{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,22]],"date-time":"2026-04-22T18:13:16Z","timestamp":1776881596270,"version":"3.51.2"},"publisher-location":"New York, NY, USA","reference-count":50,"publisher":"ACM","license":[{"start":{"date-parts":[[2025,4,22]],"date-time":"2025-04-22T00:00:00Z","timestamp":1745280000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Strategic Priority Research Program of the Chinese Academy of Sciences","award":["XDA0460100"],"award-info":[{"award-number":["XDA0460100"]}]},{"name":"Program of Key Laboratory of Network Assessment Technology, the Chinese Academy of Sciences"},{"name":"Youth Innovation Promotion Association CAS","award":["2021156"],"award-info":[{"award-number":["2021156"]}]},{"name":"Program of Beijing Key Laboratory of Network Security and Protection Technology"},{"DOI":"10.13039\/https:\/\/doi.org\/10.13039\/501100012166","name":"National Key Research and Development Program of China","doi-asserted-by":"publisher","award":["2023YFC2206402"],"award-info":[{"award-number":["2023YFC2206402"]}],"id":[{"id":"10.13039\/https:\/\/doi.org\/10.13039\/501100012166","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,4,22]]},"DOI":"10.1145\/3696410.3714563","type":"proceedings-article","created":{"date-parts":[[2025,4,22]],"date-time":"2025-04-22T23:08:29Z","timestamp":1745363309000},"page":"2172-2182","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":2,"title":["Brewing\n            <scp>Vodka:<\/scp>\n            Distilling Pure Knowledge for Lightweight Threat Detection in Audit 
Logs"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0001-3114-7422","authenticated-orcid":false,"given":"Weiheng","family":"Wu","sequence":"first","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China and School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1561-9466","authenticated-orcid":false,"given":"Wei","family":"Qiao","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China and School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0001-0174-9326","authenticated-orcid":false,"given":"Wenhao","family":"Yan","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China and School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7185-990X","authenticated-orcid":false,"given":"Bo","family":"Jiang","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China and School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2740-9362","authenticated-orcid":false,"given":"Yuling","family":"Liu","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China and School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-9851-5548","authenticated-orcid":false,"given":"Baoxu","family":"Liu","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China and School of Cyber Security, University of Chinese Academy 
of Sciences, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2552-6231","authenticated-orcid":false,"given":"Zhigang","family":"Lu","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China and School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-3383-2292","authenticated-orcid":false,"given":"Junrong","family":"Liu","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China and School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"}]}],"member":"320","published-online":{"date-parts":[[2025,4,22]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"2016. The streamspot dataset. https:\/\/github.com\/sbustreamspot\/sbustreamspot-data."},{"key":"e_1_3_2_1_2_1","unstructured":"2017. Equifax Information Leakage. https:\/\/en.wikipedia.org\/wiki\/Equifax."},{"key":"e_1_3_2_1_3_1","unstructured":"2020. APT42 - Crooked Charms Cons and Compromises. https:\/\/www.mandiant.com\/resources\/podcasts\/threat-trends-apt42-charms-cons-compromises."},{"key":"e_1_3_2_1_4_1","unstructured":"2020. Darpa transparent computing program engagement 3 data release. https:\/\/github.com\/darpa-i2o\/Transparent-Computing."},{"key":"e_1_3_2_1_5_1","unstructured":"2020. SolarWinds hack. https:\/\/en.wikipedia.org\/wiki\/SolarWinds."},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2019.2891891"},{"key":"e_1_3_2_1_7_1","volume-title":"Fast incremental and personalized pagerank. arXiv preprint arXiv:1006.2880","author":"Bahmani Bahman","year":"2010","unstructured":"Bahman Bahmani, Abdur Chowdhury, and Ashish Goel. 2010. Fast incremental and personalized pagerank. 
arXiv preprint arXiv:1006.2880 (2010)."},{"key":"e_1_3_2_1_8_1","volume-title":"24th USENIX Security Symposium (USENIX Security 15)","author":"Bates Adam","year":"2015","unstructured":"Adam Bates, Dave Jing Tian, Kevin RB Butler, and Thomas Moyer. 2015. Trustworthy {Whole-System} provenance for the linux kernel. In 24th USENIX Security Symposium (USENIX Security 15). 319--334."},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1049\/cit2.12028"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00005"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134015"},{"key":"e_1_3_2_1_12_1","volume-title":"Infomap bioregions: interactive mapping of biogeographical regions from species distributions. Systematic biology 66, 2","author":"Edler Daniel","year":"2017","unstructured":"Daniel Edler, Tha\u00eds Guedes, Alexander Zizka, Martin Rosvall, and Alexandre Antonelli. 2017. Infomap bioregions: interactive mapping of biogeographical regions from species distributions. Systematic biology 66, 2 (2017), 197--204."},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2023.24207"},{"key":"e_1_3_2_1_14_1","volume-title":"Inductive representation learning on large graphs. Advances in neural information processing systems 30","author":"Hamilton Will","year":"2017","unstructured":"Will Hamilton, Zhitao Ying, and Jure Leskovec. 2017. Inductive representation learning on large graphs. Advances in neural information processing systems 30 (2017)."},{"key":"e_1_3_2_1_15_1","volume-title":"UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats. In Network and Distributed System Security Symposium.","author":"Han Xueyuan","year":"2020","unstructured":"Xueyuan Han, Thomas Pasquier, Adam Bates, James Mickens, and Margo Seltzer. 2020. UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats. 
In Network and Distributed System Security Symposium."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00096"},{"key":"e_1_3_2_1_17_1","volume-title":"Nodoze: Combatting threat alert fatigue with automated provenance triage. In network and distributed systems security symposium.","author":"Hassan Wajih Ul","year":"2019","unstructured":"Wajih Ul Hassan, Shengjian Guo, Ding Li, Zhengzhang Chen, Kangkook Jee, Zhichun Li, and Adam Bates. 2019. Nodoze: Combatting threat alert fatigue with automated provenance triage. In network and distributed systems security symposium."},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/3427228.3427255"},{"key":"e_1_3_2_1_19_1","volume-title":"Distilling the Knowledge in a Neural Network. stat 1050","author":"Hinton Geoffrey","year":"2015","unstructured":"Geoffrey Hinton, Oriol Vinyals, and Jeff Dean. 2015. Distilling the Knowledge in a Neural Network. stat 1050 (2015), 9."},{"key":"e_1_3_2_1_20_1","volume-title":"26th USENIX Security Symposium (USENIX Security 17)","author":"Hossain Md Nahid","year":"2017","unstructured":"Md Nahid Hossain, Sadegh M Milajerdi, Junao Wang, Birhanu Eshete, Rigel Gjomemo, R Sekar, Scott Stoller, and VN Venkatakrishnan. 2017. SLEUTH: Real-time attack scenario reconstruction from COTS audit data. In 26th USENIX Security Symposium (USENIX Security 17). 487--504."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00521"},{"key":"e_1_3_2_1_22_1","volume-title":"SystemTap: instrumenting the Linux kernel for analyzing performance and functional problems. IBM Redbook 116","author":"Jacob Bart","year":"2008","unstructured":"Bart Jacob, Paul Larson, B Leitao, and SAMM Da Silva. 2008. SystemTap: instrumenting the Linux kernel for analyzing performance and functional problems. 
IBM Redbook 116 (2008)."},{"key":"e_1_3_2_1_23_1","volume-title":"33rd USENIX Security Symposium (USENIX Security 24)","author":"Jia Zian","year":"2024","unstructured":"Zian Jia, Yun Xiong, Yuhong Nan, Yao Zhang, Jinjing Zhao, and Mi Wen. 2024. {MAGIC}: Detecting Advanced Persistent Threats via Masked Graph Representation Learning. In 33rd USENIX Security Symposium (USENIX Security 24). 5197--5214."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICMLA52953.2021.00273"},{"key":"e_1_3_2_1_25_1","first-page":"4037","article-title":"Concept and difficulties of advanced persistent threats (APT): Survey","volume":"13","author":"Khaleefa Eman J","year":"2022","unstructured":"Eman J Khaleefa and Dhahair A Abdulah. 2022. Concept and difficulties of advanced persistent threats (APT): Survey. International Journal of Nonlinear Analysis and Applications 13, 1 (2022), 4037--4052.","journal-title":"International Journal of Nonlinear Analysis and Applications"},{"key":"e_1_3_2_1_26_1","volume-title":"Semi-supervised classification with graph convolutional networks. arXiv preprint arXiv:1609.02907","author":"Kipf Thomas N","year":"2016","unstructured":"Thomas N Kipf and Max Welling. 2016. Semi-supervised classification with graph convolutional networks. arXiv preprint arXiv:1609.02907 (2016)."},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00981"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2021.102282"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363224"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"crossref","unstructured":"Yushan Liu Mu Zhang Ding Li Kangkook Jee Zhichun Li Zhenyu Wu Junghwan Rhee and Prateek Mittal. 2018. Towards a Timely Causality Analysis for Enterprise Security. 
In NDSS.","DOI":"10.14722\/ndss.2018.23254"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/BigData.2015.7364114"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00026"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/3471621.3471858"},{"key":"e_1_3_2_1_34_1","volume-title":"Adam Bates, Christopher Fletcher, Andrew Miller, and Dave Tian.","author":"Paccagnella Riccardo","year":"2020","unstructured":"Riccardo Paccagnella, Pubali Datta, Wajih Ul Hassan, Adam Bates, Christopher Fletcher, Andrew Miller, and Dave Tian. 2020. Custos: Practical tamper-evident auditing of operating systems using trusted execution. In Network and distributed system security symposium."},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/3127479.3129249"},{"key":"e_1_3_2_1_36_1","volume-title":"Pytorch: An imperative style, high-performance deep learning library. Advances in neural information processing systems 32","author":"Paszke Adam","year":"2019","unstructured":"Adam Paszke, Sam Gross, Francisco Massa, Adam Lerer, James Bradbury, Gregory Chanan, Trevor Killeen, Zeming Lin, Natalia Gimelshein, Luca Antiga, et al. 2019. Pytorch: An imperative style, high-performance deep learning library. Advances in neural information processing systems 32 (2019)."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00139"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1007\/s12652-023-04603-y"},{"key":"e_1_3_2_1_39_1","volume-title":"Extreme learning machine for multilayer perceptron","author":"Tang Jiexiong","year":"2015","unstructured":"Jiexiong Tang, Chenwei Deng, and Guang-Bin Huang. 2015. Extreme learning machine for multilayer perceptron. IEEE transactions on neural networks and learning systems 27, 4 (2015), 809--821."},{"key":"e_1_3_2_1_40_1","volume-title":"Contrastive representation distillation. 
arXiv preprint arXiv:1910.10699","author":"Tian Yonglong","year":"2019","unstructured":"Yonglong Tian, Dilip Krishnan, and Phillip Isola. 2019. Contrastive representation distillation. arXiv preprint arXiv:1910.10699 (2019)."},{"key":"e_1_3_2_1_41_1","volume-title":"Adversarial training and robustness for multiple perturbations. Advances in neural information processing systems 32","author":"Tramer Florian","year":"2019","unstructured":"Florian Tramer and Dan Boneh. 2019. Adversarial training and robustness for multiple perturbations. Advances in neural information processing systems 32 (2019)."},{"key":"e_1_3_2_1_42_1","volume-title":"Graph attention networks. arXiv preprint arXiv:1710.10903","author":"Velickovic Petar","year":"2017","unstructured":"Petar Velickovic, Guillem Cucurull, Arantxa Casanova, Adriana Romero, Pietro Lio, and Yoshua Bengio. 2017. Graph attention networks. arXiv preprint arXiv:1710.10903 (2017)."},{"key":"e_1_3_2_1_43_1","volume-title":"Unifying graph convolutional neural networks and label propagation. arXiv preprint arXiv:2002.06755","author":"Wang Hongwei","year":"2020","unstructured":"Hongwei Wang and Jure Leskovec. 2020. Unifying graph convolutional neural networks and label propagation. arXiv preprint arXiv:2002.06755 (2020)."},{"key":"e_1_3_2_1_44_1","volume-title":"ICLR workshop on representation learning on graphs and manifolds.","author":"Wang Minjie Yu","year":"2019","unstructured":"Minjie Yu Wang. 2019. Deep graph library: Towards efficient and scalable deep learning on graphs. In ICLR workshop on representation learning on graphs and manifolds."},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2022.3208815"},{"key":"e_1_3_2_1_46_1","volume-title":"International conference on machine learning. PMLR, 6861--6871","author":"Wu Felix","year":"2019","unstructured":"Felix Wu, Amauri Souza, Tianyi Zhang, Christopher Fifty, Tao Yu, and Kilian Weinberger. 2019. Simplifying graph convolutional networks. 
In International conference on machine learning. PMLR, 6861--6871."},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1109\/TETCI.2019.2952908"},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/3442381.3450068"},{"key":"e_1_3_2_1_49_1","volume-title":"A review of recurrent neural networks: LSTM cells and network architectures. Neural computation 31, 7","author":"Yu Yong","year":"2019","unstructured":"Yong Yu, Xiaosheng Si, Changhua Hu, and Jianxun Zhang. 2019. A review of recurrent neural networks: LSTM cells and network architectures. Neural computation 31, 7 (2019), 1235--1270."},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833669"}],"event":{"name":"WWW '25: The ACM Web Conference 2025","location":"Sydney NSW Australia","acronym":"WWW '25","sponsor":["SIGWEB ACM Special Interest Group on Hypertext, Hypermedia, and Web"]},"container-title":["Proceedings of the ACM on Web Conference 2025"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3696410.3714563","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3696410.3714563","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T01:18:33Z","timestamp":1750295913000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3696410.3714563"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,4,22]]},"references-count":50,"alternative-id":["10.1145\/3696410.3714563","10.1145\/3696410"],"URL":"https:\/\/doi.org\/10.1145\/3696410.3714563","relation":{},"subject":[],"published":{"date-parts":[[2025,4,22]]},"assertion":[{"value":"2025-04-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}