{"id":"https://openalex.org/W7084753414","doi":"https://doi.org/10.1109/tifs.2025.3618381","title":"SauronEyes: Disentangling Voluminous Logs to Unveil Camouflaged Attack Intentions","display_name":"SauronEyes: Disentangling Voluminous Logs to Unveil Camouflaged Attack Intentions","publication_year":2025,"publication_date":"2025-01-01","ids":{"openalex":"https://openalex.org/W7084753414","doi":"https://doi.org/10.1109/tifs.2025.3618381"},"language":"en","primary_location":{"id":"doi:10.1109/tifs.2025.3618381","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tifs.2025.3618381","pdf_url":null,"source":{"id":"https://openalex.org/S61310614","display_name":"IEEE Transactions on Information Forensics and Security","issn_l":"1556-6013","issn":["1556-6013","1556-6021"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Information Forensics and Security","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":null,"display_name":"Wei Qiao","orcid":"https://orcid.org/0000-0003-1561-9466"},"institutions":[{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"government","lineage":["https://openalex.org/I19820366"]},{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information 
Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Wei Qiao","raw_affiliation_strings":["Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Weiheng Wu","orcid":null},"institutions":[{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"government","lineage":["https://openalex.org/I19820366"]},{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Weiheng Wu","raw_affiliation_strings":["Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Song Liu","orcid":null},"institutions":[{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"government","lineage":["https://openalex.org/I19820366"]},{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information 
Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Song Liu","raw_affiliation_strings":["Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Yebo Feng","orcid":"https://orcid.org/0000-0002-7235-2377"},"institutions":[{"id":"https://openalex.org/I172675005","display_name":"Nanyang Technological University","ror":"https://ror.org/02e7b5302","country_code":"SG","type":"education","lineage":["https://openalex.org/I172675005"]}],"countries":["SG"],"is_corresponding":false,"raw_author_name":"Yebo Feng","raw_affiliation_strings":["Nanyang Technological University, Jurong West, Singapore"],"affiliations":[{"raw_affiliation_string":"Nanyang Technological University, Jurong West, Singapore","institution_ids":["https://openalex.org/I172675005"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Zehui Wang","orcid":null},"institutions":[{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"government","lineage":["https://openalex.org/I19820366"]},{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Zehui Wang","raw_affiliation_strings":["Institute of Information Engineering, Chinese Academy of Sciences, Beijing, 
China"],"affiliations":[{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Junrong Liu","orcid":"https://orcid.org/0009-0003-3383-2292"},"institutions":[{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"government","lineage":["https://openalex.org/I19820366"]},{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Junrong Liu","raw_affiliation_strings":["Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Teng Li","orcid":"https://orcid.org/0000-0001-5147-8336"},"institutions":[{"id":"https://openalex.org/I149594827","display_name":"Xidian University","ror":"https://ror.org/05s92vm98","country_code":"CN","type":"education","lineage":["https://openalex.org/I149594827"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Teng Li","raw_affiliation_strings":["School of Cyber Engineering, Xidian University, Xi’an, China"],"affiliations":[{"raw_affiliation_string":"School of Cyber Engineering, Xidian University, Xi’an, China","institution_ids":["https://openalex.org/I149594827"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Bo 
Jiang","orcid":"https://orcid.org/0000-0002-7185-990X"},"institutions":[{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"government","lineage":["https://openalex.org/I19820366"]},{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Bo Jiang","raw_affiliation_strings":["Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Zhigang Lu","orcid":null},"institutions":[{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"government","lineage":["https://openalex.org/I19820366"]},{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Zhigang Lu","raw_affiliation_strings":["Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]}]},{"author_position":"last","author":{"id":null,"display_name":"Baoxu 
Liu","orcid":null},"institutions":[{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"government","lineage":["https://openalex.org/I19820366"]},{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Baoxu Liu","raw_affiliation_strings":["Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":10,"corresponding_author_ids":[],"corresponding_institution_ids":["https://openalex.org/I19820366","https://openalex.org/I4210156404"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.4953898,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"20","issue":null,"first_page":"11744","last_page":"11758"},"is_retracted":false,"is_paratext":false,"is_xpac":true,"primary_topic":{"id":"https://openalex.org/T11451","display_name":"Advanced Machining and Optimization Techniques","score":0.9614999890327454,"subfield":{"id":"https://openalex.org/subfields/2208","display_name":"Electrical and Electronic Engineering"},"field":{"id":"https://openalex.org/fields/22","display_name":"Engineering"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11451","display_name":"Advanced Machining and Optimization 
Techniques","score":0.9614999890327454,"subfield":{"id":"https://openalex.org/subfields/2208","display_name":"Electrical and Electronic Engineering"},"field":{"id":"https://openalex.org/fields/22","display_name":"Engineering"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10188","display_name":"Advanced machining processes and optimization","score":0.011900000274181366,"subfield":{"id":"https://openalex.org/subfields/2210","display_name":"Mechanical Engineering"},"field":{"id":"https://openalex.org/fields/22","display_name":"Engineering"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11954","display_name":"Energy Efficiency and Management","score":0.00139999995008111,"subfield":{"id":"https://openalex.org/subfields/2105","display_name":"Renewable Energy, Sustainability and the Environment"},"field":{"id":"https://openalex.org/fields/21","display_name":"Energy"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/audit","display_name":"Audit","score":0.6509000062942505},{"id":"https://openalex.org/keywords/anomaly-detection","display_name":"Anomaly detection","score":0.5960000157356262},{"id":"https://openalex.org/keywords/attack-patterns","display_name":"Attack patterns","score":0.515500009059906},{"id":"https://openalex.org/keywords/attack-model","display_name":"Attack model","score":0.4260999858379364},{"id":"https://openalex.org/keywords/embedding","display_name":"Embedding","score":0.41100001335144043},{"id":"https://openalex.org/keywords/intrusion-detection-system","display_name":"Intrusion detection system","score":0.4009999930858612},{"id":"https://openalex.org/keywords/audit-trail","display_name":"Audit trail","score":0.3725999891757965},{"id":"https://openalex.org/keywords/false-positive-rate","display_name":"False positive 
rate","score":0.3303999900817871}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8313000202178955},{"id":"https://openalex.org/C199521495","wikidata":"https://www.wikidata.org/wiki/Q181487","display_name":"Audit","level":2,"score":0.6509000062942505},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6075000166893005},{"id":"https://openalex.org/C739882","wikidata":"https://www.wikidata.org/wiki/Q3560506","display_name":"Anomaly detection","level":2,"score":0.5960000157356262},{"id":"https://openalex.org/C2780741293","wikidata":"https://www.wikidata.org/wiki/Q4818019","display_name":"Attack patterns","level":3,"score":0.515500009059906},{"id":"https://openalex.org/C65856478","wikidata":"https://www.wikidata.org/wiki/Q3991682","display_name":"Attack model","level":2,"score":0.4260999858379364},{"id":"https://openalex.org/C41608201","wikidata":"https://www.wikidata.org/wiki/Q980509","display_name":"Embedding","level":2,"score":0.41100001335144043},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.4009999930858612},{"id":"https://openalex.org/C80958533","wikidata":"https://www.wikidata.org/wiki/Q1047174","display_name":"Audit trail","level":3,"score":0.3725999891757965},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.3458000123500824},{"id":"https://openalex.org/C95922358","wikidata":"https://www.wikidata.org/wiki/Q5432725","display_name":"False positive rate","level":2,"score":0.3303999900817871},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine 
learning","level":1,"score":0.31779998540878296},{"id":"https://openalex.org/C50747538","wikidata":"https://www.wikidata.org/wiki/Q7001032","display_name":"Network forensics","level":3,"score":0.3149000108242035},{"id":"https://openalex.org/C62611344","wikidata":"https://www.wikidata.org/wiki/Q1062658","display_name":"Node (physics)","level":2,"score":0.3000999987125397},{"id":"https://openalex.org/C132525143","wikidata":"https://www.wikidata.org/wiki/Q141488","display_name":"Graph","level":2,"score":0.2980000078678131},{"id":"https://openalex.org/C59404180","wikidata":"https://www.wikidata.org/wiki/Q17013334","display_name":"Feature learning","level":2,"score":0.28679999709129333},{"id":"https://openalex.org/C2522767166","wikidata":"https://www.wikidata.org/wiki/Q2374463","display_name":"Data science","level":1,"score":0.26249998807907104},{"id":"https://openalex.org/C51632099","wikidata":"https://www.wikidata.org/wiki/Q3985153","display_name":"Training set","level":2,"score":0.2623000144958496},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.258899986743927},{"id":"https://openalex.org/C182590292","wikidata":"https://www.wikidata.org/wiki/Q989632","display_name":"Network security","level":2,"score":0.25519999861717224},{"id":"https://openalex.org/C137822555","wikidata":"https://www.wikidata.org/wiki/Q2587068","display_name":"Information sensitivity","level":2,"score":0.25290000438690186},{"id":"https://openalex.org/C67186912","wikidata":"https://www.wikidata.org/wiki/Q367664","display_name":"Data modeling","level":2,"score":0.25099998712539673}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/tifs.2025.3618381","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tifs.2025.3618381","pdf_url":null,"source":{"id":"https://openalex.org/S61310614","display_name":"IEEE Transactions on Information Forensics and 
Security","issn_l":"1556-6013","issn":["1556-6013","1556-6021"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Information Forensics and Security","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G8103677214","display_name":null,"funder_award_id":"No.2023YFC2206402","funder_id":"https://openalex.org/F4320335777","funder_display_name":"National Key Research and Development Program of China"},{"id":"https://openalex.org/G8268380026","display_name":null,"funder_award_id":"62272370","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"}],"funders":[{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"},{"id":"https://openalex.org/F4320321133","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35"},{"id":"https://openalex.org/F4320335777","display_name":"National Key Research and Development Program of 
China","ror":null}],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":36,"referenced_works":["https://openalex.org/W168132470","https://openalex.org/W2131681506","https://openalex.org/W2139694940","https://openalex.org/W2163922914","https://openalex.org/W2244109919","https://openalex.org/W2560810941","https://openalex.org/W2747669027","https://openalex.org/W2766852928","https://openalex.org/W2790557990","https://openalex.org/W2891432086","https://openalex.org/W2947745012","https://openalex.org/W2962703433","https://openalex.org/W2962917899","https://openalex.org/W2978956219","https://openalex.org/W2986944522","https://openalex.org/W2998038410","https://openalex.org/W3006711782","https://openalex.org/W3008991042","https://openalex.org/W3015650867","https://openalex.org/W3044311607","https://openalex.org/W3109160943","https://openalex.org/W3110889769","https://openalex.org/W3129482887","https://openalex.org/W3158906645","https://openalex.org/W3194849385","https://openalex.org/W3212868562","https://openalex.org/W4284666445","https://openalex.org/W4288057803","https://openalex.org/W4294170691","https://openalex.org/W4324007191","https://openalex.org/W4372342980","https://openalex.org/W4380433161","https://openalex.org/W4391655576","https://openalex.org/W4402265033","https://openalex.org/W4402288718","https://openalex.org/W4412455369"],"related_works":[],"abstract_inverted_index":{"Advanced":[0],"Persistent":[1],"Threats":[2],"(APTs)":[3],"pose":[4],"escalating":[5],"risks":[6],"to":[7,57,65,87,122,138,157],"large":[8],"enterprises":[9],"and":[10,106,133,162,183,197,213,230],"institutions.":[11],"While":[12],"current":[13],"research":[14],"has":[15],"predominantly":[16],"focused":[17],"on":[18,110],"data":[19],"source":[20],"analysis":[21],"for":[22,205],"identifying":[23],"known":[24],"attack":[25,75,85,107,191,215],"patterns":[26],"or":[27],"anomalous":[28],"behaviors,":[29],"three":[30],"critical":[31],"challenges":[32],"remai
n":[33],"inadequately":[34],"addressed:":[35],"1)":[36],"APTs":[37,72],"demonstrate":[38,217],"sophisticated":[39],"concealment":[40],"capabilities,":[41],"embedding":[42],"malicious":[43,59],"operations":[44],"within":[45,67,175],"legitimate":[46],"business":[47],"activities;":[48],"2)":[49],"The":[50],"sparse":[51],"nature":[52],"of":[53,100,103,171,228],"APT":[54,118],"attacks":[55],"leads":[56],"low-frequency":[58],"activities":[60],"that":[61,201,218],"prove":[62],"exceptionally":[63],"challenging":[64],"detect":[66],"massive":[68],"log":[69],"datasets;":[70],"3)":[71],"employ":[73],"multi-stage":[74],"chains,":[76],"whereas":[77],"existing":[78],"solutions":[79],"exhibit":[80],"limitations":[81],"in":[82,210],"reconstructing":[83],"complete":[84],"pathways":[86],"enable":[88],"effective":[89],"forensic":[90],"analysis.":[91,207],"In":[92],"this":[93],"paper,":[94],"we":[95,152],"address":[96],"the":[97,101,116,159,172,190,194],"detrimental":[98],"effects":[99],"sparsity":[102],"malevolent":[104],"interactions":[105],"intent":[108],"camouflaging":[109],"anomaly":[111],"detection":[112,119,185,226],"by":[113],"introducing":[114],"SAURONEYES,":[115],"pioneering":[117],"system":[120,176],"tailored":[121],"resolve":[123],"these":[124,137],"challenges.":[125],"SAURONEYES":[126,178,188,219],"constructs":[127],"audit":[128],"logs":[129],"into":[130],"both":[131],"knowledge":[132],"interaction":[134],"views,":[135],"disentangling":[136],"learn":[139],"representations":[140],"through":[141],"graph":[142],"learning":[143,156],"enhanced":[144],"with":[145,223],"an":[146,199,224],"attention-based":[147],"neighbor":[148],"allocation":[149],"mechanism.":[150],"Additionally,":[151],"incorporate":[153],"self-supervised":[154],"contrastive":[155],"discern":[158],"subtle":[160],"similarities":[161],"distinctions":[163],"among":[164],"disentangled":[165],"samples,":[166],"facilitating":[167],"a":[168,231],"deeper":[169],"understanding":[170],"inherent":[173],"structures":[174],"i
nteractions.":[177],"thus":[179],"boasts":[180],"heightened":[181],"sensitivity":[182],"granular":[184],"capabilities.":[186],"Finally,":[187],"reconstructs":[189],"chain":[192],"at":[193],"node":[195],"level":[196],"presents":[198],"attack-chain":[200],"is":[202],"more":[203],"accessible":[204],"security":[206],"Our":[208],"evaluations":[209],"real-world":[211],"scenarios":[212],"simulated":[214],"environments":[216],"achieves":[220],"outstanding":[221],"accuracy,":[222],"average":[225],"rate":[227,234],"99%":[229],"false":[232],"positive":[233],"below":[235],"0.1%.":[236]},"counts_by_year":[],"updated_date":"2026-04-09T08:11:56.329763","created_date":"2025-10-10T00:00:00"}
