{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,10]],"date-time":"2026-04-10T10:02:05Z","timestamp":1775815325608,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":58,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,9,30]],"date-time":"2024-09-30T00:00:00Z","timestamp":1727654400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"National Key R&D Program of China","award":["2023YFB3106900"],"award-info":[{"award-number":["2023YFB3106900"]}]},{"name":"National Natural Science Foundation of China","award":["62072359, 62302362, 62072352"],"award-info":[{"award-number":["62072359, 62302362, 62072352"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,9,30]]},"DOI":"10.1145\/3678890.3678916","type":"proceedings-article","created":{"date-parts":[[2024,9,29]],"date-time":"2024-09-29T22:23:36Z","timestamp":1727648616000},"page":"248-262","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":4,"title":["Obfuscating Provenance-Based Forensic Investigations with Mapping System Meta-Behavior"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0006-3265-4078","authenticated-orcid":false,"given":"Anyuan","family":"Sang","sequence":"first","affiliation":[{"name":"School of Computer Science and Technology, Xidian University, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9685-6107","authenticated-orcid":false,"given":"Yuchen","family":"Wang","sequence":"additional","affiliation":[{"name":"School of Computer Science and Technology, Xidian University, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2750-7031","authenticated-orcid":false,"given":"Li","family":"Yang","sequence":"additional","affiliation":[{"name":"School of Computer Science and Technology, Xidian University, China and Shaanxi Key Laboratory of Network and System Security, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-4286-4003","authenticated-orcid":false,"given":"Junbo","family":"Jia","sequence":"additional","affiliation":[{"name":"School of Computer Science and Technology, Xidian University, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5201-5074","authenticated-orcid":false,"given":"Lu","family":"Zhou","sequence":"additional","affiliation":[{"name":"School of Computer Science and Technology, Xidian University, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2024,9,30]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"2023. APT Notes. https:\/\/github.com\/kbandla\/APTnotes Last accessed on 2023-12-25."},{"key":"e_1_3_2_1_2_1","unstructured":"2023. Common Vulnerability Scoring System v3.0: Specification Document. https:\/\/www.first.org\/cvss\/specification-document Last accessed on 2023-11-21."},{"key":"e_1_3_2_1_3_1","unstructured":"2023. Linux Kernel Audit Subsystem. https:\/\/github.com\/linux-audit\/audit Last accessed on 2023-11-21."},{"key":"e_1_3_2_1_4_1","unstructured":"2023. MANDIANT: Exposing One of China\u2019s Cyber Espionage Units. https:\/\/www.fireeye.com\/content\/dam\/fireeye-www\/services\/pdfs\/mandiant-apt1-report.pdf Last accessed on 2023-11-21."},{"key":"e_1_3_2_1_5_1","unstructured":"2023. Transparent Computing Engagement 3 DataRelease. https:\/\/github.com\/darpa-i2o\/Transparent Computing\/blob\/master\/README-E3.md Last accessed on 2023-12-25."},{"key":"e_1_3_2_1_6_1","unstructured":"2023. Windows ETW. https:\/\/learn.microsoft.com\/zh-cn\/windowshardware\/drivers\/devtest\/event-tracing-for-windows\u2013etw- Last accessed on 2023-11-21."},{"key":"e_1_3_2_1_7_1","volume-title":"Proceedings of the USENIX Security Symposium. 3005\u20133022","author":"Alsaheel Abdulellah","year":"2021","unstructured":"Abdulellah Alsaheel, Yuhong Nan, Shiqing Ma, Le Yu, Gregory Walkup, Z\u00a0Berkay Celik, Xiangyu Zhang, and Dongyan Xu. 2021. ATLAS: A Sequence-Based Learning Approach for Attack Investigation. In Proceedings of the USENIX Security Symposium. 3005\u20133022."},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.5555\/2831143.2831164"},{"key":"e_1_3_2_1_9_1","volume-title":"Kairos: Practical Intrusion Detection and Investigation Using Whole-System Provenance. arXiv preprint arXiv:2308.05034","author":"Cheng Zijun","year":"2023","unstructured":"Zijun Cheng, Qiujian Lv, Jinyuan Liang, Yan Wang, Degang Sun, Thomas Pasquier, and Xueyuan Han. 2023. Kairos: Practical Intrusion Detection and Investigation Using Whole-System Provenance. arXiv preprint arXiv:2308.05034 (2023)."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3616580"},{"key":"e_1_3_2_1_11_1","volume-title":"Proceedings of the 32nd USENIX Security Symposium (USENIX Security 23)","author":"Dong Feng","year":"2023","unstructured":"Feng Dong, Liu Wang, Xu Nie, Fei Shao, Haoyu Wang, Ding Li, Xiapu Luo, and Xusheng Xiao. 2023. DISTDET: A Cost-Effective Distributed Cyber Threat Detection System. In Proceedings of the 32nd USENIX Security Symposium (USENIX Security 23)."},{"key":"e_1_3_2_1_12_1","volume-title":"Proceedings of the 31st USENIX Security Symposium (USENIX Security 22)","author":"Fang Pengcheng","year":"2022","unstructured":"Pengcheng Fang, Peng Gao, Changlin Liu, Erman Ayday, Kangkook Jee, Ting Wang, Yanfang\u00a0Fanny Ye, Zhuotao Liu, and Xusheng Xiao. 2022. Back-Propagating System Dependency Impact for Attack Investigation. In Proceedings of the 31st USENIX Security Symposium (USENIX Security 22). 2461\u20132478."},{"key":"e_1_3_2_1_13_1","volume-title":"Proceedings of the 30th Network and Distributed System Security Symposium (NDSS).","author":"Goyal Akul","year":"2023","unstructured":"Akul Goyal, Xueyuan Han, Gang Wang, and Adam Bates. 2023. Sometimes, You Aren\u2019t What You Do: Mimicry Attacks Against Provenance Graph Host Intrusion Detection Systems. In Proceedings of the 30th Network and Distributed System Security Symposium (NDSS)."},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24046"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00096"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23349"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24270"},{"key":"e_1_3_2_1_18_1","volume-title":"Proceedings of the USENIX Security Symposium. 487\u2013504","author":"Hossain Md\u00a0Nahid","unstructured":"Md\u00a0Nahid Hossain, Sadegh\u00a0M Milajerdi, Junao Wang, Birhanu Eshete, Rigel Gjomemo, R Sekar, Scott\u00a0D Stoller, and V.N. Venkatakrishnan. 2017. SLEUTH: Real-Time Attack Scenario Reconstruction from COTS Audit Data. In Proceedings of the USENIX Security Symposium. 487\u2013504."},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00064"},{"key":"e_1_3_2_1_20_1","volume-title":"Proceedings of the 27th USENIX Security Symposium (USENIX Security 18)","author":"Hossain Md\u00a0Nahid","year":"2018","unstructured":"Md\u00a0Nahid Hossain, Junao Wang, R Sekar, and Scott\u00a0D Stoller. 2018. Dependence-Preserving Data Compaction for Scalable Forensic Analysis. In Proceedings of the 27th USENIX Security Symposium (USENIX Security 18). 1723\u20131740."},{"key":"e_1_3_2_1_21_1","volume-title":"Proceedings of the 2023 IEEE Symposium on Security and Privacy (SP). IEEE, 307\u2013325","author":"Inam Muhammad\u00a0Adil","year":"2022","unstructured":"Muhammad\u00a0Adil Inam, Yinfang Chen, Akul Goyal, Jason Liu, Jaron Mink, Noor Michael, Sneha Gaur, Adam Bates, and Wajih\u00a0Ul Hassan. 2022. SoK: History is a Vast Early Warning System: Auditing the Provenance of System Intrusions. In Proceedings of the 2023 IEEE Symposium on Security and Privacy (SP). IEEE, 307\u2013325."},{"key":"e_1_3_2_1_22_1","volume-title":"Detecting Malicious Websites from the Perspective of System Provenance Analysis","author":"Jiang Peng","year":"2023","unstructured":"Peng Jiang, Jifan Xiao, Ding Li, Hongyi Yu, Yu Bai, Yao Guo, and Xiangqun Chen. 2023. Detecting Malicious Websites from the Perspective of System Provenance Analysis. IEEE Transactions on Dependable and Secure Computing (2023)."},{"key":"e_1_3_2_1_23_1","volume-title":"Backtracking Intrusions. In Proceedings of the Nineteenth ACM Symposium on Operating Systems Principles (SOSP). 223\u2013236","author":"King T","year":"2003","unstructured":"Samuel\u00a0T King and Peter\u00a0M Chen. 2003. Backtracking Intrusions. In Proceedings of the Nineteenth ACM Symposium on Operating Systems Principles (SOSP). 223\u2013236."},{"key":"e_1_3_2_1_24_1","volume-title":"Proceedings of the Network and Distributed System Security Symposium (NDSS). Citeseer.","author":"King T","year":"2005","unstructured":"Samuel\u00a0T King, Zhuoqing\u00a0Morley Mao, Dominic\u00a0G Lucchetti, and Peter\u00a0M Chen. 2005. Enriching Intrusion Alerts Through Multi-Host Causality. In Proceedings of the Network and Distributed System Security Symposium (NDSS). Citeseer."},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/2872362.2872395"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23306"},{"key":"e_1_3_2_1_27_1","volume-title":"Proceedings of the Network and Distributed System Security Symposium (NDSS), Vol.\u00a016","author":"Lee Kyu\u00a0Hyung","year":"2013","unstructured":"Kyu\u00a0Hyung Lee, Xiangyu Zhang, and Dongyan Xu. 2013. High Accuracy Attack Provenance via Binary-based Execution Partition. In Proceedings of the Network and Distributed System Security Symposium (NDSS), Vol.\u00a016."},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516731"},{"key":"e_1_3_2_1_29_1","volume-title":"NODLINK: An Online System for Fine-Grained APT Attack Detection and Investigation. arXiv preprint arXiv:2311.02331","author":"Li Shaofei","year":"2023","unstructured":"Shaofei Li, Feng Dong, Xusheng Xiao, Haoyu Wang, Fei Shao, Jiedong Chen, Yao Guo, Xiangqun Chen, and Ding Li. 2023. NODLINK: An Online System for Fine-Grained APT Attack Detection and Investigation. arXiv preprint arXiv:2311.02331 (2023)."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2021.102282"},{"key":"e_1_3_2_1_31_1","volume-title":"Annual Computer Security Applications Conference (ACSAC).","author":"Li Zhenyuan","year":"2020","unstructured":"Zhenyuan Li, Runqing Yang, Qi\u00a0Alfred Chen, and Yan Chen. 2020. Mimic the Whole Attack Chain: A First Look at Evasion Against Provenance Graph Based Detection. In Annual Computer Security Applications Conference (ACSAC)."},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2023.103134"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/3326285.3329073"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/3564625.3567997"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23254"},{"key":"e_1_3_2_1_36_1","volume-title":"Proceedings of the USENIX Security Symposium. 1111\u20131128","author":"Ma Shiqing","year":"2017","unstructured":"Shiqing Ma, Juan Zhai, Fei Wang, Kyu\u00a0Hyung Lee, Xiangyu Zhang, and Dongyan Xu. 2017. MPI: Multiple Perspective Attack Investigation with Semantic Aware Execution Partitioning. In Proceedings of the USENIX Security Symposium. 1111\u20131128."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23350"},{"key":"e_1_3_2_1_38_1","volume-title":"Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS). 1795\u20131812","author":"Milajerdi M","unstructured":"Sadegh\u00a0M Milajerdi, Birhanu Eshete, Rigel Gjomemo, and V.N. Venkatakrishnan. 2019. Poirot: Aligning Attack Behavior with Kernel Audit Records for Cyber Threat Hunting. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS). 1795\u20131812."},{"key":"e_1_3_2_1_39_1","volume-title":"Proceedings of the 2019 IEEE Symposium on Security and Privacy (SP). IEEE, 1137\u20131152","author":"Milajerdi M","unstructured":"Sadegh\u00a0M Milajerdi, Rigel Gjomemo, Birhanu Eshete, Ramachandran Sekar, and V.N. Venkatakrishnan. 2019. Holmes: Real-Time APT Detection through Correlation of Suspicious Information Flows. In Proceedings of the 2019 IEEE Symposium on Security and Privacy (SP). IEEE, 1137\u20131152."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.5555\/3620237.3620305"},{"key":"e_1_3_2_1_41_1","volume-title":"Physical Adversarial Attacks for Surveillance: A Survey","author":"Nguyen Kien","year":"2023","unstructured":"Kien Nguyen, Tharindu Fernando, Clinton Fookes, and Sridha Sridharan. 2023. Physical Adversarial Attacks for Surveillance: A Survey. IEEE Transactions on Neural Networks and Learning Systems (2023)."},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24065"},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417862"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/3127479.3129249"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/3427228.3427230"},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243763"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1145\/586110.586145"},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24167"},{"key":"e_1_3_2_1_49_1","first-page":"2658","article-title":"P-Gaussian: Provenance-Based Gaussian Distribution for Detecting Intrusion Behavior Variants Using High Efficient and Real-Time Memory Databases","volume":"18","author":"Xie Yulai","year":"2019","unstructured":"Yulai Xie, Yafeng Wu, Dan Feng, and Darrell Long. 2019. P-Gaussian: Provenance-Based Gaussian Distribution for Detecting Intrusion Behavior Variants Using High Efficient and Real-Time Memory Databases. IEEE Transactions on Dependable and Secure Computing 18, 6 (2019), 2658\u20132674.","journal-title":"IEEE Transactions on Dependable and Secure Computing"},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833632"},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978378"},{"key":"e_1_3_2_1_52_1","volume-title":"Proceedings of the 32nd USENIX Security Symposium (USENIX Security 23)","author":"Yang Fan","year":"2023","unstructured":"Fan Yang, Jiacen Xu, Chunlin Xiong, Zhou Li, and Kehuan Zhang. 2023. PROGRAPHER: An Anomaly Detection System Based on Provenance Graph Embedding. In Proceedings of the 32nd USENIX Security Symposium (USENIX Security 23). 4355\u20134372."},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24329"},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24549"},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560570"},{"key":"e_1_3_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833669"},{"key":"e_1_3_2_1_57_1","volume-title":"MalFox: Camouflaged Adversarial Malware Example Generation Based on Conv-GANs Against Black-Box Detectors","author":"Zhong Fangtian","year":"2023","unstructured":"Fangtian Zhong, Xiuzhen Cheng, Dongxiao Yu, Bei Gong, Shuaiwen Song, and Jiguo Yu. 2023. MalFox: Camouflaged Adversarial Malware Example Generation Based on Conv-GANs Against Black-Box Detectors. IEEE Trans. Comput. (2023)."},{"key":"e_1_3_2_1_58_1","volume-title":"APTSHIELD: A Stable, Efficient and Real-Time APT Detection System for Linux Hosts","author":"Zhu Tiantian","year":"2023","unstructured":"Tiantian Zhu, Jinkai Yu, Chunlin Xiong, Wenrui Cheng, Qixuan Yuan, Jie Ying, Tieming Chen, Jiabo Zhang, Mingqi Lv, Yan Chen, 2023. APTSHIELD: A Stable, Efficient and Real-Time APT Detection System for Linux Hosts. IEEE Transactions on Dependable and Secure Computing (2023)."}],"event":{"name":"RAID '24: The 27th International Symposium on Research in Attacks, Intrusions and Defenses","location":"Padua Italy","acronym":"RAID '24"},"container-title":["The 27th International Symposium on Research in Attacks, Intrusions and Defenses"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3678890.3678916","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3678890.3678916","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T01:18:00Z","timestamp":1750295880000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3678890.3678916"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,9,30]]},"references-count":58,"alternative-id":["10.1145\/3678890.3678916","10.1145\/3678890"],"URL":"https:\/\/doi.org\/10.1145\/3678890.3678916","relation":{},"subject":[],"published":{"date-parts":[[2024,9,30]]},"assertion":[{"value":"2024-09-30","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}