{"id":"https://openalex.org/W4402467005","doi":"https://doi.org/10.1109/tdsc.2025.3611866","title":"HADES: Detecting and Investigating Active Directory Attacks via Whole Network Provenance Analytics","display_name":"HADES: Detecting and Investigating Active Directory Attacks via Whole Network Provenance Analytics","publication_year":2025,"publication_date":"2025-09-22","ids":{"openalex":"https://openalex.org/W4402467005","doi":"https://doi.org/10.1109/tdsc.2025.3611866"},"language":"en","primary_location":{"id":"doi:10.1109/tdsc.2025.3611866","is_oa":true,"landing_page_url":"https://doi.org/10.1109/tdsc.2025.3611866","pdf_url":null,"source":{"id":"https://openalex.org/S133795288","display_name":"IEEE Transactions on Dependable and Secure Computing","issn_l":"1545-5971","issn":["1545-5971","1941-0018","2160-9209"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320439","host_organization_name":"IEEE Computer Society","host_organization_lineage":["https://openalex.org/P4310320439","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Computer Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Dependable and Secure Computing","raw_type":"journal-article"},"type":"preprint","indexed_in":["arxiv","crossref","datacite"],"open_access":{"is_oa":true,"oa_status":"hybrid","oa_url":"https://doi.org/10.1109/tdsc.2025.3611866","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5100453232","display_name":"Qi Liu","orcid":"https://orcid.org/0000-0002-9334-953X"},"institutions":[{"id":"https://openalex.org/I102335020","display_name":"Karlsruhe Institute of 
Technology","ror":"https://ror.org/04t3en479","country_code":"DE","type":"education","lineage":["https://openalex.org/I102335020","https://openalex.org/I1305996414"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Qi Liu","raw_affiliation_strings":["Institute for Automation and Applied Informatics, Karlsruhe Institute of Technology (KIT), Eggenstein-Leopoldshafen, Germany"],"raw_orcid":"https://orcid.org/0000-0002-9334-953X","affiliations":[{"raw_affiliation_string":"Institute for Automation and Applied Informatics, Karlsruhe Institute of Technology (KIT), Eggenstein-Leopoldshafen, Germany","institution_ids":["https://openalex.org/I102335020"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5062261948","display_name":"Kaibin Bao","orcid":"https://orcid.org/0000-0002-8231-4331"},"institutions":[{"id":"https://openalex.org/I102335020","display_name":"Karlsruhe Institute of Technology","ror":"https://ror.org/04t3en479","country_code":"DE","type":"education","lineage":["https://openalex.org/I102335020","https://openalex.org/I1305996414"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Kaibin Bao","raw_affiliation_strings":["Institute for Automation and Applied Informatics, Karlsruhe Institute of Technology (KIT), Eggenstein-Leopoldshafen, Germany"],"raw_orcid":"https://orcid.org/0000-0002-8231-4331","affiliations":[{"raw_affiliation_string":"Institute for Automation and Applied Informatics, Karlsruhe Institute of Technology (KIT), Eggenstein-Leopoldshafen, Germany","institution_ids":["https://openalex.org/I102335020"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5089936565","display_name":"Wajih Ul Hassan","orcid":"https://orcid.org/0000-0002-5676-6027"},"institutions":[{"id":"https://openalex.org/I51556381","display_name":"University of 
Virginia","ror":"https://ror.org/0153tk833","country_code":"US","type":"education","lineage":["https://openalex.org/I51556381"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Wajih Ul Hassan","raw_affiliation_strings":["School of Engineering & Applied Science, University of Virginia, Charlottesville, VA, USA"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"School of Engineering & Applied Science, University of Virginia, Charlottesville, VA, USA","institution_ids":["https://openalex.org/I51556381"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5014228448","display_name":"Veit Hagenmeyer","orcid":"https://orcid.org/0000-0002-3572-9083"},"institutions":[{"id":"https://openalex.org/I102335020","display_name":"Karlsruhe Institute of Technology","ror":"https://ror.org/04t3en479","country_code":"DE","type":"education","lineage":["https://openalex.org/I102335020","https://openalex.org/I1305996414"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Veit Hagenmeyer","raw_affiliation_strings":["Institute for Automation and Applied Informatics, Karlsruhe Institute of Technology (KIT), Eggenstein-Leopoldshafen, Germany"],"raw_orcid":"https://orcid.org/0000-0002-3572-9083","affiliations":[{"raw_affiliation_string":"Institute for Automation and Applied Informatics, Karlsruhe Institute of Technology (KIT), Eggenstein-Leopoldshafen, 
Germany","institution_ids":["https://openalex.org/I102335020"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":4,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":9.1143,"has_fulltext":true,"cited_by_count":4,"citation_normalized_percentile":{"value":0.96747007,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":90,"max":97},"biblio":{"volume":"23","issue":"1","first_page":"936","last_page":"953"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11986","display_name":"Scientific Computing and Data Management","score":0.9959999918937683,"subfield":{"id":"https://openalex.org/subfields/1802","display_name":"Information Systems and Management"},"field":{"id":"https://openalex.org/fields/18","display_name":"Decision Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},"topics":[{"id":"https://openalex.org/T11986","display_name":"Scientific Computing and Data Management","score":0.9959999918937683,"subfield":{"id":"https://openalex.org/subfields/1802","display_name":"Information Systems and Management"},"field":{"id":"https://openalex.org/fields/18","display_name":"Decision Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9205999970436096,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical 
Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/directory","display_name":"Directory","score":0.8454866409301758},{"id":"https://openalex.org/keywords/provenance","display_name":"Provenance","score":0.686970591545105},{"id":"https://openalex.org/keywords/analytics","display_name":"Analytics","score":0.6827627420425415},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.6275748014450073},{"id":"https://openalex.org/keywords/database","display_name":"Database","score":0.3813084363937378},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.3585544228553772},{"id":"https://openalex.org/keywords/data-science","display_name":"Data science","score":0.3309926390647888},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.15731626749038696},{"id":"https://openalex.org/keywords/geology","display_name":"Geology","score":0.0487179160118103}],"concepts":[{"id":"https://openalex.org/C2777683733","wikidata":"https://www.wikidata.org/wiki/Q201456","display_name":"Directory","level":2,"score":0.8454866409301758},{"id":"https://openalex.org/C2780049196","wikidata":"https://www.wikidata.org/wiki/Q23582628","display_name":"Provenance","level":2,"score":0.686970591545105},{"id":"https://openalex.org/C79158427","wikidata":"https://www.wikidata.org/wiki/Q485396","display_name":"Analytics","level":2,"score":0.6827627420425415},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6275748014450073},{"id":"https://openalex.org/C77088390","wikidata":"https://www.wikidata.org/wiki/Q8513","display_name":"Database","level":1,"score":0.3813084363937378},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide 
Web","level":1,"score":0.3585544228553772},{"id":"https://openalex.org/C2522767166","wikidata":"https://www.wikidata.org/wiki/Q2374463","display_name":"Data science","level":1,"score":0.3309926390647888},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.15731626749038696},{"id":"https://openalex.org/C127313418","wikidata":"https://www.wikidata.org/wiki/Q1069","display_name":"Geology","level":0,"score":0.0487179160118103},{"id":"https://openalex.org/C5900021","wikidata":"https://www.wikidata.org/wiki/Q163082","display_name":"Petrology","level":1,"score":0.0}],"mesh":[],"locations_count":4,"locations":[{"id":"doi:10.1109/tdsc.2025.3611866","is_oa":true,"landing_page_url":"https://doi.org/10.1109/tdsc.2025.3611866","pdf_url":null,"source":{"id":"https://openalex.org/S133795288","display_name":"IEEE Transactions on Dependable and Secure Computing","issn_l":"1545-5971","issn":["1545-5971","1941-0018","2160-9209"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320439","host_organization_name":"IEEE Computer Society","host_organization_lineage":["https://openalex.org/P4310320439","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Computer Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Dependable and Secure Computing","raw_type":"journal-article"},{"id":"pmh:oai:arXiv.org:2407.18858","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2407.18858","pdf_url":"https://arxiv.org/pdf/2407.18858","source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell 
University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"","raw_type":"text"},{"id":"pmh:oai:arXiv.org:2407.18858","is_oa":true,"landing_page_url":"https://arxiv.org/abs/2407.18858","pdf_url":"https://arxiv.org/pdf/2407.18858","source":{"id":"https://openalex.org/S4393918464","display_name":"ArXiv.org","issn_l":"2331-8422","issn":["2331-8422"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"},{"id":"doi:10.48550/arxiv.2407.18858","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2407.18858","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell 
University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.1109/tdsc.2025.3611866","is_oa":true,"landing_page_url":"https://doi.org/10.1109/tdsc.2025.3611866","pdf_url":null,"source":{"id":"https://openalex.org/S133795288","display_name":"IEEE Transactions on Dependable and Secure Computing","issn_l":"1545-5971","issn":["1545-5971","1941-0018","2160-9209"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320439","host_organization_name":"IEEE Computer Society","host_organization_lineage":["https://openalex.org/P4310320439","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Computer Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Dependable and Secure Computing","raw_type":"journal-article"},"sustainable_development_goals":[],"awards":[],"funders":[{"id":"https://openalex.org/F4320325698","display_name":"Helmholtz 
Association","ror":null}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":18,"referenced_works":["https://openalex.org/W2579106964","https://openalex.org/W2790316935","https://openalex.org/W2962703433","https://openalex.org/W2947745012","https://openalex.org/W3015650867","https://openalex.org/W3016038045","https://openalex.org/W4402288718","https://openalex.org/W4402265033","https://openalex.org/W4288057803","https://openalex.org/W4388858881","https://openalex.org/W2213728018","https://openalex.org/W3185502221","https://openalex.org/W2998038410","https://openalex.org/W4384948624","https://openalex.org/W2802509343","https://openalex.org/W4406460906","https://openalex.org/W3130250190","https://openalex.org/W2911994103"],"related_works":["https://openalex.org/W3115906952","https://openalex.org/W2354627941","https://openalex.org/W3134811395","https://openalex.org/W3155196058","https://openalex.org/W4252960523","https://openalex.org/W1529821365","https://openalex.org/W2135486207","https://openalex.org/W2347483153","https://openalex.org/W1499611046","https://openalex.org/W4390482427"],"abstract_inverted_index":{"Due":[0],"to":[1,43,73,78,116],"its":[2],"crucial":[3],"role":[4],"in":[5,10,53,64,120,163,185],"identity":[6],"and":[7,76,201],"access":[8],"management":[9],"modern":[11],"enterprise":[12],"networks,":[13],"Active":[14],"Directory":[15],"(AD)":[16],"is":[17],"a":[18,86,105,155,176,202],"top":[19],"target":[20],"of":[21,82,97,167],"Advanced":[22],"Persistence":[23],"Threat":[24],"(APT)":[25],"actors.":[26,50],"Conventional":[27],"intrusion":[28],"detection":[29,160,199],"systems":[30,200],"(IDS)":[31],"excel":[32],"at":[33],"identifying":[34],"malicious":[35,61],"behaviors":[36],"caused":[37],"by":[38,48,59,103],"malware,":[39],"but":[40],"often":[41],"fail":[42],"detect":[44],"stealthy":[45],"attacks":[46],"launched":[47],"APT":[49],"Recent":[51],"advance":[52],"provenance-based":[54],"IDS":[55],"(PIDS)":[56],"shows":[5
7],"promises":[58],"exposing":[60],"system":[62],"activities":[63],"causal":[65],"attack":[66,172,206],"graphs.":[67],"However,":[68],"existing":[69],"approaches":[70],"are":[71],"restricted":[72],"intra-machine":[74],"tracing,":[75],"unable":[77],"reveal":[79],"the":[80,93],"scope":[81],"attackers'":[83],"traversal":[84],"inside":[85],"network.":[87],"We":[88,123],"propose":[89],"<sc":[90,125,192],"xmlns:mml=\"http://www.w3.org/1998/Math/MathML\"":[91,110,126,193],"xmlns:xlink=\"http://www.w3.org/1999/xlink\">HADES</small>,":[92],"first":[94,141],"PIDS":[95],"capable":[96],"performing":[98],"accurate":[99],"causality-based":[100],"cross-machine":[101,121],"tracing":[102,132,137],"leveraging":[104],"novel":[106,156],"concept":[107],"called":[108],"<italic":[109],"xmlns:xlink=\"http://www.w3.org/1999/xlink\">logon":[111],"session":[112],"based":[113],"execution":[114],"partitioning</i>":[115],"overcome":[117],"several":[118],"challenges":[119],"tracing.":[122],"design":[124],"xmlns:xlink=\"http://www.w3.org/1999/xlink\">HADES</small>":[127,194],"as":[128],"an":[129,143,147],"efficient":[130],"on-demand":[131],"system,":[133],"which":[134,152],"performs":[135],"whole-network":[136],"only":[138],"when":[139],"it":[140],"identifies":[142],"authentication":[144,158],"anomaly":[145,159],"signifying":[146],"ongoing":[148],"AD":[149,168,186,205],"attack,":[150],"for":[151],"we":[153,174,183],"introduce":[154],"lightweight":[157],"model":[161],"rooted":[162],"our":[164],"extensive":[165],"analysis":[166],"attacks.":[169,187],"To":[170],"triage":[171],"alerts,":[173],"present":[175],"new":[177],"algorithm":[178],"integrating":[179],"two":[180],"key":[181],"insights":[182],"identified":[184],"Our":[188],"evaluations":[189],"show":[190],"that":[191],"outperforms":[195],"both":[196],"popular":[197],"open-source":[198],"prominent":[203],"commercial":[204],"detector.":[207]},"counts_by_year":[{"year":2025,"cited_by_count":3},{"year":2024,"cited_by_count":1}],"updated_date":"2026-0
6-11T09:08:48.828518","created_date":"2024-09-13T00:00:00"}
