{"id":"https://openalex.org/W7084749640","doi":"https://doi.org/10.1109/ojcs.2025.3618157","title":"TF2ML: Threat Filtering With Two-Stage Machine Learning for Efficient Provenance-Aware Threat Detection and Response","display_name":"TF2ML: Threat Filtering With Two-Stage Machine Learning for Efficient Provenance-Aware Threat Detection and Response","publication_year":2025,"publication_date":"2025-01-01","ids":{"openalex":"https://openalex.org/W7084749640","doi":"https://doi.org/10.1109/ojcs.2025.3618157"},"language":"en","primary_location":{"id":"doi:10.1109/ojcs.2025.3618157","is_oa":true,"landing_page_url":"https://doi.org/10.1109/ojcs.2025.3618157","pdf_url":null,"source":{"id":"https://openalex.org/S4210176459","display_name":"IEEE Open Journal of the Computer Society","issn_l":"2644-1268","issn":["2644-1268"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Open Journal of the Computer Society","raw_type":"journal-article"},"type":"article","indexed_in":["crossref","doaj"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://doi.org/10.1109/ojcs.2025.3618157","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":null,"display_name":"Krittin Thirasak","orcid":null},"institutions":[{"id":"https://openalex.org/I108108428","display_name":"Thammasat University","ror":"https://ror.org/002yp7f20","country_code":"TH","type":"education","lineage":["https://openalex.org/I108108428"]}],"countries":["TH"],"is_corresponding":true,"raw_author_name":"Krittin Thirasak","raw_affiliation_strings":["Sirindhorn International Institute of Technology, Thammasat University, Bangkok, Thailand"],"affiliations":[{"raw_affiliation_string":"Sirindhorn International Institute of Technology, Thammasat University, Bangkok, Thailand","institution_ids":["https://openalex.org/I108108428"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Teerawat Chuaphanngam","orcid":null},"institutions":[{"id":"https://openalex.org/I108108428","display_name":"Thammasat University","ror":"https://ror.org/002yp7f20","country_code":"TH","type":"education","lineage":["https://openalex.org/I108108428"]}],"countries":["TH"],"is_corresponding":false,"raw_author_name":"Teerawat Chuaphanngam","raw_affiliation_strings":["Sirindhorn International Institute of Technology, Thammasat University, Bangkok, Thailand"],"affiliations":[{"raw_affiliation_string":"Sirindhorn International Institute of Technology, Thammasat University, Bangkok, Thailand","institution_ids":["https://openalex.org/I108108428"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Danupat Chainarong","orcid":null},"institutions":[{"id":"https://openalex.org/I108108428","display_name":"Thammasat University","ror":"https://ror.org/002yp7f20","country_code":"TH","type":"education","lineage":["https://openalex.org/I108108428"]}],"countries":["TH"],"is_corresponding":false,"raw_author_name":"Danupat Chainarong","raw_affiliation_strings":["Sirindhorn International Institute of Technology, Thammasat University, Bangkok, Thailand"],"affiliations":[{"raw_affiliation_string":"Sirindhorn International Institute of Technology, Thammasat University, Bangkok, Thailand","institution_ids":["https://openalex.org/I108108428"]}]},{"author_position":"last","author":{"id":null,"display_name":"Somchart Fugkeaw","orcid":"https://orcid.org/0000-0001-7156-184X"},"institutions":[{"id":"https://openalex.org/I108108428","display_name":"Thammasat University","ror":"https://ror.org/002yp7f20","country_code":"TH","type":"education","lineage":["https://openalex.org/I108108428"]}],"countries":["TH"],"is_corresponding":false,"raw_author_name":"Somchart Fugkeaw","raw_affiliation_strings":["Sirindhorn International Institute of Technology, Thammasat University, Bangkok, Thailand"],"affiliations":[{"raw_affiliation_string":"Sirindhorn International Institute of Technology, Thammasat University, Bangkok, Thailand","institution_ids":["https://openalex.org/I108108428"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":[],"corresponding_institution_ids":["https://openalex.org/I108108428"],"apc_list":{"value":1750,"currency":"USD","value_usd":1750},"apc_paid":{"value":1750,"currency":"USD","value_usd":1750},"fwci":3.1368,"has_fulltext":false,"cited_by_count":1,"citation_normalized_percentile":{"value":0.94556793,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":96,"max":99},"biblio":{"volume":"6","issue":null,"first_page":"1751","last_page":"1762"},"is_retracted":false,"is_paratext":false,"is_xpac":true,"primary_topic":{"id":"https://openalex.org/T13370","display_name":"Diverse Scientific and Economic Studies","score":0.04019999876618385,"subfield":{"id":"https://openalex.org/subfields/2002","display_name":"Economics and Econometrics"},"field":{"id":"https://openalex.org/fields/20","display_name":"Economics, Econometrics and Finance"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},"topics":[{"id":"https://openalex.org/T13370","display_name":"Diverse Scientific and Economic Studies","score":0.04019999876618385,"subfield":{"id":"https://openalex.org/subfields/2002","display_name":"Economics and Econometrics"},"field":{"id":"https://openalex.org/fields/20","display_name":"Economics, Econometrics and Finance"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T13713","display_name":"Diverse Perspectives in Modern Studies","score":0.01360000018030405,"subfield":{"id":"https://openalex.org/subfields/2002","display_name":"Economics and Econometrics"},"field":{"id":"https://openalex.org/fields/20","display_name":"Economics, Econometrics and Finance"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/spark","display_name":"SPARK (programming language)","score":0.6779000163078308},{"id":"https://openalex.org/keywords/scalability","display_name":"Scalability","score":0.6650999784469604},{"id":"https://openalex.org/keywords/anomaly-detection","display_name":"Anomaly detection","score":0.5625},{"id":"https://openalex.org/keywords/overhead","display_name":"Overhead (engineering)","score":0.51419997215271},{"id":"https://openalex.org/keywords/intrusion-detection-system","display_name":"Intrusion detection system","score":0.4221999943256378},{"id":"https://openalex.org/keywords/reduction","display_name":"Reduction (mathematics)","score":0.41119998693466187},{"id":"https://openalex.org/keywords/filter","display_name":"Filter (signal processing)","score":0.3968000113964081},{"id":"https://openalex.org/keywords/computational-complexity-theory","display_name":"Computational complexity theory","score":0.38989999890327454}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.803600013256073},{"id":"https://openalex.org/C2781215313","wikidata":"https://www.wikidata.org/wiki/Q3493345","display_name":"SPARK (programming language)","level":2,"score":0.6779000163078308},{"id":"https://openalex.org/C48044578","wikidata":"https://www.wikidata.org/wiki/Q727490","display_name":"Scalability","level":2,"score":0.6650999784469604},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.6571000218391418},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.649399995803833},{"id":"https://openalex.org/C739882","wikidata":"https://www.wikidata.org/wiki/Q3560506","display_name":"Anomaly detection","level":2,"score":0.5625},{"id":"https://openalex.org/C2779960059","wikidata":"https://www.wikidata.org/wiki/Q7113681","display_name":"Overhead (engineering)","level":2,"score":0.51419997215271},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.4221999943256378},{"id":"https://openalex.org/C111335779","wikidata":"https://www.wikidata.org/wiki/Q3454686","display_name":"Reduction (mathematics)","level":2,"score":0.41119998693466187},{"id":"https://openalex.org/C106131492","wikidata":"https://www.wikidata.org/wiki/Q3072260","display_name":"Filter (signal processing)","level":2,"score":0.3968000113964081},{"id":"https://openalex.org/C179799912","wikidata":"https://www.wikidata.org/wiki/Q205084","display_name":"Computational complexity theory","level":2,"score":0.38989999890327454},{"id":"https://openalex.org/C108583219","wikidata":"https://www.wikidata.org/wiki/Q197536","display_name":"Deep learning","level":2,"score":0.3882000148296356},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.35670000314712524},{"id":"https://openalex.org/C2780451532","wikidata":"https://www.wikidata.org/wiki/Q759676","display_name":"Task (project management)","level":2,"score":0.3547999858856201},{"id":"https://openalex.org/C182590292","wikidata":"https://www.wikidata.org/wiki/Q989632","display_name":"Network security","level":2,"score":0.3434000015258789},{"id":"https://openalex.org/C93996380","wikidata":"https://www.wikidata.org/wiki/Q44127","display_name":"Server","level":2,"score":0.321399986743927},{"id":"https://openalex.org/C50644808","wikidata":"https://www.wikidata.org/wiki/Q192776","display_name":"Artificial neural network","level":2,"score":0.3138999938964844},{"id":"https://openalex.org/C51632099","wikidata":"https://www.wikidata.org/wiki/Q3985153","display_name":"Training set","level":2,"score":0.2928999960422516},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.28859999775886536},{"id":"https://openalex.org/C62611344","wikidata":"https://www.wikidata.org/wiki/Q1062658","display_name":"Node (physics)","level":2,"score":0.2849000096321106},{"id":"https://openalex.org/C164226766","wikidata":"https://www.wikidata.org/wiki/Q7293202","display_name":"Rank (graph theory)","level":2,"score":0.2815000116825104},{"id":"https://openalex.org/C52622490","wikidata":"https://www.wikidata.org/wiki/Q1026626","display_name":"Feature extraction","level":2,"score":0.27950000762939453},{"id":"https://openalex.org/C136389625","wikidata":"https://www.wikidata.org/wiki/Q334384","display_name":"Supervised learning","level":3,"score":0.27720001339912415},{"id":"https://openalex.org/C75684735","wikidata":"https://www.wikidata.org/wiki/Q858810","display_name":"Big data","level":2,"score":0.2678000032901764},{"id":"https://openalex.org/C79403827","wikidata":"https://www.wikidata.org/wiki/Q3988","display_name":"Real-time computing","level":1,"score":0.2628999948501587}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1109/ojcs.2025.3618157","is_oa":true,"landing_page_url":"https://doi.org/10.1109/ojcs.2025.3618157","pdf_url":null,"source":{"id":"https://openalex.org/S4210176459","display_name":"IEEE Open Journal of the Computer Society","issn_l":"2644-1268","issn":["2644-1268"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Open Journal of the Computer Society","raw_type":"journal-article"},{"id":"pmh:oai:doaj.org/article:7d72f2180efd471a94c61e99a5bd393a","is_oa":true,"landing_page_url":"https://doaj.org/article/7d72f2180efd471a94c61e99a5bd393a","pdf_url":null,"source":{"id":"https://openalex.org/S112646816","display_name":"SHILAP Revista de lepidopterolog\u00eda","issn_l":"0300-5267","issn":["0300-5267","2340-4078"],"is_oa":true,"is_in_doaj":true,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"IEEE Open Journal of the Computer Society, Vol 6, Pp 1751-1762 (2025)","raw_type":"article"}],"best_oa_location":{"id":"doi:10.1109/ojcs.2025.3618157","is_oa":true,"landing_page_url":"https://doi.org/10.1109/ojcs.2025.3618157","pdf_url":null,"source":{"id":"https://openalex.org/S4210176459","display_name":"IEEE Open Journal of the Computer Society","issn_l":"2644-1268","issn":["2644-1268"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Open Journal of the Computer Society","raw_type":"journal-article"},"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16","score":0.4045235514640808}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"As":[0],"cyber":[1],"threats":[2],"grow":[3],"more":[4],"sophisticated,":[5],"traditional":[6,206],"detection":[7,28,44,61],"methods":[8],"struggle":[9],"to":[10,26,86,180],"identify":[11],"advanced":[12],"and":[13,19,30,83,105,112,133,139,147,163,199,215,223],"zero-day":[14],"vulnerabilities.":[15],"Machine":[16],"learning":[17,21,47],"(ML)":[18],"federated":[20],"approaches":[22],"have":[23],"been":[24],"explored":[25],"improve":[27],"accuracy":[29,54,178,204],"scalability;":[31],"however,":[32],"they":[33],"often":[34],"sacrifice":[35],"efficiency,":[36,214],"either":[37],"by":[38],"increasing":[39],"computational":[40,49,154,213],"overhead":[41],"or":[42],"compromising":[43],"precision.":[45],"Federated":[46],"reduces":[48,152],"requirements":[50],"but":[51],"suffers":[52],"from":[53],"loss,":[55],"while":[56,174,218],"centralized":[57],"models":[58],"provide":[59],"better":[60],"capabilities":[62],"at":[63],"the":[64,153,157],"expense":[65],"of":[66],"scalability.":[67],"This":[68,208],"paper":[69],"presents":[70],"a":[71,79,193,200],"provenance-aware":[72,116,185],"threat-hunting":[73],"system":[74,151],"that":[75,119],"integrates":[76],"rule-based":[77],"preprocessing,":[78,97],"Two-Stage":[80],"ML":[81,158,182,187],"approach,":[82],"provenance":[84],"tracking":[85],"enhance":[87],"network":[88,121,131],"security":[89],"efficiency.":[90],"We":[91],"introduce":[92],"Rule-Based":[93],"CVE":[94],"Filtering":[95],"for":[96,101,108],"leveraging":[98],"Apache":[99],"Spark":[100],"scalable":[102],"log":[103,122],"processing":[104,172,197],"MITRE":[106],"ATT&CK":[107],"structured":[109],"threat":[110],"intelligence":[111],"attack":[113,134],"mapping.":[114],"Our":[115,184],"approach":[117],"ensures":[118],"each":[120],"is":[123],"enriched":[124],"with":[125],"metadata\u2014including":[126],"device":[127],"ID,":[128],"user":[129],"session,":[130],"segment,":[132],"source\u2014enabling":[135],"precise":[136],"anomaly":[137],"attribution":[138],"targeted":[140],"mitigation.":[141],"By":[142],"filtering":[143],"out":[144],"known":[145,222],"vulnerabilities":[146],"common":[148],"threats,":[149],"our":[150],"burden":[155],"on":[156],"model,":[159],"accelerating":[160],"both":[161,221],"training":[162],"inference.":[164],"Experimental":[165],"evaluation":[166],"demonstrates":[167],"an":[168],"8.13%":[169],"reduction":[170],"in":[171,196,203],"time":[173],"maintaining":[175],"94%":[176],"classification":[177],"compared":[179],"existing":[181],"models.":[183],"TF2":[186],"model":[188],"further":[189],"improves":[190],"performance,":[191],"achieving":[192],"12.7%":[194],"increase":[195],"speed":[198],"4.5%":[201],"boost":[202],"over":[205],"approaches.":[207],"hybrid":[209],"solution":[210],"balances":[211],"scalability,":[212],"real-time":[216],"response,":[217],"effectively":[219],"detecting":[220],"unknown":[224],"threats.":[225]},"counts_by_year":[{"year":2026,"cited_by_count":1}],"updated_date":"2026-03-27T05:58:40.876381","created_date":"2025-10-10T00:00:00"}