{"id":"https://openalex.org/W4411552033","doi":"https://doi.org/10.1109/cscwd64889.2025.11033364","title":"AGLHunter: Automated Threat Hunting Using In-Context Learning-Enhanced LLM","display_name":"AGLHunter: Automated Threat Hunting Using In-Context Learning-Enhanced LLM","publication_year":2025,"publication_date":"2025-05-05","ids":{"openalex":"https://openalex.org/W4411552033","doi":"https://doi.org/10.1109/cscwd64889.2025.11033364"},"language":"en","primary_location":{"id":"doi:10.1109/cscwd64889.2025.11033364","is_oa":false,"landing_page_url":"https://doi.org/10.1109/cscwd64889.2025.11033364","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 28th International Conference on Computer Supported Cooperative Work in Design (CSCWD)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5079835728","display_name":"Maxwell Cui","orcid":"https://orcid.org/0009-0001-8804-9102"},"institutions":[{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"funder","lineage":["https://openalex.org/I19820366"]},{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Mengjiao Cui","raw_affiliation_strings":["Institute of Information Engineering, Chinese Academy of Sciences,Beijing,China"],"affiliations":[{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences,Beijing,China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5020151253","display_name":"Zhengwei Jiang","orcid":null},"institutions":[{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]},{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"funder","lineage":["https://openalex.org/I19820366"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Zhengwei Jiang","raw_affiliation_strings":["Institute of Information Engineering, Chinese Academy of Sciences,Beijing,China"],"affiliations":[{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences,Beijing,China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5044754708","display_name":"Yepeng Yao","orcid":"https://orcid.org/0000-0002-2669-4915"},"institutions":[{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"funder","lineage":["https://openalex.org/I19820366"]},{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Yepeng Yao","raw_affiliation_strings":["Institute of Information Engineering, Chinese Academy of Sciences,Beijing,China"],"affiliations":[{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences,Beijing,China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100410916","display_name":"Chunyan Ma","orcid":"https://orcid.org/0009-0003-5154-8922"},"institutions":[{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]},{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"funder","lineage":["https://openalex.org/I19820366"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Chunyan Ma","raw_affiliation_strings":["Institute of Information Engineering, Chinese Academy of Sciences,Beijing,China"],"affiliations":[{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences,Beijing,China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5061266995","display_name":"Qing He","orcid":"https://orcid.org/0000-0002-0563-6134"},"institutions":[{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]},{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"funder","lineage":["https://openalex.org/I19820366"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Qiying He","raw_affiliation_strings":["Institute of Information Engineering, Chinese Academy of Sciences,Beijing,China"],"affiliations":[{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences,Beijing,China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5114045326","display_name":"Peian Yang","orcid":null},"institutions":[{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]},{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"funder","lineage":["https://openalex.org/I19820366"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Peian Yang","raw_affiliation_strings":["Institute of Information Engineering, Chinese Academy of Sciences,Beijing,China"],"affiliations":[{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences,Beijing,China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5109860620","display_name":"Huamin Feng","orcid":null},"institutions":[{"id":"https://openalex.org/I202334528","display_name":"Beijing Electronic Science and Technology Institute","ror":"https://ror.org/01xdzh226","country_code":"CN","type":"education","lineage":["https://openalex.org/I202334528"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Huamin Feng","raw_affiliation_strings":["Beijing Electronic Science and Technology Institute,Beijing,China"],"affiliations":[{"raw_affiliation_string":"Beijing Electronic Science and Technology Institute,Beijing,China","institution_ids":["https://openalex.org/I202334528"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":7,"corresponding_author_ids":["https://openalex.org/A5079835728"],"corresponding_institution_ids":["https://openalex.org/I19820366","https://openalex.org/I4210156404"],"apc_list":null,"apc_paid":null,"fwci":1.5567,"has_fulltext":false,"cited_by_count":1,"citation_normalized_percentile":{"value":0.85135738,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":97,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"1812","last_page":"1819"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9940999746322632,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9940999746322632,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9817000031471252,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10994","display_name":"Terrorism, Counterterrorism, and Political Violence","score":0.9740999937057495,"subfield":{"id":"https://openalex.org/subfields/3312","display_name":"Sociology and Political Science"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.6710296869277954},{"id":"https://openalex.org/keywords/context","display_name":"Context (archaeology)","score":0.6582289338111877},{"id":"https://openalex.org/keywords/human\u2013computer-interaction","display_name":"Human\u2013computer interaction","score":0.3446081876754761},{"id":"https://openalex.org/keywords/geography","display_name":"Geography","score":0.10789021849632263},{"id":"https://openalex.org/keywords/archaeology","display_name":"Archaeology","score":0.08888643980026245}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6710296869277954},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.6582289338111877},{"id":"https://openalex.org/C107457646","wikidata":"https://www.wikidata.org/wiki/Q207434","display_name":"Human\u2013computer interaction","level":1,"score":0.3446081876754761},{"id":"https://openalex.org/C205649164","wikidata":"https://www.wikidata.org/wiki/Q1071","display_name":"Geography","level":0,"score":0.10789021849632263},{"id":"https://openalex.org/C166957645","wikidata":"https://www.wikidata.org/wiki/Q23498","display_name":"Archaeology","level":1,"score":0.08888643980026245}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/cscwd64889.2025.11033364","is_oa":false,"landing_page_url":"https://doi.org/10.1109/cscwd64889.2025.11033364","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 28th International Conference on Computer Supported Cooperative Work in Design (CSCWD)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G8372602484","display_name":null,"funder_award_id":"62202466","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"}],"funders":[{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":19,"referenced_works":["https://openalex.org/W2604314403","https://openalex.org/W2801835932","https://openalex.org/W2962703433","https://openalex.org/W2962904108","https://openalex.org/W2978956219","https://openalex.org/W2984488829","https://openalex.org/W3005127313","https://openalex.org/W3015650867","https://openalex.org/W3157720608","https://openalex.org/W3211430557","https://openalex.org/W3211888892","https://openalex.org/W3214329506","https://openalex.org/W4281383000","https://openalex.org/W4381744433","https://openalex.org/W4385571451","https://openalex.org/W4387143043","https://openalex.org/W4396574997","https://openalex.org/W6778883912","https://openalex.org/W6782167706"],"related_works":["https://openalex.org/W4391375266","https://openalex.org/W2899084033","https://openalex.org/W2748952813","https://openalex.org/W2390279801","https://openalex.org/W4391913857","https://openalex.org/W2358668433","https://openalex.org/W4396701345","https://openalex.org/W2376932109","https://openalex.org/W2001405890","https://openalex.org/W4396696052"],"abstract_inverted_index":{"Advanced":[0],"Persistent":[1],"Threats":[2],"(APTs)":[3],"are":[4,66],"characterized":[5],"by":[6,68,191,198],"their":[7],"persistence,":[8],"sophistication,":[9],"and":[10,34,48,71,90,129,145,153,203],"stealth,":[11],"posing":[12],"significant":[13],"challenges":[14],"to":[15,87,111,134,156],"network":[16],"detection.":[17],"Existing":[18],"research":[19],"on":[20,59],"attack":[21,62],"detection":[22,95,206],"leveraging":[23,180],"Provenance":[24],"Graphs":[25],"(PGs)":[26],"has":[27],"proven":[28],"effective":[29],"in":[30],"correlating":[31],"system":[32,85,98],"entities":[33],"capturing":[35],"persistence.":[36],"However,":[37],"the":[38,100,106,140,184,194],"exponential":[39],"growth":[40],"of":[41,105],"audit":[42],"logs":[43],"makes":[44],"large-scale":[45],"data":[46],"storage":[47],"processing":[49],"difficult.":[50],"In":[51,75],"addition,":[52],"current":[53],"threat":[54,83,147],"hunting":[55,84,196],"methods":[56],"rely":[57],"heavily":[58],"manually":[60],"crafted":[61],"query":[63,114,141,188],"graphs,":[64,142],"which":[65],"limited":[67],"expert":[69],"knowledge":[70],"lack":[72],"automated":[73,82],"solutions.":[74],"this":[76],"paper,":[77],"we":[78,123],"propose":[79],"AGLHunter,":[80,179],"an":[81],"designed":[86],"enhance":[88],"automation":[89,169],"efficiency":[91],"while":[92],"maintaining":[93],"high":[94,205],"accuracy.":[96,207],"Our":[97],"leverages":[99],"In-Context":[101],"Learning":[102],"(ICL)":[103],"capability":[104],"Large":[107],"Language":[108],"Model":[109],"(LLM)":[110],"automatically":[112],"construct":[113],"graphs":[115,138],"from":[116,127],"Cyber":[117],"Threat":[118],"Intelligence":[119],"(CTI)":[120],"reports.":[121],"Next,":[122],"extract":[124],"suspicious":[125],"subgraphs":[126],"PGs":[128],"employ":[130],"graph":[131,189],"representation":[132],"learning":[133],"match":[135],"these":[136],"sub":[137],"with":[139,175],"enabling":[143],"efficient":[144],"accurate":[146],"hunting.":[148],"We":[149],"use":[150],"DARPA":[151],"TC":[152],"OpTC":[154],"datasets":[155],"evaluate":[157],"AGLHunter's":[158],"performance.":[159],"The":[160],"results":[161],"show":[162],"that":[163],"AGLHunter":[164],"not":[165],"only":[166],"achieves":[167],"higher":[168],"but":[170],"also":[171],"shows":[172],"superior":[173],"performance":[174],"reduced":[176,193],"memory":[177],"usage.":[178],"ICL-enhanced":[181],"LLM,":[182],"improved":[183],"F1":[185],"score":[186],"for":[187],"construction":[190],"13.6%,":[192],"overall":[195],"time":[197],"more":[199],"than":[200],"170":[201],"seconds,":[202],"maintained":[204]},"counts_by_year":[{"year":2026,"cited_by_count":1}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}