{"id":"https://openalex.org/W4411449762","doi":"https://doi.org/10.1145/3729346","title":"CAShift: Benchmarking Log-Based Cloud Attack Detection under Normality Shift","display_name":"CAShift: Benchmarking Log-Based Cloud Attack Detection under Normality Shift","publication_year":2025,"publication_date":"2025-06-19","ids":{"openalex":"https://openalex.org/W4411449762","doi":"https://doi.org/10.1145/3729346"},"language":"en","primary_location":{"id":"doi:10.1145/3729346","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3729346","pdf_url":null,"source":{"id":"https://openalex.org/S4404663975","display_name":"Proceedings of the ACM on software engineering.","issn_l":"2994-970X","issn":["2994-970X"],"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM on Software Engineering","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"hybrid","oa_url":"https://doi.org/10.1145/3729346","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5058013874","display_name":"Jiongchi Yu","orcid":"https://orcid.org/0000-0002-2888-4499"},"institutions":[{"id":"https://openalex.org/I79891267","display_name":"Singapore Management University","ror":"https://ror.org/050qmg959","country_code":"SG","type":"education","lineage":["https://openalex.org/I79891267"]}],"countries":["SG"],"is_corresponding":true,"raw_author_name":"Jiongchi Yu","raw_affiliation_strings":["Singapore Management University, Singapore, Singapore"],"raw_orcid":"https://orcid.org/0000-0002-2888-4499","affiliations":[{"raw_affiliation_string":"Singapore Management University, Singapore, Singapore","institution_ids":["https://openalex.org/I79891267"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5084396416","display_name":"Xiaofei Xie","orcid":"https://orcid.org/0000-0002-1288-6502"},"institutions":[{"id":"https://openalex.org/I79891267","display_name":"Singapore Management University","ror":"https://ror.org/050qmg959","country_code":"SG","type":"education","lineage":["https://openalex.org/I79891267"]}],"countries":["SG"],"is_corresponding":false,"raw_author_name":"Xiaofei Xie","raw_affiliation_strings":["Singapore Management University, Singapore, Singapore"],"raw_orcid":"https://orcid.org/0000-0002-1288-6502","affiliations":[{"raw_affiliation_string":"Singapore Management University, Singapore, Singapore","institution_ids":["https://openalex.org/I79891267"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101406450","display_name":"Qiang Hu","orcid":"https://orcid.org/0000-0002-8251-1669"},"institutions":[{"id":"https://openalex.org/I162868743","display_name":"Tianjin University","ror":"https://ror.org/012tb2g32","country_code":"CN","type":"education","lineage":["https://openalex.org/I162868743"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Qiang Hu","raw_affiliation_strings":["Tianjin University, Tianjin, China"],"raw_orcid":"https://orcid.org/0000-0002-8251-1669","affiliations":[{"raw_affiliation_string":"Tianjin University, Tianjin, China","institution_ids":["https://openalex.org/I162868743"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Bowen Zhang","orcid":"https://orcid.org/0009-0009-7513-2319"},"institutions":[{"id":"https://openalex.org/I79891267","display_name":"Singapore Management University","ror":"https://ror.org/050qmg959","country_code":"SG","type":"education","lineage":["https://openalex.org/I79891267"]}],"countries":["SG"],"is_corresponding":false,"raw_author_name":"Bowen Zhang","raw_affiliation_strings":["Singapore Management University, Singapore, Singapore"],"raw_orcid":"https://orcid.org/0009-0009-7513-2319","affiliations":[{"raw_affiliation_string":"Singapore Management University, Singapore, Singapore","institution_ids":["https://openalex.org/I79891267"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101902155","display_name":"Ziming Zhao","orcid":"https://orcid.org/0000-0003-1455-4330"},"institutions":[{"id":"https://openalex.org/I76130692","display_name":"Zhejiang University","ror":"https://ror.org/00a2xv884","country_code":"CN","type":"education","lineage":["https://openalex.org/I76130692"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Ziming Zhao","raw_affiliation_strings":["Zhejiang University, Hangzhou, China"],"raw_orcid":"https://orcid.org/0000-0003-1455-4330","affiliations":[{"raw_affiliation_string":"Zhejiang University, Hangzhou, China","institution_ids":["https://openalex.org/I76130692"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5063706766","display_name":"Yun Lin","orcid":"https://orcid.org/0000-0001-8255-0118"},"institutions":[{"id":"https://openalex.org/I183067930","display_name":"Shanghai Jiao Tong University","ror":"https://ror.org/0220qvk04","country_code":"CN","type":"education","lineage":["https://openalex.org/I183067930"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Yun Lin","raw_affiliation_strings":["Shanghai Jiao Tong University, Shanghai, China"],"raw_orcid":"https://orcid.org/0000-0001-8255-0118","affiliations":[{"raw_affiliation_string":"Shanghai Jiao Tong University, Shanghai, China","institution_ids":["https://openalex.org/I183067930"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101468661","display_name":"Lei Ma","orcid":"https://orcid.org/0000-0002-8621-2420"},"institutions":[{"id":"https://openalex.org/I154425047","display_name":"University of Alberta","ror":"https://ror.org/0160cpw27","country_code":"CA","type":"education","lineage":["https://openalex.org/I154425047"]},{"id":"https://openalex.org/I74801974","display_name":"The University of Tokyo","ror":"https://ror.org/057zh3y96","country_code":"JP","type":"education","lineage":["https://openalex.org/I74801974"]}],"countries":["CA","JP"],"is_corresponding":false,"raw_author_name":"Lei Ma","raw_affiliation_strings":["University of Alberta, Alberta, Canada","University of Tokyo, Tokyo, Japan"],"raw_orcid":"https://orcid.org/0000-0002-8621-2420","affiliations":[{"raw_affiliation_string":"University of Alberta, Alberta, Canada","institution_ids":["https://openalex.org/I154425047"]},{"raw_affiliation_string":"University of Tokyo, Tokyo, Japan","institution_ids":["https://openalex.org/I74801974"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5032257261","display_name":"Ruitao Feng","orcid":"https://orcid.org/0000-0001-9080-6865"},"institutions":[{"id":"https://openalex.org/I66809481","display_name":"Southern Cross University","ror":"https://ror.org/001xkv632","country_code":"AU","type":"education","lineage":["https://openalex.org/I66809481"]},{"id":"https://openalex.org/I79891267","display_name":"Singapore Management University","ror":"https://ror.org/050qmg959","country_code":"SG","type":"education","lineage":["https://openalex.org/I79891267"]}],"countries":["AU","SG"],"is_corresponding":false,"raw_author_name":"Ruitao Feng","raw_affiliation_strings":["Singapore Management University, Singapore, Singapore","Southern Cross University, Gold Coast, Australia"],"raw_orcid":"https://orcid.org/0000-0001-9080-6865","affiliations":[{"raw_affiliation_string":"Singapore Management University, Singapore, Singapore","institution_ids":["https://openalex.org/I79891267"]},{"raw_affiliation_string":"Southern Cross University, Gold Coast, Australia","institution_ids":["https://openalex.org/I66809481"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5117414511","display_name":"Frank Liauw","orcid":"https://orcid.org/0009-0009-1462-9794"},"institutions":[{"id":"https://openalex.org/I2802950585","display_name":"Defence Science and Technology Agency","ror":"https://ror.org/02rvm6b03","country_code":"SG","type":"government","lineage":["https://openalex.org/I1325159990","https://openalex.org/I2802950585"]}],"countries":["SG"],"is_corresponding":false,"raw_author_name":"Frank Liauw","raw_affiliation_strings":["Government Technology Agency of Singapore, Singapore, Singapore"],"raw_orcid":"https://orcid.org/0009-0009-1462-9794","affiliations":[{"raw_affiliation_string":"Government Technology Agency of Singapore, Singapore, Singapore","institution_ids":["https://openalex.org/I2802950585"]}]}],"institutions":[],"countries_distinct_count":5,"institutions_distinct_count":9,"corresponding_author_ids":["https://openalex.org/A5058013874"],"corresponding_institution_ids":["https://openalex.org/I79891267"],"apc_list":null,"apc_paid":null,"fwci":1.3517,"has_fulltext":false,"cited_by_count":1,"citation_normalized_percentile":{"value":0.82793534,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":91,"max":95},"biblio":{"volume":"2","issue":"FSE","first_page":"1687","last_page":"1709"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12127","display_name":"Software System Performance and Reliability","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12127","display_name":"Software System Performance and Reliability","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9994000196456909,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11512","display_name":"Anomaly Detection Techniques and Applications","score":0.9948999881744385,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/cloud-computing","display_name":"Cloud computing","score":0.8593595027923584},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.6851745843887329},{"id":"https://openalex.org/keywords/normality","display_name":"Normality","score":0.6698507070541382},{"id":"https://openalex.org/keywords/benchmarking","display_name":"Benchmarking","score":0.5766115784645081},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.46392735838890076},{"id":"https://openalex.org/keywords/construct","display_name":"Construct (python library)","score":0.4545527994632721},{"id":"https://openalex.org/keywords/paradigm-shift","display_name":"Paradigm shift","score":0.43254178762435913},{"id":"https://openalex.org/keywords/anomaly-detection","display_name":"Anomaly detection","score":0.4155067205429077},{"id":"https://openalex.org/keywords/statistics","display_name":"Statistics","score":0.16367900371551514},{"id":"https://openalex.org/keywords/mathematics","display_name":"Mathematics","score":0.10521727800369263},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.07735905051231384}],"concepts":[{"id":"https://openalex.org/C79974875","wikidata":"https://www.wikidata.org/wiki/Q483639","display_name":"Cloud computing","level":2,"score":0.8593595027923584},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6851745843887329},{"id":"https://openalex.org/C2776157432","wikidata":"https://www.wikidata.org/wiki/Q1375683","display_name":"Normality","level":2,"score":0.6698507070541382},{"id":"https://openalex.org/C86251818","wikidata":"https://www.wikidata.org/wiki/Q816754","display_name":"Benchmarking","level":2,"score":0.5766115784645081},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.46392735838890076},{"id":"https://openalex.org/C2780801425","wikidata":"https://www.wikidata.org/wiki/Q5164392","display_name":"Construct (python library)","level":2,"score":0.4545527994632721},{"id":"https://openalex.org/C43540301","wikidata":"https://www.wikidata.org/wiki/Q689971","display_name":"Paradigm shift","level":2,"score":0.43254178762435913},{"id":"https://openalex.org/C739882","wikidata":"https://www.wikidata.org/wiki/Q3560506","display_name":"Anomaly detection","level":2,"score":0.4155067205429077},{"id":"https://openalex.org/C105795698","wikidata":"https://www.wikidata.org/wiki/Q12483","display_name":"Statistics","level":1,"score":0.16367900371551514},{"id":"https://openalex.org/C33923547","wikidata":"https://www.wikidata.org/wiki/Q395","display_name":"Mathematics","level":0,"score":0.10521727800369263},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.07735905051231384},{"id":"https://openalex.org/C111472728","wikidata":"https://www.wikidata.org/wiki/Q9471","display_name":"Epistemology","level":1,"score":0.0},{"id":"https://openalex.org/C162853370","wikidata":"https://www.wikidata.org/wiki/Q39809","display_name":"Marketing","level":1,"score":0.0},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.0},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.0},{"id":"https://openalex.org/C138885662","wikidata":"https://www.wikidata.org/wiki/Q5891","display_name":"Philosophy","level":0,"score":0.0}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1145/3729346","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3729346","pdf_url":null,"source":{"id":"https://openalex.org/S4404663975","display_name":"Proceedings of the ACM on software engineering.","issn_l":"2994-970X","issn":["2994-970X"],"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM on Software Engineering","raw_type":"journal-article"},{"id":"pmh:oai:ink.library.smu.edu.sg:sis_research-11325","is_oa":true,"landing_page_url":"https://ink.library.smu.edu.sg/sis_research/10324","pdf_url":null,"source":{"id":"https://openalex.org/S4306401925","display_name":"Singapore Management University Institutional Knowledge (InK) (Singapore Management University)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I79891267","host_organization_name":"Singapore Management University","host_organization_lineage":["https://openalex.org/I79891267"],"host_organization_lineage_names":[],"type":"repository"},"license":"other-oa","license_id":"https://openalex.org/licenses/other-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"https://dl.acm.org/doi/10.1145/3729346","raw_type":"Conference Proceeding Article"}],"best_oa_location":{"id":"doi:10.1145/3729346","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3729346","pdf_url":null,"source":{"id":"https://openalex.org/S4404663975","display_name":"Proceedings of the ACM on software engineering.","issn_l":"2994-970X","issn":["2994-970X"],"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM on Software Engineering","raw_type":"journal-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":32,"referenced_works":["https://openalex.org/W153260845","https://openalex.org/W2187089797","https://openalex.org/W2579648093","https://openalex.org/W2911282308","https://openalex.org/W2930957955","https://openalex.org/W2965838158","https://openalex.org/W3040197085","https://openalex.org/W3216137074","https://openalex.org/W4200549251","https://openalex.org/W4205596332","https://openalex.org/W4210788642","https://openalex.org/W4224214784","https://openalex.org/W4238124605","https://openalex.org/W4238297360","https://openalex.org/W4253752119","https://openalex.org/W4281260190","https://openalex.org/W4283776948","https://openalex.org/W4285167208","https://openalex.org/W4285417467","https://openalex.org/W4285490400","https://openalex.org/W4315746341","https://openalex.org/W4319963669","https://openalex.org/W4379472926","https://openalex.org/W4383102502","https://openalex.org/W4386185236","https://openalex.org/W4386363082","https://openalex.org/W4391614207","https://openalex.org/W4392739326","https://openalex.org/W4401691527","https://openalex.org/W4402443087","https://openalex.org/W4404952834","https://openalex.org/W4409657429"],"related_works":["https://openalex.org/W4238897586","https://openalex.org/W435179959","https://openalex.org/W2619091065","https://openalex.org/W2059640416","https://openalex.org/W1490753184","https://openalex.org/W2284465472","https://openalex.org/W2291782699","https://openalex.org/W1993948687","https://openalex.org/W2000169967","https://openalex.org/W2030263215"],"abstract_inverted_index":{"With":[0],"the":[1,20,81,87,93,150,201,214,228,234,251,270,279,285,292],"rapid":[2],"advancement":[3],"of":[4,48,95,134,152,160,203,216,236,272,281,294],"cloud-native":[5],"computing,":[6],"securing":[7],"cloud":[8,55,61,120,128,163,176,187],"environments":[9],"has":[10],"become":[11],"an":[12,289],"important":[13],"task.":[14],"Log-based":[15],"Anomaly":[16],"Detection":[17],"(LAD)":[18],"is":[19,75,137],"most":[21,229],"representative":[22],"technique":[23],"used":[24,274],"in":[25,154,162,185,207,291,309],"different":[26,118,158,182],"systems":[27],"for":[28,54,275,306,317],"attack":[29,183],"detection":[30],"and":[31,38,63,90,131,175,179,257,278,315],"safety":[32],"guarantee,":[33],"where":[34,250],"multiple":[35],"LAD":[36,153,205,244,313,318],"methods":[37,206,231,245,262,316],"relevant":[39],"datasets":[40,50],"have":[41],"been":[42],"proposed.":[43],"However,":[44],"even":[45],"though":[46],"some":[47],"these":[49],"are":[51,115,227,263],"specifically":[52],"prepared":[53],"systems,":[56,164],"they":[57],"only":[58,100],"cover":[59],"limited":[60],"behaviors":[62,130],"lack":[64],"information":[65],"from":[66,86,247],"a":[67,123,145,195],"whole-system":[68],"perspective.":[69],"Another":[70],"critical":[71],"issue":[72],"to":[73,148,199,212,232,255,265,296],"consider":[74],"normality":[76,135,168,208,248],"shift,":[77,172,174],"which":[78,156,226],"implies":[79],"that":[80,125,241],"test":[82],"distribution":[83,89,237],"could":[84],"differ":[85],"training":[88],"highly":[91,283],"affect":[92,284],"performance":[94,151,252],"LAD.":[96],"Unfortunately,":[97],"existing":[98,204,259],"works":[99],"focus":[101],"on":[102,191,299],"simple":[103],"shift":[104,113,169,209,217,249,267,286,319],"types":[105,114,133,170],"such":[106],"as":[107],"chronological":[108],"changes,":[109],"while":[110],"other":[111],"cloud-specific":[112],"ignored,":[116],"e.g.,":[117],"deployed":[119],"architectures.":[121],"Therefore,":[122],"dataset":[124,146],"captures":[126],"diverse":[127],"system":[129,188],"various":[132,186],"shifts":[136],"essential.":[138],"To":[139],"fill":[140],"this":[141],"gap,":[142],"we":[143,193,219,302],"construct":[144],"CAShift":[147],"evaluate":[149],"cloud,":[155],"considers":[157],"roles":[159],"software":[161],"supports":[165],"three":[166,222],"real-world":[167],"(application":[171],"version":[173],"architecture":[177],"shift),":[178],"features":[180],"20":[181],"scenarios":[184],"components.":[189],"Based":[190,298],"CAShift,":[192],"conduct":[194],"comprehensive":[196],"empirical":[197],"study":[198],"investigate":[200,221],"effectiveness":[202],"scenarios.":[210],"Additionally,":[211],"explore":[213],"feasibility":[215],"adaptation,":[218,287],"further":[220],"continuous":[223,260],"learning":[224,261],"approaches,":[225],"common":[230],"mitigate":[233],"impact":[235],"shift.":[238],"Results":[239],"demonstrated":[240],"1)":[242],"all":[243],"suffer":[246],"drops":[253],"up":[254,295],"34%,":[256],"2)":[258],"promising":[264],"address":[266],"drawbacks,":[268],"but":[269],"ratio":[271],"data":[273],"model":[276],"retraining":[277],"selection":[280],"algorithms":[282],"with":[288],"increase":[290],"F1-Score":[293],"27%.":[297],"our":[300],"findings,":[301],"offer":[303],"valuable":[304],"implications":[305],"future":[307],"research":[308],"designing":[310],"more":[311],"robust":[312],"models":[314],"adaptation.":[320]},"counts_by_year":[{"year":2025,"cited_by_count":1}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}