{"id":"https://openalex.org/W7131248654","doi":"https://doi.org/10.1109/tetc.2026.3665235","title":"Graph-Based Anomaly APT Attack Detection via Threat Intelligence","display_name":"Graph-Based Anomaly APT Attack Detection via Threat Intelligence","publication_year":2026,"publication_date":"2026-01-01","ids":{"openalex":"https://openalex.org/W7131248654","doi":"https://doi.org/10.1109/tetc.2026.3665235"},"language":null,"primary_location":{"id":"doi:10.1109/tetc.2026.3665235","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tetc.2026.3665235","pdf_url":null,"source":{"id":"https://openalex.org/S2496326734","display_name":"IEEE Transactions on Emerging Topics in Computing","issn_l":"2168-6750","issn":["2168-6750","2376-4562"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Emerging Topics in Computing","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5018793696","display_name":"Cheng Fan","orcid":"https://orcid.org/0000-0002-3440-3276"},"institutions":[{"id":"https://openalex.org/I142974352","display_name":"National Sun Yat-sen University","ror":"https://ror.org/00mjawt10","country_code":"TW","type":"education","lineage":["https://openalex.org/I142974352"]}],"countries":["TW"],"is_corresponding":true,"raw_author_name":"Chun-I Fan","raw_affiliation_strings":["Department of Computer Science and Engineering, National Sun Yat-sen University, Kaohsiung, Taiwan"],"affiliations":[{"raw_affiliation_string":"Department of Computer Science and Engineering, National Sun Yat-sen University, Kaohsiung, Taiwan","institution_ids":["https://openalex.org/I142974352"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5126708417","display_name":"Cheng-Han Shie","orcid":null},"institutions":[{"id":"https://openalex.org/I142974352","display_name":"National Sun Yat-sen University","ror":"https://ror.org/00mjawt10","country_code":"TW","type":"education","lineage":["https://openalex.org/I142974352"]}],"countries":["TW"],"is_corresponding":false,"raw_author_name":"Cheng-Han Shie","raw_affiliation_strings":["Department of Computer Science and Engineering, National Sun Yat-sen University, Kaohsiung, Taiwan"],"affiliations":[{"raw_affiliation_string":"Department of Computer Science and Engineering, National Sun Yat-sen University, Kaohsiung, Taiwan","institution_ids":["https://openalex.org/I142974352"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100511861","display_name":"Ying-Chan Chang","orcid":null},"institutions":[{"id":"https://openalex.org/I142974352","display_name":"National Sun Yat-sen University","ror":"https://ror.org/00mjawt10","country_code":"TW","type":"education","lineage":["https://openalex.org/I142974352"]}],"countries":["TW"],"is_corresponding":false,"raw_author_name":"Ying-Chan Chang","raw_affiliation_strings":["Department of Computer Science and Engineering, National Sun Yat-sen University, Kaohsiung, Taiwan"],"affiliations":[{"raw_affiliation_string":"Department of Computer Science and Engineering, National Sun Yat-sen University, Kaohsiung, Taiwan","institution_ids":["https://openalex.org/I142974352"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5126666431","display_name":"Tao Ban","orcid":null},"institutions":[{"id":"https://openalex.org/I90023481","display_name":"National Institute of Information and Communications Technology","ror":"https://ror.org/016bgq349","country_code":"JP","type":"facility","lineage":["https://openalex.org/I90023481"]}],"countries":["JP"],"is_corresponding":false,"raw_author_name":"Tao Ban","raw_affiliation_strings":["National Institute of Information and Communications Technology, Koganei, Japan"],"affiliations":[{"raw_affiliation_string":"National Institute of Information and Communications Technology, Koganei, Japan","institution_ids":["https://openalex.org/I90023481"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5126673326","display_name":"Tomohiro Morikawa","orcid":null},"institutions":[{"id":"https://openalex.org/I180941496","display_name":"University of Hyogo","ror":"https://ror.org/0151bmh98","country_code":"JP","type":"education","lineage":["https://openalex.org/I180941496"]}],"countries":["JP"],"is_corresponding":false,"raw_author_name":"Tomohiro Morikawa","raw_affiliation_strings":["University of Hyogo, Kobe, Japan"],"affiliations":[{"raw_affiliation_string":"University of Hyogo, Kobe, Japan","institution_ids":["https://openalex.org/I180941496"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5121685034","display_name":"Takeshi Takahashi","orcid":null},"institutions":[{"id":"https://openalex.org/I90023481","display_name":"National Institute of Information and Communications Technology","ror":"https://ror.org/016bgq349","country_code":"JP","type":"facility","lineage":["https://openalex.org/I90023481"]}],"countries":["JP"],"is_corresponding":false,"raw_author_name":"Takeshi Takahashi","raw_affiliation_strings":["National Institute of Information and Communications Technology, Koganei, Japan"],"affiliations":[{"raw_affiliation_string":"National Institute of Information and Communications Technology, Koganei, Japan","institution_ids":["https://openalex.org/I90023481"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":6,"corresponding_author_ids":["https://openalex.org/A5018793696"],"corresponding_institution_ids":["https://openalex.org/I142974352"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.47204136,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"14","issue":"1","first_page":"348","last_page":"363"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.24459999799728394,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.24459999799728394,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.094200000166893,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10917","display_name":"Smart Grid Security and Resilience","score":0.08410000056028366,"subfield":{"id":"https://openalex.org/subfields/2207","display_name":"Control and Systems Engineering"},"field":{"id":"https://openalex.org/fields/22","display_name":"Engineering"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/anomaly-detection","display_name":"Anomaly detection","score":0.5812000036239624},{"id":"https://openalex.org/keywords/hacker","display_name":"Hacker","score":0.5698999762535095},{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.5608000159263611},{"id":"https://openalex.org/keywords/attack-patterns","display_name":"Attack patterns","score":0.37279999256134033},{"id":"https://openalex.org/keywords/graph","display_name":"Graph","score":0.3675999939441681},{"id":"https://openalex.org/keywords/ransomware","display_name":"Ransomware","score":0.3528999984264374},{"id":"https://openalex.org/keywords/artificial-neural-network","display_name":"Artificial neural network","score":0.34610000252723694},{"id":"https://openalex.org/keywords/intrusion-detection-system","display_name":"Intrusion detection system","score":0.3431999981403351}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8400999903678894},{"id":"https://openalex.org/C739882","wikidata":"https://www.wikidata.org/wiki/Q3560506","display_name":"Anomaly detection","level":2,"score":0.5812000036239624},{"id":"https://openalex.org/C86844869","wikidata":"https://www.wikidata.org/wiki/Q2798820","display_name":"Hacker","level":2,"score":0.5698999762535095},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.5608000159263611},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.49079999327659607},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.3993000090122223},{"id":"https://openalex.org/C2780741293","wikidata":"https://www.wikidata.org/wiki/Q4818019","display_name":"Attack patterns","level":3,"score":0.37279999256134033},{"id":"https://openalex.org/C132525143","wikidata":"https://www.wikidata.org/wiki/Q141488","display_name":"Graph","level":2,"score":0.3675999939441681},{"id":"https://openalex.org/C2777667771","wikidata":"https://www.wikidata.org/wiki/Q926331","display_name":"Ransomware","level":3,"score":0.3528999984264374},{"id":"https://openalex.org/C50644808","wikidata":"https://www.wikidata.org/wiki/Q192776","display_name":"Artificial neural network","level":2,"score":0.34610000252723694},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.3431999981403351},{"id":"https://openalex.org/C2781067378","wikidata":"https://www.wikidata.org/wiki/Q17027399","display_name":"Interpretability","level":2,"score":0.33820000290870667},{"id":"https://openalex.org/C79974875","wikidata":"https://www.wikidata.org/wiki/Q483639","display_name":"Cloud computing","level":2,"score":0.33379998803138733},{"id":"https://openalex.org/C182590292","wikidata":"https://www.wikidata.org/wiki/Q989632","display_name":"Network security","level":2,"score":0.3312999904155731},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.329800009727478},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.31189998984336853},{"id":"https://openalex.org/C145804949","wikidata":"https://www.wikidata.org/wiki/Q478123","display_name":"Situation awareness","level":2,"score":0.3025999963283539},{"id":"https://openalex.org/C2779662365","wikidata":"https://www.wikidata.org/wiki/Q5416694","display_name":"Event (particle physics)","level":2,"score":0.2851000130176544},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.27410000562667847},{"id":"https://openalex.org/C2781251061","wikidata":"https://www.wikidata.org/wiki/Q5416089","display_name":"Evasion (ethics)","level":3,"score":0.27399998903274536},{"id":"https://openalex.org/C116834253","wikidata":"https://www.wikidata.org/wiki/Q2039217","display_name":"Identification (biology)","level":2,"score":0.26190000772476196}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/tetc.2026.3665235","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tetc.2026.3665235","pdf_url":null,"source":{"id":"https://openalex.org/S2496326734","display_name":"IEEE Transactions on Emerging Topics in Computing","issn_l":"2168-6750","issn":["2168-6750","2376-4562"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Emerging Topics in Computing","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[{"display_name":"Climate action","id":"https://metadata.un.org/sdg/13","score":0.49056050181388855}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":9,"referenced_works":["https://openalex.org/W2064675550","https://openalex.org/W2112796928","https://openalex.org/W2131904035","https://openalex.org/W2296719434","https://openalex.org/W2970641574","https://openalex.org/W3008991042","https://openalex.org/W3015650867","https://openalex.org/W3109160943","https://openalex.org/W4402265033"],"related_works":[],"abstract_inverted_index":{"Among":[0],"Advanced":[1],"Persistent":[2],"Threats":[3],"in":[4],"recent":[5],"years,":[6],"hackers":[7],"have":[8,45],"combined":[9],"multiple":[10],"defense":[11],"evasion":[12],"techniques":[13,36],"to":[14,75,155,194],"hide":[15],"themselves":[16],"from":[17,120,168],"the":[18,26,34,43,48,58,105,109,113,116,121,126,136,148,161,165,169,172,175,178,183,188],"detection":[19,89,185],"of":[20,28,82,108,129,150,171,177],"traditional":[21,196],"antivirus":[22],"software.":[23],"For":[24],"example,":[25],"combination":[27],"fileless":[29],"malware":[30],"and":[31,37,51,73],"Living":[32],"Off":[33],"Land":[35],"abusing":[38],"legitimate":[39],"cloud":[40],"services":[41],"force":[42,70],"enterprises":[44],"gradually":[46],"adopted":[47],"Endpoint":[49],"Detection":[50],"Response":[52],"(EDR)":[53],"instead.":[54],"However,":[55],"EDR":[56],"has":[57],"disadvantage":[59],"that":[60,135,182],"this":[61],"tool":[62],"may":[63],"produce":[64],"massive":[65],"false":[66,151],"alarms.":[67],"This":[68],"situation":[69],"security":[71,166],"maintainer":[72],"analysts":[74],"be":[76],"burdened":[77],"with":[78],"a":[79,97,130,195],"large":[80],"amount":[81],"additional":[83],"analyses.":[84],"We":[85],"proposed":[86,137],"an":[87],"anomaly":[88],"system":[90,114,138,180],"based":[91,186],"on":[92,164,187],"graphs.":[93],"First,":[94],"we":[95,146],"input":[96],"provenance":[98,122],"graph":[99,123,189],"containing":[100],"threat":[101],"intelligence":[102],"constructed":[103],"by":[104,153],"normal":[106],"behaviors":[107],"system.":[110],"After":[111],"that,":[112],"learns":[115],"potential":[117],"structured":[118],"information":[119],"for":[124],"detecting":[125],"abnormal":[127,142,184],"behavior":[128],"host.":[131],"The":[132,157],"results":[133],"show":[134],"can":[139],"effectively":[140],"detect":[141],"event":[143],"logs.":[144],"Moreover,":[145],"reduce":[147],"number":[149],"alarms":[152],"up":[154],"97.67%.":[156],"improvement":[158],"dramatically":[159],"reduces":[160],"heavy":[162],"burdens":[163],"maintainers":[167],"analyses":[170],"records.":[173],"Furthermore,":[174],"performance":[176],"designed":[179],"shows":[181],"neural":[190,197],"network":[191,198],"is":[192],"superior":[193]},"counts_by_year":[],"updated_date":"2026-03-27T05:58:40.876381","created_date":"2026-02-25T00:00:00"}