{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,2]],"date-time":"2026-04-02T13:32:16Z","timestamp":1775136736072,"version":"3.50.1"},"reference-count":79,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2023,3,31]],"date-time":"2023-03-31T00:00:00Z","timestamp":1680220800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Digital Threats"],"published-print":{"date-parts":[[2023,3,31]]},"abstract":"<jats:p>We propose APTHunter, a system for prompt detection of Advanced and Persistent Threats (APTs) in early stages. We provide an approach for representing the indicators of compromise that appear in the cyber threat intelligence reports and the relationships among them as provenance queries that capture the attacker\u2019s malicious behavior. We use the kernel audit log as a reliable source for system activities and develop an optimized whole system provenance graph that provides the causal relationships and information flows among system entities in a compact format. Then, we model the threat hunting as a behavior match problem by applying provenance queries to the optimized provenance graph to find any hits as indicators of an APT attack. We evaluate APTHunter on adversarial engagements from DARPA over different OS platforms, as well as real-world APT campaigns. Based on our experimental results, APTHunter promptly and reliably detects attack artifacts in early stages.<\/jats:p>","DOI":"10.1145\/3559768","type":"journal-article","created":{"date-parts":[[2022,9,2]],"date-time":"2022-09-02T11:15:54Z","timestamp":1662117354000},"page":"1-31","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":30,"title":["APTHunter: Detecting Advanced Persistent Threats in Early Stages"],"prefix":"10.1145","volume":"4","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-4756-5856","authenticated-orcid":false,"given":"Moustafa","family":"Mahmoud","sequence":"first","affiliation":[{"name":"Concordia University, Montreal, Canada"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9630-5858","authenticated-orcid":false,"given":"Mohammad","family":"Mannan","sequence":"additional","affiliation":[{"name":"Concordia University, Montreal, Canada"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4284-8646","authenticated-orcid":false,"given":"Amr","family":"Youssef","sequence":"additional","affiliation":[{"name":"Concordia University, Montreal, Canada"}]}],"member":"320","published-online":{"date-parts":[[2023,3,31]]},"reference":[{"key":"e_1_3_3_2_2","unstructured":"ABUSE. n.d. Fighting Malware and Botnets. Retrieved September 10 2022 from https:\/\/abuse.ch\/."},{"key":"e_1_3_3_3_2","unstructured":"Security Affairs. 2022. China-Linked APT10 Target Taiwan\u2019s Financial Trading Industry. Retrieved September 10 2022 from https:\/\/securityaffairs.co\/wordpress\/128273\/apt\/apt10-targets-taiwan-financial-trading.html."},{"key":"e_1_3_3_4_2","first-page":"1","volume-title":"Proceedings of ARES","author":"Akinrolabu Olusola","year":"2018","unstructured":"Olusola Akinrolabu, Ioannis Agrafiotis, and Arnau Erola. 2018. The challenge of detecting sophisticated attacks: Insights from SOC analysts. In Proceedings of ARES. 1\u20139."},{"key":"e_1_3_3_5_2","unstructured":"AlienVault. n.d. AlienVault Open Threat Exchange. Retrieved September 10 2022 from https:\/\/otx.alienvault.com\/browse\/global."},{"key":"e_1_3_3_6_2","unstructured":"Apache. 2017. Kafka Streams. Retrieved September 10 2022 from https:\/\/kafka.apache.org\/documentation\/streams\/."},{"key":"e_1_3_3_7_2","unstructured":"ArcSight. 2021. ArcSight Enterprise Security Manager. Retrieved September 10 2022 from https:\/\/www.microfocus.com\/en-us\/cyberres\/secops\/arcsight-esm."},{"key":"e_1_3_3_8_2","volume-title":"Proceedings of S&P","author":"Barr-Smith Frederick","year":"2021","unstructured":"Frederick Barr-Smith, Xabier Ugarte-Pedrero, Mariano Graziano, Riccardo Spolaor, and Ivan Martinovic. 2021. Survivalism: Systematic analysis of windows malware living-off-the-land. In Proceedings of S&P."},{"key":"e_1_3_3_9_2","unstructured":"BeyondTrust. 2020. Cyber-Attack Chain. Retrieved September 10 2022 from https:\/\/www.beyondtrust.com\/resources\/glossary\/cyber-attack-chain."},{"key":"e_1_3_3_10_2","unstructured":"Bricata. 2021. Layers of Cybersecurity: Signature Detection vs. Network Behavioral Analysis. Retrieved September 10 2022 from https:\/\/bricata.com\/blog\/signature-detection-vs-network-behavior\/."},{"key":"e_1_3_3_11_2","article-title":"From Manual Cyber Attacks Forensic to Automatic Characterization of Attackers\u2019 Profiles","author":"Briffaut J.","year":"2011","unstructured":"J. Briffaut, P. Clemente, J. F. Lalande, and J. Rouzaud-Cornabas. 2011. From Manual Cyber Attacks Forensic to Automatic Characterization of Attackers\u2019 Profiles. Universit\u00e9 d\u2019Orl\u00e9ans.","journal-title":"Universit\u00e9 d\u2019Orl\u00e9ans."},{"key":"e_1_3_3_12_2","unstructured":"CISA. 2020. APT Groups Target Healthcare and Essential Services. Retrieved September 10 2022 from https:\/\/us-cert.cisa.gov\/ncas\/alerts\/AA20126A."},{"key":"e_1_3_3_13_2","unstructured":"CrowdStrike. n.d. Advanced Persistent Threat Definition. Retrieved September 10 2022 from https:\/\/www.crowdstrike.com\/cybersecurity-101\/advanced-persistent-threat-apt\/."},{"key":"e_1_3_3_14_2","unstructured":"CrowdStrike. 2018. Is There Such a Thing as a Malicious PowerShell Command? Retrieved September 10 2022 from http:\/\/www.crowdstrike.com\/blog\/is-there-such-a-thing-as-a-malicious-powershell-command\/."},{"key":"e_1_3_3_15_2","unstructured":"CYBERARC. 2017. 7 Types of Privileged Accounts. Retrieved September 10 2022 from https:\/\/www.cyberark.com\/resources\/blog\/7-types-of-privileged-accounts-service-accounts-and-more."},{"key":"e_1_3_3_16_2","unstructured":"Darktrace. 2021. APT35 \u2018Charming Kitten\u2019 Discovered in a Pre-Infected Environment. Retrieved September 10 2022 from https:\/\/www.darktrace.com\/en\/blog\/apt-35-charming-kitten-discovered-in-a-pre-infected-environment\/."},{"key":"e_1_3_3_17_2","unstructured":"DARPA. n.d. Transparent Computing. Retrieved September 10 2022 from https:\/\/www.darpa.mil\/program\/transparent-computing."},{"key":"e_1_3_3_18_2","unstructured":"DARPA. 2018. Transparent Computing TA5.1 Ground Truth Report Engagement 3. Retrieved September 10 2022 from https:\/\/drive.google.com\/file\/d\/1mrs4LWkGk-3zA7t7v8zrhm0yEDHe57QU\/view?usp=sharing."},{"key":"e_1_3_3_19_2","unstructured":"DARPA. 2019. Transparent Computing TA5.1 Final Report Engagement 5. Retrieved September 10 2022 from https:\/\/drive.google.com\/file\/d\/1cc3C5JW-Kn-VdXqeBGwvHBKSdR\\_YmSGj\/view?usp=sharing."},{"key":"e_1_3_3_20_2","unstructured":"Defence Research and Development Canada. 2020. TA-35\u2019Cyber Threat Data Model and Use Cases. Retrieved September 10 2022 from https:\/\/cradpdf.drdc-rddc.gc.ca\/PDFS\/unc290\/p805945_A1b.pdf."},{"key":"e_1_3_3_21_2","unstructured":"EclecticIQ. n.d. Intelligence at the Core. Retrieved September 10 2022 from https:\/\/www.eclecticiq.com\/."},{"key":"e_1_3_3_22_2","unstructured":"Elastic. 2021. SIEM for the modern SOC. Retrieved September 10 2022 from https:\/\/www.elastic.co\/siem."},{"key":"e_1_3_3_23_2","unstructured":"Finextra. 2021. The State of Cybersecurity in Financial Services. Retrieved September 10 2022 from https:\/\/www.finextra.com\/blogposting\/20387\/the-state-of-cybersecurity-in-financial-services."},{"key":"e_1_3_3_24_2","unstructured":"FireEye. n.d. Redline. Retrieved September 10 2022 from https:\/\/www.fireeye.com\/services\/freeware\/redline.html\/."},{"key":"e_1_3_3_25_2","unstructured":"FireEye. n.d. Threat Intelligence Reports. Retrieved September 10 2022 from https:\/\/www.fireeye.com\/current-threats\/threat-intelligence-reports.html."},{"key":"e_1_3_3_26_2","unstructured":"FireEye. 2019. Special Report: Double Dragon APT41 a Dual Espionage and Cyber Crime Operation. Retrieved September 10 2022 from https:\/\/content.fireeye.com\/apt-41\/rpt-apt41."},{"key":"e_1_3_3_27_2","unstructured":"FireEye. 2021. Cyber-Attack Chain. Retrieved September 10 2022 from https:\/\/www.fireeye.com\/current-threats\/apt-groups.html."},{"key":"e_1_3_3_28_2","unstructured":"FireEye. 2021. Threat Intelligence Reports by Industry. Retrieved September 10 2022 from https:\/\/www.fireeye.com\/current-threats\/reports-by-industry.html."},{"key":"e_1_3_3_29_2","unstructured":"FireEye-Mandiant. 2018. M-Trends 2018 Report. Retrieved September 10 2022 from https:\/\/www.fireeye.com\/content\/dam\/collateral\/en\/mtrends-2018.pdf."},{"key":"e_1_3_3_30_2","first-page":"639","volume-title":"Proceedings of USENIX","author":"Gao Peng","year":"2018","unstructured":"Peng Gao, Xusheng Xiao, Ding Li, Zhichun Li, Kangkook Jee, Zhenyu Wu, Chung Hwan Kim, Sanjeev R. Kulkarni, and Prateek Mittal. 2018. SAQL: A stream-based query system for real-time abnormal system behavior detection. In Proceedings of USENIX. 639\u2013656."},{"key":"e_1_3_3_31_2","first-page":"113","volume-title":"Proceedings of USENIX","author":"Gao Peng","year":"2018","unstructured":"Peng Gao, Xusheng Xiao, Zhichun Li, Fengyuan Xu, Sanjeev R. Kulkarni, and Prateek Mittal. 2018. AIQL: Enabling efficient attack investigation from system monitoring data. In Proceedings of USENIX. 113\u2013126."},{"key":"e_1_3_3_32_2","first-page":"112","volume-title":"Proceedings of ICPR","volume":"2","author":"Giugno Rosalba","year":"2002","unstructured":"Rosalba Giugno and Dennis Shasha. 2002. Graphgrep: A fast and universal method for querying graphs. In Proceedings of ICPR, Vol. 2. IEEE, Los Alamitos, CA, 112\u2013115."},{"key":"e_1_3_3_33_2","first-page":"1","volume-title":"Proceedings of the USENIX Symposium","volume":"7","author":"Gu Guofei","year":"2007","unstructured":"Guofei Gu, Phillip A. Porras, Vinod Yegneswaran, Martin W. Fong, and Wenke Lee. 2007. BotHunter: Detecting malware infection through IDS-driven dialog correlation. In Proceedings of the USENIX Symposium, Vol. 7. 1\u201316."},{"key":"e_1_3_3_34_2","volume-title":"Proceedings of NDSS","author":"Han Xueyuan","year":"2020","unstructured":"Xueyuan Han, Thomas Pasquier, Adam Bates, James Mickens, and Margo Seltzer. 2020. Unicorn: Runtime provenance-based detector for advanced persistent threats. In Proceedings of NDSS."},{"key":"e_1_3_3_35_2","first-page":"1172","volume-title":"Proceedings of S&P","author":"Hassan Wajih Ul","year":"2020","unstructured":"Wajih Ul Hassan, Adam Bates, and Daniel Marino. 2020. Tactical provenance analysis for endpoint detection and response systems. In Proceedings of S&P. IEEE, Los Alamitos, CA, 1172\u20131189."},{"key":"e_1_3_3_36_2","first-page":"487","volume-title":"Proceedings of USENIX","author":"Hossain Nahid","year":"2017","unstructured":"Nahid Hossain, Sadegh M. Milajerdi, Junao Wang, Birhanu Eshete, Rigel Gjomemo, R. Sekar, Scott Stoller, and V. N. Venkatakrishnan. 2017. SLEUTH: Real-time attack scenario reconstruction from COTS audit data. In Proceedings of USENIX. 487\u2013504."},{"key":"e_1_3_3_37_2","first-page":"103","volume-title":"Proceedings of ACSAC","author":"Husari Ghaith","year":"2017","unstructured":"Ghaith Husari, Ehab Al-Shaer, Mohiuddin Ahmed, Bill Chu, and Xi Niu. 2017. TTPDrill: Automatic and accurate extraction of threat actions from unstructured text of CTI sources. In Proceedings of ACSAC. 103\u2013115."},{"key":"e_1_3_3_38_2","unstructured":"Imperva. n.d. Data Loss Prevention (DLP). Retrieved September 10 2022 from https:\/\/www.imperva.com\/learn\/data-security\/data-loss-prevention-dlp."},{"key":"e_1_3_3_39_2","unstructured":"Kaspersky. n.d. BlackEnergy APT Attacks in Ukraine. Retrieved September 10 2022 from https:\/\/www.kaspersky.com\/resource-center\/threats\/blackenergy."},{"key":"e_1_3_3_40_2","unstructured":"Kaspersky. 2022. APT Trends Report Q1 2022. Retrieved September 10 2022 from https:\/\/go.kaspersky.com\/rs\/802-IJN-240\/images\/Kaspersky\\_APT\\_trends\\_Q1\\_2022.pdf."},{"key":"e_1_3_3_41_2","doi-asserted-by":"publisher","DOI":"10.1145\/1047915.1047918"},{"key":"e_1_3_3_42_2","volume-title":"Proceedings of NDSS","author":"King Samuel T.","year":"2005","unstructured":"Samuel T. King, Zhuoqing Morley Mao, Dominic G. Lucchetti, and Peter M. Chen. 2005. Enriching intrusion alerts through multi-host causality. In Proceedings of NDSS."},{"key":"e_1_3_3_43_2","unstructured":"KPMG. n.d. The Hidden Security Risks from Service Accounts. Retrieved September 10 2022 from https:\/\/advisory.kpmg.us\/articles\/2021\/hidden-security-risks-service-accounts.html."},{"key":"e_1_3_3_44_2","volume-title":"Proceedings of NDSS","author":"Lee Kyu Hyung","year":"2013","unstructured":"Kyu Hyung Lee, Xiangyu Zhang, and Dongyan Xu. 2013. High accuracy attack provenance via binary-based execution partition. In Proceedings of NDSS."},{"key":"e_1_3_3_45_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23350"},{"key":"e_1_3_3_46_2","unstructured":"MITRE Matrix. n.d. MITRE ATT&CK. Retrieved September 10 2022 from https:\/\/attack.mitre.org\/."},{"key":"e_1_3_3_47_2","unstructured":"McAfee. n.d. McAfee Advanced Threat Defense. Retrieved September 10 2022 from https:\/\/www.mcafee.com\/enterprise\/en-ca\/products\/advanced-threat-defense.html."},{"key":"e_1_3_3_48_2","unstructured":"McAfee. n.d. What Is the MITRE ATT&CK Framework? Retrieved September 10 2022 from https:\/\/www.mcafee.com\/enterprise\/en-ca\/security-awareness\/cybersecurity\/what-is-mitre-attack-framework.html."},{"key":"e_1_3_3_49_2","first-page":"1","volume-title":"Proceedings of NDSS","volume":"22","author":"McKee Derrick","year":"2022","unstructured":"Derrick McKee, Yianni Giannaris, Carolina Ortega Perez, Howard Shrobe, Mathias Payer, Hamed Okhravi, and Nathan Burow. 2022. Preventing kernel hacks with HAKC. In Proceedings of NDSS, Vol. 22. 1\u201317."},{"key":"e_1_3_3_50_2","doi-asserted-by":"crossref","unstructured":"Noor Michael Jaron Mink Jason Liu Sneha Gaur Wajih Ul Hassan and Adam Bates. 2020. On the forensic validity of approximated audit logs. In Proceedings of ACSAC . 189\u2013202.","DOI":"10.1145\/3427228.3427272"},{"key":"e_1_3_3_51_2","volume-title":"Proceedings of CCS","author":"Milajerdi Sadegh M.","year":"2019","unstructured":"Sadegh M. Milajerdi, Birhanu Eshete, Rigel Gjomemo, and V. N. Venkatakrishnan. 2019. Poirot: Aligning attack behavior with kernel audit records for cyber threat hunting. In Proceedings of CCS."},{"key":"e_1_3_3_52_2","first-page":"1137","volume-title":"Proceedings of S&P","author":"Milajerdi Sadegh M.","year":"2019","unstructured":"Sadegh M. Milajerdi, Rigel Gjomemo, Birhanu Eshete, Ramachandran Sekar, and V. N. Venkatakrishnan. 2019. HOLMES: Real-time APT detection through correlation of suspicious information flows. In Proceedings of S&P. IEEE, Los Alamitos, CA, 1137\u20131152."},{"key":"e_1_3_3_53_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10723-006-9055-3"},{"key":"e_1_3_3_54_2","unstructured":"MITRE. n.d. MITRE Matrix Brute Force: Password Spraying. Retrieved September 10 2022 from https:\/\/attack.mitre.org\/techniques\/T1110\/003\/."},{"key":"e_1_3_3_55_2","unstructured":"MITRE. n.d. MITRE Matrix Exploit Public-Facing Application. Retrieved September 10 2022 from https:\/\/attack.mitre.org\/techniques\/T1190\/."},{"key":"e_1_3_3_56_2","unstructured":"MITRE. n.d. MITRE Matrix OS Credential Dumping: LSASS Memory. Retrieved September 10 2022 from https:\/\/attack.mitre.org\/techniques\/T1003\/001."},{"key":"e_1_3_3_57_2","unstructured":"N-ABLE. 2021. Intrusion Detection System (IDS): Signature vs. Anomaly-Based. Retrieved September 10 2022 from https:\/\/www.n-able.com\/blog\/intrusion-detection-system\/."},{"key":"e_1_3_3_58_2","unstructured":"Neo4j. n.d. The Native Graph Database for Today\u2019s Connected Applications. Retrieved September 10 2022 from https:\/\/neo4j.com\/product\/neo4j-graph-database\/."},{"key":"e_1_3_3_59_2","unstructured":"Nextron Systems. 2021. LOKI Open-Source IOC Scanner. Retrieved September 10 2022 from https:\/\/www.nextron-systems.com\/loki\/."},{"key":"e_1_3_3_60_2","volume-title":"Proceedings of CCS","author":"Ning Peng","year":"2003","unstructured":"Peng Ning and Dingbang Xu. 2003. Learning attack strategies from intrusion alerts. In Proceedings of CCS."},{"key":"e_1_3_3_61_2","unstructured":"U.S. Department of Health and Human Services (HHS). 2022. Health Sector Cybersecurity: 2021 Retrospective and 2022 Look Ahead. Retrieved September 10 2022 from https:\/\/www.hhs.gov\/sites\/default\/files\/2021-retrospective-and-2022-look-ahead-tlpwhite.pdf."},{"key":"e_1_3_3_62_2","unstructured":"OWASP. 2018. Kerberoasting. Retrieved September 10 2022 from https:\/\/owasp.org\/www-pdf-archive\/OWASP\\_Frankfurt\\_-44\\_Kerberoasting.pdf."},{"key":"e_1_3_3_63_2","volume-title":"Proceedings of CCS","author":"Pasquier Thomas","year":"2018","unstructured":"Thomas Pasquier, Xueyuan Han, Thomas Moyer, Adam Bates, Olivier Hermant, David Eyers, Jean Bacon, and Margo Seltzer. 2018. Runtime analysis of whole-system provenance. In Proceedings of CCS."},{"key":"e_1_3_3_64_2","first-page":"583","volume-title":"Proceedings of ACSAC","author":"Pei Kexin","year":"2016","unstructured":"Kexin Pei, Zhongshu Gu, Brendan Saltaformaggio, Shiqing Ma, Fei Wang, Zhiwei Zhang, Luo Si, Xiangyu Zhang, and Dongyan Xu. 2016. Hercule: Attack story reconstruction via community discovery on correlated log graph. In Proceedings of ACSAC. 583\u2013595."},{"key":"e_1_3_3_65_2","unstructured":"Red Canary. n.d. Red Canary 2021 Threat Detection Report. Retrieved September 10 2022 from https:\/\/redcanary.com\/threat-detection-report\/."},{"key":"e_1_3_3_66_2","unstructured":"Secureworks. n.d. Advanced Persistent Threats: Learn the ABCs of APTs. Retrieved September 10 2022 from https:\/\/www.secureworks.com\/blog\/advanced-persistent-threats-apt-a."},{"key":"e_1_3_3_67_2","unstructured":"Panda Security. 2019. How Endpoint Detection and Response Gave Rise to Threat Hunting. Retrieved September 10 2022 from https:\/\/www.pandasecurity.com\/en\/mediacenter\/security\/edr-threat-hunting."},{"key":"e_1_3_3_68_2","unstructured":"Financial Services Information Sharing and Analysis Center (FS-ISAC). 2022. Navigating Cyber. Retrieved September 10 2022 from https:\/\/www.fsisac.com\/hubfs\/NavigatingCyber-2022\/NavigatingCyber2022-TLPWHITE-FIN.pdf."},{"key":"e_1_3_3_69_2","first-page":"905","volume-title":"Proceedings of USENIX","author":"Shen Yun","year":"2019","unstructured":"Yun Shen and Gianluca Stringhini. 2019. ATTACK2VEC: Leveraging temporal word embeddings to understand the evolution of cyberattacks. In Proceedings of USENIX. 905\u2013921."},{"key":"e_1_3_3_70_2","volume-title":"Proceedings of VLDB","author":"Sun Zhao","year":"2012","unstructured":"Zhao Sun, Hongzhi Wang, Haixun Wang, Bin Shao, and Jianzhong Li. 2012. Efficient subgraph matching on billion node graphs. In Proceedings of VLDB."},{"key":"e_1_3_3_71_2","unstructured":"Symantec. 2019. Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak. Retrieved September 10 2022 from https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/buckeye-windows-zero-day-exploit."},{"key":"e_1_3_3_72_2","unstructured":"The New York Times. 2019. How Chinese Spies Got the N.S.A.\u2019s Hacking Tools and Used Them for Attacks. Retrieved September 10 2022 from https:\/\/www.nytimes.com\/2019\/05\/06\/us\/politics\/china-hacking-cyber.html."},{"key":"e_1_3_3_73_2","unstructured":"The U.S. Department of Health and Human Services. 2020. APT and Cybercriminal Targeting of HCS. Retrieved September 10 2022 from https:\/\/www.hhs.gov\/sites\/default\/files\/apt-and-cybercriminal-targeting-of-hcs.pdf."},{"key":"e_1_3_3_74_2","unstructured":"Jacob Torrey. 2020. Transparent Computing Engagement 5 Data Release. Retrieved September 10 2022 from https:\/\/github.com\/darpa-i2o\/Transparent-Computing."},{"key":"e_1_3_3_75_2","unstructured":"Varonis. n.d. Threat Detection & Response. Retrieved September 10 2022 from https:\/\/www.varonis.com\/solutions\/threat-detection-response\/."},{"key":"e_1_3_3_76_2","unstructured":"Varonis. 2020. What Is an Advanced Persistent Threat? Retrieved September 10 2022 from https:\/\/www.varonis.com\/blog\/advanced-persistent-threat\/."},{"key":"e_1_3_3_77_2","unstructured":"Vectra. n.d. Network Detection and Response Built on Artificial Intelligence. Retrieved September 10 2022 from https:\/\/www.vectra.ai\/products\/cognito-platform."},{"key":"e_1_3_3_78_2","volume-title":"Proceedings of NDSS","author":"Wang Qi","year":"2020","unstructured":"Qi Wang, Wajih Ul Hassan, Ding Li, Kangkook Jee, Xiao Yu, Kexuan Zou, Junghwan Rhee, et\u00a0al. 2020. You are what you do: Hunting stealthy malware via data provenance analysis. In Proceedings of NDSS."},{"key":"e_1_3_3_79_2","first-page":"210","volume-title":"Proceedings of ICDE","author":"Wang Xiaoli","year":"2012","unstructured":"Xiaoli Wang, Xiaofeng Ding, Anthony K. H. Tung, Shanshan Ying, and Hai Jin. 2012. An efficient graph indexing method. In Proceedings of ICDE. IEEE, Los Alamitos, CA, 210\u2013221."},{"key":"e_1_3_3_80_2","volume-title":"Proceedings of CCS","author":"Xu Zhang","year":"2016","unstructured":"Zhang Xu, Zhenyu Wu, Zhichun Li, Kangkook Jee, Junghwan Rhee, Xusheng Xiao, Fengyuan Xu, Haining Wang, and Guofei Jiang. 2016. High fidelity data reduction for big data security dependency analyses. In Proceedings of CCS."}],"container-title":["Digital Threats: Research and Practice"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3559768","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3559768","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T18:07:57Z","timestamp":1750183677000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3559768"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,3,31]]},"references-count":79,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2023,3,31]]}},"alternative-id":["10.1145\/3559768"],"URL":"https:\/\/doi.org\/10.1145\/3559768","relation":{},"ISSN":["2692-1626","2576-5337"],"issn-type":[{"value":"2692-1626","type":"print"},{"value":"2576-5337","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,3,31]]},"assertion":[{"value":"2022-01-03","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-08-11","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-03-31","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}