{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,3]],"date-time":"2026-03-03T01:31:51Z","timestamp":1772501511260,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":65,"publisher":"ACM","funder":[{"DOI":"10.13039\/501100012166","name":"National Key Research and Development Program of China","doi-asserted-by":"publisher","award":["2023YFB2904000"],"award-info":[{"award-number":["2023YFB2904000"]}],"id":[{"id":"10.13039\/501100012166","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Natural Science Basic Research Program of Shaanxi","award":["2025JC-JCQN-073"],"award-info":[{"award-number":["2025JC-JCQN-073"]}]},{"name":"National Natural Science Foundation of China under Grant","award":["62272370"],"award-info":[{"award-number":["62272370"]}]},{"name":"Young Elite Scientists Sponsorship Program by CAST","award":["2022QNRC001"],"award-info":[{"award-number":["2022QNRC001"]}]},{"name":"China 111Project","award":["B16037"],"award-info":[{"award-number":["B16037"]}]},{"name":"Qinchuangyuan Scientist + Engineer Team Program of Shaanxi","award":["2024QCY-KXJ-149"],"award-info":[{"award-number":["2024QCY-KXJ-149"]}]},{"name":"Songshan Laboratory","award":["241110210200"],"award-info":[{"award-number":["241110210200"]}]},{"name":"Open Foundation of Key Laboratory of Cyberspace Security, Ministry of Education of China","award":["KLCS20240405"],"award-info":[{"award-number":["KLCS20240405"]}]},{"DOI":"10.13039\/501100012226","name":"Fundamental Research Funds for the Central Universities","doi-asserted-by":"publisher","award":["QTZX23071"],"award-info":[{"award-number":["QTZX23071"]}],"id":[{"id":"10.13039\/501100012226","id-type":"DOI","asserted-by":"publisher"}]},{"name":"National Research Foundation, Singapore, and DSO National Laboratories under the AI Singapore Programme","award":["AISG2-GC-2023-008"],"award-info":[{"award-number":["AISG2-GC-2023-008"]}]},{"name":"National Research 
Foundation, Singapore, and the Cyber Security Agency under its National Cybersecurity R&D Programme","award":["NCRP25-P04-TAICeN"],"award-info":[{"award-number":["NCRP25-P04-TAICeN"]}]},{"name":"National Research Foundation, Prime Minister's Office, Singapore under its Campus for Research Excellence and Technological Enterprise (CREATE) programme"},{"name":"Ripple under its University Blockchain Research Initiative (UBRI)"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,11,19]]},"DOI":"10.1145\/3719027.3744788","type":"proceedings-article","created":{"date-parts":[[2025,11,22]],"date-time":"2025-11-22T23:33:16Z","timestamp":1763854396000},"page":"963-977","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["<scp>Slot<\/scp>: Provenance-Driven APT Detection through Graph Reinforcement Learning"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-1561-9466","authenticated-orcid":false,"given":"Wei","family":"Qiao","sequence":"first","affiliation":[{"name":"School of Cyber Engineering, Xidian University, Xi'an, Shaanxi, China and State Key Laboratory of Integrated Services Networks (ISN), Xi'an, Shaanxi, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7235-2377","authenticated-orcid":false,"given":"Yebo","family":"Feng","sequence":"additional","affiliation":[{"name":"Nanyang Technological University, Singapore, Singapore"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5147-8336","authenticated-orcid":false,"given":"Teng","family":"Li","sequence":"additional","affiliation":[{"name":"School of Cyber Engineering, Xidian University, Xi'an, Shaanxi, China, State Key Laboratory of Integrated Services Networks (ISN), Xi'an, Shaanxi, China, and Key Laboratory of Cyberspace Security, Ministry of Education, Zhengzhou,
China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6023-2864","authenticated-orcid":false,"given":"Zhuo","family":"Ma","sequence":"additional","affiliation":[{"name":"School of Cyber Engineering, Xidian University, Xi'an, Shaanxi, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8448-705X","authenticated-orcid":false,"given":"Yulong","family":"Shen","sequence":"additional","affiliation":[{"name":"School of Computer Science and Technology, Xidian University, Xi'an, Shaanxi, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4251-1143","authenticated-orcid":false,"given":"Jianfeng","family":"Ma","sequence":"additional","affiliation":[{"name":"School of Cyber Engineering, Xidian University, Xi'an, Shaanxi, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7300-9215","authenticated-orcid":false,"given":"Yang","family":"Liu","sequence":"additional","affiliation":[{"name":"Nanyang Technological University, Singapore, Singapore"}]}],"member":"320","published-online":{"date-parts":[[2025,11,22]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"Darpa transparent computing program engagement 3 data release. https:\/\/github.com\/darpa-i2o\/Transparent-Computing","year":"2020","unstructured":"[n.d.]. Darpa transparent computing program engagement 3 data release. https:\/\/github.com\/darpa-i2o\/Transparent-Computing. 2020."},{"key":"e_1_3_2_1_2_1","unstructured":"[n.d.]. The Linux audit daemon. https:\/\/linux.die.net\/man\/8\/auditd."},{"key":"e_1_3_2_1_3_1","unstructured":"[n.d.]. MITRE ATT&CK Framework. https:\/\/attack.mitre.org\/"},{"key":"e_1_3_2_1_4_1","unstructured":"[n.d.]. The streamspot dataset. https:\/\/github.com\/sbustreamspot\/sbustreamspotdata.2016."},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833745"},{"key":"e_1_3_2_1_6_1","volume-title":"30th USENIX security symposium (USENIX security 21). 
3005- 3022.","author":"Alsaheel Abdulellah","unstructured":"Abdulellah Alsaheel, Yuhong Nan, Shiqing Ma, Le Yu, Gregory Walkup, Z Berkay Celik, Xiangyu Zhang, and Dongyan Xu. 2021. {ATLAS}: A sequence-based learning approach for attack investigation. In 30th USENIX security symposium (USENIX security 21). 3005- 3022."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2019.2891891"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2022.3165618"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.knosys.2021.107660"},{"key":"e_1_3_2_1_10_1","volume-title":"Practical Intrusion Detection and Investigation using Whole-system Provenance. arXiv preprint arXiv:2308.05034","author":"Cheng Zijun","year":"2023","unstructured":"Zijun Cheng, Qiujian Lv, Jinyuan Liang, Yan Wang, Degang Sun, Thomas Pasquier, and Xueyuan Han. 2023. Kairos: Practical Intrusion Detection and Investigation using Whole-system Provenance. arXiv preprint arXiv:2308.05034 (2023)."},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/3338840.3355641"},{"key":"e_1_3_2_1_12_1","unstructured":"Microsoft Corporation. [n.d.]. Event tracing. https:\/\/docs.microsoft.com\/enus\/windows\/desktop\/ETW\/event-tracing-portal."},{"key":"e_1_3_2_1_13_1","volume-title":"Unmasking the Internet: A Survey of Fine-Grained Network Traffic Analysis","author":"Feng Yebo","year":"2025","unstructured":"Yebo Feng, Jun Li, Jelena Mirkovic, Cong Wu, Chong Wang, Hao Ren, Jiahua Xu, and Yang Liu. 2025. Unmasking the Internet: A Survey of Fine-Grained Network Traffic Analysis.
IEEE Communications Surveys & Tutorials (2025)."},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/IWQoS49365.2020.9213026"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2023.3301293"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/MPOT.2022.3198929"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2023.24207"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10994-023-06344-7"},{"key":"e_1_3_2_1_19_1","volume-title":"Inductive representation learning on large graphs. Advances in neural information processing systems 30","author":"Hamilton Will","year":"2017","unstructured":"Will Hamilton, Zhitao Ying, and Jure Leskovec. 2017. Inductive representation learning on large graphs. Advances in neural information processing systems 30 (2017)."},{"key":"e_1_3_2_1_20_1","volume-title":"UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats. In 27th Annual Network and Distributed System Security Symposium, NDSS.","author":"Han Xueyuan","year":"2020","unstructured":"Xueyuan Han, Thomas Pasquier, Adam Bates, James Mickens, and Margo Seltzer. 2020. UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats. In 27th Annual Network and Distributed System Security Symposium, NDSS."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00096"},{"key":"e_1_3_2_1_22_1","volume-title":"Nodoze: Combatting threat alert fatigue with automated provenance triage. In network and distributed systems security symposium.","author":"Hassan Wajih Ul","year":"2019","unstructured":"Wajih Ul Hassan, Shengjian Guo, Ding Li, Zhengzhang Chen, Kangkook Jee, Zhichun Li, and Adam Bates. 2019. Nodoze: Combatting threat alert fatigue with automated provenance triage. 
In network and distributed systems security symposium."},{"key":"e_1_3_2_1_23_1","volume-title":"26th USENIX Security Symposium (USENIX Security 17)","author":"Hossain Md Nahid","year":"2017","unstructured":"Md Nahid Hossain, Sadegh M Milajerdi, Junao Wang, Birhanu Eshete, Rigel Gjomemo, R Sekar, Scott Stoller, and VN Venkatakrishnan. 2017. SLEUTH: Real-time attack scenario reconstruction from COTS audit data. In 26th USENIX Security Symposium (USENIX Security 17). 487- 504."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00064"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/3534678.3539321"},{"key":"e_1_3_2_1_26_1","volume-title":"33rd USENIX Security Symposium (USENIX Security 24)","author":"Jia Zian","year":"2024","unstructured":"Zian Jia, Yun Xiong, Yuhong Nan, Yao Zhang, Jinjing Zhao, and Mi Wen. 2024. MAGIC: Detecting Advanced Persistent Threats via Masked Graph Representation Learning. In 33rd USENIX Security Symposium (USENIX Security 24). 5197- 5214."},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/3512527.3531373"},{"key":"e_1_3_2_1_28_1","volume-title":"Graph convolutional reinforcement learning. arXiv preprint arXiv:1810.09202","author":"Jiang Jiechuan","year":"2018","unstructured":"Jiechuan Jiang, Chen Dun, Tiejun Huang, and Zongqing Lu. 2018. Graph convolutional reinforcement learning. arXiv preprint arXiv:1810.09202 (2018)."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICMLA52953.2021.00273"},{"key":"e_1_3_2_1_30_1","volume-title":"Learning hand-eye coordination for robotic grasping with deep learning and large-scale data collection. The International journal of robotics research 37, 4- 5","author":"Levine Sergey","year":"2018","unstructured":"Sergey Levine, Peter Pastor, Alex Krizhevsky, Julian Ibarz, and Deirdre Quillen. 2018. Learning hand-eye coordination for robotic grasping with deep learning and large-scale data collection. 
The International journal of robotics research 37, 4- 5 (2018), 421- 436."},{"key":"e_1_3_2_1_31_1","first-page":"20887","article-title":"Large scale learning on non-homophilous graphs: New benchmarks and strong simple methods","volume":"34","author":"Lim Derek","year":"2021","unstructured":"Derek Lim, Felix Hohne, Xiuyu Li, Sijia Linda Huang, Vaishnavi Gupta, Omkar Bhalerao, and Ser Nam Lim. 2021. Large scale learning on non-homophilous graphs: New benchmarks and strong simple methods. Advances in Neural Information Processing Systems 34 (2021), 20887- 20902.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v29i1.9491"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363224"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"crossref","unstructured":"Yushan Liu Mu Zhang Ding Li Kangkook Jee Zhichun Li Zhenyu Wu Junghwan Rhee and Prateek Mittal. 2018. Towards a Timely Causality Analysis for Enterprise Security. In NDSS.","DOI":"10.14722\/ndss.2018.23254"},{"key":"e_1_3_2_1_35_1","volume-title":"Towards deep learning models resistant to adversarial attacks. stat 1050, 9","author":"Madry Aleksander","year":"2017","unstructured":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2017. Towards deep learning models resistant to adversarial attacks. stat 1050, 9 (2017)."},{"key":"e_1_3_2_1_36_1","volume-title":"Proceedings of the 22nd ACM SIGKDD international conference on knowledge discovery and data mining. 1035- 1044","author":"Manzoor Emaad","year":"2016","unstructured":"Emaad Manzoor, Sadegh M Milajerdi, and Leman Akoglu. 2016. Fast memoryefficient anomaly detection in streaming heterogeneous graphs. In Proceedings of the 22nd ACM SIGKDD international conference on knowledge discovery and data mining. 
1035- 1044."},{"key":"e_1_3_2_1_37_1","volume-title":"Efficient estimation of word representations in vector space. arXiv preprint arXiv:1301.3781","author":"Mikolov Tomas","year":"2013","unstructured":"Tomas Mikolov. 2013. Efficient estimation of word representations in vector space. arXiv preprint arXiv:1301.3781 (2013)."},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363217"},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00026"},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-86486-6_48"},{"key":"e_1_3_2_1_41_1","volume-title":"Adam Bates, Christopher Fletcher, Andrew Miller, and Dave Tian.","author":"Paccagnella Riccardo","year":"2020","unstructured":"Riccardo Paccagnella, Pubali Datta, Wajih Ul Hassan, Adam Bates, Christopher Fletcher, Andrew Miller, and Dave Tian. 2020. Custos: Practical tamper-evident auditing of operating systems using trusted execution. In Network and distributed system security symposium."},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/3127479.3129249"},{"key":"e_1_3_2_1_43_1","volume-title":"Proceedings of the 2018 ACM SIGSAC conference on computer and communications security. 1601- 1616","author":"Pasquier Thomas","year":"2018","unstructured":"Thomas Pasquier, Xueyuan Han, Thomas Moyer, Adam Bates, Olivier Hermant, David Eyers, Jean Bacon, and Margo Seltzer. 2018. Runtime analysis of whole-system provenance. In Proceedings of the 2018 ACM SIGSAC conference on computer and communications security. 1601- 1616."},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/2991079.2991122"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/3490181"},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.5555\/1639537.1639542"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00139"},{"key":"e_1_3_2_1_48_1","unstructured":"SektorCERT. 2023.
The attack against Danish critical infrastructure. Available online. https:\/\/sektorcert.dk\/wp-content\/uploads\/2023\/11\/SektorCERT-Theattack-against-Danish-critical-infrastructure-TLP-CLEAR.pdf"},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1007\/s12652-023-04603-y"},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/3442381.3449822"},{"key":"e_1_3_2_1_51_1","volume-title":"Grayling: Previously Unseen Threat Actor Targets Multiple Organizations in Taiwan. https:\/\/symantec-enterprise-blogs.security. com\/threat-intelligence\/grayling-taiwan-cyber-attacks","author":"Team Threat Hunter","year":"2023","unstructured":"Threat Hunter Team. 2023. Grayling: Previously Unseen Threat Actor Targets Multiple Organizations in Taiwan. https:\/\/symantec-enterprise-blogs.security. com\/threat-intelligence\/grayling-taiwan-cyber-attacks"},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.neunet.2023.10.039"},{"key":"e_1_3_2_1_53_1","volume-title":"Adversarial training and robustness for multiple perturbations. Advances in neural information processing systems 32","author":"Tramer Florian","year":"2019","unstructured":"Florian Tramer and Dan Boneh. 2019. Adversarial training and robustness for multiple perturbations. Advances in neural information processing systems 32 (2019)."},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10462-022-10205-5"},{"key":"e_1_3_2_1_55_1","volume-title":"Graph attention networks. arXiv preprint arXiv:1710.10903","author":"Velickovic Petar","year":"2017","unstructured":"Petar Velickovic, Guillem Cucurull, Arantxa Casanova, Adriana Romero, Pietro Lio, and Yoshua Bengio. 2017. Graph attention networks. 
arXiv preprint arXiv:1710.10903 (2017)."},{"key":"e_1_3_2_1_56_1","volume-title":"Ding Li, Kangkook Jee, Xiao Yu, Kexuan Zou, Junghwan Rhee, Zhengzhang Chen, Wei Cheng, Carl A Gunter, et al.","author":"Wang Qi","year":"2020","unstructured":"Qi Wang, Wajih Ul Hassan, Ding Li, Kangkook Jee, Xiao Yu, Kexuan Zou, Junghwan Rhee, Zhengzhang Chen, Wei Cheng, Carl A Gunter, et al. 2020. You Are What You Do: Hunting Stealthy Malware via Data Provenance Analysis. In NDSS."},{"key":"e_1_3_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2022.3208815"},{"key":"e_1_3_2_1_58_1","volume-title":"Companion Proceedings of the Web Conference","author":"Xiong Jian","year":"2020","unstructured":"Rui Wen, Jianyu Wang, Chunming Wu, and Jian Xiong. 2020. Asa: Adversary situation awareness via heterogeneous graph convolutional networks. In Companion Proceedings of the Web Conference 2020. 674- 678."},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.ipm.2022.103076"},{"key":"e_1_3_2_1_60_1","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Yang Fan","year":"2023","unstructured":"Fan Yang, Jiacen Xu, Chunlin Xiong, Zhou Li, and Kehuan Zhang. 2023. {PROGRAPHER}: An Anomaly Detection System based on Provenance Graph Embedding. In 32nd USENIX Security Symposium (USENIX Security 23). 4355- 4372."},{"key":"e_1_3_2_1_61_1","volume-title":"International conference on machine learning. PMLR, 12241- 12252","author":"Yuan Hao","year":"2021","unstructured":"Hao Yuan, Haiyang Yu, Jie Wang, Kang Li, and Shuiwang Ji. 2021. On explainability of graph neural networks via subgraph explorations. In International conference on machine learning.
PMLR, 12241- 12252."},{"key":"e_1_3_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833669"},{"key":"e_1_3_2_1_63_1","first-page":"21171","article-title":"Hierarchical graph transformer with adaptive node sampling","volume":"35","author":"Zhang Zaixi","year":"2022","unstructured":"Zaixi Zhang, Qi Liu, Qingyong Hu, and Chee-Kong Lee. 2022. Hierarchical graph transformer with adaptive node sampling. Advances in Neural Information Processing Systems 35 (2022), 21171- 21183.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.1145\/1526709.1526781"},{"key":"e_1_3_2_1_65_1","volume-title":"Beyond homophily in graph neural networks: Current limitations and effective designs. Advances in neural information processing systems 33","author":"Zhu Jiong","year":"2020","unstructured":"Jiong Zhu, Yujun Yan, Lingxiao Zhao, Mark Heimann, Leman Akoglu, and Danai Koutra. 2020. Beyond homophily in graph neural networks: Current limitations and effective designs. 
Advances in neural information processing systems 33 (2020), 7793- 7804."}],"event":{"name":"CCS '25: ACM SIGSAC Conference on Computer and Communications Security","location":"Taipei Taiwan","acronym":"CCS '25","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3719027.3744788","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:20:12Z","timestamp":1766442012000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3719027.3744788"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,19]]},"references-count":65,"alternative-id":["10.1145\/3719027.3744788","10.1145\/3719027"],"URL":"https:\/\/doi.org\/10.1145\/3719027.3744788","relation":{},"subject":[],"published":{"date-parts":[[2025,11,19]]},"assertion":[{"value":"2025-11-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}