{"id":"https://openalex.org/W4413395030","doi":"https://doi.org/10.1109/tifs.2025.3601381","title":"TeRed: Normal Behavior-Based Efficient Provenance Graph Reduction for Large-Scale Attack Forensics","display_name":"TeRed: Normal Behavior-Based Efficient Provenance Graph Reduction for Large-Scale Attack Forensics","publication_year":2025,"publication_date":"2025-01-01","ids":{"openalex":"https://openalex.org/W4413395030","doi":"https://doi.org/10.1109/tifs.2025.3601381"},"language":"en","primary_location":{"id":"doi:10.1109/tifs.2025.3601381","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tifs.2025.3601381","pdf_url":null,"source":{"id":"https://openalex.org/S61310614","display_name":"IEEE Transactions on Information Forensics and Security","issn_l":"1556-6013","issn":["1556-6013","1556-6021"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Information Forensics and Security","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5073737220","display_name":"Xiaoxiang Li","orcid":null},"institutions":[{"id":"https://openalex.org/I99065089","display_name":"Tsinghua University","ror":"https://ror.org/03cve4549","country_code":"CN","type":"education","lineage":["https://openalex.org/I99065089"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Xiaoxiang Li","raw_affiliation_strings":["Beijing National Research Center for Information Science and Technology (BNRist), Key Laboratory for Information System Security, Ministry of Education (KLISS), School of Software, Tsinghua University, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Beijing National Research Center for Information Science and Technology (BNRist), Key Laboratory for Information System Security, Ministry of Education (KLISS), School of Software, Tsinghua University, Beijing, China","institution_ids":["https://openalex.org/I99065089"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5012481721","display_name":"Xinyu Jiang","orcid":"https://orcid.org/0000-0002-1035-6364"},"institutions":[{"id":"https://openalex.org/I99065089","display_name":"Tsinghua University","ror":"https://ror.org/03cve4549","country_code":"CN","type":"education","lineage":["https://openalex.org/I99065089"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Xinyu Jiang","raw_affiliation_strings":["Beijing National Research Center for Information Science and Technology (BNRist), Key Laboratory for Information System Security, Ministry of Education (KLISS), School of Software, Tsinghua University, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Beijing National Research Center for Information Science and Technology (BNRist), Key Laboratory for Information System Security, Ministry of Education (KLISS), School of Software, Tsinghua University, Beijing, China","institution_ids":["https://openalex.org/I99065089"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5073617379","display_name":"Hai Wan","orcid":"https://orcid.org/0000-0002-9608-5808"},"institutions":[{"id":"https://openalex.org/I99065089","display_name":"Tsinghua University","ror":"https://ror.org/03cve4549","country_code":"CN","type":"education","lineage":["https://openalex.org/I99065089"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Hai Wan","raw_affiliation_strings":["Beijing National Research Center for Information Science and Technology (BNRist), Key Laboratory for Information System Security, Ministry of Education (KLISS), School of Software, Tsinghua University, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Beijing National Research Center for Information Science and Technology (BNRist), Key Laboratory for Information System Security, Ministry of Education (KLISS), School of Software, Tsinghua University, Beijing, China","institution_ids":["https://openalex.org/I99065089"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5100773043","display_name":"Xibin Zhao","orcid":"https://orcid.org/0000-0002-6168-7016"},"institutions":[{"id":"https://openalex.org/I99065089","display_name":"Tsinghua University","ror":"https://ror.org/03cve4549","country_code":"CN","type":"education","lineage":["https://openalex.org/I99065089"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Xibin Zhao","raw_affiliation_strings":["Beijing National Research Center for Information Science and Technology (BNRist), Key Laboratory for Information System Security, Ministry of Education (KLISS), School of Software, Tsinghua University, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Beijing National Research Center for Information Science and Technology (BNRist), Key Laboratory for Information System Security, Ministry of Education (KLISS), School of Software, Tsinghua University, Beijing, China","institution_ids":["https://openalex.org/I99065089"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5073737220"],"corresponding_institution_ids":["https://openalex.org/I99065089"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.31819914,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"20","issue":null,"first_page":"9463","last_page":"9476"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12034","display_name":"Digital and Cyber Forensics","score":0.9944999814033508,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12034","display_name":"Digital and Cyber Forensics","score":0.9944999814033508,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11986","display_name":"Scientific Computing and Data Management","score":0.984000027179718,"subfield":{"id":"https://openalex.org/subfields/1802","display_name":"Information Systems and Management"},"field":{"id":"https://openalex.org/fields/18","display_name":"Decision Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T11719","display_name":"Data Quality and Management","score":0.9531000256538391,"subfield":{"id":"https://openalex.org/subfields/1803","display_name":"Management Science and Operations Research"},"field":{"id":"https://openalex.org/fields/18","display_name":"Decision Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.785819411277771},{"id":"https://openalex.org/keywords/reduction","display_name":"Reduction (mathematics)","score":0.5468071699142456},{"id":"https://openalex.org/keywords/provenance","display_name":"Provenance","score":0.48304063081741333},{"id":"https://openalex.org/keywords/scale","display_name":"Scale (ratio)","score":0.44872137904167175},{"id":"https://openalex.org/keywords/graph","display_name":"Graph","score":0.43813690543174744},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.42490291595458984},{"id":"https://openalex.org/keywords/theoretical-computer-science","display_name":"Theoretical computer science","score":0.22746431827545166},{"id":"https://openalex.org/keywords/mathematics","display_name":"Mathematics","score":0.12271988391876221},{"id":"https://openalex.org/keywords/geology","display_name":"Geology","score":0.0910697877407074}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.785819411277771},{"id":"https://openalex.org/C111335779","wikidata":"https://www.wikidata.org/wiki/Q3454686","display_name":"Reduction (mathematics)","level":2,"score":0.5468071699142456},{"id":"https://openalex.org/C2780049196","wikidata":"https://www.wikidata.org/wiki/Q23582628","display_name":"Provenance","level":2,"score":0.48304063081741333},{"id":"https://openalex.org/C2778755073","wikidata":"https://www.wikidata.org/wiki/Q10858537","display_name":"Scale (ratio)","level":2,"score":0.44872137904167175},{"id":"https://openalex.org/C132525143","wikidata":"https://www.wikidata.org/wiki/Q141488","display_name":"Graph","level":2,"score":0.43813690543174744},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.42490291595458984},{"id":"https://openalex.org/C80444323","wikidata":"https://www.wikidata.org/wiki/Q2878974","display_name":"Theoretical computer science","level":1,"score":0.22746431827545166},{"id":"https://openalex.org/C33923547","wikidata":"https://www.wikidata.org/wiki/Q395","display_name":"Mathematics","level":0,"score":0.12271988391876221},{"id":"https://openalex.org/C127313418","wikidata":"https://www.wikidata.org/wiki/Q1069","display_name":"Geology","level":0,"score":0.0910697877407074},{"id":"https://openalex.org/C2524010","wikidata":"https://www.wikidata.org/wiki/Q8087","display_name":"Geometry","level":1,"score":0.0},{"id":"https://openalex.org/C62520636","wikidata":"https://www.wikidata.org/wiki/Q944","display_name":"Quantum mechanics","level":1,"score":0.0},{"id":"https://openalex.org/C5900021","wikidata":"https://www.wikidata.org/wiki/Q163082","display_name":"Petrology","level":1,"score":0.0},{"id":"https://openalex.org/C121332964","wikidata":"https://www.wikidata.org/wiki/Q413","display_name":"Physics","level":0,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/tifs.2025.3601381","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tifs.2025.3601381","pdf_url":null,"source":{"id":"https://openalex.org/S61310614","display_name":"IEEE Transactions on Information Forensics and Security","issn_l":"1556-6013","issn":["1556-6013","1556-6021"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Information Forensics and Security","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G1100049447","display_name":null,"funder_award_id":"6212780016","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G387533902","display_name":null,"funder_award_id":"2023YFB3307500","funder_id":"https://openalex.org/F4320323970","funder_display_name":"Ministry of Industry and Information Technology of the People's Republic of China"},{"id":"https://openalex.org/G8468279689","display_name":null,"funder_award_id":"2024B0101030002","funder_id":"https://openalex.org/F4320335795","funder_display_name":"Science and Technology Planning Project of Guangdong Province"},{"id":"https://openalex.org/G8842463778","display_name":null,"funder_award_id":"2023RC4014","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"}],"funders":[{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"},{"id":"https://openalex.org/F4320323970","display_name":"Ministry of Industry and Information Technology of the People's Republic of China","ror":"https://ror.org/0385nmy68"},{"id":"https://openalex.org/F4320335795","display_name":"Science and Technology Planning Project of Guangdong Province","ror":null}],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":34,"referenced_works":["https://openalex.org/W1582690601","https://openalex.org/W2000041758","https://openalex.org/W2018900730","https://openalex.org/W2029852131","https://openalex.org/W2068132916","https://openalex.org/W2082773934","https://openalex.org/W2096347345","https://openalex.org/W2147010252","https://openalex.org/W2147344024","https://openalex.org/W2147405597","https://openalex.org/W2170726034","https://openalex.org/W2266568276","https://openalex.org/W2284900416","https://openalex.org/W2532844970","https://openalex.org/W2747669027","https://openalex.org/W2767094836","https://openalex.org/W2792591096","https://openalex.org/W2889727957","https://openalex.org/W2978956219","https://openalex.org/W2998038410","https://openalex.org/W2999013495","https://openalex.org/W3006711782","https://openalex.org/W3008508243","https://openalex.org/W3008991042","https://openalex.org/W3094213939","https://openalex.org/W3109160943","https://openalex.org/W3138838255","https://openalex.org/W3143573050","https://openalex.org/W3195954353","https://openalex.org/W3200583622","https://openalex.org/W4311165723","https://openalex.org/W4380433106","https://openalex.org/W4384948624","https://openalex.org/W4385679792"],"related_works":["https://openalex.org/W2354627941","https://openalex.org/W2347483153","https://openalex.org/W2353379336","https://openalex.org/W2379683085","https://openalex.org/W2363868702","https://openalex.org/W2374448931","https://openalex.org/W2376723740","https://openalex.org/W2370535391","https://openalex.org/W2370679613","https://openalex.org/W2380057024"],"abstract_inverted_index":{"System":[0],"intrusions,":[1],"particularly":[2],"Advanced":[3],"Persistent":[4],"Threats":[5],"(APTs),":[6],"pose":[7],"significant":[8,146],"threats":[9],"to":[10,103,114],"enterprises":[11],"and":[12,18,49,52,80,143],"organizations.":[13],"Provenance":[14],"graph-based":[15],"attack":[16,78,141],"detection":[17,79,142],"investigation":[19],"methods":[20,69],"are":[21,111],"crucial":[22],"for":[23,89],"defending":[24],"against":[25],"these":[26,56],"intrusions.":[27],"To":[28],"detect":[29],"various":[30],"attacks,":[31],"security":[32,74],"systems":[33],"collect":[34],"comprehensive":[35],"operating":[36],"system":[37],"event":[38],"data,":[39],"resulting":[40],"in":[41],"massive":[42],"provenance":[43,57,91,117,129],"graphs":[44,58,92],"that":[45,124],"increase":[46],"storage":[47],"costs":[48],"complicate":[50],"analysis":[51],"querying.":[53],"Efficiently":[54],"optimizing":[55],"has":[59],"thus":[60],"become":[61],"a":[62,86],"core":[63],"issue.":[64],"However,":[65],"existing":[66],"data":[67,150],"reduction":[68,151],"often":[70],"mistakenly":[71],"delete":[72],"critical":[73],"information,":[75],"significantly":[76],"impacting":[77],"investigation.":[81],"This":[82],"paper":[83],"introduces":[84],"TeRed,":[85],"novel":[87],"method":[88,126],"reducing":[90],"based":[93],"on":[94,120],"normal":[95,107],"behavior":[96,108],"patterns.":[97],"Our":[98],"approach":[99],"employs":[100],"unit":[101],"tests":[102],"learn":[104],"the":[105,116,128],"system\u2019s":[106],"patterns,":[109],"which":[110],"then":[112],"used":[113],"streamline":[115],"graph.":[118],"Experiments":[119],"five":[121],"datasets":[122],"show":[123],"our":[125],"reduces":[127],"graph":[130],"while":[131],"preserving":[132],"all":[133],"attack-related":[134],"information.":[135],"Importantly,":[136],"it":[137],"does":[138],"not":[139],"compromise":[140],"investigation,":[144],"showcasing":[145],"advantages":[147],"over":[148],"other":[149],"techniques.":[152]},"counts_by_year":[],"updated_date":"2026-04-09T08:11:56.329763","created_date":"2025-10-10T00:00:00"}