{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,18]],"date-time":"2026-03-18T09:18:58Z","timestamp":1773825538578,"version":"3.50.1"},"reference-count":37,"publisher":"Association for Computing Machinery (ACM)","issue":"4","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Proc. VLDB Endow."],"published-print":{"date-parts":[[2015,12]]},"abstract":"<jats:p>Computer system monitoring generates huge amounts of logs that record the interaction of system entities. How to query such data to better understand system behaviors and identify potential system risks and malicious behaviors becomes a challenging task for system administrators due to the dynamics and heterogeneity of the data. System monitoring data are essentially heterogeneous temporal graphs with nodes being system entities and edges being their interactions over time. Given the complexity of such graphs, it becomes time-consuming for system administrators to manually formulate useful queries in order to examine abnormal activities, attacks, and vulnerabilities in computer systems.<\/jats:p>\n          <jats:p>\n            In this work, we investigate how to query temporal graphs and treat\n            <jats:italic>query formulation<\/jats:italic>\n            as a discriminative temporal graph pattern mining problem. We introduce TGMiner to mine discriminative patterns from system logs, and these patterns can be taken as templates for building more complex queries. TGMiner leverages temporal information in graphs to prune graph patterns that share similar growth trend without compromising pattern quality. Experimental results on real system data show that TGMiner is 6-32 times faster than baseline methods. The discovered patterns were verified by system experts; they achieved high precision (97%) and recall (91%).\n          <\/jats:p>","DOI":"10.14778\/2856318.2856320","type":"journal-article","created":{"date-parts":[[2016,2,1]],"date-time":"2016-02-01T14:10:31Z","timestamp":1454335831000},"page":"240-251","source":"Crossref","is-referenced-by-count":25,"title":["Behavior query discovery in system-generated temporal graphs"],"prefix":"10.14778","volume":"9","author":[{"given":"Bo","family":"Zong","sequence":"first","affiliation":[{"name":"UC Santa Barbara"}]},{"given":"Xusheng","family":"Xiao","sequence":"additional","affiliation":[{"name":"NEC Labs America, Inc."}]},{"given":"Zhichun","family":"Li","sequence":"additional","affiliation":[{"name":"NEC Labs America, Inc."}]},{"given":"Zhenyu","family":"Wu","sequence":"additional","affiliation":[{"name":"NEC Labs America, Inc."}]},{"given":"Zhiyun","family":"Qian","sequence":"additional","affiliation":[{"name":"UC Riverside"}]},{"given":"Xifeng","family":"Yan","sequence":"additional","affiliation":[{"name":"UC Santa Barbara"}]},{"given":"Ambuj K.","family":"Singh","sequence":"additional","affiliation":[{"name":"UC Santa Barbara"}]},{"given":"Guofei","family":"Jiang","sequence":"additional","affiliation":[{"name":"NEC Labs America, Inc."}]}],"member":"320","published-online":{"date-parts":[[2015,12]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"Splunk. http:\/\/www.splunk.com\/.  Splunk. http:\/\/www.splunk.com\/."},{"key":"e_1_2_1_2_1","unstructured":"Ssh brute force - the 10 year old attack that still persists. http:\/\/blog.sucuri.net\/2013\/07\/.  Ssh brute force - the 10 year old attack that still persists. http:\/\/blog.sucuri.net\/2013\/07\/."},{"key":"e_1_2_1_3_1","volume-title":"LEET","author":"Bayer U.","year":"2009","unstructured":"U. Bayer , I. Habibi , D. Balzarotti , E. Kirda , and C. Kruegel . A view on current malware behaviors . In LEET , 2009 . U. Bayer, I. Habibi, D. Balzarotti, E. Kirda, and C. Kruegel. A view on current malware behaviors. In LEET, 2009."},{"key":"e_1_2_1_4_1","volume-title":"Firewalls and Internet Security: Repelling the Wily Hacker","author":"Cheswick W. R.","year":"2003","unstructured":"W. R. Cheswick , S. M. Bellovin , and A. D. Rubin . Firewalls and Internet Security: Repelling the Wily Hacker . 2003 . W. R. Cheswick, S. M. Bellovin, and A. D. Rubin. Firewalls and Internet Security: Repelling the Wily Hacker. 2003."},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2004.75"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICDE.2014.6816681"},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/2592798.2592799"},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.5555\/951949.952101"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/2588555.2610495"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/1807167.1807262"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICDE.2013.6544892"},{"key":"e_1_2_1_12_1","volume-title":"NDSS","author":"King S. T.","year":"2005","unstructured":"S. T. King , Z. M. Mao , D. G. Lucchetti , and P. M. Chen . Enriching intrusion alerts through multi-host causality . In NDSS , 2005 . S. T. King, Z. M. Mao, D. G. Lucchetti, and P. M. Chen. Enriching intrusion alerts through multi-host causality. In NDSS, 2005."},{"key":"e_1_2_1_13_1","first-page":"43","volume-title":"BD3 at VLDB","author":"Labouseur A. G.","year":"2013","unstructured":"A. G. Labouseur , P. W. Olsen , and J.-H. Hwang . Scalable and robust management of dynamic graph data . In BD3 at VLDB , pages 43 -- 48 , 2013 . A. G. Labouseur, P. W. Olsen, and J.-H. Hwang. Scalable and robust management of dynamic graph data. In BD3 at VLDB, pages 43--48, 2013."},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICDE.2014.6816635"},{"key":"e_1_2_1_15_1","volume-title":"Computers and intractability: a guide to the theory of np-completeness","author":"Michael R. G.","year":"1979","unstructured":"R. G. Michael and S. J. David . Computers and intractability: a guide to the theory of np-completeness . 1979 . R. G. Michael and S. J. David. Computers and intractability: a guide to the theory of np-completeness. 1979."},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/2588555.2612182"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/2487575.2487692"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICDE.2009.133"},{"key":"e_1_2_1_19_1","first-page":"726","volume-title":"VLDB","author":"Ren C.","year":"2011","unstructured":"C. Ren , E. Lo , B. Kao , X. Zhu , and R. Cheng . On querying historical evolving graph sequences . In VLDB , pages 726 -- 737 , 2011 . C. Ren, E. Lo, B. Kao, X. Zhu, and R. Cheng. On querying historical evolving graph sequences. In VLDB, pages 726--737, 2011."},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/2588555.2612184"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.14778\/2311906.2311907"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1137\/1.9781611972795.92"},{"key":"e_1_2_1_23_1","volume-title":"USENIX Security","author":"Venema W.","year":"1992","unstructured":"W. Venema . TCP wrapper : Network monitoring, access control, and booby traps . In USENIX Security , 1992 . W. Venema. TCP wrapper: Network monitoring, access control, and booby traps. In USENIX Security, 1992."},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/1830252.1830272"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/1807167.1807189"},{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.14778\/2732939.2732945"},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/1376616.1376662"},{"key":"e_1_2_1_28_1","first-page":"721","volume-title":"ICDM","author":"Yan X.","year":"2002","unstructured":"X. Yan and J. Han . gspan: Graph-based substructure pattern mining . In ICDM , pages 721 -- 724 , 2002 . X. Yan and J. Han. gspan: Graph-based substructure pattern mining. In ICDM, pages 721--724, 2002."},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.14778\/2732939.2732941"},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315261"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICDE.2014.6816660"},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.14778\/1920841.1920988"},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/2820783.2820813"},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/2588555.2612181"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICDE.2014.6816704"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/2623330.2623729"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.14778\/2856318.2856320"}],"container-title":["Proceedings of the VLDB Endowment"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.14778\/2856318.2856320","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,12,28]],"date-time":"2022-12-28T10:23:51Z","timestamp":1672223031000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.14778\/2856318.2856320"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2015,12]]},"references-count":37,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2015,12]]}},"alternative-id":["10.14778\/2856318.2856320"],"URL":"https:\/\/doi.org\/10.14778\/2856318.2856320","relation":{},"ISSN":["2150-8097"],"issn-type":[{"value":"2150-8097","type":"print"}],"subject":[],"published":{"date-parts":[[2015,12]]}}}