{"id":"https://openalex.org/W3211991114","doi":"https://doi.org/10.1145/3460120.3484762","title":"Themis: Ambiguity-Aware Network Intrusion Detection based on Symbolic Model Comparison","display_name":"Themis: Ambiguity-Aware Network Intrusion Detection based on Symbolic Model Comparison","publication_year":2021,"publication_date":"2021-11-12","ids":{"openalex":"https://openalex.org/W3211991114","doi":"https://doi.org/10.1145/3460120.3484762","mag":"3211991114"},"language":"en","primary_location":{"id":"doi:10.1145/3460120.3484762","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3460120.3484762","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3460120.3484762","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://dl.acm.org/doi/pdf/10.1145/3460120.3484762","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5100738315","display_name":"Zhongjie Wang","orcid":"https://orcid.org/0000-0002-9084-7373"},"institutions":[{"id":"https://openalex.org/I103635307","display_name":"University of California, Riverside","ror":"https://ror.org/03nawhv43","country_code":"US","type":"education","lineage":["https://openalex.org/I103635307"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Zhongjie Wang","raw_affiliation_strings":["University of California, Riverside, Riverside, CA, USA"],"affiliations":[{"raw_affiliation_string":"University of California, Riverside, Riverside, CA, USA","institution_ids":["https://openalex.org/I103635307"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5062977951","display_name":"Shitong Zhu","orcid":null},"institutions":[{"id":"https://openalex.org/I103635307","display_name":"University of California, Riverside","ror":"https://ror.org/03nawhv43","country_code":"US","type":"education","lineage":["https://openalex.org/I103635307"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Shitong Zhu","raw_affiliation_strings":["University of California, Riverside, Riverside, CA, USA"],"affiliations":[{"raw_affiliation_string":"University of California, Riverside, Riverside, CA, USA","institution_ids":["https://openalex.org/I103635307"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5072828043","display_name":"Keyu Man","orcid":"https://orcid.org/0009-0008-4196-2392"},"institutions":[{"id":"https://openalex.org/I103635307","display_name":"University of California, Riverside","ror":"https://ror.org/03nawhv43","country_code":"US","type":"education","lineage":["https://openalex.org/I103635307"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Keyu Man","raw_affiliation_strings":["University of California, Riverside, Riverside, CA, USA"],"affiliations":[{"raw_affiliation_string":"University of California, Riverside, Riverside, CA, USA","institution_ids":["https://openalex.org/I103635307"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5081510381","display_name":"Pengxiong Zhu","orcid":"https://orcid.org/0000-0003-2224-5079"},"institutions":[{"id":"https://openalex.org/I103635307","display_name":"University of California, Riverside","ror":"https://ror.org/03nawhv43","country_code":"US","type":"education","lineage":["https://openalex.org/I103635307"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Pengxiong Zhu","raw_affiliation_strings":["University of California, Riverside, Riverside, CA, USA"],"affiliations":[{"raw_affiliation_string":"University of California, Riverside, Riverside, CA, USA","institution_ids":["https://openalex.org/I103635307"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100337968","display_name":"Hao Yu","orcid":"https://orcid.org/0000-0002-3944-3162"},"institutions":[{"id":"https://openalex.org/I103635307","display_name":"University of California, Riverside","ror":"https://ror.org/03nawhv43","country_code":"US","type":"education","lineage":["https://openalex.org/I103635307"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Yu Hao","raw_affiliation_strings":["University of California, Riverside, Riverside, CA, USA"],"affiliations":[{"raw_affiliation_string":"University of California, Riverside, Riverside, CA, USA","institution_ids":["https://openalex.org/I103635307"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5022038961","display_name":"Zhiyun Qian","orcid":"https://orcid.org/0000-0003-1506-2522"},"institutions":[{"id":"https://openalex.org/I103635307","display_name":"University of California, Riverside","ror":"https://ror.org/03nawhv43","country_code":"US","type":"education","lineage":["https://openalex.org/I103635307"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Zhiyun Qian","raw_affiliation_strings":["University of California, Riverside, Riverside, CA, USA"],"affiliations":[{"raw_affiliation_string":"University of California, Riverside, Riverside, CA, USA","institution_ids":["https://openalex.org/I103635307"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5086268637","display_name":"Srikanth V. Krishnamurthy","orcid":"https://orcid.org/0000-0002-6533-4381"},"institutions":[{"id":"https://openalex.org/I103635307","display_name":"University of California, Riverside","ror":"https://ror.org/03nawhv43","country_code":"US","type":"education","lineage":["https://openalex.org/I103635307"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Srikanth V. Krishnamurthy","raw_affiliation_strings":["University of California, Riverside, Riverside, CA, USA"],"affiliations":[{"raw_affiliation_string":"University of California, Riverside, Riverside, CA, USA","institution_ids":["https://openalex.org/I103635307"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5103832183","display_name":"Tom La Porta","orcid":null},"institutions":[{"id":"https://openalex.org/I130769515","display_name":"Pennsylvania State University","ror":"https://ror.org/04p491231","country_code":"US","type":"education","lineage":["https://openalex.org/I130769515"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Tom La Porta","raw_affiliation_strings":["Pennsylvania State University, State College, PA, USA"],"affiliations":[{"raw_affiliation_string":"Pennsylvania State University, State College, PA, USA","institution_ids":["https://openalex.org/I130769515"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5049055215","display_name":"Michael J. De Lucia","orcid":null},"institutions":[{"id":"https://openalex.org/I166416128","display_name":"DEVCOM Army Research Laboratory","ror":"https://ror.org/011hc8f90","country_code":"US","type":"government","lineage":["https://openalex.org/I1304082316","https://openalex.org/I1330347796","https://openalex.org/I166416128","https://openalex.org/I2802705668","https://openalex.org/I4210154437"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Michael J. De Lucia","raw_affiliation_strings":["U.S. Army Research Laboratory, Adelphi, MD, USA"],"affiliations":[{"raw_affiliation_string":"U.S. Army Research Laboratory, Adelphi, MD, USA","institution_ids":["https://openalex.org/I166416128"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":9,"corresponding_author_ids":["https://openalex.org/A5100738315"],"corresponding_institution_ids":["https://openalex.org/I103635307"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":true,"cited_by_count":6,"citation_normalized_percentile":{"value":0.1982927,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":96,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"3384","last_page":"3399"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12326","display_name":"Network Packet Processing and Optimization","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1708","display_name":"Hardware and Architecture"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9994999766349792,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8604127764701843},{"id":"https://openalex.org/keywords/implementation","display_name":"Implementation","score":0.8569812774658203},{"id":"https://openalex.org/keywords/network-packet","display_name":"Network packet","score":0.7008641958236694},{"id":"https://openalex.org/keywords/nondeterministic-algorithm","display_name":"Nondeterministic algorithm","score":0.6366077661514282},{"id":"https://openalex.org/keywords/overhead","display_name":"Overhead (engineering)","score":0.5525979399681091},{"id":"https://openalex.org/keywords/evasion","display_name":"Evasion (ethics)","score":0.5335382223129272},{"id":"https://openalex.org/keywords/ambiguity","display_name":"Ambiguity","score":0.5139617323875427},{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.5073108077049255},{"id":"https://openalex.org/keywords/intrusion-detection-system","display_name":"Intrusion detection system","score":0.4507078528404236},{"id":"https://openalex.org/keywords/automaton","display_name":"Automaton","score":0.43765708804130554},{"id":"https://openalex.org/keywords/theoretical-computer-science","display_name":"Theoretical computer science","score":0.40723946690559387},{"id":"https://openalex.org/keywords/distributed-computing","display_name":"Distributed computing","score":0.37350085377693176},{"id":"https://openalex.org/keywords/computer-network","display_name":"Computer network","score":0.2603350877761841},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.17163100838661194},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.16756397485733032}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8604127764701843},{"id":"https://openalex.org/C26713055","wikidata":"https://www.wikidata.org/wiki/Q245962","display_name":"Implementation","level":2,"score":0.8569812774658203},{"id":"https://openalex.org/C158379750","wikidata":"https://www.wikidata.org/wiki/Q214111","display_name":"Network packet","level":2,"score":0.7008641958236694},{"id":"https://openalex.org/C176181172","wikidata":"https://www.wikidata.org/wiki/Q3490301","display_name":"Nondeterministic algorithm","level":2,"score":0.6366077661514282},{"id":"https://openalex.org/C2779960059","wikidata":"https://www.wikidata.org/wiki/Q7113681","display_name":"Overhead (engineering)","level":2,"score":0.5525979399681091},{"id":"https://openalex.org/C2781251061","wikidata":"https://www.wikidata.org/wiki/Q5416089","display_name":"Evasion (ethics)","level":3,"score":0.5335382223129272},{"id":"https://openalex.org/C2780522230","wikidata":"https://www.wikidata.org/wiki/Q1140419","display_name":"Ambiguity","level":2,"score":0.5139617323875427},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.5073108077049255},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.4507078528404236},{"id":"https://openalex.org/C112505250","wikidata":"https://www.wikidata.org/wiki/Q787116","display_name":"Automaton","level":2,"score":0.43765708804130554},{"id":"https://openalex.org/C80444323","wikidata":"https://www.wikidata.org/wiki/Q2878974","display_name":"Theoretical computer science","level":1,"score":0.40723946690559387},{"id":"https://openalex.org/C120314980","wikidata":"https://www.wikidata.org/wiki/Q180634","display_name":"Distributed computing","level":1,"score":0.37350085377693176},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.2603350877761841},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.17163100838661194},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.16756397485733032},{"id":"https://openalex.org/C86803240","wikidata":"https://www.wikidata.org/wiki/Q420","display_name":"Biology","level":0,"score":0.0},{"id":"https://openalex.org/C8891405","wikidata":"https://www.wikidata.org/wiki/Q1059","display_name":"Immune system","level":2,"score":0.0},{"id":"https://openalex.org/C203014093","wikidata":"https://www.wikidata.org/wiki/Q101929","display_name":"Immunology","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3460120.3484762","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3460120.3484762","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3460120.3484762","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.1145/3460120.3484762","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3460120.3484762","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3460120.3484762","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"sustainable_development_goals":[{"score":0.5099999904632568,"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions"}],"awards":[{"id":"https://openalex.org/G2043895709","display_name":null,"funder_award_id":"W911NF-13-2-0045","funder_id":"https://openalex.org/F4320338295","funder_display_name":"Army Research Laboratory"},{"id":"https://openalex.org/G5124561427","display_name":null,"funder_award_id":"1652954","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"}],"funders":[{"id":"https://openalex.org/F4320306076","display_name":"National Science Foundation","ror":"https://ror.org/021nxhr62"},{"id":"https://openalex.org/F4320338295","display_name":"Army Research Laboratory","ror":"https://ror.org/011hc8f90"}],"has_content":{"grobid_xml":true,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W3211991114.pdf","grobid_xml":"https://content.openalex.org/works/W3211991114.grobid-xml"},"referenced_works_count":35,"referenced_works":["https://openalex.org/W203690387","https://openalex.org/W1516506771","https://openalex.org/W1585877844","https://openalex.org/W1976919795","https://openalex.org/W1979693894","https://openalex.org/W2040333627","https://openalex.org/W2078186835","https://openalex.org/W2094382938","https://openalex.org/W2103953153","https://openalex.org/W2104993088","https://openalex.org/W2107147876","https://openalex.org/W2132523160","https://openalex.org/W2137530017","https://openalex.org/W2155300758","https://openalex.org/W2166509025","https://openalex.org/W2274774510","https://openalex.org/W2538556898","https://openalex.org/W2610511123","https://openalex.org/W2650293344","https://openalex.org/W2701082322","https://openalex.org/W2768904474","https://openalex.org/W2768945008","https://openalex.org/W2785474195","https://openalex.org/W2915011089","https://openalex.org/W2946925508","https://openalex.org/W2963723316","https://openalex.org/W2985708757","https://openalex.org/W3007237867","https://openalex.org/W3043711568","https://openalex.org/W3046608336","https://openalex.org/W3109620927","https://openalex.org/W3111490787","https://openalex.org/W4232665781","https://openalex.org/W4288079251","https://openalex.org/W6836643044"],"related_works":["https://openalex.org/W184826316","https://openalex.org/W2120447654","https://openalex.org/W2977179488","https://openalex.org/W3132573772","https://openalex.org/W2144453115","https://openalex.org/W1576777252","https://openalex.org/W2128223750","https://openalex.org/W2808001300","https://openalex.org/W1548771250","https://openalex.org/W2060032524"],"abstract_inverted_index":{"Network":[0],"intrusion":[1],"detection":[2],"systems":[3],"(NIDS)":[4],"can":[5,174,197],"be":[6,198],"evaded":[7],"by":[8],"carefully":[9],"crafted":[10],"packets":[11,58,123],"that":[12,69,168,196],"exploit":[13],"implementation-level":[14],"discrepancies":[15,29,93,114,195],"between":[16],"how":[17],"they":[18],"are":[19,89,126],"processed":[20],"on":[21],"the":[22,26,33,53,76,109,158],"NIDS":[23,54,64,110],"and":[24,38,55,73,115,173],"at":[25,52],"endhosts.":[27],"These":[28],"arise":[30],"due":[31],"to":[32,44,71,91,154,180,200],"plethora":[34],"of":[35,50,61,157],"endhost":[36,78,96],"implementations":[37,51,68,142],"evolutions":[39],"thereof.":[40],"It":[41],"is":[42,83,170],"prohibitive":[43],"proactively":[45],"employ":[46],"a":[47,103,150],"large":[48],"set":[49],"check":[56],"incoming":[57],"against":[59],"all":[60,176],"those.":[62],"Hence,":[63],"typically":[65],"choose":[66],"simplified":[67],"attempt":[70],"approximate":[72],"generalize":[74],"across":[75],"different":[77],"implementations.":[79,97],"Unfortunately,":[80],"this":[81,99],"solution":[82],"fundamentally":[84],"flawed":[85],"since":[86],"such":[87],"approximations":[88],"bound":[90],"have":[92],"with":[94,124],"some":[95],"In":[98],"paper,":[100],"we":[101,189],"develop":[102],"lightweight":[104],"system":[105],"Themis,":[106],"which":[107,135],"empowers":[108],"in":[111,134],"identifying":[112],"these":[113],"reactively":[116],"forking":[117],"its":[118],"connection":[119],"states":[120,159],"when":[121],"any":[122],"\"ambiguities\"":[125],"encountered.":[127],"Specifically,":[128],"Themis":[129,169],"incorporates":[130],"an":[131],"offline":[132],"phase":[133],"it":[136,148],"extracts":[137],"models":[138],"from":[139],"various":[140],"popular":[141],"using":[143],"symbolic":[144],"execution.":[145],"During":[146],"runtime,":[147],"maintains":[149],"nondeterministic":[151],"finite":[152],"automaton":[153],"keep":[155],"track":[156],"for":[160],"each":[161],"possible":[162],"implementation.":[163],"Our":[164],"extensive":[165],"evaluations":[166],"show":[167],"extremely":[171,184],"effective":[172],"detect":[175],"evasion":[177],"attacks":[178],"known":[179],"date,":[181],"while":[182],"consuming":[183],"low":[185],"overhead.":[186],"En":[187],"route,":[188],"also":[190],"discovered":[191],"multiple":[192],"previously":[193],"unknown":[194],"exploited":[199],"bypass":[201],"current":[202],"NIDS.":[203]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":5}],"updated_date":"2026-03-27T14:29:43.386196","created_date":"2025-10-10T00:00:00"}