{"id":"https://openalex.org/W4416549364","doi":"https://doi.org/10.1145/3719027.3765219","title":"OCR-APT: Reconstructing APT Stories from Audit Logs using Subgraph Anomaly Detection and LLMs","display_name":"OCR-APT: Reconstructing APT Stories from Audit Logs using Subgraph Anomaly Detection and LLMs","publication_year":2025,"publication_date":"2025-11-19","ids":{"openalex":"https://openalex.org/W4416549364","doi":"https://doi.org/10.1145/3719027.3765219"},"language":null,"primary_location":{"id":"doi:10.1145/3719027.3765219","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3719027.3765219","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://doi.org/10.1145/3719027.3765219","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5101946640","display_name":"Ahmed H. Aly","orcid":"https://orcid.org/0000-0001-7626-8124"},"institutions":[{"id":"https://openalex.org/I60158472","display_name":"Concordia University","ror":"https://ror.org/0420zvk78","country_code":"CA","type":"education","lineage":["https://openalex.org/I60158472"]}],"countries":["CA"],"is_corresponding":true,"raw_author_name":"Ahmed Aly","raw_affiliation_strings":["Concordia University, Montreal, Quebec, Canada"],"affiliations":[{"raw_affiliation_string":"Concordia University, Montreal, Quebec, Canada","institution_ids":["https://openalex.org/I60158472"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5040207089","display_name":"E. M. E. Mansour","orcid":"https://orcid.org/0000-0001-6851-6351"},"institutions":[{"id":"https://openalex.org/I60158472","display_name":"Concordia University","ror":"https://ror.org/0420zvk78","country_code":"CA","type":"education","lineage":["https://openalex.org/I60158472"]}],"countries":["CA"],"is_corresponding":false,"raw_author_name":"Essam Mansour","raw_affiliation_strings":["Concordia University, Montreal, Quebec, Canada"],"affiliations":[{"raw_affiliation_string":"Concordia University, Montreal, Quebec, Canada","institution_ids":["https://openalex.org/I60158472"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5085765243","display_name":"Amr Youssef","orcid":"https://orcid.org/0000-0002-4284-8646"},"institutions":[{"id":"https://openalex.org/I60158472","display_name":"Concordia University","ror":"https://ror.org/0420zvk78","country_code":"CA","type":"education","lineage":["https://openalex.org/I60158472"]}],"countries":["CA"],"is_corresponding":false,"raw_author_name":"Amr Youssef","raw_affiliation_strings":["Concordia University, Montreal, Quebec, Canada"],"affiliations":[{"raw_affiliation_string":"Concordia University, Montreal, Quebec, Canada","institution_ids":["https://openalex.org/I60158472"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5101946640"],"corresponding_institution_ids":["https://openalex.org/I60158472"],"apc_list":null,"apc_paid":null,"fwci":4.1556,"has_fulltext":false,"cited_by_count":3,"citation_normalized_percentile":{"value":0.94802414,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":95,"max":98},"biblio":{"volume":null,"issue":null,"first_page":"261","last_page":"275"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12127","display_name":"Software System Performance and Reliability","score":0.614300012588501,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12127","display_name":"Software System Performance and Reliability","score":0.614300012588501,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.062199998646974564,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11273","display_name":"Advanced Graph Neural Networks","score":0.04100000113248825,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/anomaly-detection","display_name":"Anomaly detection","score":0.7152000069618225},{"id":"https://openalex.org/keywords/spurious-relationship","display_name":"Spurious relationship","score":0.5478000044822693},{"id":"https://openalex.org/keywords/robustness","display_name":"Robustness (evolution)","score":0.5332000255584717},{"id":"https://openalex.org/keywords/audit","display_name":"Audit","score":0.48240000009536743},{"id":"https://openalex.org/keywords/attack-patterns","display_name":"Attack patterns","score":0.37929999828338623},{"id":"https://openalex.org/keywords/subgraph-isomorphism-problem","display_name":"Subgraph isomorphism problem","score":0.3736000061035156},{"id":"https://openalex.org/keywords/iterated-function","display_name":"Iterated function","score":0.3635999858379364},{"id":"https://openalex.org/keywords/audit-trail","display_name":"Audit trail","score":0.35249999165534973}],"concepts":[{"id":"https://openalex.org/C739882","wikidata":"https://www.wikidata.org/wiki/Q3560506","display_name":"Anomaly detection","level":2,"score":0.7152000069618225},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.714900016784668},{"id":"https://openalex.org/C97256817","wikidata":"https://www.wikidata.org/wiki/Q1462316","display_name":"Spurious relationship","level":2,"score":0.5478000044822693},{"id":"https://openalex.org/C63479239","wikidata":"https://www.wikidata.org/wiki/Q7353546","display_name":"Robustness (evolution)","level":3,"score":0.5332000255584717},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.48829999566078186},{"id":"https://openalex.org/C199521495","wikidata":"https://www.wikidata.org/wiki/Q181487","display_name":"Audit","level":2,"score":0.48240000009536743},{"id":"https://openalex.org/C2780741293","wikidata":"https://www.wikidata.org/wiki/Q4818019","display_name":"Attack patterns","level":3,"score":0.37929999828338623},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.37770000100135803},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.37709999084472656},{"id":"https://openalex.org/C131992880","wikidata":"https://www.wikidata.org/wiki/Q2528185","display_name":"Subgraph isomorphism problem","level":3,"score":0.3736000061035156},{"id":"https://openalex.org/C140479938","wikidata":"https://www.wikidata.org/wiki/Q5254619","display_name":"Iterated function","level":2,"score":0.3635999858379364},{"id":"https://openalex.org/C80958533","wikidata":"https://www.wikidata.org/wiki/Q1047174","display_name":"Audit trail","level":3,"score":0.35249999165534973},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.34940001368522644},{"id":"https://openalex.org/C132525143","wikidata":"https://www.wikidata.org/wiki/Q141488","display_name":"Graph","level":2,"score":0.3434000015258789},{"id":"https://openalex.org/C12997251","wikidata":"https://www.wikidata.org/wiki/Q567560","display_name":"Anomaly (physics)","level":2,"score":0.31439998745918274},{"id":"https://openalex.org/C51632099","wikidata":"https://www.wikidata.org/wiki/Q3985153","display_name":"Training set","level":2,"score":0.2800000011920929},{"id":"https://openalex.org/C110875604","wikidata":"https://www.wikidata.org/wiki/Q75","display_name":"The Internet","level":2,"score":0.2745000123977661},{"id":"https://openalex.org/C67186912","wikidata":"https://www.wikidata.org/wiki/Q367664","display_name":"Data modeling","level":2,"score":0.27239999175071716},{"id":"https://openalex.org/C108010975","wikidata":"https://www.wikidata.org/wiki/Q500094","display_name":"Pruning","level":2,"score":0.26910001039505005},{"id":"https://openalex.org/C2779599972","wikidata":"https://www.wikidata.org/wiki/Q82231","display_name":"NoSQL","level":3,"score":0.26660001277923584},{"id":"https://openalex.org/C137293760","wikidata":"https://www.wikidata.org/wiki/Q3621696","display_name":"Language model","level":2,"score":0.25780001282691956},{"id":"https://openalex.org/C118643609","wikidata":"https://www.wikidata.org/wiki/Q189210","display_name":"Web application","level":2,"score":0.25679999589920044},{"id":"https://openalex.org/C50644808","wikidata":"https://www.wikidata.org/wiki/Q192776","display_name":"Artificial neural network","level":2,"score":0.2565000057220459},{"id":"https://openalex.org/C12267149","wikidata":"https://www.wikidata.org/wiki/Q282453","display_name":"Support vector machine","level":2,"score":0.2551000118255615},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.2549999952316284}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3719027.3765219","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3719027.3765219","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.1145/3719027.3765219","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3719027.3765219","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":14,"referenced_works":["https://openalex.org/W2029437526","https://openalex.org/W2042492403","https://openalex.org/W2131681506","https://openalex.org/W2493916176","https://openalex.org/W2910711617","https://openalex.org/W2962703433","https://openalex.org/W3045004532","https://openalex.org/W3133518153","https://openalex.org/W3212868562","https://openalex.org/W4285066127","https://openalex.org/W4385187421","https://openalex.org/W4393029443","https://openalex.org/W4396574997","https://openalex.org/W4404731747"],"related_works":[],"abstract_inverted_index":{"Advanced":[0],"Persistent":[1],"Threats":[2],"(APTs)":[3],"are":[4,28],"stealthy":[5],"cyberattacks":[6],"that":[7,27,84,187,204],"often":[8,43],"evade":[9],"detection":[10,38,68,105,194],"in":[11,192],"system-level":[12],"audit":[13],"logs.":[14],"Provenance":[15],"graphs":[16,41],"model":[17],"these":[18,40,96],"logs":[19],"as":[20,132],"connected":[21],"entities":[22],"and":[23,50,70,78,106,170,183,196],"events,":[24],"revealing":[25],"relationships":[26],"missed":[29],"by":[30],"linear":[31],"log":[32],"representations.":[33],"Existing":[34],"systems":[35,83,191],"apply":[36],"anomaly":[37,120,144],"to":[39,64,140,157],"but":[42],"suffer":[44],"from":[45],"high":[46],"false":[47],"positive":[48],"rates":[49],"coarse-grained":[51],"alerts.":[52],"Their":[53],"reliance":[54],"on":[55,178],"node":[56],"attributes":[57,130],"like":[58],"file":[59,133],"paths":[60,134],"or":[61,135],"IPs":[62],"leads":[63,139],"spurious":[65],"correlations,":[66],"reducing":[67,168],"robustness":[69],"reliability.":[71],"To":[72,94],"fully":[73],"understand":[74],"an":[75,172],"attack's":[76],"progression":[77],"impact,":[79],"security":[80],"analysts":[81],"need":[82],"can":[85],"generate":[86],"accurate,":[87],"human-like":[88,109,202],"narratives":[89],"of":[90,108],"the":[91,179,207],"entire":[92],"attack.":[93],"address":[95],"challenges,":[97],"we":[98],"introduce":[99],"OCR-APT,":[100],"a":[101,141],"system":[102],"for":[103,118],"APT":[104],"reconstruction":[107],"attack":[110,160,208],"stories.":[111,161],"OCR-APT":[112,188,200],"uses":[113],"Graph":[114],"Neural":[115],"Networks":[116],"(GNNs)":[117],"subgraph":[119],"detection,":[121],"learning":[122],"behavior":[123],"patterns":[124],"around":[125],"nodes":[126],"rather":[127],"than":[128],"fragile":[129],"such":[131],"IPs.":[136],"This":[137],"approach":[138],"more":[142],"robust":[143],"detection.":[145],"It":[146],"then":[147],"iterates":[148],"over":[149],"detected":[150],"subgraphs":[151],"using":[152],"Large":[153],"Language":[154],"Models":[155],"(LLMs)":[156],"reconstruct":[158],"multi-stage":[159],"Each":[162],"stage":[163],"is":[164],"validated":[165],"before":[166],"proceeding,":[167],"hallucinations":[169],"ensuring":[171],"interpretable":[173],"final":[174],"report.":[175],"Our":[176],"evaluations":[177],"DARPA":[180],"TC3,":[181],"OpTC,":[182],"NODLINK":[184],"datasets":[185],"show":[186],"outperforms":[189],"state-of-the-art":[190],"both":[193],"accuracy":[195],"alert":[197],"interpretability.":[198],"Moreover,":[199],"reconstructs":[201],"reports":[203],"comprehensively":[205],"capture":[206],"story.":[209]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":2}],"updated_date":"2026-04-17T18:11:37.981687","created_date":"2025-11-23T00:00:00"}