"University of Illinois Urbana-Champaign"}]},{"given":"Sneha","family":"Gaur","sequence":"additional","affiliation":[{"name":"University of Illinois Urbana-Champaign"}]},{"given":"Wajih Ul","family":"Hassan","sequence":"additional","affiliation":[{"name":"University of Illinois Urbana-Champaign, United States of America"}]},{"given":"Adam","family":"Bates","sequence":"additional","affiliation":[{"name":"University of Illinois Urbana-Champaign, United States of America"}]}],"member":"320","published-online":{"date-parts":[[2020,12,8]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"Provenance and Annotation of Data and Processes","author":"Ahmad Raza","unstructured":"Raza Ahmad , Melanie Bru , and Ashish Gehani . 2018. Streaming Provenance Compression . In Provenance and Annotation of Data and Processes , Khalid Belhajjame, Ashish Gehani, and Pinar Alper (Eds.). Springer International Publishing , Cham , 236\u2013240. Raza Ahmad, Melanie Bru, and Ashish Gehani. 2018. Streaming Provenance Compression. In Provenance and Annotation of Data and Processes, Khalid Belhajjame, Ashish Gehani, and Pinar Alper (Eds.). Springer International Publishing, Cham, 236\u2013240."},{"key":"e_1_3_2_1_2_1","unstructured":"AlDanial. 2019. cloc: Count Lines of Code.  AlDanial. 2019. cloc: Count Lines of Code."},{"key":"e_1_3_2_1_4_1","volume-title":"7th Workshop on the Theory and Practice of Provenance","author":"Bates Adam","year":"2015","unstructured":"Adam Bates , Kevin R.\u00a0B. Butler , and Thomas Moyer . 2015 . Take Only What You Need: Leveraging Mandatory Access Control Policy to Reduce Provenance Storage Costs . In 7th Workshop on the Theory and Practice of Provenance ( Edinburgh, Scotland) (TaPP\u201915). Adam Bates, Kevin R.\u00a0B. Butler, and Thomas Moyer. 2015. Take Only What You Need: Leveraging Mandatory Access Control Policy to Reduce Provenance Storage Costs. In 7th Workshop on the Theory and Practice of Provenance (Edinburgh, Scotland) (TaPP\u201915)."},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.5555\/2831143.2831164"},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/3062180"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/PADSW.2018.8645035"},{"key":"e_1_3_2_1_9_1","volume-title":"Equifax Says Cyberattack May Have Affected 143 Million in the U.S.https:\/\/www.nytimes.com\/2017\/09\/07\/business\/equifax-cyberattack.html. Last accessed","author":"Bernard Tara\u00a0Siegel","year":"2020","unstructured":"Tara\u00a0Siegel Bernard , Tiffany Hsu , Nicole Perlroth , and Ron Lieber . 2019. Equifax Says Cyberattack May Have Affected 143 Million in the U.S.https:\/\/www.nytimes.com\/2017\/09\/07\/business\/equifax-cyberattack.html. Last accessed October 16, 2020 . Tara\u00a0Siegel Bernard, Tiffany Hsu, Nicole Perlroth, and Ron Lieber. 2019. Equifax Says Cyberattack May Have Affected 143 Million in the U.S.https:\/\/www.nytimes.com\/2017\/09\/07\/business\/equifax-cyberattack.html. Last accessed October 16, 2020."},{"key":"e_1_3_2_1_10_1","unstructured":"Carbon Black. 2018. Global Incident Response Threat Report. https:\/\/www.carbonblack.com\/global-incident-response-threat-report\/november-2018\/. Last accessed 04-20-2019.  Carbon Black. 2018. Global Incident Response Threat Report. https:\/\/www.carbonblack.com\/global-incident-response-threat-report\/november-2018\/. Last accessed 04-20-2019."},{"key":"e_1_3_2_1_11_1","volume-title":"Windows\u00a0Dev Center","author":"Microsoft","year":"2018","unstructured":"Microsoft : Windows\u00a0Dev Center . 2018 . About Event Tracing . Microsoft: Windows\u00a0Dev Center. 2018. About Event Tracing."},{"key":"e_1_3_2_1_12_1","volume-title":"Windows\u00a0Dev Center","author":"Microsoft","year":"2018","unstructured":"Microsoft : Windows\u00a0Dev Center . 2018 . Event Logging . Microsoft: Windows\u00a0Dev Center. 2018. Event Logging."},{"key":"e_1_3_2_1_13_1","volume-title":"Detecting Covert Timing Channels with Time-Deterministic Replay. In 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI 14)","author":"Chen Ang","year":"2014","unstructured":"Ang Chen , W.\u00a0 Brad Moore , Hanjun Xiao , Andreas Haeberlen , Linh Thi\u00a0Xuan Phan , Micah Sherr , and Wenchao Zhou . 2014 . Detecting Covert Timing Channels with Time-Deterministic Replay. In 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI 14) . USENIX Association, Broomfield, CO, 541\u2013554. https:\/\/www.usenix.org\/conference\/osdi14\/technical-sessions\/presentation\/chen_ang Ang Chen, W.\u00a0Brad Moore, Hanjun Xiao, Andreas Haeberlen, Linh Thi\u00a0Xuan Phan, Micah Sherr, and Wenchao Zhou. 2014. Detecting Covert Timing Channels with Time-Deterministic Replay. In 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI 14). USENIX Association, Broomfield, CO, 541\u2013554. https:\/\/www.usenix.org\/conference\/osdi14\/technical-sessions\/presentation\/chen_ang"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/3035918.3035926"},{"key":"e_1_3_2_1_15_1","unstructured":"DARPA\u00a0Transparent Computing. 2020. Transparent Computing Engagement 3 Data Release.  DARPA\u00a0Transparent Computing. 2020. Transparent Computing Engagement 3 Data Release."},{"key":"e_1_3_2_1_16_1","volume-title":"In Proceedings of the 18th USENIX Security Symposium.","author":"A.","unstructured":"Scott\u00a0 A. Crosby and Dan\u00a0S. Wallach. 2009. Efficient data structures for tamper-evident logging . In In Proceedings of the 18th USENIX Security Symposium. Scott\u00a0A. Crosby and Dan\u00a0S. Wallach. 2009. Efficient data structures for tamper-evident logging. In In Proceedings of the 18th USENIX Security Symposium."},{"key":"e_1_3_2_1_17_1","unstructured":"Birhanu Eshete Rigel Gjomemo Md\u00a0Nahid Hossain Sadegh Momeni R. Sekar Scott\u00a0D. Stoller V.\u00a0N. Venkatakrishnan and Junao Wang. 2016. Attack Analysis Results for Adversarial Engagement 1 of the DARPA Transparent Computing Program. ArXiv abs\/1610.06936(2016).  Birhanu Eshete Rigel Gjomemo Md\u00a0Nahid Hossain Sadegh Momeni R. Sekar Scott\u00a0D. Stoller V.\u00a0N. Venkatakrishnan and Junao Wang. 2016. Attack Analysis Results for Adversarial Engagement 1 of the DARPA Transparent Computing Program. ArXiv abs\/1610.06936(2016)."},{"key":"e_1_3_2_1_18_1","unstructured":"Exploit-DB. 2010. UnrealIRCd 3.2.8.1 - Backdoor Command Execution.  Exploit-DB. 2010. UnrealIRCd 3.2.8.1 - Backdoor Command Execution."},{"key":"e_1_3_2_1_19_1","unstructured":"Exploit-DB. 2011. vsftpd 2.3.4 - Backdoor Command Execution.  Exploit-DB. 2011. vsftpd 2.3.4 - Backdoor Command Execution."},{"key":"e_1_3_2_1_20_1","unstructured":"Exploit-DB. 2019. Webmin 1.920 - Unauthenticated Remote Code Execution.  Exploit-DB. 2019. Webmin 1.920 - Unauthenticated Remote Code Execution."},{"key":"e_1_3_2_1_21_1","volume-title":"DTrace on FreeBSD. https:\/\/wiki.freebsd.org\/DTrace. Last accessed","author":"BSD.","year":"2020","unstructured":"Free BSD. 2019. DTrace on FreeBSD. https:\/\/wiki.freebsd.org\/DTrace. Last accessed October 16, 2020 . FreeBSD. 2019. DTrace on FreeBSD. https:\/\/wiki.freebsd.org\/DTrace. Last accessed October 16, 2020."},{"key":"e_1_3_2_1_22_1","volume-title":"SAQL: A Stream-based Query System for Real-Time Abnormal System Behavior Detection. In 27th USENIX Security Symposium (USENIX Security 18)","author":"Gao Peng","year":"2018","unstructured":"Peng Gao , Xusheng Xiao , Ding Li , Zhichun Li , Kangkook Jee , Zhenyu Wu , Chung\u00a0Hwan Kim , Sanjeev\u00a0 R. Kulkarni , and Prateek Mittal . 2018 . SAQL: A Stream-based Query System for Real-Time Abnormal System Behavior Detection. In 27th USENIX Security Symposium (USENIX Security 18) . USENIX Association, Baltimore, MD, 639\u2013656. https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/gao-peng Peng Gao, Xusheng Xiao, Ding Li, Zhichun Li, Kangkook Jee, Zhenyu Wu, Chung\u00a0Hwan Kim, Sanjeev\u00a0R. Kulkarni, and Prateek Mittal. 2018. SAQL: A Stream-based Query System for Real-Time Abnormal System Behavior Detection. In 27th USENIX Security Symposium (USENIX Security 18). USENIX Association, Baltimore, MD, 639\u2013656. https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/gao-peng"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1007\/s13389-016-0141-6"},{"key":"e_1_3_2_1_24_1","volume-title":"Steps Toward Managing Lineage Metadata in Grid Clusters. In 1st Workshop on the Theory and Practice of Provenance","author":"Gehani Ashish","year":"2009","unstructured":"Ashish Gehani , Minyoung Kim , and Jian Zhang . 2009 . Steps Toward Managing Lineage Metadata in Grid Clusters. In 1st Workshop on the Theory and Practice of Provenance ( San Francisco, CA) (TaPP\u201909). Ashish Gehani, Minyoung Kim, and Jian Zhang. 2009. Steps Toward Managing Lineage Metadata in Grid Clusters. In 1st Workshop on the Theory and Practice of Provenance (San Francisco, CA) (TaPP\u201909)."},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-35170-9_6"},{"key":"e_1_3_2_1_26_1","volume-title":"Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats. In 27th ISOC Network and Distributed System Security Symposium(NDSS\u201920)","author":"Han Xueyan","year":"2020","unstructured":"Xueyan Han , Thomas Pasqueir , Adam Bates , James Mickens , and Margo Seltzer . 2020 . Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats. In 27th ISOC Network and Distributed System Security Symposium(NDSS\u201920) . Xueyan Han, Thomas Pasqueir, Adam Bates, James Mickens, and Margo Seltzer. 2020. Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats. In 27th ISOC Network and Distributed System Security Symposium(NDSS\u201920)."},{"key":"e_1_3_2_1_27_1","volume-title":"Proceedings of the 7th USENIX Conference on File and Storage Technologies(FAST\u201909)","author":"Hasan Ragib","year":"2009","unstructured":"Ragib Hasan , Radu Sion , and Marianne Winslett . 2009 . The Case of the Fake Picasso: Preventing History Forgery with Secure Provenance . In Proceedings of the 7th USENIX Conference on File and Storage Technologies(FAST\u201909) . San Francisco, CA, USA. Ragib Hasan, Radu Sion, and Marianne Winslett. 2009. The Case of the Fake Picasso: Preventing History Forgery with Secure Provenance. In Proceedings of the 7th USENIX Conference on File and Storage Technologies(FAST\u201909). San Francisco, CA, USA."},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23141"},{"key":"e_1_3_2_1_29_1","volume-title":"Tactical Provenance Analysis for Endpoint Detection and Response Systems. In 41st IEEE Symposium on Security and Privacy (SP)(Oakland\u201920)","author":"Hassan Wajih\u00a0Ul","year":"2020","unstructured":"Wajih\u00a0Ul Hassan , Adam Bates , and Daniel Marino . 2020 . Tactical Provenance Analysis for Endpoint Detection and Response Systems. In 41st IEEE Symposium on Security and Privacy (SP)(Oakland\u201920) . Wajih\u00a0Ul Hassan, Adam Bates, and Daniel Marino. 2020. Tactical Provenance Analysis for Endpoint Detection and Response Systems. In 41st IEEE Symposium on Security and Privacy (SP)(Oakland\u201920)."},{"key":"e_1_3_2_1_30_1","volume-title":"NoDoze: Combatting Threat Alert Fatigue with Automated Provenance Triage. In 26th ISOC Network and Distributed System Security Symposium(NDSS\u201919)","author":"Hassan Wajih\u00a0Ul","year":"2019","unstructured":"Wajih\u00a0Ul Hassan , Shengjian Guo , Ding Li , Zhengzhang Chen , Kangkook Jee , Zhichun Li , and Adam Bates . 2019 . NoDoze: Combatting Threat Alert Fatigue with Automated Provenance Triage. In 26th ISOC Network and Distributed System Security Symposium(NDSS\u201919) . Wajih\u00a0Ul Hassan, Shengjian Guo, Ding Li, Zhengzhang Chen, Kangkook Jee, Zhichun Li, and Adam Bates. 2019. NoDoze: Combatting Threat Alert Fatigue with Automated Provenance Triage. In 26th ISOC Network and Distributed System Security Symposium(NDSS\u201919)."},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23141"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24270"},{"key":"e_1_3_2_1_33_1","volume-title":"Proc. of the Australasian Information Security Workshop (AISW-NetSec).","author":"Holt E.","year":"2006","unstructured":"Jason\u00a0 E. Holt . 2006 . Logcrypt: Forward Security and Public Verification for Secure Audit Logs . In Proc. of the Australasian Information Security Workshop (AISW-NetSec). Jason\u00a0E. Holt. 2006. Logcrypt: Forward Security and Public Verification for Secure Audit Logs. In Proc. of the Australasian Information Security Workshop (AISW-NetSec)."},{"key":"e_1_3_2_1_34_1","volume-title":"26th USENIX Security Symposium (USENIX Security 17)","author":"Hossain Md\u00a0Nahid","unstructured":"Md\u00a0Nahid Hossain , Sadegh\u00a0 M. Milajerdi , Junao Wang , Birhanu Eshete , Rigel Gjomemo , R. Sekar , Scott Stoller , and V.N. Venkatakrishnan . 2017. SLEUTH: Real-time Attack Scenario Reconstruction from COTS Audit Data . In 26th USENIX Security Symposium (USENIX Security 17) . USENIX Association, Vancouver, BC, 487\u2013504. https:\/\/www.usenix.org\/conference\/usenixsecurity17\/technical-sessions\/presentation\/hossain Md\u00a0Nahid Hossain, Sadegh\u00a0M. Milajerdi, Junao Wang, Birhanu Eshete, Rigel Gjomemo, R. Sekar, Scott Stoller, and V.N. Venkatakrishnan. 2017. SLEUTH: Real-time Attack Scenario Reconstruction from COTS Audit Data. In 26th USENIX Security Symposium (USENIX Security 17). USENIX Association, Vancouver, BC, 487\u2013504. https:\/\/www.usenix.org\/conference\/usenixsecurity17\/technical-sessions\/presentation\/hossain"},{"key":"e_1_3_2_1_35_1","volume-title":"Proceedings of the 2020 IEEE Symposium on Security and Privacy (S&P).","author":"Hossain Md\u00a0Nahid","unstructured":"Md\u00a0Nahid Hossain , Sanaz Sheikhi , and R. Sekar . 2020. Combating Dependence Explosion in Forensic Analysis Using Alternative Tag Propagation Semantics . In Proceedings of the 2020 IEEE Symposium on Security and Privacy (S&P). Md\u00a0Nahid Hossain, Sanaz Sheikhi, and R. Sekar. 2020. Combating Dependence Explosion in Forensic Analysis Using Alternative Tag Propagation Semantics. In Proceedings of the 2020 IEEE Symposium on Security and Privacy (S&P)."},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.5555\/3277203.3277331"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3053034"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/1165389.945467"},{"key":"e_1_3_2_1_39_1","volume-title":"Inside the Cyberattack That Shocked the US Government. https:\/\/www.wired.com\/2016\/10\/inside-cyberattack-shocked-us-government\/. Last accessed","author":"Koerner I.","year":"2020","unstructured":"Brendan\u00a0 I. Koerner . 2019. Inside the Cyberattack That Shocked the US Government. https:\/\/www.wired.com\/2016\/10\/inside-cyberattack-shocked-us-government\/. Last accessed October 16, 2020 . Brendan\u00a0I. Koerner. 2019. Inside the Cyberattack That Shocked the US Government. https:\/\/www.wired.com\/2016\/10\/inside-cyberattack-shocked-us-government\/. Last accessed October 16, 2020."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/2872362.2872395"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23306"},{"key":"e_1_3_2_1_42_1","volume-title":"Proceedings of NDSS \u201913","author":"Lee Kyu\u00a0Hyung","year":"2013","unstructured":"Kyu\u00a0Hyung Lee , Xiangyu Zhang , and Dongyan Xu . 2013 . High Accuracy Attack Provenance via Binary-based Execution Partition . In Proceedings of NDSS \u201913 ( San Diego, CA). Kyu\u00a0Hyung Lee, Xiangyu Zhang, and Dongyan Xu. 2013. High Accuracy Attack Provenance via Binary-based Execution Partition. In Proceedings of NDSS \u201913(San Diego, CA)."},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516731"},{"key":"e_1_3_2_1_44_1","volume-title":"SNAP: Stanford Network Analysis Project.","author":"Leskovec Jure","year":"2009","unstructured":"Jure Leskovec . 2009 . SNAP: Stanford Network Analysis Project. Jure Leskovec. 2009. SNAP: Stanford Network Analysis Project."},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23254"},{"key":"e_1_3_2_1_46_1","volume-title":"Information Systems Security","author":"Milajerdi Sadegh","unstructured":"Sadegh M.\u00a0 Milajerdi , Birhanu Eshete , Rigel Gjomemo , and Venkat\u00a0 N. Venkatakrishnan . 2018. ProPatrol: Attack Investigation via Extracted High-Level Tasks . In Information Systems Security , Vinod Ganapathy, Trent Jaeger, and R.K. Shyamasundar(Eds.). Springer International Publishing , Cham , 107\u2013126. Sadegh M.\u00a0Milajerdi, Birhanu Eshete, Rigel Gjomemo, and Venkat\u00a0N. Venkatakrishnan. 2018. ProPatrol: Attack Investigation via Extracted High-Level Tasks. In Information Systems Security, Vinod Ganapathy, Trent Jaeger, and R.K. Shyamasundar(Eds.). Springer International Publishing, Cham, 107\u2013126."},{"key":"e_1_3_2_1_47_1","article-title":"A new approach to secure logging","volume":"5","author":"Ma Di","year":"2009","unstructured":"Di Ma and Gene Tsudik . 2009 . A new approach to secure logging . ACM Transactions on Storage (TOS) 5 , 1 (2009). Di Ma and Gene Tsudik. 2009. A new approach to secure logging. ACM Transactions on Storage (TOS) 5, 1 (2009).","journal-title":"ACM Transactions on Storage (TOS)"},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/2818000.2818039"},{"key":"e_1_3_2_1_49_1","volume-title":"Kernel-Supported Cost-Effective Audit Logging for Causality Tracking. In 2018 USENIX Annual Technical Conference (USENIX ATC 18)","author":"Ma Shiqing","year":"2018","unstructured":"Shiqing Ma , Juan Zhai , Yonghwi Kwon , Kyu\u00a0Hyung Lee , Xiangyu Zhang , Gabriela Ciocarlie , Ashish Gehani , Vinod Yegneswaran , Dongyan Xu , and Somesh Jha . 2018 . Kernel-Supported Cost-Effective Audit Logging for Causality Tracking. In 2018 USENIX Annual Technical Conference (USENIX ATC 18) . USENIX Association, Boston, MA, 241\u2013254. https:\/\/www.usenix.org\/conference\/atc18\/presentation\/ma-shiqing Shiqing Ma, Juan Zhai, Yonghwi Kwon, Kyu\u00a0Hyung Lee, Xiangyu Zhang, Gabriela Ciocarlie, Ashish Gehani, Vinod Yegneswaran, Dongyan Xu, and Somesh Jha. 2018. Kernel-Supported Cost-Effective Audit Logging for Causality Tracking. In 2018 USENIX Annual Technical Conference (USENIX ATC 18). USENIX Association, Boston, MA, 241\u2013254. https:\/\/www.usenix.org\/conference\/atc18\/presentation\/ma-shiqing"},{"key":"e_1_3_2_1_50_1","volume-title":"MPI: Multiple Perspective Attack Investigation with Semantic Aware Execution Partitioning. In 26th USENIX Security Symposium.","author":"Ma Shiqing","year":"2017","unstructured":"Shiqing Ma , Juan Zhai , Fei Wang , Kyu\u00a0Hyung Lee , Xiangyu Zhang , and Dongyan Xu . 2017 . MPI: Multiple Perspective Attack Investigation with Semantic Aware Execution Partitioning. In 26th USENIX Security Symposium. Shiqing Ma, Juan Zhai, Fei Wang, Kyu\u00a0Hyung Lee, Xiangyu Zhang, and Dongyan Xu. 2017. MPI: Multiple Perspective Attack Investigation with Semantic Aware Execution Partitioning. In 26th USENIX Security Symposium."},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23350"},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/2939672.2939783"},{"key":"e_1_3_2_1_53_1","volume-title":"Proceedings of the 2nd conference on Theory and practice of provenance. USENIX Association","author":"McDaniel P.","unstructured":"P. McDaniel , K. Butler , S. McLaughlin , R. Sion , E. Zadok , and M. Winslett . 2010. Towards a Secure and Efficient System for End-to-End Provenance . In Proceedings of the 2nd conference on Theory and practice of provenance. USENIX Association , San Jose, CA, USA. P. McDaniel, K. Butler, S. McLaughlin, R. Sion, E. Zadok, and M. Winslett. 2010. Towards a Secure and Efficient System for End-to-End Provenance. In Proceedings of the 2nd conference on Theory and practice of provenance. USENIX Association, San Jose, CA, USA."},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00026"},{"key":"e_1_3_2_1_55_1","volume-title":"https:\/\/attack.mitre.org. Last accessed","author":"MITRE.","year":"2020","unstructured":"MITRE. 2019. MITRE ATT&CK. https:\/\/attack.mitre.org. Last accessed October 16, 2020 . MITRE. 2019. MITRE ATT&CK. https:\/\/attack.mitre.org. Last accessed October 16, 2020."},{"key":"e_1_3_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.5555\/1855807.1855817"},{"key":"e_1_3_2_1_57_1","volume-title":"Information on the Capital One Cyber Incident. https:\/\/www.capitalone.com\/facts2019\/. Last accessed","author":"One Capital","year":"2020","unstructured":"Capital One . 2019. Information on the Capital One Cyber Incident. https:\/\/www.capitalone.com\/facts2019\/. Last accessed October 16, 2020 . Capital One. 2019. Information on the Capital One Cyber Incident. https:\/\/www.capitalone.com\/facts2019\/. Last accessed October 16, 2020."},{"key":"e_1_3_2_1_58_1","volume-title":"Custos: Practical Tamper-Evident Auditing of Operating Systems Using Trusted Execution. In 27th ISOC Network and Distributed System Security Symposium(NDSS\u201920)","author":"Paccagnella Riccardo","year":"2020","unstructured":"Riccardo Paccagnella , Pubali Datta , Wajih\u00a0Ul Hassan , Adam Bates , Christopher\u00a0 W. Fletcher , Andrew Miller , and Dave Tian . 2020 . Custos: Practical Tamper-Evident Auditing of Operating Systems Using Trusted Execution. In 27th ISOC Network and Distributed System Security Symposium(NDSS\u201920) . Riccardo Paccagnella, Pubali Datta, Wajih\u00a0Ul Hassan, Adam Bates, Christopher\u00a0W. Fletcher, Andrew Miller, and Dave Tian. 2020. Custos: Practical Tamper-Evident Auditing of Operating Systems Using Trusted Execution. In 27th ISOC Network and Distributed System Security Symposium(NDSS\u201920)."},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417862"},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1145\/3127479.3129249"},{"key":"e_1_3_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1145\/2991079.2991122"},{"key":"e_1_3_2_1_62_1","volume-title":"Proceedings of the 2012 Annual Computer Security Applications Conference(ACSAC \u201912)","author":"Pohly D.J.","unstructured":"D.J. Pohly , S. McLaughlin , P. McDaniel , and K. Butler . 2012. Hi-Fi: Collecting High-Fidelity Whole-System Provenance . In Proceedings of the 2012 Annual Computer Security Applications Conference(ACSAC \u201912) . Orlando, FL, USA. D.J. Pohly, S. McLaughlin, P. McDaniel, and K. Butler. 2012. Hi-Fi: Collecting High-Fidelity Whole-System Provenance. In Proceedings of the 2012 Annual Computer Security Applications Conference(ACSAC \u201912). Orlando, FL, USA."},{"key":"e_1_3_2_1_63_1","unstructured":"Rapid7. 2018. WordPress Admin Shell Upload.  Rapid7. 2018. WordPress Admin Shell Upload."},{"key":"e_1_3_2_1_64_1","unstructured":"rebootuser. 2019. LinEnum.  rebootuser. 2019. LinEnum."},{"key":"e_1_3_2_1_65_1","unstructured":"RedHat. 2019. Linux Audit.  RedHat. 2019. Linux Audit."},{"key":"e_1_3_2_1_66_1","volume-title":"Target Missed Warnings in Epic Hack of Credit Card Data. https:\/\/bloom.bg\/2KjElxM. Last accessed","author":"Riley Michael","year":"2020","unstructured":"Michael Riley , Ben Elgin , Dune Lawrence , and Carol Matlack . 2019. Target Missed Warnings in Epic Hack of Credit Card Data. https:\/\/bloom.bg\/2KjElxM. Last accessed October 16, 2020 . Michael Riley, Ben Elgin, Dune Lawrence, and Carol Matlack. 2019. Target Missed Warnings in Epic Hack of Credit Card Data. https:\/\/bloom.bg\/2KjElxM. Last accessed October 16, 2020."},{"key":"e_1_3_2_1_67_1","volume-title":"Proc. of the USENIX Security Symposium (USENIX).","author":"Schneier Bruce","year":"1998","unstructured":"Bruce Schneier and John Kelsey . 1998 . Cryptographic Support for Secure Logs on Untrusted Machines .. In Proc. of the USENIX Security Symposium (USENIX). Bruce Schneier and John Kelsey. 1998. Cryptographic Support for Secure Logs on Untrusted Machines.. In Proc. of the USENIX Security Symposium (USENIX)."},{"key":"e_1_3_2_1_68_1","volume-title":"Secure audit logs to support computer forensics. ACM Transactions on Information and System Security (TISSEC)","author":"Schneier Bruce","year":"1999","unstructured":"Bruce Schneier and John Kelsey . 1999. Secure audit logs to support computer forensics. ACM Transactions on Information and System Security (TISSEC) ( 1999 ). Bruce Schneier and John Kelsey. 1999. Secure audit logs to support computer forensics. ACM Transactions on Information and System Security (TISSEC) (1999)."},{"key":"e_1_3_2_1_69_1","volume-title":"Proceedings of the 15th Conference on USENIX Security Symposium -","volume":"15","author":"Shah Gaurav","year":"2006","unstructured":"Gaurav Shah , Andres Molina , and Matt Blaze . 2006 . Keyboards and Covert Channels . In Proceedings of the 15th Conference on USENIX Security Symposium - Volume 15 (Vancouver, B.C., Canada) (USENIX-SS\u201906). USENIX Association, USA, Article 5, 17\u00a0pages. Gaurav Shah, Andres Molina, and Matt Blaze. 2006. Keyboards and Covert Channels. In Proceedings of the 15th Conference on USENIX Security Symposium - Volume 15 (Vancouver, B.C., Canada) (USENIX-SS\u201906). USENIX Association, USA, Article 5, 17\u00a0pages."},{"key":"e_1_3_2_1_70_1","unstructured":"Symantec. 2019. About purging reports. https:\/\/help.symantec.com\/cs\/SYMANTECEDR_4.0\/EDR\/v118097546_v128933990\/About-purging-reports?locale=EN_US.  Symantec. 2019. About purging reports. https:\/\/help.symantec.com\/cs\/SYMANTECEDR_4.0\/EDR\/v118097546_v128933990\/About-purging-reports?locale=EN_US."},{"key":"e_1_3_2_1_71_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243763"},{"key":"e_1_3_2_1_72_1","volume-title":"Clearview AI has billions of our photos. Its entire client list was just stolen. https:\/\/www.cnn.com\/2020\/02\/26\/tech\/clearview-ai-hack\/index.html. Last accessed","author":"Valinsky Jordan","year":"2020","unstructured":"Jordan Valinsky . 2020. Clearview AI has billions of our photos. Its entire client list was just stolen. https:\/\/www.cnn.com\/2020\/02\/26\/tech\/clearview-ai-hack\/index.html. Last accessed October 16, 2020 . Jordan Valinsky. 2020. Clearview AI has billions of our photos. Its entire client list was just stolen. https:\/\/www.cnn.com\/2020\/02\/26\/tech\/clearview-ai-hack\/index.html. Last accessed October 16, 2020."},{"key":"e_1_3_2_1_73_1","doi-asserted-by":"publisher","DOI":"10.1145\/3274694.3274751"},{"key":"e_1_3_2_1_74_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24167"},{"key":"e_1_3_2_1_75_1","doi-asserted-by":"publisher","DOI":"10.1145\/2396761.2398511"},{"key":"e_1_3_2_1_76_1","article-title":"Evaluation of a Hybrid Approach for Efficient Provenance","volume":"9","author":"Xie Yulai","year":"2013","unstructured":"Yulai Xie , Kiran-Kumar Muniswamy-Reddy , Dan Feng , Yan Li , and Darrell D.\u00a0E. Long . 2013 . Evaluation of a Hybrid Approach for Efficient Provenance Storage. Trans. Storage 9 , 4, Article 14 (Nov. 2013), 29\u00a0pages. https:\/\/doi.org\/10.1145\/2501986 10.1145\/2501986 Yulai Xie, Kiran-Kumar Muniswamy-Reddy, Dan Feng, Yan Li, and Darrell D.\u00a0E. Long. 2013. Evaluation of a Hybrid Approach for Efficient Provenance Storage. Trans. Storage 9, 4, Article 14 (Nov. 2013), 29\u00a0pages. https:\/\/doi.org\/10.1145\/2501986","journal-title":"Storage. Trans. Storage"},{"key":"e_1_3_2_1_77_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978378"},{"key":"e_1_3_2_1_78_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2009.28"},{"key":"e_1_3_2_1_79_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-32946-3_12"}],"event":{"name":"ACSAC '20: Annual Computer Security Applications Conference","location":"Austin USA","acronym":"ACSAC '20"},"container-title":["Annual Computer Security Applications Conference"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3427228.3427272","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3427228.3427272","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T22:02:24Z","timestamp":1750197744000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3427228.3427272"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,12,7]]},"references-count":77,"alternative-id":["10.1145\/3427228.3427272","10.1145\/3427228"],"URL":"https:\/\/doi.org\/10.1145\/3427228.3427272","relation":{},"subject":[],"published":{"date-parts":[[2020,12,7]]},"assertion":[{"value":"2020-12-08","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}