{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,23]],"date-time":"2026-03-23T10:15:04Z","timestamp":1774260904806,"version":"3.50.1"},"reference-count":115,"publisher":"Association for Computing Machinery (ACM)","issue":"7","license":[{"start":{"date-parts":[[2022,12,15]],"date-time":"2022-12-15T00:00:00Z","timestamp":1671062400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"Cyber Security Research Centre Limited"},{"name":"Australian Government\u2019s Cooperative Research Centres Programme"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Comput. Surv."],"published-print":{"date-parts":[[2023,7,31]]},"abstract":"<jats:p>\n            Traditional\n            <jats:bold>Intrusion Detection Systems (IDS)<\/jats:bold>\n            cannot cope with the increasing number and sophistication of cyberattacks such as\n            <jats:bold>Advanced Persistent Threats (APT)<\/jats:bold>\n            . Due to their high false-positive rate and the required effort of security experts to validate them, incidents can remain undetected for up to several months. As a result, enterprises suffer from data loss and severe financial damage. Recent research explored data provenance for\n            <jats:bold>Host-based Intrusion Detection Systems (HIDS)<\/jats:bold>\n            as one promising data source to tackle this issue. Data provenance represents information flows between system entities as\n            <jats:bold>Direct Acyclic Graph (DAG)<\/jats:bold>\n            .\n            <jats:bold>Provenance-based Intrusion Detection Systems (PIDS)<\/jats:bold>\n            utilize data provenance to enhance the detection performance of intrusions and reduce false-alarm rates compared to traditional IDS. This survey demonstrates the potential of PIDS by providing a detailed evaluation of recent research in the field, proposing a novel taxonomy for PIDS, discussing current issues, and potential future research directions. This survey aims to help and motivate researchers to get started in the field of PIDS by tackling issues of data collection, graph summarization, intrusion detection, and developing real-world benchmark datasets.\n          <\/jats:p>","DOI":"10.1145\/3539605","type":"journal-article","created":{"date-parts":[[2022,6,11]],"date-time":"2022-06-11T22:40:05Z","timestamp":1654987205000},"page":"1-36","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":115,"title":["Provenance-based Intrusion Detection Systems: A Survey"],"prefix":"10.1145","volume":"55","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3957-9331","authenticated-orcid":false,"given":"Michael","family":"Zipperle","sequence":"first","affiliation":[{"name":"University of New South Wales, Canberra, Australia and Cyber Security Cooperative Research Centre, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7173-4226","authenticated-orcid":false,"given":"Florian","family":"Gottwalt","sequence":"additional","affiliation":[{"name":"University of New South Wales, Canberra, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4439-1854","authenticated-orcid":false,"given":"Elizabeth","family":"Chang","sequence":"additional","affiliation":[{"name":"Griffith University, Gold Coast, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7527-129X","authenticated-orcid":false,"given":"Tharam","family":"Dillon","sequence":"additional","affiliation":[{"name":"La Trobe University, Melbourne, Australia"}]}],"member":"320","published-online":{"date-parts":[[2022,12,15]]},"reference":[{"key":"e_1_3_1_2_2","unstructured":"ACM. 2021. ACM Computing Surveys.https:\/\/dl.acm.org\/journal\/csur."},{"key":"e_1_3_1_3_2","unstructured":"Md. Monowar Anjum Shahrear Iqbal and Benoit Hamelin. 2021. Analyzing the Usefulness of the DARPA OpTC Dataset in Cyber Threat Detection Research. arxiv:2103.03080 [cs.CR]"},{"key":"e_1_3_1_4_2","doi-asserted-by":"publisher","DOI":"10.1.1.1.6603"},{"key":"e_1_3_1_5_2","doi-asserted-by":"publisher","DOI":"10.1109\/CNS48642.2020.9162264"},{"key":"e_1_3_1_6_2","volume-title":"11th International Workshop on Theory and Practice of Provenance (TaPP\u201919)","author":"Barre Mathieu","year":"2019","unstructured":"Mathieu Barre, Ashish Gehani, and Vinod Yegneswaran. 2019. Mining data provenance to detect advanced persistent threats. In 11th International Workshop on Theory and Practice of Provenance (TaPP\u201919). USENIX Association. https:\/\/www.usenix.org\/conference\/tapp2019\/presentation\/barre."},{"key":"e_1_3_1_7_2","first-page":"319","volume-title":"24th USENIX Security Symposium (USENIX Security\u201915)","author":"Bates Adam","year":"2015","unstructured":"Adam Bates, Dave (Jing) Tian, Kevin R. B. Butler, and Thomas Moyer. 2015. Trustworthy whole-system provenance for the Linux kernel. In 24th USENIX Security Symposium (USENIX Security\u201915). USENIX Association, Washington, D.C., 319\u2013334. https:\/\/www.usenix.org\/conference\/usenixsecurity15\/technical-sessions\/presentation\/bates."},{"key":"e_1_3_1_8_2","doi-asserted-by":"publisher","DOI":"10.1145\/3062180"},{"key":"e_1_3_1_9_2","volume-title":"11th International Workshop on Theory and Practice of Provenance (TaPP\u201919)","author":"Berrada Ghita","year":"2019","unstructured":"Ghita Berrada and James Cheney. 2019. Aggregating unsupervised provenance anomaly detectors. In 11th International Workshop on Theory and Practice of Provenance (TaPP\u201919). USENIX Association, Philadelphia, PA. https:\/\/www.usenix.org\/conference\/tapp2019\/presentation\/berrada."},{"key":"e_1_3_1_10_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2020.02.015"},{"key":"e_1_3_1_11_2","unstructured":"Bibliometrix. 2021. Bibliometrix R Package. https:\/\/www.bibliometrix.org\/index.html."},{"key":"e_1_3_1_12_2","unstructured":"BITSIGHT. 2021. The Financial Impact of SolarWinds Breach. https:\/\/www.bitsight.com\/blog\/the-financial-impact-of-solarwinds-a-cyber-catastrophe-but-insurance-disaster-avoided."},{"key":"e_1_3_1_13_2","doi-asserted-by":"publisher","DOI":"10.1145\/3344382"},{"key":"e_1_3_1_14_2","unstructured":"Business Insider. 2020. Here\u2019s a Simple Explanation of How the Massive SolarWinds Hack Happened and why it\u2019s Such a Big Deal. https:\/\/www.businessinsider.com.au\/solarwinds-hack-explained-government-agencies-cyber-security-2020-12?r=US&IR=T."},{"key":"e_1_3_1_15_2","doi-asserted-by":"publisher","DOI":"10.22364\/bjmc.2018.6.3.01"},{"key":"e_1_3_1_16_2","unstructured":"Clarivate. 2021. Web of Science Core Collection Basic Search. https:\/\/apps.webofknowledge.com\/WOS_GeneralSearch_input.do?product=WOS&search_mode=GeneralSearch&SID=F4RZJg74Nnxe9ZS23ay&preferencesSaved=."},{"key":"e_1_3_1_17_2","unstructured":"Connected Papers. 2021. Explore Connected Papers in a Visual Graph. https:\/\/www.connectedpapers.com\/."},{"key":"e_1_3_1_18_2","doi-asserted-by":"publisher","DOI":"10.1109\/CNS.2015.7346912"},{"key":"e_1_3_1_19_2","volume-title":"Developing a High-Accuracy Cross Platform Host-Based Intrusion Detection System Capable of Reliably Detecting Zero-day Attacks.","author":"Creech Gideon","year":"2014","unstructured":"Gideon Creech. 2014. Developing a High-Accuracy Cross Platform Host-Based Intrusion Detection System Capable of Reliably Detecting Zero-day Attacks.Ph. D. Dissertation. University of New South Wales, Canberra, Australia."},{"key":"e_1_3_1_20_2","doi-asserted-by":"publisher","DOI":"10.1109\/WCNC.2013.6555301"},{"key":"e_1_3_1_21_2","unstructured":"CrowdStrike. 2021. What Causes IT Alert Fatigue and How to Avoid It. https:\/\/www.crowdstrike.com\/blog\/causes-alert-fatigue-avoid\/."},{"key":"e_1_3_1_22_2","unstructured":"DARPA. 2021. Operationally Transparent Cyber (OpTC) Data Release. https:\/\/github.com\/FiveDirections\/OpTC-data."},{"key":"e_1_3_1_23_2","unstructured":"DARPA. 2021. Transparent Computing Engagement 5. https:\/\/github.com\/darpa-i2o\/Transparent-Computing."},{"key":"e_1_3_1_24_2","doi-asserted-by":"publisher","DOI":"10.1145\/2843859.2843867"},{"key":"e_1_3_1_25_2","unstructured":"DTrace. 2020. About DTrace. http:\/\/dtrace.org\/blogs\/about\/."},{"key":"e_1_3_1_26_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134015"},{"key":"e_1_3_1_27_2","unstructured":"Elsevier. 2021. Science Health and Medical Journals Full Text Articles and Books.https:\/\/www.sciencedirect.com\/."},{"key":"e_1_3_1_28_2","unstructured":"Elsevier. 2021. Scopus. https:\/\/www.scopus.com\/search\/form.uri?display=basic#basic."},{"key":"e_1_3_1_29_2","unstructured":"FireEye. 2020. The Numbers Game: How Many Alerts are too Many to Handle?https:\/\/www.fireeye.com\/offers\/rpt-idc-the-numbers-game.html."},{"key":"e_1_3_1_30_2","first-page":"639","volume-title":"27th USENIX Security Symposium (USENIX Security\u201918)","author":"Gao Peng","year":"2018","unstructured":"Peng Gao, Xusheng Xiao, Ding Li, Zhichun Li, Kangkook Jee, Zhenyu Wu, Chung Hwan Kim, Sanjeev R. Kulkarni, and Prateek Mittal. 2018. SAQL: A stream-based query system for real-time abnormal system behavior detection. In 27th USENIX Security Symposium (USENIX Security\u201918). USENIX Association, Baltimore, MD, 639\u2013656. https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/gao-peng."},{"key":"e_1_3_1_31_2","first-page":"113","volume-title":"2018 USENIX Annual Technical Conference (USENIX ATC\u201918)","author":"Gao Peng","year":"2018","unstructured":"Peng Gao, Xusheng Xiao, Zhichun Li, Fengyuan Xu, Sanjeev R. Kulkarni, and Prateek Mittal. 2018. AIQL: Enabling efficient attack investigation from system monitoring data. In 2018 USENIX Annual Technical Conference (USENIX ATC\u201918). 113\u2013126."},{"key":"e_1_3_1_32_2","article-title":"ADSAGE: Anomaly detection in sequences of attributed graph edges applied to insider threat detection at fine-grained level","author":"Garchery Mathieu","year":"2020","unstructured":"Mathieu Garchery and Michael Granitzer. 2020. ADSAGE: Anomaly detection in sequences of attributed graph edges applied to insider threat detection at fine-grained level. arXiv preprint arXiv:2007.06985 (2020).","journal-title":"arXiv preprint arXiv:2007.06985"},{"key":"e_1_3_1_33_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-35170-9_6"},{"key":"e_1_3_1_34_2","unstructured":"GitHub. 2021. CyberBattleSim. https:\/\/github.com\/microsoft\/CyberBattleSim."},{"key":"e_1_3_1_35_2","unstructured":"GitHub. 2021. FiveDirections\/OpTC-data. https:\/\/github.com\/FiveDirections\/OpTC-data\/blob\/master\/ecar.md."},{"key":"e_1_3_1_36_2","unstructured":"GitHub. 2021. PurpleSharp. https:\/\/github.com\/mvelazc0\/PurpleSharp."},{"key":"e_1_3_1_37_2","unstructured":"GitHub. 2021. redcanaryco\/atomic-red-team: Small and Highly Portable Detection Tests Based on MITRE\u2019s ATT&CK.https:\/\/github.com\/redcanaryco\/atomic-red-team."},{"key":"e_1_3_1_38_2","unstructured":"GitHub. 2021. SimuLand. https:\/\/github.com\/Azure\/SimuLand."},{"key":"e_1_3_1_39_2","unstructured":"GitHub. 2021. Splunk Attack Range. https:\/\/github.com\/splunk\/attack_range."},{"key":"e_1_3_1_40_2","unstructured":"John Griffith Derrick Kong Armando Caro Brett Benyo Joud Khoury Timothy Upthegrove Timothy Christovich Stanislav Ponomorov Ali Sydney Arjun Saini Vladimir Shurbanov Christopher Willig David Levin and Jack Dietz. 2020. Scalable Transparency Architecture for Research Collaboration (STARC)-DARPA Transparent Computing (TC) Program. https:\/\/apps.dtic.mil\/sti\/citations\/AD1092961."},{"key":"e_1_3_1_41_2","doi-asserted-by":"crossref","unstructured":"Aditya Grover and Jure Leskovec. 2016. node2vec: Scalable Feature Learning for Networks. arxiv:1607.00653 [cs.SI]","DOI":"10.1145\/2939672.2939754"},{"key":"e_1_3_1_42_2","doi-asserted-by":"publisher","DOI":"10.3390\/FI8030029"},{"key":"e_1_3_1_43_2","unstructured":"Xueyuan Han James Mickens Ashish Gehani Margo Seltzer and Thomas Pasquier. 2020. Xanthus: Push-button Orchestration of Host Provenance Data Collection. arxiv:2005.04717 [cs.CR]"},{"key":"e_1_3_1_44_2","volume-title":"9th USENIX Workshop on Hot Topics in Cloud Computing (HotCloud 17)","author":"Han Xueyuan","year":"2017","unstructured":"Xueyuan Han, Thomas Pasquier, Tanvi Ranjan, Mark Goldstein, and Margo Seltzer. 2017. FRAPpuccino: Fault-detection through runtime analysis of provenance. In 9th USENIX Workshop on Hot Topics in Cloud Computing (HotCloud 17). USENIX Association, Santa Clara, CA. https:\/\/www.usenix.org\/conference\/hotcloud17\/program\/presentation\/han."},{"key":"e_1_3_1_45_2","volume-title":"10th USENIX Workshop on the Theory and Practice of Provenance (TaPP\u201918)","author":"Han Xueyuan","year":"2018","unstructured":"Xueyuan Han, Thomas Pasquier, and Margo Seltzer. 2018. Provenance-based intrusion detection: Opportunities and challenges. In 10th USENIX Workshop on the Theory and Practice of Provenance (TaPP\u201918). arXiv:1806.00934 http:\/\/arxiv.org\/abs\/1806.00934."},{"key":"e_1_3_1_46_2","unstructured":"Xueyuan Han Xiao Yu Thomas Pasquier Ding Li Junghwan Rhee James Mickens Margo Seltzer and Haifeng Chen. 2020. SIGL: Securing Software Installations Through Deep Graph Learning. arxiv:2008.11533 [cs.CR]"},{"key":"e_1_3_1_47_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00096"},{"key":"e_1_3_1_48_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23349"},{"key":"e_1_3_1_49_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23141"},{"key":"e_1_3_1_50_2","first-page":"487","volume-title":"26th USENIX Security Symposium (USENIX Security\u201917)","author":"Hossain Md Nahid","year":"2017","unstructured":"Md Nahid Hossain, Sadegh M. Milajerdi, Junao Wang, Birhanu Eshete, Rigel Gjomemo, R. Sekar, Scott Stoller, and V. N. Venkatakrishnan. 2017. SLEUTH: Real-time attack scenario reconstruction from COTS audit data. In 26th USENIX Security Symposium (USENIX Security\u201917). USENIX Association, Vancouver, BC, 487\u2013504. https:\/\/www.usenix.org\/conference\/usenixsecurity17\/technical-sessions\/presentation\/hossain."},{"key":"e_1_3_1_51_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00064"},{"key":"e_1_3_1_52_2","first-page":"1723","volume-title":"27th USENIX Security Symposium (USENIX Security\u201918)","author":"Hossain Md Nahid","year":"2018","unstructured":"Md Nahid Hossain, Junao Wang, R. Sekar, and Scott D. Stoller. 2018. Dependence-preserving data compaction for scalable forensic analysis. In 27th USENIX Security Symposium (USENIX Security\u201918). USENIX Association, Baltimore, MD, 1723\u20131740. https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/hossain."},{"key":"e_1_3_1_53_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10618-017-0549-3"},{"key":"e_1_3_1_54_2","unstructured":"IEEE. 2011. IEEE Symposium on Security and Privacy. https:\/\/www.ieee-security.org\/TC\/SP2021\/cfpapers.html."},{"key":"e_1_3_1_55_2","unstructured":"IEEE. 2021. Xplore. https:\/\/ieeexplore.ieee.org\/Xplore\/home.jsp."},{"key":"e_1_3_1_56_2","unstructured":"Internet Society. 2021. The Network and Distributed System Security Symposium (NDSS). https:\/\/www.ndss-symposium.org\/."},{"key":"e_1_3_1_57_2","unstructured":"ITnews. 2021. SolarWinds Hack was \u2019Largest and Most Sophisticated Attack\u2019 Ever. https:\/\/www.itnews.com.au\/news\/solarwinds-hack-was-largest-and-most-sophisticated-attack-ever-microsoft-561065."},{"key":"e_1_3_1_58_2","volume-title":"9th USENIX Workshop on the Theory and Practice of Provenance (TaPP\u201917)","author":"Jenkinson Graeme","year":"2017","unstructured":"Graeme Jenkinson, Lucian Carata, Thomas Bytheway, Ripduman Sohan, Robert N. M. Watson, Jonathan Anderson, Brian Kidney, Amanda Strnad, Arun Thomas, and George Neville-Neil. 2017. Applying provenance in APT monitoring and analysis: Practical challenges for scalable, efficient and trustworthy distributed provenance. In 9th USENIX Workshop on the Theory and Practice of Provenance (TaPP\u201917)."},{"key":"e_1_3_1_59_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134045"},{"key":"e_1_3_1_60_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-40593-3_1"},{"key":"e_1_3_1_61_2","doi-asserted-by":"publisher","DOI":"10.3390\/JCP1030021"},{"key":"e_1_3_1_62_2","doi-asserted-by":"publisher","DOI":"10.17021\/1179829"},{"key":"e_1_3_1_63_2","doi-asserted-by":"publisher","DOI":"10.1145\/945445.945467"},{"key":"e_1_3_1_64_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICMLA.2019.00187"},{"key":"e_1_3_1_65_2","volume-title":"20th Annual Network and Distributed System Security Symposium, NDSS 2013, San Diego, California, USA, February 24-27, 2013","author":"Lee Kyu Hyung","year":"2013","unstructured":"Kyu Hyung Lee, Xiangyu Zhang, and Dongyan Xu. 2013. High accuracy attack provenance via binary-based execution partition. In 20th Annual Network and Distributed System Security Symposium, NDSS 2013, San Diego, California, USA, February 24-27, 2013. The Internet Society. https:\/\/www.ndss-symposium.org\/ndss2013\/high-accuracy-attack-provenance-binary-based-execution-partition."},{"key":"e_1_3_1_66_2","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516731"},{"key":"e_1_3_1_67_2","volume-title":"9th USENIX Workshop on the Theory and Practice of Provenance (TaPP\u201917)","author":"Lemay Mark","year":"2017","unstructured":"Mark Lemay, Wajih Ul Hassan, Thomas Moyer, Nabil Schear, and Warren Smith. 2017. Automated provenance analytics: A regular grammar based approach with applications in security. In 9th USENIX Workshop on the Theory and Practice of Provenance (TaPP\u201917)."},{"key":"e_1_3_1_68_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2021.102282"},{"key":"e_1_3_1_69_2","doi-asserted-by":"publisher","DOI":"10.1184\/R1\/12841247.v1"},{"key":"e_1_3_1_70_2","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363224"},{"key":"e_1_3_1_71_2","doi-asserted-by":"publisher","DOI":"10.1145\/3214304"},{"key":"e_1_3_1_72_2","doi-asserted-by":"publisher","DOI":"10.1145\/3186727"},{"key":"e_1_3_1_73_2","doi-asserted-by":"publisher","DOI":"10.1016\/S1389-1286(00)00134-1"},{"key":"e_1_3_1_74_2","first-page":"241","volume-title":"2018 USENIX Annual Technical Conference (USENIX ATC\u201918)","author":"Ma Shiqing","year":"2018","unstructured":"Shiqing Ma, Juan Zhai, Yonghwi Kwon, Kyu Hyung Lee, Xiangyu Zhang, Gabriela Ciocarlie, Ashish Gehani, Vinod Yegneswaran, Dongyan Xu, and Somesh Jha. 2018. Kernel-supported cost-effective audit logging for causality tracking. In 2018 USENIX Annual Technical Conference (USENIX ATC\u201918). USENIX Association, Boston, MA, 241\u2013254. https:\/\/www.usenix.org\/conference\/atc18\/presentation\/ma-shiqing."},{"key":"e_1_3_1_75_2","first-page":"1111","volume-title":"26th USENIX Security Symposium (USENIX Security\u201917)","author":"Ma Shiqing","year":"2017","unstructured":"Shiqing Ma, Juan Zhai, Fei Wang, Kyu Hyung Lee, Xiangyu Zhang, and Dongyan Xu. 2017. MPI: Multiple perspective attack investigation with semantic aware execution partitioning. In 26th USENIX Security Symposium (USENIX Security\u201917). USENIX Association, Vancouver, BC, 1111\u20131128. https:\/\/www.usenix.org\/conference\/usenixsecurity17\/technical-sessions\/presentation\/ma."},{"key":"e_1_3_1_76_2","volume-title":"23rd Annual Network and Distributed System Security Symposium (NDSS\u201916)","author":"Ma Shiqing","year":"2016","unstructured":"Shiqing Ma, Xiangyu Zhang, and Dongyan Xu. 2016. ProTracer: Towards practical provenance tracing by alternating between logging and tainting. In 23rd Annual Network and Distributed System Security Symposium (NDSS\u201916), San Diego, California, USA, February 21\u201324, 2016. The Internet Society. http:\/\/wp.internetsociety.org\/ndss\/wp-content\/uploads\/sites\/25\/2017\/09\/protracer-towards-practical-provenance-tracing-alternating-logging-tainting.pdf."},{"key":"e_1_3_1_77_2","doi-asserted-by":"publisher","DOI":"10.1145\/3427228.3427272"},{"key":"e_1_3_1_78_2","unstructured":"Microsoft. 2020. Event Tracing. https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/etw\/event-tracing-portal."},{"key":"e_1_3_1_79_2","unstructured":"Microsoft. 2020. Sysmon - Windows Sysinternals. https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/sysmon."},{"key":"e_1_3_1_80_2","article-title":"Distributed representations of words and phrases and their compositionality","author":"Mikolov Tomas","year":"2013","unstructured":"Tomas Mikolov, Ilya Sutskever, Kai Chen, Greg Corrado, and Jeffrey Dean. 2013. Distributed representations of words and phrases and their compositionality. arXiv preprint arXiv:1310.4546 (2013).","journal-title":"arXiv preprint arXiv:1310.4546"},{"key":"e_1_3_1_81_2","unstructured":"MITR. 2021. Analytics | MITRE Cyber Analytics Repository. https:\/\/car.mitre.org\/analytics\/."},{"key":"e_1_3_1_82_2","unstructured":"MITRE. 2021. Caldera: Scalable Automated Adversary Emulation Platform. https:\/\/github.com\/mitre\/caldera."},{"key":"e_1_3_1_83_2","unstructured":"MITRE ATT&CK. 2021. Matrix - Enterprise. https:\/\/attack.mitre.org\/matrices\/enterprise\/."},{"key":"e_1_3_1_84_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2012.05.003"},{"key":"e_1_3_1_85_2","volume-title":"USENIX Annual Technical Conference","author":"Muniswamy-Reddy Kiran-Kumar","year":"2009","unstructured":"Kiran-Kumar Muniswamy-Reddy, U. Braun, D. Holland, P. Macko, D. MacLean, Daniel W. Margo, Margo I. Seltzer, and Robin Smogor. 2009. Layering in provenance systems. In USENIX Annual Technical Conference."},{"key":"e_1_3_1_86_2","first-page":"43","volume-title":"Usenix Annual Technical Conference, General Track","author":"Muniswamy-Reddy Kiran-Kumar","year":"2006","unstructured":"Kiran-Kumar Muniswamy-Reddy, David A. Holland, Uri Braun, and Margo I. Seltzer. 2006. Provenance-aware storage systems. In Usenix Annual Technical Conference, General Track. 43\u201356."},{"key":"e_1_3_1_87_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-59621-7_8"},{"key":"e_1_3_1_88_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cosrev.2017.07.001"},{"key":"e_1_3_1_89_2","doi-asserted-by":"publisher","DOI":"10.1145\/3127479.3129249"},{"key":"e_1_3_1_90_2","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243776"},{"key":"e_1_3_1_91_2","doi-asserted-by":"publisher","DOI":"10.1145\/2991079.2991122"},{"key":"e_1_3_1_92_2","doi-asserted-by":"publisher","DOI":"10.1145\/2420950.2420989"},{"key":"e_1_3_1_93_2","unstructured":"Can Sar and Pei Cao. 2005. Lineage file system. Online at http:\/\/crypto.stanford.edu\/cao\/lineage.html (2005) 411\u2013414."},{"key":"e_1_3_1_94_2","article-title":"GrAALF: Supporting graphical analysis of audit logs for forensics","author":"Setayeshfar Omid","year":"2019","unstructured":"Omid Setayeshfar, Christian Adkins, Matthew Jones, Kyu Hyung Lee, and Prashant Doshi. 2019. GrAALF: Supporting graphical analysis of audit logs for forensics. arXiv preprint arXiv:1909.00902 (2019).","journal-title":"arXiv preprint arXiv:1909.00902"},{"key":"e_1_3_1_95_2","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243811"},{"key":"e_1_3_1_96_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2011.12.012"},{"key":"e_1_3_1_97_2","doi-asserted-by":"publisher","DOI":"10.5555\/2814579.2814582"},{"key":"e_1_3_1_98_2","doi-asserted-by":"crossref","first-page":"155","DOI":"10.1007\/978-3-319-16462-5_12","volume-title":"Provenance and Annotation of Data and Processes","author":"Stamatogiannakis Manolis","year":"2015","unstructured":"Manolis Stamatogiannakis, Paul Groth, and Herbert Bos. 2015. Looking inside the black-box: Capturing data provenance using dynamic instrumentation. In Provenance and Annotation of Data and Processes, Bertram Lud\u00e4scher and Beth Plale (Eds.). Springer International Publishing, Cham, 155\u2013167."},{"key":"e_1_3_1_99_2","unstructured":"SUSE. 2020. Understanding Linux Audit. https:\/\/documentation.suse.com\/sles\/15-SP1\/html\/SLES-all\/cha-audit-comp.html."},{"key":"e_1_3_1_100_2","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243763"},{"key":"e_1_3_1_101_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICDCS.2016.86"},{"key":"e_1_3_1_102_2","unstructured":"The Zeek Project. 2021. The Zeek Network Security Monitor. https:\/\/zeek.org\/."},{"key":"e_1_3_1_103_2","unstructured":"USENIX. 2021. USENIX Security Symposium. https:\/\/www.usenix.org\/conference\/usenixsecurity21."},{"key":"e_1_3_1_104_2","doi-asserted-by":"publisher","DOI":"10.1145\/2716260"},{"key":"e_1_3_1_105_2","unstructured":"W3. 2021. PROV-O: The PROV Ontology. https:\/\/www.w3.org\/TR\/prov-o\/."},{"key":"e_1_3_1_106_2","doi-asserted-by":"publisher","DOI":"10.1145\/3274694.3274751"},{"key":"e_1_3_1_107_2","volume-title":"Symposium on Network and Distributed System Security (NDSS)","author":"Wang Qi","year":"2020","unstructured":"Qi Wang, Wajih Ul Hassan, Ding Li, Kangkook Jee, Xiao Yu, Kexuan Zou, Junghwan Rhee, Zhengzhang Chen, Wei Cheng, C. Gunter, and others. 2020. You are what you do: Hunting stealthy malware via data provenance analysis. In Symposium on Network and Distributed System Security (NDSS)."},{"key":"e_1_3_1_108_2","unstructured":"Wikipedia. 2020. DTrace. https:\/\/en.wikipedia.org\/wiki\/DTrace."},{"key":"e_1_3_1_109_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2018.2867595"},{"key":"e_1_3_1_110_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2016.02.005"},{"key":"e_1_3_1_111_2","article-title":"Compressing provenance graphs","author":"Xie Yulai","year":"2011","unstructured":"Yulai Xie, Kiran Kumar Muniswamy-Reddy, Darrell D. E. Long, Ahmed Amer, Dan Feng, and Zhipeng Tan. 2011. Compressing provenance graphs. 3rd Workshop on the Theory and Practice of Provenance (TaPP\u201911), (2011).","journal-title":"3rd Workshop on the Theory and Practice of Provenance (TaPP\u201911),"},{"key":"e_1_3_1_112_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2019.2960353"},{"key":"e_1_3_1_113_2","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978378"},{"key":"e_1_3_1_114_2","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315261"},{"key":"e_1_3_1_115_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCT46805.2019.8947201"},{"key":"e_1_3_1_116_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICC.2015.7249470"}],"container-title":["ACM Computing Surveys"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3539605","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3539605","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T17:51:40Z","timestamp":1750182700000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3539605"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,12,15]]},"references-count":115,"journal-issue":{"issue":"7","published-print":{"date-parts":[[2023,7,31]]}},"alternative-id":["10.1145\/3539605"],"URL":"https:\/\/doi.org\/10.1145\/3539605","relation":{},"ISSN":["0360-0300","1557-7341"],"issn-type":[{"value":"0360-0300","type":"print"},{"value":"1557-7341","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,12,15]]},"assertion":[{"value":"2021-08-30","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-05-13","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-12-15","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}