{"id":"https://openalex.org/W4415179056","doi":"https://doi.org/10.1109/tdsc.2025.3621434","title":"SParse: Semantic Tracking and Path Analysis for Attack Investigation in Real-Time","display_name":"SParse: Semantic Tracking and Path Analysis for Attack Investigation in Real-Time","publication_year":2025,"publication_date":"2025-10-14","ids":{"openalex":"https://openalex.org/W4415179056","doi":"https://doi.org/10.1109/tdsc.2025.3621434"},"language":"en","primary_location":{"id":"doi:10.1109/tdsc.2025.3621434","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tdsc.2025.3621434","pdf_url":null,"source":{"id":"https://openalex.org/S133795288","display_name":"IEEE Transactions on Dependable and Secure Computing","issn_l":"1545-5971","issn":["1545-5971","1941-0018","2160-9209"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320439","host_organization_name":"IEEE Computer Society","host_organization_lineage":["https://openalex.org/P4310320439","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Computer Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Dependable and Secure Computing","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5038660211","display_name":"Jie Ying","orcid":"https://orcid.org/0009-0006-4293-5850"},"institutions":[{"id":"https://openalex.org/I55712492","display_name":"Zhejiang University of Technology","ror":"https://ror.org/02djqfd08","country_code":"CN","type":"education","lineage":["https://openalex.org/I55712492"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Jie Ying","raw_affiliation_strings":["College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, China"],"affiliations":[{"raw_affiliation_string":"College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, China","institution_ids":["https://openalex.org/I55712492"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5029428788","display_name":"Tiantian Zhu","orcid":"https://orcid.org/0000-0002-8657-662X"},"institutions":[{"id":"https://openalex.org/I55712492","display_name":"Zhejiang University of Technology","ror":"https://ror.org/02djqfd08","country_code":"CN","type":"education","lineage":["https://openalex.org/I55712492"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Tiantian Zhu","raw_affiliation_strings":["College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, China"],"affiliations":[{"raw_affiliation_string":"College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, China","institution_ids":["https://openalex.org/I55712492"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5060735807","display_name":"Wenrui Cheng","orcid":"https://orcid.org/0000-0003-1690-164X"},"institutions":[{"id":"https://openalex.org/I55712492","display_name":"Zhejiang University of Technology","ror":"https://ror.org/02djqfd08","country_code":"CN","type":"education","lineage":["https://openalex.org/I55712492"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Wenrui Cheng","raw_affiliation_strings":["College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, China"],"affiliations":[{"raw_affiliation_string":"College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, China","institution_ids":["https://openalex.org/I55712492"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5037870298","display_name":"Qixuan Yuan","orcid":"https://orcid.org/0000-0002-3360-4025"},"institutions":[{"id":"https://openalex.org/I55712492","display_name":"Zhejiang University of Technology","ror":"https://ror.org/02djqfd08","country_code":"CN","type":"education","lineage":["https://openalex.org/I55712492"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Qixuan Yuan","raw_affiliation_strings":["College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, China"],"affiliations":[{"raw_affiliation_string":"College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, China","institution_ids":["https://openalex.org/I55712492"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101625368","display_name":"Mingjun Ma","orcid":"https://orcid.org/0009-0005-7863-3021"},"institutions":[{"id":"https://openalex.org/I55712492","display_name":"Zhejiang University of Technology","ror":"https://ror.org/02djqfd08","country_code":"CN","type":"education","lineage":["https://openalex.org/I55712492"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Mingjun Ma","raw_affiliation_strings":["College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, China"],"affiliations":[{"raw_affiliation_string":"College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, China","institution_ids":["https://openalex.org/I55712492"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5024324179","display_name":"Chunlin Xiong","orcid":"https://orcid.org/0000-0003-4426-3585"},"institutions":[{"id":"https://openalex.org/I6507939","display_name":"China United Network Communications Group (China)","ror":"https://ror.org/028w99c90","country_code":"CN","type":"company","lineage":["https://openalex.org/I6507939"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Chunlin Xiong","raw_affiliation_strings":["China Unicom (Guangdong) Industrial Internet Company, Ltd., Guangzhou, China","China Unicom (Guangdong) Industrial Internet Co., Ltd., Guangzhou, China"],"affiliations":[{"raw_affiliation_string":"China Unicom (Guangdong) Industrial Internet Company, Ltd., Guangzhou, China","institution_ids":["https://openalex.org/I6507939"]},{"raw_affiliation_string":"China Unicom (Guangdong) Industrial Internet Co., Ltd., Guangzhou, China","institution_ids":["https://openalex.org/I6507939"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5056827411","display_name":"Tieming Chen","orcid":"https://orcid.org/0000-0003-4664-3311"},"institutions":[{"id":"https://openalex.org/I168879160","display_name":"Zhejiang University of Science and Technology","ror":"https://ror.org/05mx0wr29","country_code":"CN","type":"education","lineage":["https://openalex.org/I168879160"]},{"id":"https://openalex.org/I4210123185","display_name":"Zhejiang Lab","ror":"https://ror.org/02m2h7991","country_code":"CN","type":"facility","lineage":["https://openalex.org/I4210123185"]},{"id":"https://openalex.org/I55712492","display_name":"Zhejiang University of Technology","ror":"https://ror.org/02djqfd08","country_code":"CN","type":"education","lineage":["https://openalex.org/I55712492"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Tieming Chen","raw_affiliation_strings":["College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, China","College of Computer Science and Technology, Zhejiang University of Technology and Zhejiang Key Laboratory of Visual Information Intelligent Processing, Hangzhou, China"],"affiliations":[{"raw_affiliation_string":"College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, China","institution_ids":["https://openalex.org/I55712492"]},{"raw_affiliation_string":"College of Computer Science and Technology, Zhejiang University of Technology and Zhejiang Key Laboratory of Visual Information Intelligent Processing, Hangzhou, China","institution_ids":["https://openalex.org/I55712492","https://openalex.org/I168879160","https://openalex.org/I4210123185"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5068773146","display_name":"Mingqi Lv","orcid":"https://orcid.org/0000-0003-4810-7491"},"institutions":[{"id":"https://openalex.org/I55712492","display_name":"Zhejiang University of Technology","ror":"https://ror.org/02djqfd08","country_code":"CN","type":"education","lineage":["https://openalex.org/I55712492"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Mingqi Lv","raw_affiliation_strings":["College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, China"],"affiliations":[{"raw_affiliation_string":"College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, China","institution_ids":["https://openalex.org/I55712492"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5100378138","display_name":"Yan Chen","orcid":"https://orcid.org/0000-0003-0409-9485"},"institutions":[{"id":"https://openalex.org/I111979921","display_name":"Northwestern University","ror":"https://ror.org/000e0be47","country_code":"US","type":"education","lineage":["https://openalex.org/I111979921"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Yan Chen","raw_affiliation_strings":["Department of Electrical Engineering and Computer Science, Northwestern University, Evanston, IL, USA"],"affiliations":[{"raw_affiliation_string":"Department of Electrical Engineering and Computer Science, Northwestern University, Evanston, IL, USA","institution_ids":["https://openalex.org/I111979921"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":9,"corresponding_author_ids":["https://openalex.org/A5038660211"],"corresponding_institution_ids":["https://openalex.org/I55712492"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.15216152,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"23","issue":"2","first_page":"1865","last_page":"1878"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11512","display_name":"Anomaly Detection Techniques and Applications","score":0.9975000023841858,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11512","display_name":"Anomaly Detection Techniques and Applications","score":0.9975000023841858,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9965999722480774,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9940000176429749,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/graph","display_name":"Graph","score":0.5105999708175659},{"id":"https://openalex.org/keywords/component","display_name":"Component (thermodynamics)","score":0.4722999930381775},{"id":"https://openalex.org/keywords/control-flow-graph","display_name":"Control flow graph","score":0.454800009727478},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.4462999999523163},{"id":"https://openalex.org/keywords/semantics","display_name":"Semantics (computer science)","score":0.413100004196167},{"id":"https://openalex.org/keywords/filter","display_name":"Filter (signal processing)","score":0.38940000534057617},{"id":"https://openalex.org/keywords/critical-path-method","display_name":"Critical path method","score":0.3531999886035919},{"id":"https://openalex.org/keywords/latency","display_name":"Latency (audio)","score":0.3260999917984009}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8208000063896179},{"id":"https://openalex.org/C132525143","wikidata":"https://www.wikidata.org/wiki/Q141488","display_name":"Graph","level":2,"score":0.5105999708175659},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.4991999864578247},{"id":"https://openalex.org/C168167062","wikidata":"https://www.wikidata.org/wiki/Q1117970","display_name":"Component (thermodynamics)","level":2,"score":0.4722999930381775},{"id":"https://openalex.org/C27458966","wikidata":"https://www.wikidata.org/wiki/Q1187693","display_name":"Control flow graph","level":2,"score":0.454800009727478},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.4462999999523163},{"id":"https://openalex.org/C80444323","wikidata":"https://www.wikidata.org/wiki/Q2878974","display_name":"Theoretical computer science","level":1,"score":0.44440001249313354},{"id":"https://openalex.org/C184337299","wikidata":"https://www.wikidata.org/wiki/Q1437428","display_name":"Semantics (computer science)","level":2,"score":0.413100004196167},{"id":"https://openalex.org/C106131492","wikidata":"https://www.wikidata.org/wiki/Q3072260","display_name":"Filter (signal processing)","level":2,"score":0.38940000534057617},{"id":"https://openalex.org/C115874739","wikidata":"https://www.wikidata.org/wiki/Q825377","display_name":"Critical path method","level":2,"score":0.3531999886035919},{"id":"https://openalex.org/C82876162","wikidata":"https://www.wikidata.org/wiki/Q17096504","display_name":"Latency (audio)","level":2,"score":0.3260999917984009},{"id":"https://openalex.org/C156884757","wikidata":"https://www.wikidata.org/wiki/Q798554","display_name":"Backtracking","level":2,"score":0.31709998846054077},{"id":"https://openalex.org/C64357122","wikidata":"https://www.wikidata.org/wiki/Q1149766","display_name":"Causality (physics)","level":2,"score":0.29989999532699585},{"id":"https://openalex.org/C489000","wikidata":"https://www.wikidata.org/wiki/Q747385","display_name":"Data flow diagram","level":2,"score":0.2888999879360199},{"id":"https://openalex.org/C2779662365","wikidata":"https://www.wikidata.org/wiki/Q5416694","display_name":"Event (particle physics)","level":2,"score":0.2856999933719635},{"id":"https://openalex.org/C88230418","wikidata":"https://www.wikidata.org/wiki/Q131476","display_name":"Graph theory","level":2,"score":0.28349998593330383},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.27489998936653137},{"id":"https://openalex.org/C23123220","wikidata":"https://www.wikidata.org/wiki/Q816826","display_name":"Information retrieval","level":1,"score":0.26759999990463257},{"id":"https://openalex.org/C67186912","wikidata":"https://www.wikidata.org/wiki/Q367664","display_name":"Data modeling","level":2,"score":0.2662999927997589},{"id":"https://openalex.org/C176225458","wikidata":"https://www.wikidata.org/wiki/Q595971","display_name":"Graph database","level":3,"score":0.25949999690055847},{"id":"https://openalex.org/C106937863","wikidata":"https://www.wikidata.org/wiki/Q7236518","display_name":"Power graph analysis","level":3,"score":0.25760000944137573}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/tdsc.2025.3621434","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tdsc.2025.3621434","pdf_url":null,"source":{"id":"https://openalex.org/S133795288","display_name":"IEEE Transactions on Dependable and Secure Computing","issn_l":"1545-5971","issn":["1545-5971","1941-0018","2160-9209"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320439","host_organization_name":"IEEE Computer Society","host_organization_lineage":["https://openalex.org/P4310320439","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Computer Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Dependable and Secure Computing","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":29,"referenced_works":["https://openalex.org/W168132470","https://openalex.org/W2131681506","https://openalex.org/W2135143063","https://openalex.org/W2295705535","https://openalex.org/W2532844970","https://openalex.org/W2560810941","https://openalex.org/W2579106964","https://openalex.org/W2790557990","https://openalex.org/W2792591096","https://openalex.org/W2889727957","https://openalex.org/W2947745012","https://openalex.org/W2962703433","https://openalex.org/W2965563623","https://openalex.org/W2998038410","https://openalex.org/W3005127313","https://openalex.org/W3015650867","https://openalex.org/W3094213939","https://openalex.org/W3110889769","https://openalex.org/W3137205257","https://openalex.org/W3157720608","https://openalex.org/W3176367300","https://openalex.org/W3195954353","https://openalex.org/W4319663646","https://openalex.org/W4384948624","https://openalex.org/W4388858673","https://openalex.org/W4392357737","https://openalex.org/W4402263650","https://openalex.org/W4402265033","https://openalex.org/W4402288718"],"related_works":[],"abstract_inverted_index":{"As":[0],"Advanced":[1],"Persistent":[2],"Threats":[3],"(APTs)":[4],"become":[5],"more":[6,203],"complex":[7],"and":[8,42,54,105,136,151],"destructive,":[9],"attack":[10,164],"investigation":[11],"has":[12],"gained":[13],"importance.":[14],"Analysts":[15],"use":[16],"provenance":[17,52],"graphs":[18,69,96],"for":[19,65],"causality":[20],"analysis":[21],"on":[22,85,161],"Point-Of-Interest":[23],"(POI)":[24],"events":[25,91],"to":[26,46,147,156,210],"capture":[27],"critical":[28,58,67,73,171],"events.":[29,59,159],"However,":[30],"existing":[31],"methods":[32],"suffer":[33],"from":[34,75],"problems":[35],"of":[36,50,57,72,99],"high":[37,40,43],"false":[38],"positives,":[39],"overhead,":[41],"latency":[44],"due":[45],"the":[47,51,55,110,126,148,189],"vast":[48],"size":[49],"graph":[53,173,191],"rarity":[56],"We":[60],"propose":[61],"<sc":[62,116],"xmlns:mml=\"http://www.w3.org/1998/Math/MathML\"":[63,117,175,193],"xmlns:xlink=\"http://www.w3.org/1999/xlink\">SPARSE</small>":[64,118],"constructing":[66],"component":[68,172],"(i.e.,":[70],"consisting":[71],"events)":[74],"streaming":[76],"logs":[77],"in":[78,93,180,205],"real":[79],"time.":[80],"Our":[81],"approach":[82],"is":[83,184,199],"based":[84],"two":[86],"key":[87],"observations:":[88],"1)":[89],"Critical":[90],"exist":[92,113],"suspicious":[94,103,142],"semantic":[95,133],"(SSGs)":[97],"composed":[98],"interaction":[100],"flows":[101,108],"between":[102],"entities,":[104],"2)":[106],"Information":[107],"accomplishing":[109],"attacker's":[111],"goal":[112],"as":[114],"paths.":[115],"uses":[119],"a":[120,129,162,170],"two-stage":[121],"framework":[122],"that":[123],"first":[124],"constructs":[125],"SSG":[127],"using":[128],"state-based":[130],"mode":[131],"with":[132],"transfer":[134],"rules":[135],"storage":[137],"strategies.":[138],"Then,":[139],"it":[140],"identifies":[141],"flow":[143],"paths":[144],"(SFPs)":[145],"related":[146],"POI":[149],"event":[150],"quantifies":[152],"each":[153],"path's":[154],"influence":[155],"filter":[157],"irrelevant":[158,207],"Evaluation":[160],"large-scale":[163],"dataset":[165],"shows":[166],"our":[167],"system":[168],"generates":[169],"(<inline-formula":[174,192],"xmlns:xlink=\"http://www.w3.org/1999/xlink\"><tex-math":[176,194],"notation=\"LaTeX\">$\\sim$</tex-math></inline-formula>":[177,195],"113":[178],"edges)":[179],"1.6":[181],"seconds,":[182],"which":[183],"2014":[185],"\u00d7":[186,202],"smaller":[187],"than":[188],"backtracking":[190],"227,589":[196],"edges).":[197],"It":[198],"also":[200],"25":[201],"effective":[204],"filtering":[206],"edges":[208],"compared":[209],"other":[211],"state-of-the-art":[212],"techniques.":[213]},"counts_by_year":[],"updated_date":"2026-03-27T05:58:40.876381","created_date":"2025-10-15T00:00:00"}