{"id":"https://openalex.org/W3190895447","doi":"https://doi.org/10.1109/tdsc.2021.3101649","title":"Poirot: Causal Correlation Aided Semantic Analysis for Advanced Persistent Threat Detection","display_name":"Poirot: Causal Correlation Aided Semantic Analysis for Advanced Persistent Threat Detection","publication_year":2021,"publication_date":"2021-08-04","ids":{"openalex":"https://openalex.org/W3190895447","doi":"https://doi.org/10.1109/tdsc.2021.3101649","mag":"3190895447"},"language":"en","primary_location":{"id":"doi:10.1109/tdsc.2021.3101649","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tdsc.2021.3101649","pdf_url":null,"source":{"id":"https://openalex.org/S133795288","display_name":"IEEE Transactions on Dependable and Secure Computing","issn_l":"1545-5971","issn":["1545-5971","1941-0018","2160-9209"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320439","host_organization_name":"IEEE Computer Society","host_organization_lineage":["https://openalex.org/P4310320439","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Computer Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Dependable and Secure Computing","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5083577000","display_name":"Jian Yang","orcid":"https://orcid.org/0000-0002-7329-4738"},"institutions":[{"id":"https://openalex.org/I126520041","display_name":"University of Science and Technology of China","ror":"https://ror.org/04c4dkn09","country_code":"CN","type":"education","lineage":["https://openalex.org/I126520041","https://openalex.org/I19820366"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Jian Yang","raw_affiliation_strings":["School of Information Science and Technology, University of Science and Technology of China, Hefei, Anhui, China"],"affiliations":[{"raw_affiliation_string":"School of Information Science and Technology, University of Science and Technology of China, Hefei, Anhui, China","institution_ids":["https://openalex.org/I126520041"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100360194","display_name":"Qi Zhang","orcid":"https://orcid.org/0000-0001-5303-9804"},"institutions":[{"id":"https://openalex.org/I126520041","display_name":"University of Science and Technology of China","ror":"https://ror.org/04c4dkn09","country_code":"CN","type":"education","lineage":["https://openalex.org/I126520041","https://openalex.org/I19820366"]},{"id":"https://openalex.org/I1297991670","display_name":"Southwest University of Science and Technology","ror":"https://ror.org/04d996474","country_code":"CN","type":"education","lineage":["https://openalex.org/I1297991670"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Qi Zhang","raw_affiliation_strings":["School of Information Science and Technology, University of Science and Technology of China, Hefei, Anhui, China","School of Information Engineering, Southwest University of Science and Technology, Mianyang, Sichuan, China"],"affiliations":[{"raw_affiliation_string":"School of Information Science and Technology, University of Science and Technology of China, Hefei, Anhui, China","institution_ids":["https://openalex.org/I126520041"]},{"raw_affiliation_string":"School of Information Engineering, Southwest University of Science and Technology, Mianyang, Sichuan, China","institution_ids":["https://openalex.org/I1297991670"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5088416755","display_name":"Xiaofeng Jiang","orcid":"https://orcid.org/0000-0001-7595-2397"},"institutions":[{"id":"https://openalex.org/I126520041","display_name":"University of Science and Technology of China","ror":"https://ror.org/04c4dkn09","country_code":"CN","type":"education","lineage":["https://openalex.org/I126520041","https://openalex.org/I19820366"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Xiaofeng Jiang","raw_affiliation_strings":["School of Information Science and Technology, University of Science and Technology of China, Hefei, Anhui, China","Science and Technology on Communication Networks Laboratory, Hefei, Anhui, China"],"affiliations":[{"raw_affiliation_string":"School of Information Science and Technology, University of Science and Technology of China, Hefei, Anhui, China","institution_ids":["https://openalex.org/I126520041"]},{"raw_affiliation_string":"Science and Technology on Communication Networks Laboratory, Hefei, Anhui, China","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5045720734","display_name":"Shuangwu Chen","orcid":"https://orcid.org/0000-0003-2817-9738"},"institutions":[{"id":"https://openalex.org/I126520041","display_name":"University of Science and Technology of China","ror":"https://ror.org/04c4dkn09","country_code":"CN","type":"education","lineage":["https://openalex.org/I126520041","https://openalex.org/I19820366"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Shuangwu Chen","raw_affiliation_strings":["School of Information Science and Technology, University of Science and Technology of China, Hefei, Anhui, China"],"affiliations":[{"raw_affiliation_string":"School of Information Science and Technology, University of Science and Technology of China, Hefei, Anhui, China","institution_ids":["https://openalex.org/I126520041"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5101805982","display_name":"Feng Yang","orcid":"https://orcid.org/0000-0002-4760-6005"},"institutions":[{"id":"https://openalex.org/I126520041","display_name":"University of Science and Technology of China","ror":"https://ror.org/04c4dkn09","country_code":"CN","type":"education","lineage":["https://openalex.org/I126520041","https://openalex.org/I19820366"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Feng Yang","raw_affiliation_strings":["School of Information Science and Technology, University of Science and Technology of China, Hefei, Anhui, China"],"affiliations":[{"raw_affiliation_string":"School of Information Science and Technology, University of Science and Technology of China, Hefei, Anhui, China","institution_ids":["https://openalex.org/I126520041"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5083577000"],"corresponding_institution_ids":["https://openalex.org/I126520041"],"apc_list":null,"apc_paid":null,"fwci":4.4592,"has_fulltext":false,"cited_by_count":44,"citation_normalized_percentile":{"value":0.94616482,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":96,"max":100},"biblio":{"volume":"19","issue":"5","first_page":"3546","last_page":"3563"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9977999925613403,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9977999925613403,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.9973000288009644,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9970999956130981,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7456523776054382},{"id":"https://openalex.org/keywords/correlation","display_name":"Correlation","score":0.444114089012146},{"id":"https://openalex.org/keywords/mathematics","display_name":"Mathematics","score":0.10304152965545654}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7456523776054382},{"id":"https://openalex.org/C117220453","wikidata":"https://www.wikidata.org/wiki/Q5172842","display_name":"Correlation","level":2,"score":0.444114089012146},{"id":"https://openalex.org/C33923547","wikidata":"https://www.wikidata.org/wiki/Q395","display_name":"Mathematics","level":0,"score":0.10304152965545654},{"id":"https://openalex.org/C2524010","wikidata":"https://www.wikidata.org/wiki/Q8087","display_name":"Geometry","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/tdsc.2021.3101649","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tdsc.2021.3101649","pdf_url":null,"source":{"id":"https://openalex.org/S133795288","display_name":"IEEE Transactions on Dependable and Secure Computing","issn_l":"1545-5971","issn":["1545-5971","1941-0018","2160-9209"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320439","host_organization_name":"IEEE Computer Society","host_organization_lineage":["https://openalex.org/P4310320439","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Computer Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Dependable and Secure Computing","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16","score":0.4399999976158142}],"awards":[{"id":"https://openalex.org/G8473468630","display_name":null,"funder_award_id":"CX2100107001","funder_id":"https://openalex.org/F4320322847","funder_display_name":"Youth Innovation Promotion Association of the Chinese Academy of Sciences"}],"funders":[{"id":"https://openalex.org/F4320322847","display_name":"Youth Innovation Promotion Association of the Chinese Academy of Sciences","ror":"https://ror.org/031141b54"}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":50,"referenced_works":["https://openalex.org/W1559377889","https://openalex.org/W1568555062","https://openalex.org/W1580345535","https://openalex.org/W1936523258","https://openalex.org/W1975062332","https://openalex.org/W1976413307","https://openalex.org/W1980501414","https://openalex.org/W1991906836","https://openalex.org/W1992705187","https://openalex.org/W2039858940","https://openalex.org/W2103587173","https://openalex.org/W2180696299","https://openalex.org/W2182819203","https://openalex.org/W2342850280","https://openalex.org/W2486441280","https://openalex.org/W2501070846","https://openalex.org/W2501259350","https://openalex.org/W2518895230","https://openalex.org/W2537328283","https://openalex.org/W2545820541","https://openalex.org/W2560932476","https://openalex.org/W2582259743","https://openalex.org/W2604409140","https://openalex.org/W2748696935","https://openalex.org/W2766227136","https://openalex.org/W2783740942","https://openalex.org/W2789667377","https://openalex.org/W2808323833","https://openalex.org/W2818789173","https://openalex.org/W2883847230","https://openalex.org/W2903839691","https://openalex.org/W2910711617","https://openalex.org/W2912294729","https://openalex.org/W2914411038","https://openalex.org/W2959653735","https://openalex.org/W2962703433","https://openalex.org/W2964010858","https://openalex.org/W2991452545","https://openalex.org/W2996497879","https://openalex.org/W2998038410","https://openalex.org/W3002573977","https://openalex.org/W3005127313","https://openalex.org/W3095395190","https://openalex.org/W3136858577","https://openalex.org/W4231510805","https://openalex.org/W6634071051","https://openalex.org/W6639619044","https://openalex.org/W6675301171","https://openalex.org/W6686096946","https://openalex.org/W6792169831"],"related_works":["https://openalex.org/W4391375266","https://openalex.org/W2899084033","https://openalex.org/W2748952813","https://openalex.org/W2390279801","https://openalex.org/W4391913857","https://openalex.org/W2358668433","https://openalex.org/W4396701345","https://openalex.org/W2376932109","https://openalex.org/W2001405890","https://openalex.org/W4396696052"],"abstract_inverted_index":{"The":[0,104,177],"volatile,":[1],"covert":[2],"and":[3,40,100,170],"slow":[4],"multistage":[5],"attack":[6,136,174],"patterns":[7],"of":[8,17,85,118,166,173,187],"Advanced":[9],"Persistent":[10],"Threat":[11],"(APT)":[12],"present":[13],"a":[14,55,73,153],"tricky":[15],"challenge":[16],"APT":[18,144,193],"detection,":[19],"which":[20,92],"are":[21,180],"vital":[22],"for":[23,67,132,141],"organisations":[24],"to":[25,35,45,50,113,126,157,182],"protect":[26],"their":[27],"critical":[28],"assets.":[29],"In":[30,48],"this":[31],"article,":[32],"we":[33,53],"aim":[34],"develop":[36],"system":[37,105],"that":[38],"aggregates":[39],"uses":[41],"existing":[42,77],"systems\u2019":[43,78],"alerts":[44,99],"detect":[46],"APTs.":[47],"order":[49],"achieve":[51],"this,":[52],"propose":[54],"causal":[56],"correlation":[57],"aided":[58],"semantic":[59,116,130,190],"analysis":[60,131,191],"system,":[61],"called":[62],"<sc":[63,80,161],"xmlns:mml=\"http://www.w3.org/1998/Math/MathML\"":[64,81,162],"xmlns:xlink=\"http://www.w3.org/1999/xlink\">Poirot</small>":[65,82,163],",":[66],"detecting":[68],"the":[69,97,108,115,119,129,134,143,159,167,171,184,188],"multi-stage":[70],"threats":[71],"over":[72],"long-time":[74],"span":[75],"from":[76],"alerts.":[79],"is":[83],"capable":[84],"autonomously":[86],"mining":[87],"causality":[88],"between":[89],"anomalous":[90],"events,":[91],"instructs":[93],"us":[94,125],"in":[95,101,164],"reorganizing":[96],"original":[98],"constructing":[102],"alert-chains.":[103,120],"further":[106],"exploits":[107],"Latent":[109],"Dirichlet":[110],"Allocation":[111],"(LDA)":[112],"model":[114,123],"context":[117],"This":[121],"LDA":[122],"facilitates":[124],"carry":[127],"out":[128],"capturing":[133],"latent":[135],"intent":[137],"as":[138,140],"well":[139],"reconstructing":[142],"scenario.":[145],"We":[146],"use":[147],"an":[148],"alert":[149],"dataset":[150],"provided":[151],"by":[152],"cyber":[154],"security":[155],"company":[156],"verify":[158],"proposed":[160,189],"terms":[165],"detection":[168],"accuracy":[169],"capability":[172],"scenario":[175],"reconstruction.":[176],"experiment":[178],"results":[179],"presented":[181],"show":[183],"achievable":[185],"performance":[186],"based":[192],"detection.":[194]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":15},{"year":2024,"cited_by_count":13},{"year":2023,"cited_by_count":9},{"year":2022,"cited_by_count":6}],"updated_date":"2026-03-28T08:17:26.163206","created_date":"2025-10-10T00:00:00"}