{"id":"https://openalex.org/W2997780732","doi":"https://doi.org/10.1109/icct46805.2019.8947201","title":"Needle in a Haystack: Attack Detection from Large-Scale System Audit","display_name":"Needle in a Haystack: Attack Detection from Large-Scale System Audit","publication_year":2019,"publication_date":"2019-10-01","ids":{"openalex":"https://openalex.org/W2997780732","doi":"https://doi.org/10.1109/icct46805.2019.8947201","mag":"2997780732"},"language":"en","primary_location":{"id":"doi:10.1109/icct46805.2019.8947201","is_oa":false,"landing_page_url":"https://doi.org/10.1109/icct46805.2019.8947201","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2019 IEEE 19th International Conference on Communication Technology (ICCT)","raw_type":"proceedings-article"},"type":"conference-paper","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5101448320","display_name":"Han Yu","orcid":"https://orcid.org/0000-0002-5516-5537"},"institutions":[{"id":"https://openalex.org/I170215575","display_name":"National University of Defense Technology","ror":"https://ror.org/05d2yfz11","country_code":"CN","type":"education","lineage":["https://openalex.org/I170215575"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Han Yu","raw_affiliation_strings":["College of Computer, National University of Defense Technology, Changsha, China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"College of Computer, National University of Defense Technology, Changsha, China","institution_ids":["https://openalex.org/I170215575"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5081729072","display_name":"Aiping Li","orcid":"https://orcid.org/0000-0001-6174-0991"},"institutions":[{"id":"https://openalex.org/I170215575","display_name":"National University of Defense Technology","ror":"https://ror.org/05d2yfz11","country_code":"CN","type":"education","lineage":["https://openalex.org/I170215575"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Aiping Li","raw_affiliation_strings":["College of Computer, National University of Defense Technology, Changsha, China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"College of Computer, National University of Defense Technology, Changsha, China","institution_ids":["https://openalex.org/I170215575"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5091107196","display_name":"Rong Jiang","orcid":"https://orcid.org/0000-0003-4160-8349"},"institutions":[{"id":"https://openalex.org/I170215575","display_name":"National University of Defense Technology","ror":"https://ror.org/05d2yfz11","country_code":"CN","type":"education","lineage":["https://openalex.org/I170215575"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Rong Jiang","raw_affiliation_strings":["College of Computer, National University of Defense Technology, Changsha, China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"College of Computer, National University of Defense Technology, Changsha, China","institution_ids":["https://openalex.org/I170215575"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":1,"corresponding_author_ids":[],"corresponding_institution_ids":["https://openalex.org/I170215575"],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":12,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"1418","last_page":"1426"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9991000294685364,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.9958000183105469,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/haystack","display_name":"Haystack","score":0.9313404560089111},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8394323587417603},{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.7649749517440796},{"id":"https://openalex.org/keywords/scalability","display_name":"Scalability","score":0.6601522564888},{"id":"https://openalex.org/keywords/audit","display_name":"Audit","score":0.5205446481704712},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.4822274148464203},{"id":"https://openalex.org/keywords/path","display_name":"Path (computing)","score":0.4429628551006317},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.43372613191604614},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.4084343910217285},{"id":"https://openalex.org/keywords/computer-network","display_name":"Computer network","score":0.16331705451011658},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.15038684010505676},{"id":"https://openalex.org/keywords/database","display_name":"Database","score":0.08894199132919312}],"concepts":[{"id":"https://openalex.org/C13424479","wikidata":"https://www.wikidata.org/wiki/Q5687237","display_name":"Haystack","level":2,"score":0.9313404560089111},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8394323587417603},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.7649749517440796},{"id":"https://openalex.org/C48044578","wikidata":"https://www.wikidata.org/wiki/Q727490","display_name":"Scalability","level":2,"score":0.6601522564888},{"id":"https://openalex.org/C199521495","wikidata":"https://www.wikidata.org/wiki/Q181487","display_name":"Audit","level":2,"score":0.5205446481704712},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.4822274148464203},{"id":"https://openalex.org/C2777735758","wikidata":"https://www.wikidata.org/wiki/Q817765","display_name":"Path (computing)","level":2,"score":0.4429628551006317},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.43372613191604614},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.4084343910217285},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.16331705451011658},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.15038684010505676},{"id":"https://openalex.org/C77088390","wikidata":"https://www.wikidata.org/wiki/Q8513","display_name":"Database","level":1,"score":0.08894199132919312},{"id":"https://openalex.org/C162324750","wikidata":"https://www.wikidata.org/wiki/Q8134","display_name":"Economics","level":0,"score":0.0},{"id":"https://openalex.org/C187736073","wikidata":"https://www.wikidata.org/wiki/Q2920921","display_name":"Management","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/icct46805.2019.8947201","is_oa":false,"landing_page_url":"https://doi.org/10.1109/icct46805.2019.8947201","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2019 IEEE 19th International Conference on Communication Technology (ICCT)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/16","score":0.5799999833106995,"display_name":"Peace, Justice and strong institutions"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":41,"referenced_works":["https://openalex.org/W168132470","https://openalex.org/W1513765469","https://openalex.org/W1537198022","https://openalex.org/W1601789105","https://openalex.org/W1606099259","https://openalex.org/W1813893391","https://openalex.org/W1884606608","https://openalex.org/W2008704879","https://openalex.org/W2009232481","https://openalex.org/W2031489231","https://openalex.org/W2093406244","https://openalex.org/W2106649514","https://openalex.org/W2108747667","https://openalex.org/W2117020308","https://openalex.org/W2118528519","https://openalex.org/W2120665430","https://openalex.org/W2123886726","https://openalex.org/W2166743230","https://openalex.org/W2170967934","https://openalex.org/W2271004381","https://openalex.org/W2397699236","https://openalex.org/W2560810941","https://openalex.org/W2579106964","https://openalex.org/W2751114427","https://openalex.org/W2751844787","https://openalex.org/W2794988934","https://openalex.org/W2888974175","https://openalex.org/W2962703433","https://openalex.org/W2962785074","https://openalex.org/W4244726870","https://openalex.org/W4245421994","https://openalex.org/W6630749910","https://openalex.org/W6632104034","https://openalex.org/W6639223989","https://openalex.org/W6675849491","https://openalex.org/W6677690934","https://openalex.org/W6678571874","https://openalex.org/W6712595259","https://openalex.org/W6743841043","https://openalex.org/W6754375631","https://openalex.org/W6755539112"],"related_works":["https://openalex.org/W4253878822","https://openalex.org/W1965563707","https://openalex.org/W4210692028","https://openalex.org/W1736550718","https://openalex.org/W2808729870","https://openalex.org/W2479343091","https://openalex.org/W2278064783","https://openalex.org/W3174858427","https://openalex.org/W1972480475","https://openalex.org/W4253922839"],"abstract_inverted_index":{"In":[0,55],"this":[1],"paper,":[2],"we":[3,58,71,101],"present":[4],"a":[5,35,50,61,78],"system":[6,67],"NeedleHunter":[7,124],"to":[8,21,33,76,88,106],"detect":[9],"Advanced":[10],"and":[11,15,27,84,136],"Persistent":[12],"Threats":[13],"(APTs)":[14],"reconstruction":[16],"of":[17,38,46,81,110,119,130,140],"attack":[18,48,91],"scenarios.":[19],"Due":[20],"the":[22,43,47,73,82,95,103,108,111,127,138,141],"information":[23,98],"asymmetry":[24],"between":[25,97],"attackers":[26],"defenders,":[28],"detecting":[29],"APT":[30,131],"attacks":[31,87],"remains":[32],"be":[34],"challenge.":[36],"Instead":[37],"targeting":[39],"individual":[40],"exploits,":[41],"correlating":[42],"various":[44],"stages":[45,129],"is":[49],"substantially":[51],"more":[52],"feasible":[53],"strategy.":[54],"our":[56,120],"approach,":[57],"first":[59],"construct":[60],"version-based":[62],"provenance":[63],"graph":[64,112],"by":[65,93],"analyzing":[66],"audit":[68],"logs.":[69],"Then,":[70],"use":[72],"rule-based":[74],"technique":[75,105],"detection":[77],"particular":[79],"stage":[80],"attack,":[83],"connect":[85],"these":[86],"generate":[89],"an":[90],"path":[92],"leveraging":[94],"correlation":[96],"flows.":[99],"Also,":[100],"implement":[102],"compaction":[104],"compress":[107],"scale":[109],"for":[113],"scalable":[114],"forensic":[115],"analysis.":[116],"An":[117],"evaluation":[118],"approach":[121],"indicates":[122],"that":[123],"can":[125],"capture":[126],"key":[128],"campaigns":[132],"with":[133],"high":[134],"precision":[135],"reconstruct":[137],"details":[139],"attacks.":[142]},"counts_by_year":[{"year":2025,"cited_by_count":1},{"year":2024,"cited_by_count":3},{"year":2023,"cited_by_count":3},{"year":2022,"cited_by_count":1},{"year":2021,"cited_by_count":3},{"year":2020,"cited_by_count":1}],"updated_date":"2026-07-14T23:27:15.235271","created_date":"2025-10-10T00:00:00"}
