{"id":"https://openalex.org/W3128070938","doi":"https://doi.org/10.1109/tnsm.2021.3056999","title":"From TTP to IoC: Advanced Persistent Graphs for Threat Hunting","display_name":"From TTP to IoC: Advanced Persistent Graphs for Threat Hunting","publication_year":2021,"publication_date":"2021-02-03","ids":{"openalex":"https://openalex.org/W3128070938","doi":"https://doi.org/10.1109/tnsm.2021.3056999","mag":"3128070938"},"language":"en","primary_location":{"id":"doi:10.1109/tnsm.2021.3056999","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tnsm.2021.3056999","pdf_url":null,"source":{"id":"https://openalex.org/S173527311","display_name":"IEEE Transactions on Network and Service Management","issn_l":"1932-4537","issn":["1932-4537","2373-7379"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Network and Service Management","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://inria.hal.science/hal-03131262","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5067903450","display_name":"Aimad Berady","orcid":"https://orcid.org/0000-0001-7515-271X"},"institutions":[{"id":"https://openalex.org/I1294671590","display_name":"Centre National de la Recherche Scientifique","ror":"https://ror.org/02feahw73","country_code":"FR","type":"government","lineage":["https://openalex.org/I1294671590"]},{"id":"https://openalex.org/I1326498283","display_name":"Institut national de recherche en sciences et technologies du num\u00e9rique","ror":"https://ror.org/02kvxyf05","country_code":"FR","type":"government","lineage":["https://openalex.org/I1326498283"]},{"id":"https://openalex.org/I2802519937","display_name":"Institut de Recherche en Informatique et Syst\u00e8mes Al\u00e9atoires","ror":"https://ror.org/00myn0z94","country_code":"FR","type":"facility","lineage":["https://openalex.org/I1294671590","https://openalex.org/I1294671590","https://openalex.org/I1326498283","https://openalex.org/I205703379","https://openalex.org/I2802204017","https://openalex.org/I2802519937","https://openalex.org/I28221208","https://openalex.org/I4210127572","https://openalex.org/I4210159245","https://openalex.org/I56067802"]}],"countries":["FR"],"is_corresponding":true,"raw_author_name":"Aimad Berady","raw_affiliation_strings":["CentraleSup\u00e9lec, Inria, University Rennes, CNRS, IRISA, Rennes, France","CIDRE - Confidentialit\u00e9, Int\u00e9grit\u00e9, Disponibilit\u00e9 et R\u00e9partition (France)"],"affiliations":[{"raw_affiliation_string":"CentraleSup\u00e9lec, Inria, University Rennes, CNRS, IRISA, Rennes, France","institution_ids":["https://openalex.org/I2802519937","https://openalex.org/I1326498283","https://openalex.org/I1294671590"]},{"raw_affiliation_string":"CIDRE - Confidentialit\u00e9, Int\u00e9grit\u00e9, Disponibilit\u00e9 et R\u00e9partition (France)","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5030156758","display_name":"Mathieu Jaume","orcid":"https://orcid.org/0000-0002-5714-3251"},"institutions":[{"id":"https://openalex.org/I1294671590","display_name":"Centre National de la Recherche Scientifique","ror":"https://ror.org/02feahw73","country_code":"FR","type":"government","lineage":["https://openalex.org/I1294671590"]},{"id":"https://openalex.org/I204730241","display_name":"Universit\u00e9 Paris Cit\u00e9","ror":"https://ror.org/05f82e368","country_code":"FR","type":"education","lineage":["https://openalex.org/I204730241"]},{"id":"https://openalex.org/I39804081","display_name":"Sorbonne Universit\u00e9","ror":"https://ror.org/02en5vm52","country_code":"FR","type":"education","lineage":["https://openalex.org/I39804081"]},{"id":"https://openalex.org/I4210159731","display_name":"LIP6","ror":"https://ror.org/05krcen59","country_code":"FR","type":"facility","lineage":["https://openalex.org/I1294671590","https://openalex.org/I1294671590","https://openalex.org/I39804081","https://openalex.org/I4210159245","https://openalex.org/I4210159731"]}],"countries":["FR"],"is_corresponding":false,"raw_author_name":"Mathieu Jaume","raw_affiliation_strings":["Sorbonne Universit\u00e9, CNRS, LIP6, Paris, France","MoVe - Mod\u00e9lisation et V\u00e9rification (France)"],"affiliations":[{"raw_affiliation_string":"Sorbonne Universit\u00e9, CNRS, LIP6, Paris, France","institution_ids":["https://openalex.org/I4210159731","https://openalex.org/I204730241","https://openalex.org/I1294671590","https://openalex.org/I39804081"]},{"raw_affiliation_string":"MoVe - Mod\u00e9lisation et V\u00e9rification (France)","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5055063840","display_name":"Val\u00e9rie Vi\u00eat Tri\u00eam T\u00f4ng","orcid":"https://orcid.org/0000-0003-4838-2952"},"institutions":[{"id":"https://openalex.org/I1294671590","display_name":"Centre National de la Recherche Scientifique","ror":"https://ror.org/02feahw73","country_code":"FR","type":"government","lineage":["https://openalex.org/I1294671590"]},{"id":"https://openalex.org/I1326498283","display_name":"Institut national de recherche en sciences et technologies du num\u00e9rique","ror":"https://ror.org/02kvxyf05","country_code":"FR","type":"government","lineage":["https://openalex.org/I1326498283"]},{"id":"https://openalex.org/I2802519937","display_name":"Institut de Recherche en Informatique et Syst\u00e8mes Al\u00e9atoires","ror":"https://ror.org/00myn0z94","country_code":"FR","type":"facility","lineage":["https://openalex.org/I1294671590","https://openalex.org/I1294671590","https://openalex.org/I1326498283","https://openalex.org/I205703379","https://openalex.org/I2802204017","https://openalex.org/I2802519937","https://openalex.org/I28221208","https://openalex.org/I4210127572","https://openalex.org/I4210159245","https://openalex.org/I56067802"]}],"countries":["FR"],"is_corresponding":false,"raw_author_name":"Valerie Viet Triem Tong","raw_affiliation_strings":["CentraleSup\u00e9lec, Inria, University Rennes, CNRS, IRISA, Rennes, France","CIDRE - Confidentialit\u00e9, Int\u00e9grit\u00e9, Disponibilit\u00e9 et R\u00e9partition (France)"],"affiliations":[{"raw_affiliation_string":"CentraleSup\u00e9lec, Inria, University Rennes, CNRS, IRISA, Rennes, France","institution_ids":["https://openalex.org/I2802519937","https://openalex.org/I1326498283","https://openalex.org/I1294671590"]},{"raw_affiliation_string":"CIDRE - Confidentialit\u00e9, Int\u00e9grit\u00e9, Disponibilit\u00e9 et R\u00e9partition (France)","institution_ids":[]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5052795665","display_name":"Gilles Guette","orcid":null},"institutions":[{"id":"https://openalex.org/I1294671590","display_name":"Centre National de la Recherche Scientifique","ror":"https://ror.org/02feahw73","country_code":"FR","type":"government","lineage":["https://openalex.org/I1294671590"]},{"id":"https://openalex.org/I1326498283","display_name":"Institut national de recherche en sciences et technologies du num\u00e9rique","ror":"https://ror.org/02kvxyf05","country_code":"FR","type":"government","lineage":["https://openalex.org/I1326498283"]},{"id":"https://openalex.org/I2802519937","display_name":"Institut de Recherche en Informatique et Syst\u00e8mes Al\u00e9atoires","ror":"https://ror.org/00myn0z94","country_code":"FR","type":"facility","lineage":["https://openalex.org/I1294671590","https://openalex.org/I1294671590","https://openalex.org/I1326498283","https://openalex.org/I205703379","https://openalex.org/I2802204017","https://openalex.org/I2802519937","https://openalex.org/I28221208","https://openalex.org/I4210127572","https://openalex.org/I4210159245","https://openalex.org/I56067802"]}],"countries":["FR"],"is_corresponding":false,"raw_author_name":"Gilles Guette","raw_affiliation_strings":["CentraleSup\u00e9lec, Inria, University Rennes, CNRS, IRISA, Rennes, France","CIDRE - Confidentialit\u00e9, Int\u00e9grit\u00e9, Disponibilit\u00e9 et R\u00e9partition (France)"],"affiliations":[{"raw_affiliation_string":"CentraleSup\u00e9lec, Inria, University Rennes, CNRS, IRISA, Rennes, France","institution_ids":["https://openalex.org/I2802519937","https://openalex.org/I1326498283","https://openalex.org/I1294671590"]},{"raw_affiliation_string":"CIDRE - Confidentialit\u00e9, Int\u00e9grit\u00e9, Disponibilit\u00e9 et R\u00e9partition (France)","institution_ids":[]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5067903450"],"corresponding_institution_ids":["https://openalex.org/I1294671590","https://openalex.org/I1326498283","https://openalex.org/I2802519937"],"apc_list":null,"apc_paid":null,"fwci":3.9823,"has_fulltext":false,"cited_by_count":36,"citation_normalized_percentile":{"value":0.93658365,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":93,"max":99},"biblio":{"volume":"18","issue":"2","first_page":"1321","last_page":"1333"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9991000294685364,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9991000294685364,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10064","display_name":"Complex Network Analysis Techniques","score":0.9984999895095825,"subfield":{"id":"https://openalex.org/subfields/3109","display_name":"Statistical and Nonlinear Physics"},"field":{"id":"https://openalex.org/fields/31","display_name":"Physics and Astronomy"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9958999752998352,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8203006982803345},{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.8148521184921265},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.7758306264877319},{"id":"https://openalex.org/keywords/adversary","display_name":"Adversary","score":0.6857157945632935},{"id":"https://openalex.org/keywords/false-positive-paradox","display_name":"False positive paradox","score":0.5615743398666382},{"id":"https://openalex.org/keywords/threat-model","display_name":"Threat model","score":0.5008814334869385},{"id":"https://openalex.org/keywords/set","display_name":"Set (abstract data type)","score":0.4588916599750519},{"id":"https://openalex.org/keywords/quality","display_name":"Quality (philosophy)","score":0.4293574094772339},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.19940420985221863}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8203006982803345},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.8148521184921265},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.7758306264877319},{"id":"https://openalex.org/C41065033","wikidata":"https://www.wikidata.org/wiki/Q2825412","display_name":"Adversary","level":2,"score":0.6857157945632935},{"id":"https://openalex.org/C64869954","wikidata":"https://www.wikidata.org/wiki/Q1859747","display_name":"False positive paradox","level":2,"score":0.5615743398666382},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.5008814334869385},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.4588916599750519},{"id":"https://openalex.org/C2779530757","wikidata":"https://www.wikidata.org/wiki/Q1207505","display_name":"Quality (philosophy)","level":2,"score":0.4293574094772339},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.19940420985221863},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.0},{"id":"https://openalex.org/C111472728","wikidata":"https://www.wikidata.org/wiki/Q9471","display_name":"Epistemology","level":1,"score":0.0},{"id":"https://openalex.org/C138885662","wikidata":"https://www.wikidata.org/wiki/Q5891","display_name":"Philosophy","level":0,"score":0.0}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1109/tnsm.2021.3056999","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tnsm.2021.3056999","pdf_url":null,"source":{"id":"https://openalex.org/S173527311","display_name":"IEEE Transactions on Network and Service Management","issn_l":"1932-4537","issn":["1932-4537","2373-7379"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Network and Service Management","raw_type":"journal-article"},{"id":"pmh:oai:HAL:hal-03131262v1","is_oa":true,"landing_page_url":"https://inria.hal.science/hal-03131262","pdf_url":null,"source":{"id":"https://openalex.org/S4306402512","display_name":"HAL (Le Centre pour la Communication Scientifique Directe)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I1294671590","host_organization_name":"Centre National de la Recherche Scientifique","host_organization_lineage":["https://openalex.org/I1294671590"],"host_organization_lineage_names":[],"type":"repository"},"license":"other-oa","license_id":"https://openalex.org/licenses/other-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"IEEE Transactions on Network and Service Management, 2021, Special Issue on Latest Developments for Security Management of Networks and Services, 18 (2), pp.1321 - 1333. ⟨10.1109/TNSM.2021.3056999⟩","raw_type":"Journal articles"}],"best_oa_location":{"id":"pmh:oai:HAL:hal-03131262v1","is_oa":true,"landing_page_url":"https://inria.hal.science/hal-03131262","pdf_url":null,"source":{"id":"https://openalex.org/S4306402512","display_name":"HAL (Le Centre pour la Communication Scientifique Directe)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I1294671590","host_organization_name":"Centre National de la Recherche Scientifique","host_organization_lineage":["https://openalex.org/I1294671590"],"host_organization_lineage_names":[],"type":"repository"},"license":"other-oa","license_id":"https://openalex.org/licenses/other-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"IEEE Transactions on Network and Service Management, 2021, Special Issue on Latest Developments for Security Management of Networks and Services, 18 (2), pp.1321 - 1333. ⟨10.1109/TNSM.2021.3056999⟩","raw_type":"Journal articles"},"sustainable_development_goals":[{"score":0.4699999988079071,"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":19,"referenced_works":["https://openalex.org/W145844368","https://openalex.org/W2110092041","https://openalex.org/W2560810941","https://openalex.org/W2560828726","https://openalex.org/W2784054170","https://openalex.org/W2843669218","https://openalex.org/W2977489474","https://openalex.org/W2990619902","https://openalex.org/W2990671699","https://openalex.org/W2990900275","https://openalex.org/W2995590922","https://openalex.org/W3013896538","https://openalex.org/W3035166524","https://openalex.org/W3114455162","https://openalex.org/W3115515195","https://openalex.org/W3149878498","https://openalex.org/W4244728560","https://openalex.org/W6769035812","https://openalex.org/W6770670857"],"related_works":["https://openalex.org/W2573831620","https://openalex.org/W2085319386","https://openalex.org/W1551379303","https://openalex.org/W2034199088","https://openalex.org/W1482973429","https://openalex.org/W2157301192","https://openalex.org/W4200223299","https://openalex.org/W3130460901","https://openalex.org/W2335883597","https://openalex.org/W2076205949"],"abstract_inverted_index":{"Defenders":[0],"fighting":[1],"against":[2],"Advanced":[3],"Persistent":[4],"Threats":[5],"need":[6],"to":[7,68,89,105,119,133,178,187],"discover":[8],"the":[9,40,69,96,103,109,113,117,121,159,164,167,174,183,196],"propagation":[10],"area":[11],"of":[12,26,56,71,79,108,123,166],"an":[13,27,57,86,146],"adversary":[14],"as":[15,17],"quickly":[16],"possible.":[18],"This":[19,65],"discovery":[20],"takes":[21],"place":[22],"through":[23],"a":[24,48,76,151,155],"phase":[25],"incident":[28],"response":[29],"operation":[30],"called":[31],"Threat":[32,124,191],"Hunting,":[33],"where":[34],"defenders":[35],"track":[36],"down":[37],"attackers":[38],"within":[39],"compromised":[41],"network.":[42],"In":[43,138],"this":[44,139,143],"article,":[45,140],"we":[46,141],"propose":[47],"formal":[49],"model":[50,66,144],"that":[51],"dissects":[52],"and":[53,62,81,94,100,129,171,193],"abstracts":[54],"elements":[55],"attack,":[58],"from":[59],"both":[60,92],"attacker":[61,104],"defender":[63,93,118,184],"perspectives.":[64],"leads":[67],"construction":[70],"two":[72],"persistent":[73],"graphs":[74],"on":[75,112],"common":[77],"set":[78],"objects":[80],"components":[82],"allowing":[83],"for":[84,91,136],"(1)":[85],"omniscient":[87],"actor":[88],"compare,":[90],"attacker,":[95],"gap":[97],"in":[98,154,185],"knowledge":[99],"perceptions;":[101],"(2)":[102],"become":[106],"aware":[107],"traces":[110],"left":[111],"targeted":[114],"network;":[115],"(3)":[116],"improve":[120],"quality":[122,165],"Hunting":[125],"by":[126,158,182],"identifying":[127],"false-positives":[128],"adapting":[130],"logging":[131],"policy":[132],"be":[134],"oriented":[135],"investigations.":[137],"challenge":[142],"using":[145],"attack":[147],"campaign":[148],"mimicking":[149],"APT29,":[150],"real-world":[152],"threat,":[153],"scenario":[156],"designed":[157],"MITRE":[160],"Corporation.":[161],"We":[162],"measure":[163],"defensive":[168],"architecture":[169],"experimentally":[170],"then":[172],"determine":[173],"most":[175],"effective":[176],"strategy":[177],"exploit":[179],"data":[180],"collected":[181],"order":[186],"extract":[188],"actionable":[189],"Cyber":[190],"Intelligence,":[192],"finally":[194],"unveil":[195],"attacker.":[197]},"counts_by_year":[{"year":2026,"cited_by_count":2},{"year":2025,"cited_by_count":9},{"year":2024,"cited_by_count":9},{"year":2023,"cited_by_count":10},{"year":2022,"cited_by_count":4},{"year":2021,"cited_by_count":2}],"updated_date":"2026-03-27T05:58:40.876381","created_date":"2025-10-10T00:00:00"}