{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,11]],"date-time":"2026-06-11T03:38:09Z","timestamp":1781149089252,"version":"3.54.1"},"publisher-location":"New York, NY, USA","reference-count":51,"publisher":"ACM","license":[{"start":{"date-parts":[[2025,4,22]],"date-time":"2025-04-22T00:00:00Z","timestamp":1745280000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"National Key R&D Program of China","award":["2023YFB3106900"],"award-info":[{"award-number":["2023YFB3106900"]}]},{"DOI":"10.13039\/https:\/\/doi.org\/10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62302362, 62472337"],"award-info":[{"award-number":["62302362, 62472337"]}],"id":[{"id":"10.13039\/https:\/\/doi.org\/10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,4,22]]},"DOI":"10.1145\/3696410.3714925","type":"proceedings-article","created":{"date-parts":[[2025,5,5]],"date-time":"2025-05-05T16:42:02Z","timestamp":1746463322000},"page":"1046-1057","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":5,"title":["STGAN: Detecting Host Threats via Fusion of Spatial-Temporal Features in Host Provenance Graphs"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0006-3265-4078","authenticated-orcid":false,"given":"Anyuan","family":"Sang","sequence":"first","affiliation":[{"name":"Xidian University, Xian, Shaanxi, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-1023-1902","authenticated-orcid":false,"given":"Xuezheng","family":"Fan","sequence":"additional","affiliation":[{"name":"Xidian University, Xian, Shaanxi, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2750-7031","authenticated-orcid":false,"given":"Li","family":"Yang","sequence":"additional","affiliation":[{"name":"Xidian University, Xian, Shaanxi, China and Shaanxi Key Laboratory of Network and System Security, Xian, Shaanxi, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9685-6107","authenticated-orcid":false,"given":"Yuchen","family":"Wang","sequence":"additional","affiliation":[{"name":"Xidian University, Xian, Shaanxi, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5201-5074","authenticated-orcid":false,"given":"Lu","family":"Zhou","sequence":"additional","affiliation":[{"name":"Xidian University, Xian, Shaanxi, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-4286-4003","authenticated-orcid":false,"given":"Junbo","family":"Jia","sequence":"additional","affiliation":[{"name":"Xidian University, Xian, Shaanxi, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-1975-8062","authenticated-orcid":false,"given":"Huipeng","family":"Yang","sequence":"additional","affiliation":[{"name":"Xidian University, Xian, Shaanxi, China"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2025,4,22]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"[n. d.]. Apt notes. https:\/\/github.com\/kbandla\/APTnotes Last accessed on 2024-6--25."},{"key":"e_1_3_2_1_2_1","unstructured":"[n. d.]. Transparent Computing Engagement 3 DataRelease. https:\/\/github.com\/ darpa-i2o\/TransparentComputing\/blob\/master\/README-E3.md Last accessed on 2024--5--21."},{"key":"e_1_3_2_1_3_1","unstructured":"2023. Linux Kernel Audit Subsystem. https:\/\/github.com\/linux-audit\/auditkernel Last accessed on 2024--5--25."},{"key":"e_1_3_2_1_4_1","unstructured":"2023. MANDIANT: Exposing One of China's Cyber Espionage Units. https:\/\/www.fireeye.com\/content\/dam\/fireeye-www\/services\/pdfs\/mandiantapt1-report.pdf Last accessed on 2024--5--11."},{"key":"e_1_3_2_1_5_1","unstructured":"2023. Windows ETW. https:\/\/learn.microsoft.com\/zh-cn\/windowshardware\/ drivers\/devtest\/event-tracing-for-windows\u00e2ASetw- Last accessed on 2024--5--21."},{"key":"e_1_3_2_1_6_1","volume-title":"USENIX Security Symposium. 3005--3022","author":"Alsaheel Abdulellah","year":"2021","unstructured":"Abdulellah Alsaheel, Yuhong Nan, Shiqing Ma, Le Yu, GregoryWalkup, Z Berkay Celik, Xiangyu Zhang, and Dongyan Xu. 2021. ATLAS: A Sequence-based Learning Approach for Attack Investigation.. In USENIX Security Symposium. 3005--3022."},{"key":"e_1_3_2_1_7_1","volume-title":"Adaptive graph convolutional recurrent network for traffic forecasting. Advances in neural information processing systems 33","author":"Bai Lei","year":"2020","unstructured":"Lei Bai, Lina Yao, Can Li, Xianzhi Wang, and Can Wang. 2020. Adaptive graph convolutional recurrent network for traffic forecasting. Advances in neural information processing systems 33 (2020), 17804--17815."},{"key":"e_1_3_2_1_8_1","volume-title":"24th USENIX Security Symposium (USENIX Security 15)","author":"Bates Adam","year":"2015","unstructured":"Adam Bates, Dave Jing Tian, Kevin RB Butler, and Thomas Moyer. 2015. Trustworthy {Whole-System} provenance for the linux kernel. In 24th USENIX Security Symposium (USENIX Security 15). 319--334."},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/3580305.3599504"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/2939672.2939785"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00005"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3616580"},{"key":"e_1_3_2_1_13_1","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Dong Feng","year":"2023","unstructured":"Feng Dong, Liu Wang, Xu Nie, Fei Shao, Haoyu Wang, Ding Li, Xiapu Luo, and Xusheng Xiao. 2023. {DISTDET}: A {Cost-Effective} Distributed Cyber Threat Detection System. In 32nd USENIX Security Symposium (USENIX Security 23). 6575--6592."},{"key":"e_1_3_2_1_14_1","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Fang Pengcheng","year":"2022","unstructured":"Pengcheng Fang, Peng Gao, Changlin Liu, Erman Ayday, Kangkook Jee, Ting Wang, Yanfang Fanny Ye, Zhuotao Liu, and Xusheng Xiao. 2022. {Back-Propagating} System Dependency Impact for Attack Investigation. In 31st USENIX Security Symposium (USENIX Security 22). 2461--2478."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/3447548.3467430"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2023.24207"},{"key":"e_1_3_2_1_17_1","volume-title":"Inductive representation learning on large graphs. Advances in neural information processing systems 30","author":"Hamilton Will","year":"2017","unstructured":"Will Hamilton, Zhitao Ying, and Jure Leskovec. 2017. Inductive representation learning on large graphs. Advances in neural information processing systems 30 (2017)."},{"key":"e_1_3_2_1_18_1","volume-title":"Unicorn: Runtime provenance-based detector for advanced persistent threats. NDSS","author":"Han Xueyuan","year":"2020","unstructured":"Xueyuan Han, Thomas Pasquier, Adam Bates, James Mickens, and Margo Seltzer. 2020. Unicorn: Runtime provenance-based detector for advanced persistent threats. NDSS (2020)."},{"key":"e_1_3_2_1_19_1","volume-title":"30th USENIX Security Symposium (USENIX Security . 2345--2362","author":"Han Xueyuan","year":"2021","unstructured":"Xueyuan Han, Xiao Yu, Thomas Pasquier, Ding Li, Junghwan Rhee, James Mickens, Margo Seltzer, and Haifeng Chen. 2021. SIGL: Securing software installations through deep graph learning. In 30th USENIX Security Symposium (USENIX Security . 2345--2362."},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00096"},{"key":"e_1_3_2_1_21_1","volume-title":"Nodoze: Combatting threat alert fatigue with automated provenance triage. In network and distributed systems security symposium.","author":"Hassan Wajih Ul","year":"2019","unstructured":"Wajih Ul Hassan, Shengjian Guo, Ding Li, Zhengzhang Chen, Kangkook Jee, Zhichun Li, and Adam Bates. 2019. Nodoze: Combatting threat alert fatigue with automated provenance triage. In network and distributed systems security symposium."},{"key":"e_1_3_2_1_22_1","volume-title":"USENIX Security Symposium. 487--504","author":"Hossain Md Nahid","year":"2017","unstructured":"Md Nahid Hossain, Sadegh M Milajerdi, Junao Wang, Birhanu Eshete, Rigel Gjomemo, R Sekar, Scott D Stoller, and VN Venkatakrishnan. 2017. SLEUTH: Real-time Attack Scenario Reconstruction from COTS Audit Data.. In USENIX Security Symposium. 487--504."},{"key":"e_1_3_2_1_23_1","volume-title":"2023 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, 307--325","author":"Inam Muhammad Adil","year":"2022","unstructured":"Muhammad Adil Inam, Yinfang Chen, Akul Goyal, Jason Liu, Jaron Mink, Noor Michael, Sneha Gaur, Adam Bates, and Wajih Ul Hassan. 2022. SoK: History is a Vast Early Warning System: Auditing the Provenance of System Intrusions. In 2023 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, 307--325."},{"key":"e_1_3_2_1_24_1","volume-title":"33rd USENIX Security Symposium (USENIX Security 24)","author":"Jia Zian","year":"2024","unstructured":"Zian Jia, Yun Xiong, Yuhong Nan, Yao Zhang, Jinjing Zhao, and Mi Wen. 2024. MAGIC: Detecting Advanced Persistent Threats via Masked Graph Representation Learning. In 33rd USENIX Security Symposium (USENIX Security 24). 5197--5214."},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v37i4.25556"},{"key":"e_1_3_2_1_26_1","volume-title":"Semi-supervised classification with graph convolutional networks. arXiv preprint arXiv:1609.02907","author":"Kipf Thomas N","year":"2016","unstructured":"Thomas N Kipf and MaxWelling. 2016. Semi-supervised classification with graph convolutional networks. arXiv preprint arXiv:1609.02907 (2016)."},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/3564625.3567997"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"crossref","unstructured":"Yushan Liu Mu Zhang Ding Li Kangkook Jee Zhichun Li Zhenyu Wu Junghwan Rhee and Prateek Mittal. 2018. Towards a Timely Causality Analysis for Enterprise Security.. In NDSS.","DOI":"10.14722\/ndss.2018.23254"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/2939672.2939783"},{"key":"e_1_3_2_1_30_1","volume-title":"Efficient estimation of word representations in vector space. arXiv preprint arXiv:1301.3781","author":"Mikolov Tomas","year":"2013","unstructured":"Tomas Mikolov. 2013. Efficient estimation of word representations in vector space. arXiv preprint arXiv:1301.3781 (2013)."},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363217"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00026"},{"key":"e_1_3_2_1_33_1","volume-title":"Evading Provenance-Based ML Detectors with Adversarial System Actions. In 32nd USENIX Security Symposium (USENIX Security 23)","author":"Mukherjee Kunal","year":"2023","unstructured":"Kunal Mukherjee, Joshua Wiedemeier, Tianhao Wang, James Wei, Feng Chen, Muhyun Kim, Murat Kantarcioglu, and Kangkook Jee. 2023. Evading Provenance-Based ML Detectors with Adversarial System Actions. In 32nd USENIX Security Symposium (USENIX Security 23). USENIX Association, Anaheim, CA, 1199--1216. https:\/\/www.usenix.org\/conference\/usenixsecurity23\/presentation\/mukherjee"},{"key":"e_1_3_2_1_34_1","volume-title":"graph2vec: Learning distributed representations of graphs. arXiv preprint arXiv:1707.05005","author":"Narayanan Annamalai","year":"2017","unstructured":"Annamalai Narayanan, Mahinthan Chandramohan, Rajasekar Venkatesan, Lihui Chen, Yang Liu, and Shantanu Jaiswal. 2017. graph2vec: Learning distributed representations of graphs. arXiv preprint arXiv:1707.05005 (2017)."},{"key":"e_1_3_2_1_35_1","volume-title":"Adam Bates, Christopher Fletcher, Andrew Miller, and Dave Tian.","author":"Paccagnella Riccardo","year":"2020","unstructured":"Riccardo Paccagnella, Pubali Datta, Wajih Ul Hassan, Adam Bates, Christopher Fletcher, Andrew Miller, and Dave Tian. 2020. Custos: Practical tamper-evident auditing of operating systems using trusted execution. In Network and distributed system security symposium."},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3127479.3129249"},{"key":"e_1_3_2_1_37_1","volume-title":"Scikit-learn: Machine learning in Python. the Journal of machine Learning research 12","author":"Pedregosa Fabian","year":"2011","unstructured":"Fabian Pedregosa, Ga\u00ebl Varoquaux, Alexandre Gramfort, Vincent Michel, Bertrand Thirion, Olivier Grisel, Mathieu Blondel, Peter Prettenhofer, Ron Weiss, Vincent Dubourg, et al. 2011. Scikit-learn: Machine learning in Python. the Journal of machine Learning research 12 (2011), 2825--2830."},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00139"},{"key":"e_1_3_2_1_39_1","volume-title":"Temporal graph networks for deep learning on dynamic graphs. arXiv preprint arXiv:2006.10637","author":"Rossi Emanuele","year":"2020","unstructured":"Emanuele Rossi, Ben Chamberlain, Fabrizio Frasca, Davide Eynard, Federico Monti, and Michael Bronstein. 2020. Temporal graph networks for deep learning on dynamic graphs. arXiv preprint arXiv:2006.10637 (2020)."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/3678890.3678916"},{"key":"e_1_3_2_1_41_1","volume-title":"Attack2vec: Leveraging temporal word embeddings to understand the evolution of cyberattacks. 28 st USENIX Security Symposium (USENIX Security 2019)","author":"Shen Yun","year":"2019","unstructured":"Yun Shen and Gianluca Stringhini. 2019. Attack2vec: Leveraging temporal word embeddings to understand the evolution of cyberattacks. 28 st USENIX Security Symposium (USENIX Security 2019) (2019)."},{"key":"e_1_3_2_1_42_1","volume-title":"Graph attention networks. arXiv preprint arXiv:1710.10903","author":"Velickovic Petar","year":"2017","unstructured":"Petar Velickovic, Guillem Cucurull, Arantxa Casanova, Adriana Romero, Pietro Lio, and Yoshua Bengio. 2017. Graph attention networks. arXiv preprint arXiv:1710.10903 (2017)."},{"key":"e_1_3_2_1_43_1","unstructured":"Minjie Wang Da Zheng Zihao Ye Quan Gan Mufei Li Xiang Song Jinjing Zhou Chao Ma Lingfan Yu Yu Gai et al. 2019. Deep graph library: A graphcentric highly-performant package for graph neural networks. arXiv preprint arXiv:1909.01315 (2019)."},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2022.3208815"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/3366423.3380186"},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2019\/264"},{"key":"e_1_3_2_1_47_1","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Yang Fan","year":"2023","unstructured":"Fan Yang, Jiacen Xu, Chunlin Xiong, Zhou Li, and Kehuan Zhang. 2023. PROGRAPHER: An Anomaly Detection System based on Provenance Graph Embedding. In 32nd USENIX Security Symposium (USENIX Security 23). 4355--4372."},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2018\/505"},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833669"},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560570"},{"key":"e_1_3_2_1_51_1","volume-title":"APTSHIELD: A Stable, Efficient and Real-time APT Detection System for Linux Hosts","author":"Zhu Tiantian","year":"2023","unstructured":"Tiantian Zhu, Jinkai Yu, Chunlin Xiong, Wenrui Cheng, Qixuan Yuan, Jie Ying, Tieming Chen, Jiabo Zhang, Mingqi Lv, Yan Chen, et al. 2023. APTSHIELD: A Stable, Efficient and Real-time APT Detection System for Linux Hosts. IEEE Transactions on Dependable and Secure Computing (2023)."}],"event":{"name":"WWW '25: The ACM Web Conference 2025","location":"Sydney NSW Australia","acronym":"WWW '25","sponsor":["SIGWEB ACM Special Interest Group on Hypertext, Hypermedia, and Web"]},"container-title":["Proceedings of the ACM on Web Conference 2025"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3696410.3714925","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3696410.3714925","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T01:18:54Z","timestamp":1750295934000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3696410.3714925"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,4,22]]},"references-count":51,"alternative-id":["10.1145\/3696410.3714925","10.1145\/3696410"],"URL":"https:\/\/doi.org\/10.1145\/3696410.3714925","relation":{},"subject":[],"published":{"date-parts":[[2025,4,22]]},"assertion":[{"value":"2025-04-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}