{"id":"https://openalex.org/W4381744433","doi":"https://doi.org/10.1109/cscwd57460.2023.10152818","title":"GHunter: A Fast Subgraph Matching Method for Threat Hunting","display_name":"GHunter: A Fast Subgraph Matching Method for Threat Hunting","publication_year":2023,"publication_date":"2023-05-24","ids":{"openalex":"https://openalex.org/W4381744433","doi":"https://doi.org/10.1109/cscwd57460.2023.10152818"},"language":"en","primary_location":{"id":"doi:10.1109/cscwd57460.2023.10152818","is_oa":false,"landing_page_url":"https://doi.org/10.1109/cscwd57460.2023.10152818","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2023 26th International Conference on Computer Supported Cooperative Work in Design (CSCWD)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5101282913","display_name":"Zijun Cheng","orcid":null},"institutions":[{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]},{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"funder","lineage":["https://openalex.org/I19820366"]},{"id":"https://openalex.org/I4210165038","display_name":"University of Chinese Academy of Sciences","ror":"https://ror.org/05qbk4x57","country_code":"CN","type":"education","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210165038"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Zijun Cheng","raw_affiliation_strings":["University of Chinese Academy of Sciences,School of Cyber Security,Beijing,China","Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China","School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"],"affiliations":[{"raw_affiliation_string":"University of Chinese Academy of Sciences,School of Cyber Security,Beijing,China","institution_ids":["https://openalex.org/I4210165038"]},{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]},{"raw_affiliation_string":"School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210165038"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5067065136","display_name":"Rujie Dai","orcid":null},"institutions":[{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"funder","lineage":["https://openalex.org/I19820366"]},{"id":"https://openalex.org/I4210165038","display_name":"University of Chinese Academy of Sciences","ror":"https://ror.org/05qbk4x57","country_code":"CN","type":"education","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210165038"]},{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Rujie Dai","raw_affiliation_strings":["University of Chinese Academy of Sciences,School of Cyber Security,Beijing,China","School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China","Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"],"affiliations":[{"raw_affiliation_string":"University of Chinese Academy of Sciences,School of Cyber Security,Beijing,China","institution_ids":["https://openalex.org/I4210165038"]},{"raw_affiliation_string":"School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210165038"]},{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5051884010","display_name":"Leiqi Wang","orcid":null},"institutions":[{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]},{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"funder","lineage":["https://openalex.org/I19820366"]},{"id":"https://openalex.org/I4210165038","display_name":"University of Chinese Academy of Sciences","ror":"https://ror.org/05qbk4x57","country_code":"CN","type":"education","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210165038"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Leiqi Wang","raw_affiliation_strings":["University of Chinese Academy of Sciences,School of Cyber Security,Beijing,China","Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China","School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"],"affiliations":[{"raw_affiliation_string":"University of Chinese Academy of Sciences,School of Cyber Security,Beijing,China","institution_ids":["https://openalex.org/I4210165038"]},{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]},{"raw_affiliation_string":"School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210165038"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5088915426","display_name":"Ziyang Yu","orcid":null},"institutions":[{"id":"https://openalex.org/I4210165038","display_name":"University of Chinese Academy of Sciences","ror":"https://ror.org/05qbk4x57","country_code":"CN","type":"education","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210165038"]},{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"funder","lineage":["https://openalex.org/I19820366"]},{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Ziyang Yu","raw_affiliation_strings":["University of Chinese Academy of Sciences,School of Cyber Security,Beijing,China","School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China","Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"],"affiliations":[{"raw_affiliation_string":"University of Chinese Academy of Sciences,School of Cyber Security,Beijing,China","institution_ids":["https://openalex.org/I4210165038"]},{"raw_affiliation_string":"School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210165038"]},{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101898339","display_name":"Qiujian Lv","orcid":"https://orcid.org/0000-0003-1031-185X"},"institutions":[{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]},{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"funder","lineage":["https://openalex.org/I19820366"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Qiujian Lv","raw_affiliation_strings":["Chinese Academy of Sciences,Institute of Information Engineering,Beijing,China","Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Chinese Academy of Sciences,Institute of Information Engineering,Beijing,China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]},{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100322706","display_name":"Yan Wang","orcid":"https://orcid.org/0000-0002-5043-8540"},"institutions":[{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"funder","lineage":["https://openalex.org/I19820366"]},{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Yan Wang","raw_affiliation_strings":["Chinese Academy of Sciences,Institute of Information Engineering,Beijing,China","Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Chinese Academy of Sciences,Institute of Information Engineering,Beijing,China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]},{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5103391171","display_name":"Degang Sun","orcid":"https://orcid.org/0009-0003-3418-8558"},"institutions":[{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"funder","lineage":["https://openalex.org/I19820366"]},{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Degang Sun","raw_affiliation_strings":["Chinese Academy of Sciences,Institute of Information Engineering,Beijing,China","Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Chinese Academy of Sciences,Institute of Information Engineering,Beijing,China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]},{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":7,"corresponding_author_ids":["https://openalex.org/A5101282913"],"corresponding_institution_ids":["https://openalex.org/I19820366","https://openalex.org/I4210156404","https://openalex.org/I4210165038"],"apc_list":null,"apc_paid":null,"fwci":1.605,"has_fulltext":false,"cited_by_count":8,"citation_normalized_percentile":{"value":0.84024307,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":96,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"1014","last_page":"1019"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9950000047683716,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9950000047683716,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9923999905586243,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10064","display_name":"Complex Network Analysis Techniques","score":0.9886999726295471,"subfield":{"id":"https://openalex.org/subfields/3109","display_name":"Statistical and Nonlinear Physics"},"field":{"id":"https://openalex.org/fields/31","display_name":"Physics and Astronomy"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.6232823729515076},{"id":"https://openalex.org/keywords/matching","display_name":"Matching (statistics)","score":0.5479722619056702},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.3608197867870331},{"id":"https://openalex.org/keywords/mathematics","display_name":"Mathematics","score":0.14455509185791016},{"id":"https://openalex.org/keywords/statistics","display_name":"Statistics","score":0.09616023302078247}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6232823729515076},{"id":"https://openalex.org/C165064840","wikidata":"https://www.wikidata.org/wiki/Q1321061","display_name":"Matching (statistics)","level":2,"score":0.5479722619056702},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.3608197867870331},{"id":"https://openalex.org/C33923547","wikidata":"https://www.wikidata.org/wiki/Q395","display_name":"Mathematics","level":0,"score":0.14455509185791016},{"id":"https://openalex.org/C105795698","wikidata":"https://www.wikidata.org/wiki/Q12483","display_name":"Statistics","level":1,"score":0.09616023302078247}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/cscwd57460.2023.10152818","is_oa":false,"landing_page_url":"https://doi.org/10.1109/cscwd57460.2023.10152818","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2023 26th International Conference on Computer Supported Cooperative Work in Design (CSCWD)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":21,"referenced_works":["https://openalex.org/W2136761100","https://openalex.org/W2747669027","https://openalex.org/W2962703433","https://openalex.org/W2962711740","https://openalex.org/W2963053388","https://openalex.org/W2978956219","https://openalex.org/W2998038410","https://openalex.org/W2998367408","https://openalex.org/W3005127313","https://openalex.org/W3006711782","https://openalex.org/W3015650867","https://openalex.org/W3038203542","https://openalex.org/W3099203541","https://openalex.org/W3211430557","https://openalex.org/W3211888892","https://openalex.org/W3214329506","https://openalex.org/W6754929296","https://openalex.org/W6756634375","https://openalex.org/W6766867396","https://openalex.org/W6779821014","https://openalex.org/W6793953445"],"related_works":["https://openalex.org/W4391375266","https://openalex.org/W2899084033","https://openalex.org/W2748952813","https://openalex.org/W2390279801","https://openalex.org/W4391913857","https://openalex.org/W2358668433","https://openalex.org/W4396701345","https://openalex.org/W2376932109","https://openalex.org/W2001405890","https://openalex.org/W4396696052"],"abstract_inverted_index":{"Threat":[0],"hunting":[1,22,48,66,183],"is":[2,142],"the":[3,56,153,156,161],"process":[4],"of":[5,59,145,155,187],"proactively":[6],"searching":[7],"for":[8],"known":[9,111],"attack":[10,82],"behavior":[11],"in":[12,37,160],"an":[13,73,138],"organization\u2019s":[14],"information":[15],"system.":[16,162],"A":[17],"popular":[18],"approach":[19],"to":[20,28,55,70,102,124,132,151,170],"threat":[21,25,47,65],"uses":[23,122],"cyber":[24],"intelligence":[26],"(CTI)":[27],"identify":[29],"advanced":[30],"persistent":[31],"threats":[32],"(APTs)":[33],"that":[34,92,177],"are":[35],"hidden":[36],"kernel-level":[38],"audit":[39],"logs":[40,116],"(e.g.,":[41],"whole-system":[42],"data":[43],"provenance).":[44],"However,":[45],"existing":[46],"mechanisms":[49],"can-not":[50],"produce":[51],"timely":[52],"results":[53,175],"due":[54],"enormous":[57],"size":[58],"provenance":[60,115,130,147,188],"data.":[61,119],"As":[62],"a":[63,90,143,146],"result,":[64],"cannot":[67],"help":[68],"sysadmins":[69,152],"quickly":[71,103],"recognize":[72],"ongoing":[74],"APT":[75,112,126,139,158],"campaign":[76],"and":[77,104,114,129,191],"immediately":[78],"block":[79],"any":[80,134],"subsequent":[81],"activity.":[83],"In":[84],"this":[85],"paper,":[86],"we":[87],"propose":[88],"GHunter,":[89],"system":[91],"performs":[93],"approximate":[94],"subgraph":[95,135,144],"matching":[96],"using":[97],"graph":[98,118,141],"neural":[99],"networks":[100],"(GNNs)":[101],"accurately":[105],"hunt":[106],"APTs.":[107],"GHunter":[108,121,149,178],"first":[109],"converts":[110],"scenarios":[113],"into":[117],"Then,":[120],"GNNs":[123],"embed":[125],"scenario":[127,140,159],"graphs":[128,131],"discover":[133],"relationships.":[136],"If":[137],"graph,":[148],"alerts":[150],"presence":[154],"corresponding":[157],"We":[163],"use":[164],"DARPA\u2019s":[165],"Transparent":[166],"Computing":[167],"(TC)":[168],"datasets":[169],"evaluate":[171],"GHunter\u2019s":[172],"performance.":[173],"The":[174],"show":[176],"achieves":[179],"97%":[180],"accuracy":[181],"when":[182],"APTs":[184],"from":[185],"millions":[186],"log":[189],"entries":[190],"spends":[192],"195x":[193],"less":[194],"execution":[195],"time":[196],"than":[197],"prior":[198],"work.":[199]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":3},{"year":2024,"cited_by_count":4}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}