{"id":"https://openalex.org/W4414539086","doi":"https://doi.org/10.1109/icc52391.2025.11160975","title":"A Cascade Approach for APT Campaign Attribution in System Event Logs: Technique Hunting and Subgraph Matching","display_name":"A Cascade Approach for APT Campaign Attribution in System Event Logs: Technique Hunting and Subgraph Matching","publication_year":2025,"publication_date":"2025-06-08","ids":{"openalex":"https://openalex.org/W4414539086","doi":"https://doi.org/10.1109/icc52391.2025.11160975"},"language":"en","primary_location":{"id":"doi:10.1109/icc52391.2025.11160975","is_oa":false,"landing_page_url":"https://doi.org/10.1109/icc52391.2025.11160975","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ICC 2025 - IEEE International Conference on Communications","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5113870111","display_name":"Yi\u2010Ting Huang","orcid":"https://orcid.org/0009-0004-3279-1289"},"institutions":[{"id":"https://openalex.org/I49645291","display_name":"National Taipei University of Education","ror":"https://ror.org/02bzpph30","country_code":"TW","type":"education","lineage":["https://openalex.org/I49645291"]}],"countries":["TW"],"is_corresponding":true,"raw_author_name":"Yi-Ting Huang","raw_affiliation_strings":["EE, NTUST,Taipei,Taiwan"],"affiliations":[{"raw_affiliation_string":"EE, NTUST,Taipei,Taiwan","institution_ids":["https://openalex.org/I49645291"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5089608199","display_name":"Ying-Ren Guo","orcid":"https://orcid.org/0000-0002-7508-0397"},"institutions":[{"id":"https://openalex.org/I4210086894","display_name":"Research Center for Information Technology Innovation, Academia Sinica","ror":"https://ror.org/000zgvm20","country_code":"TW","type":"facility","lineage":["https://openalex.org/I4210086894","https://openalex.org/I84653119"]}],"countries":["TW"],"is_corresponding":false,"raw_author_name":"Ying-Ren Guo","raw_affiliation_strings":["CITI, Academia Sinica,Taipei,Taiwan"],"affiliations":[{"raw_affiliation_string":"CITI, Academia Sinica,Taipei,Taiwan","institution_ids":["https://openalex.org/I4210086894"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5031103842","display_name":"Guo-Wei Wong","orcid":"https://orcid.org/0000-0002-1748-7818"},"institutions":[{"id":"https://openalex.org/I99613584","display_name":"National Taipei University","ror":"https://ror.org/03e29r284","country_code":"TW","type":"education","lineage":["https://openalex.org/I99613584"]}],"countries":["TW"],"is_corresponding":false,"raw_author_name":"Guo-Wei Wong","raw_affiliation_strings":["CSIE, NTU,Taipei,Taiwan"],"affiliations":[{"raw_affiliation_string":"CSIE, NTU,Taipei,Taiwan","institution_ids":["https://openalex.org/I99613584"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5052520979","display_name":"Meng Chang Chen","orcid":"https://orcid.org/0000-0002-6815-2436"},"institutions":[{"id":"https://openalex.org/I4210086894","display_name":"Research Center for Information Technology Innovation, Academia Sinica","ror":"https://ror.org/000zgvm20","country_code":"TW","type":"facility","lineage":["https://openalex.org/I4210086894","https://openalex.org/I84653119"]}],"countries":["TW"],"is_corresponding":false,"raw_author_name":"Meng Chang Chen","raw_affiliation_strings":["CITI, Academia Sinica,Taipei,Taiwan"],"affiliations":[{"raw_affiliation_string":"CITI, Academia Sinica,Taipei,Taiwan","institution_ids":["https://openalex.org/I4210086894"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5113870111"],"corresponding_institution_ids":["https://openalex.org/I49645291"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.37906577,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"1073","last_page":"1078"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12016","display_name":"Web Data Mining and Analysis","score":0.8766000270843506,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12016","display_name":"Web Data Mining and Analysis","score":0.8766000270843506,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12127","display_name":"Software System Performance and Reliability","score":0.8170999884605408,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10028","display_name":"Topic Modeling","score":0.7439000010490417,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/event","display_name":"Event (particle physics)","score":0.7001000046730042},{"id":"https://openalex.org/keywords/matching","display_name":"Matching (statistics)","score":0.5309000015258789},{"id":"https://openalex.org/keywords/pattern-matching","display_name":"Pattern matching","score":0.35350000858306885},{"id":"https://openalex.org/keywords/identification","display_name":"Identification (biology)","score":0.3452000021934509},{"id":"https://openalex.org/keywords/attack-patterns","display_name":"Attack patterns","score":0.32260000705718994},{"id":"https://openalex.org/keywords/attribution","display_name":"Attribution","score":0.2912999987602234}],"concepts":[{"id":"https://openalex.org/C2779662365","wikidata":"https://www.wikidata.org/wiki/Q5416694","display_name":"Event (particle physics)","level":2,"score":0.7001000046730042},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.680899977684021},{"id":"https://openalex.org/C165064840","wikidata":"https://www.wikidata.org/wiki/Q1321061","display_name":"Matching (statistics)","level":2,"score":0.5309000015258789},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.4212000072002411},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.39809998869895935},{"id":"https://openalex.org/C68859911","wikidata":"https://www.wikidata.org/wiki/Q1503724","display_name":"Pattern matching","level":2,"score":0.35350000858306885},{"id":"https://openalex.org/C116834253","wikidata":"https://www.wikidata.org/wiki/Q2039217","display_name":"Identification (biology)","level":2,"score":0.3452000021934509},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.34150001406669617},{"id":"https://openalex.org/C2780741293","wikidata":"https://www.wikidata.org/wiki/Q4818019","display_name":"Attack patterns","level":3,"score":0.32260000705718994},{"id":"https://openalex.org/C204321447","wikidata":"https://www.wikidata.org/wiki/Q30642","display_name":"Natural language processing","level":1,"score":0.29269999265670776},{"id":"https://openalex.org/C143299363","wikidata":"https://www.wikidata.org/wiki/Q900584","display_name":"Attribution","level":2,"score":0.2912999987602234},{"id":"https://openalex.org/C123606473","wikidata":"https://www.wikidata.org/wiki/Q907918","display_name":"Complex event processing","level":3,"score":0.2896000146865845},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.2768000066280365},{"id":"https://openalex.org/C2987896495","wikidata":"https://www.wikidata.org/wiki/Q5416716","display_name":"Event data","level":3,"score":0.27250000834465027},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.262800008058548},{"id":"https://openalex.org/C19768560","wikidata":"https://www.wikidata.org/wiki/Q320727","display_name":"Dependency (UML)","level":2,"score":0.2603999972343445},{"id":"https://openalex.org/C2777532361","wikidata":"https://www.wikidata.org/wiki/Q687185","display_name":"Lexicalization","level":2,"score":0.2506999969482422}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/icc52391.2025.11160975","is_oa":false,"landing_page_url":"https://doi.org/10.1109/icc52391.2025.11160975","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ICC 2025 - IEEE International Conference on Communications","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G3803733004","display_name":null,"funder_award_id":"113-2634-F-001-002MBK,112-2222-E-011-011-MY2","funder_id":"https://openalex.org/F2461203286","funder_display_name":"National Science and Technology Council"}],"funders":[{"id":"https://openalex.org/F2461203286","display_name":"National Science and Technology Council","ror":"https://ror.org/02kv4zf79"}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":20,"referenced_works":["https://openalex.org/W1965142824","https://openalex.org/W2126359798","https://openalex.org/W2147405597","https://openalex.org/W2157331557","https://openalex.org/W2962703433","https://openalex.org/W3015650867","https://openalex.org/W3016038045","https://openalex.org/W3137205257","https://openalex.org/W3196683638","https://openalex.org/W3206415475","https://openalex.org/W4200442713","https://openalex.org/W4206266728","https://openalex.org/W4284975312","https://openalex.org/W4286375281","https://openalex.org/W4288057803","https://openalex.org/W4298082496","https://openalex.org/W4311703141","https://openalex.org/W4319079731","https://openalex.org/W4388407860","https://openalex.org/W4389779304"],"related_works":[],"abstract_inverted_index":{"As":[0],"Advanced":[1],"Persistent":[2],"Threats":[3],"(APTs)":[4],"grow":[5],"increasingly":[6],"sophisticated,":[7],"the":[8,19,65,83,100,114],"demand":[9],"for":[10,75],"effective":[11],"detection":[12],"methods":[13],"has":[14],"intensified.":[15],"This":[16],"study":[17],"addresses":[18],"challenge":[20],"of":[21,54,71],"identifying":[22,80],"APT":[23,39,87,103,110],"campaign":[24,40,88],"attacks":[25,89],"through":[26],"system":[27,47],"event":[28,48],"logs.":[29],"A":[30],"cascading":[31],"approach,":[32],"name":[33],"SFM,":[34],"combines":[35],"Technique":[36],"hunting":[37],"and":[38,63],"attribution.":[41],"The":[42],"approach":[43,116],"assumes":[44],"that":[45,64,113],"real-world":[46,109],"logs":[49,66],"contain":[50],"a":[51],"vast":[52],"majority":[53],"normal":[55],"events":[56],"interspersed":[57],"with":[58,69,94],"few":[59],"suspiciously":[60],"malicious":[61],"ones":[62],"are":[67],"annotated":[68],"Techniques":[70,81,93],"MITRE":[72],"ATT&CK":[73],"framework":[74],"attack":[76,96],"pattern":[77],"recognition.":[78],"After":[79],"from":[82],"log,":[84],"we":[85],"attribute":[86],"by":[90],"aligning":[91],"detected":[92],"known":[95],"sequences":[97],"to":[98],"determine":[99],"most":[101],"likely":[102],"campaign.":[104],"Evaluations":[105],"on":[106],"five":[107],"synthetic":[108],"campaigns":[111],"indicate":[112],"proposed":[115],"demonstrates":[117],"reliable":[118],"performance.":[119]},"counts_by_year":[],"updated_date":"2026-04-09T08:11:56.329763","created_date":"2025-10-10T00:00:00"}