TGCM: Topic-Guided Generative Disentanglement of Interleaved APT Technique Sequences
Pith reviewed 2026-06-26 20:48 UTC · model grok-4.3
The pith
A consistency-based generative model learns a direct one-step mapping to separate interleaved attack sequences into coherent single-campaign chains.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Topic-Guided Consistency Modeling learns a direct inverse mapping from interleaved multi-campaign observations to structured single-campaign sequences in a single inference step, with the topic-guided prior supplying high-level tactical constraints that favor semantically coherent attack chains during decomposition.
What carries the argument
Consistency Models trained to perform the inverse mapping from mixed sequences to separate campaign sequences, conditioned on a topic-guided prior.
If this is right
- The model jointly infers both the number of latent campaigns and their technique assignments from a single mixed input.
- Separation quality remains higher than pattern-mining, deep-learning, and language-model baselines when interleaving is heavy and techniques are shared.
- The same trained model can be applied directly to new naturally interleaved traces without additional fine-tuning.
- The framework handles variable campaign lengths and overlapping execution periods that defeat single-campaign assumptions.
Where Pith is reading between the lines
- If the one-step inversion holds, security systems could process live audit streams at higher throughput by avoiding multi-step sampling.
- The same inverse-mapping idea might apply to other domains that produce interleaved event sequences, such as concurrent user sessions or distributed system traces.
- Performance would likely degrade on campaigns whose tactic patterns fall outside the distribution used to build the prior, suggesting a need for periodic prior updates.
- Combining the approach with provenance graphs could further constrain the possible assignments when technique sharing is extreme.
Load-bearing premise
The topic-guided prior derived from attack narratives supplies effective high-level tactical constraints that improve decomposition quality and allow zero-shot generalization to naturally interleaved traces.
What would settle it
Run the trained model on a controlled set of interleaved sequences whose underlying campaigns deliberately violate the tactic distributions encoded in the prior and measure whether separation accuracy falls below that of non-prior baselines.
Figures
read the original abstract
In enterprise environments, multiple Advanced Persistent Threat (APT) campaigns often unfold concurrently, producing audit logs in which attack techniques across actors (sources) are interleaved over time. This setting naturally gives rise to an Unknown-K Interleaved Sequence Demixing (UKISD) problem: recovering multiple latent campaigns from an interleaved technique sequence while jointly inferring their number and technique-level assignments. Existing approaches, ranging from statistical pattern mining to provenance-based analysis, typically assume single-campaign settings or rely on rigid heuristics, limiting their effectiveness under realistic conditions involving overlapping campaigns, shared techniques, and variable execution lengths. We present Topic-Guided Consistency Modeling (TGCM), a generative disentanglement framework to tackle the UKSID problem. TGCM leverages Consistency Models to learn a direct inverse mapping from interleaved multi-campaign observations to structured single-campaign sequences in a single inference step. To favor semantically coherent attack chains, TGCM incorporates a topic-guided prior derived from MITRE ATT\&CK narratives, providing high-level tactical constraints during decomposition. We evaluate TGCM on synthetic datasets, established mixed datasets, and incident traces from DARPA TC-E3 and TC-E5, comparing against 15 representative baselines spanning pattern mining, deep learning, and LLM-based methods. Results indicate improved separation robustness over baselines under heavy interleaving and technique sharing, and show that TGCM generalizes zero-shot to a naturally interleaved in-the-wild benchmark (DARPA TC-E5) without retraining.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper introduces Topic-Guided Consistency Modeling (TGCM) as a generative disentanglement framework for the Unknown-K Interleaved Sequence Demixing (UKISD) problem arising from concurrent APT campaigns in enterprise audit logs. TGCM employs Consistency Models to learn a direct single-step inverse mapping from interleaved multi-campaign observations to structured single-campaign sequences and incorporates a topic-guided prior derived from MITRE ATT&CK narratives to enforce semantic coherence. The work evaluates the method on synthetic datasets, established mixed datasets, and incident traces from DARPA TC-E3 and TC-E5, reporting improved separation robustness under heavy interleaving and technique sharing relative to 15 baselines spanning pattern mining, deep learning, and LLM-based approaches, along with zero-shot generalization to naturally interleaved in-the-wild data without retraining.
Significance. If the empirical claims hold after full verification, the approach would represent a meaningful advance in handling realistic multi-actor APT scenarios by replacing heuristic or single-campaign assumptions with a generative, topic-constrained model capable of joint inference of campaign count and technique assignments. The integration of consistency-model acceleration with domain-derived priors from ATT&CK narratives offers a potentially scalable route to more robust provenance and attack-chain reconstruction.
major comments (2)
- [Abstract] Abstract: The central claims of improved robustness, separation quality, and zero-shot generalization to DARPA TC-E5 are asserted without any quantitative metrics, error bars, dataset cardinalities, ablation results, or statistical significance tests; this absence prevents assessment of whether the reported gains are load-bearing or merely descriptive.
- [Abstract] Abstract (and implied methods): No equations, training procedure, loss formulation, or consistency-model architecture details are supplied, so it is impossible to verify whether the single-step inverse mapping is parameter-free, whether the topic prior is applied as a hard constraint or soft regularizer, or whether any performance advantage reduces to the choice of MITRE-derived topics versus the base consistency model.
Simulated Author's Rebuttal
We thank the referee for their thoughtful review and for highlighting areas where the abstract could better support the claims. We address each major comment below and will revise the abstract accordingly.
read point-by-point responses
-
Referee: [Abstract] Abstract: The central claims of improved robustness, separation quality, and zero-shot generalization to DARPA TC-E5 are asserted without any quantitative metrics, error bars, dataset cardinalities, ablation results, or statistical significance tests; this absence prevents assessment of whether the reported gains are load-bearing or merely descriptive.
Authors: We agree the abstract would be strengthened by including key quantitative results. In the revision we will add concise statements of the main metrics (e.g., average F1 improvement, dataset sizes for the DARPA traces, and indication of statistical significance) drawn from the experimental sections, while remaining within length limits. revision: yes
-
Referee: [Abstract] Abstract (and implied methods): No equations, training procedure, loss formulation, or consistency-model architecture details are supplied, so it is impossible to verify whether the single-step inverse mapping is parameter-free, whether the topic prior is applied as a hard constraint or soft regularizer, or whether any performance advantage reduces to the choice of MITRE-derived topics versus the base consistency model.
Authors: Abstracts conventionally omit equations and full procedural details; these appear in Section 3 of the manuscript (consistency-model architecture, single-step mapping via consistency distillation, and the topic-guided regularizer term in the training objective). To improve verifiability we will add one sentence to the abstract clarifying that the ATT&CK topic prior is used as a soft regularizer and that ablations in the paper isolate its contribution beyond the base consistency model. revision: partial
Circularity Check
No significant circularity detected
full rationale
The provided abstract and description present TGCM as a generative framework using Consistency Models for single-step inverse mapping from interleaved sequences plus a topic-guided prior from external MITRE ATT&CK narratives. No derivation equations, fitted parameters renamed as predictions, self-citations, or ansatzes are visible in the text. Without access to methods sections containing explicit equations or citations, no load-bearing step can be shown to reduce to its own inputs by construction. The central claims rest on empirical comparisons to 15 baselines and zero-shot generalization, which are externally falsifiable and not self-referential by the given content.
Axiom & Free-Parameter Ledger
Reference graph
Works this paper leans on
-
[1]
A. D. Keromytis. Transparent computing engagement 3 data release. https://gith ub.com/darpa-i2o/Transparent-Computing/blob/master/README-E3.md, 2018
2018
-
[2]
Bears in the midst: Intrusion into the democratic national committee
Dmitri Alperovitch. Bears in the midst: Intrusion into the democratic national committee. CrowdStrike Blog (From the Front Lines), June 2016. Published June 14, 2016. Accessed: 2025-12-23
2016
-
[3]
{ATLAS}: A sequence-based learning approach for attack investigation
Abdulellah Alsaheel, Yuhong Nan, Shiqing Ma, Le Yu, Gregory Walkup, Z Berkay Celik, Xiangyu Zhang, and Dongyan Xu. {ATLAS}: A sequence-based learning approach for attack investigation. In30th USENIX security symposium (USENIX security 21), pages 3005–3022, 2021
2021
-
[4]
Provg-searcher: A graph representation learning approach for efficient provenance graph search
Enes Altinisik, Fatih Deniz, and Hüsrev Taha Sencar. Provg-searcher: A graph representation learning approach for efficient provenance graph search. In Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 2023
2023
-
[5]
Structured denoising diffusion models in discrete state-spaces.Ad- vances in neural information processing systems, 34:17981–17993, 2021
Jacob Austin, Daniel D Johnson, Jonathan Ho, Daniel Tarlow, and Rianne Van Den Berg. Structured denoising diffusion models in discrete state-spaces.Ad- vances in neural information processing systems, 34:17981–17993, 2021
2021
-
[6]
Jimmy Lei Ba, Jamie Ryan Kiros, and Geoffrey E Hinton. Layer normalization. arXiv preprint arXiv:1607.06450, 2016
Pith/arXiv arXiv 2016
-
[7]
A maximization technique occurring in the statistical analysis of probabilistic functions of markov chains.The annals of mathematical statistics, 41(1):164–171, 1970
Leonard E Baum, Ted Petrie, George Soules, and Norman Weiss. A maximization technique occurring in the statistical analysis of probabilistic functions of markov chains.The annals of mathematical statistics, 41(1):164–171, 1970
1970
-
[8]
A proba- bilistic approach to event-case correlation for process mining
Dina Bayomie, Claudio Di Ciccio, Marcello La Rosa, and Jan Mendling. A proba- bilistic approach to event-case correlation for process mining. InInternational Conference on Conceptual Modeling, pages 136–152. Springer, 2019
2019
-
[9]
Event-case correlation for process mining using probabilistic optimization.Information Systems, 114:102167, 2023
Dina Bayomie, Claudio Di Ciccio, and Jan Mendling. Event-case correlation for process mining using probabilistic optimization.Information Systems, 114:102167, 2023
2023
-
[10]
Latent dirichlet allocation
David M Blei, Andrew Y Ng, and Michael I Jordan. Latent dirichlet allocation. Journal of machine Learning research, 3(Jan):993–1022, 2003
2003
-
[11]
Alexander Böttcher, Wieland Brendel, Bernhard Englitz, and Matthias Bethge. Trace your sources in large-scale data: one ring to find them all.arXiv preprint arXiv:1803.08882, 2018
Pith/arXiv arXiv 2018
-
[12]
Recognizing binary shuffle squares is np-hard.Theoretical Computer Science, 806:116–132, 2020
Laurent Bulteau and Stéphane Vialette. Recognizing binary shuffle squares is np-hard.Theoretical Computer Science, 806:116–132, 2020
2020
-
[13]
Unshuffling a square is np-hard.Journal of Computer and System Sciences, 80(4):766–776, 2014
Sam Buss and Michael Soltys. Unshuffling a square is np-hard.Journal of Computer and System Sciences, 80(4):766–776, 2014
2014
-
[14]
Radar signal deinterleaving with multi-feature semantics and modular network design
Rouxuan Chen, Jibin Zheng, Chenrui Li, Liangtian Wan, and Hongwei Liu. Radar signal deinterleaving with multi-feature semantics and modular network design. IEEE Transactions on Aerospace and Electronic Systems, 2025
2025
-
[15]
Deep attractor network for single- microphone speaker separation
Zhuo Chen, Yi Luo, and Nima Mesgarani. Deep attractor network for single- microphone speaker separation. InAcoustics, Speech and Signal Processing (ICASSP), 2017 IEEE International Conference on, pages 246–250. IEEE, 2017
2017
-
[16]
Kairos: Practical intrusion detection and investigation using whole-system provenance
Zijun Cheng, Qiujian Lv, Jinyuan Liang, Yan Wang, Degang Sun, Thomas Pasquier, and Xueyuan Han. Kairos: Practical intrusion detection and investigation using whole-system provenance. In2024 IEEE Symposium on Security and Privacy (SP), pages 3533–3551. IEEE, 2024
2024
-
[17]
https://www.microsoft.com/security/blog/then-there-were-six
Microsoft DART. https://www.microsoft.com/security/blog/then-there-were-six. Accessed: 2025-08-13
2025
-
[18]
Diffusion models beat gans on image synthesis.Advances in neural information processing systems, 34:8780–8794, 2021
Prafulla Dhariwal and Alexander Nichol. Diffusion models beat gans on image synthesis.Advances in neural information processing systems, 34:8780–8794, 2021
2021
-
[19]
{AIRTAG}: Towards automated attack investigation by unsupervised learning with log texts
Hailun Ding, Juan Zhai, Yuhong Nan, and Shiqing Ma. {AIRTAG}: Towards automated attack investigation by unsupervised learning with log texts. In32nd USENIX Security Symposium (USENIX Security), 2023
2023
-
[20]
Deeplog: Anomaly detection and diagnosis from system logs through deep learning
Min Du, Feifei Li, Guineng Zheng, and Vivek Srikumar. Deeplog: Anomaly detection and diagnosis from system logs through deep learning. InProceedings of the 2017 ACM SIGSAC conference on computer and communications security, pages 1285–1298, 2017
2017
-
[21]
Maxfem: Mining maximal frequent episodes in complex event sequences
Philippe Fournier-Viger, M Saqib Nawaz, Yulin He, Youxi Wu, Farid Nouioua, and Unil Yun. Maxfem: Mining maximal frequent episodes in complex event sequences. InInternational Conference on Multi-disciplinary Trends in Artificial Intelligence, pages 86–98. Springer, 2022
2022
-
[22]
Factorial hidden markov models.Ad- vances in neural information processing systems, 8, 1995
Zoubin Ghahramani and Michael Jordan. Factorial hidden markov models.Ad- vances in neural information processing systems, 8, 1995
1995
-
[23]
Blind source separation of intermittent frequency hopping sources over los and nlos channels.Entropy, 25(9):1292, 2023
Anushreya Ghosh, Annan Dong, Alexander Haimovich, Osvaldo Simeone, and Jason Dabin. Blind source separation of intermittent frequency hopping sources over los and nlos channels.Entropy, 25(9):1292, 2023
2023
-
[24]
Sometimes, you aren’t what you do: Mimicry attacks against provenance graph host intrusion detection systems
Akul Goyal, Xueyuan Han, Gang Wang, and Adam Bates. Sometimes, you aren’t what you do: Mimicry attacks against provenance graph host intrusion detection systems. In30th Network and Distributed System Security Symposium, 2023
2023
-
[25]
Maarten Grootendorst. Bertopic: Neural topic modeling with a class-based tf-idf procedure.arXiv preprint arXiv:2203.05794, 2022
Pith/arXiv arXiv 2022
-
[26]
Logbert: Log anomaly detection via bert
Haixuan Guo, Shuhan Yuan, and Xintao Wu. Logbert: Log anomaly detection via bert. In2021 international joint conference on neural networks (IJCNN), pages 1–8. IEEE, 2021
2021
-
[27]
Unicorn: Runtime provenance-based detector for advanced persistent threats
Xueyuan Han, Thomas Pasquier, Adam Bates, James Mickens, and Margo Seltzer. Unicorn: Runtime provenance-based detector for advanced persistent threats. arXiv preprint arXiv:2001.01525, 2020
arXiv 2001
-
[28]
Nodoze: Combatting threat alert fatigue with auto- mated provenance triage
Wajih Ul Hassan, Shengjian Guo, Ding Li, Zhengzhang Chen, Kangkook Jee, Zhichun Li, and Adam Bates. Nodoze: Combatting threat alert fatigue with auto- mated provenance triage. Innetwork and distributed systems security symposium, 2019
2019
-
[29]
Omegalog: High-fidelity attack investigation via transparent multi-layer log analysis
Wajih Ul Hassan, Mohammad Ali Noureddine, Pubali Datta, and Adam Bates. Omegalog: High-fidelity attack investigation via transparent multi-layer log analysis. InNetwork and distributed system security symposium, 2020
2020
-
[30]
Denoising diffusion probabilistic models.Advances in neural information processing systems, 33:6840–6851, 2020
Jonathan Ho, Ajay Jain, and Pieter Abbeel. Denoising diffusion probabilistic models.Advances in neural information processing systems, 33:6840–6851, 2020
2020
-
[31]
{SLEUTH}: Real- time attack scenario reconstruction from {COTS} audit data
Md Nahid Hossain, Sadegh M Milajerdi, Junao Wang, Birhanu Eshete, Rigel Gjomemo, R Sekar, Scott Stoller, and VN Venkatakrishnan. {SLEUTH}: Real- time attack scenario reconstruction from {COTS} audit data. In26th USENIX Security Symposium (USENIX Security 17), pages 487–504, 2017
2017
-
[32]
A cascade approach for apt campaign attribution in system event logs: Technique hunting and subgraph matching
Yi-Ting Huang, Ying-Ren Guo, Guo-Wei Wong, and Meng Chang Chen. A cascade approach for apt campaign attribution in system event logs: Technique hunting and subgraph matching. InICC 2025-IEEE International Conference on Communications, pages 1073–1078. IEEE, 2025
2025
-
[33]
Saga: Synthetic audit log generation for apt campaigns.IEEE Transactions on Dependable and Secure Computing, pages 1–16, 2025
Yi-Ting Huang, Ying-Ren Guo, Yu-Sheng Yang, Guo-Wei Wong, Yu-Zih Jheng, Yeali Sun, Jessemyn Modini, Timothy Lynar, and Meng Chang Chen. Saga: Synthetic audit log generation for apt campaigns.IEEE Transactions on Dependable and Secure Computing, pages 1–16, 2025
2025
-
[34]
Independent component analysis: algorithms and applications.Neural networks, 13(4-5):411–430, 2000
Aapo Hyvärinen and Erkki Oja. Independent component analysis: algorithms and applications.Neural networks, 13(4-5):411–430, 2000
2000
-
[35]
SecBERT: A pretrained language model for cyber security text
jackaduma. SecBERT: A pretrained language model for cyber security text. https://github.com/jackaduma/SecBERT, 2022. Accessed: 2026-04-30
2022
-
[36]
Transparent computing engagement 5 data release
Jacob Torrey. Transparent computing engagement 5 data release. https://github .com/darpa-i2o/Transparent-Computing/blob/master/README.md, 2020
2020
-
[37]
{MAGIC}: Detecting advanced persistent threats via masked graph representa- tion learning
Zian Jia, Yun Xiong, Yuhong Nan, Yao Zhang, Jinjing Zhao, and Mi Wen. {MAGIC}: Detecting advanced persistent threats via masked graph representa- tion learning. In33rd USENIX Security Symposium (USENIX Security 24), pages 5197–5214, 2024
2024
-
[38]
Mitre att&ck applications in cybersecurity and the way forward.arXiv preprint arXiv:2502.10825, 2025
Yuning Jiang, Qiaoran Meng, Feiyang Shang, Nay Oo, Le Thi Hong Minh, Hoon Wei Lim, and Biplab Sikdar. Mitre att&ck applications in cybersecurity and the way forward.arXiv preprint arXiv:2502.10825, 2025
arXiv 2025
-
[39]
Blind separation of sources, part i: An adaptive algorithm based on neuromimetic architecture.Signal processing, 24(1):1– 10, 1991
Christian Jutten and Jeanny Herault. Blind separation of sources, part i: An adaptive algorithm based on neuromimetic architecture.Signal processing, 24(1):1– 10, 1991
1991
-
[40]
A large-scale corpus for conversation disentanglement
Jonathan K Kummerfeld, Sai R Gouravajhala, Joseph J Peper, Vignesh Athreya, Chulaka Gunasekara, Jatin Ganhotra, Siva Sankalp Patel, Lazaros C Polymenakos, and Walter Lasecki. A large-scale corpus for conversation disentanglement. InProceedings of the 57th annual meeting of the association for computational linguistics, pages 3846–3856, 2019
2019
-
[41]
Mci: Modeling-based causality inference in audit logging for attack investigation
Yonghwi Kwon, Fei Wang, Weihang Wang, Kyu Hyung Lee, Wen-Chuan Lee, Shiqing Ma, Xiangyu Zhang, Dongyan Xu, Somesh Jha, Gabriela Ciocarlie, et al. Mci: Modeling-based causality inference in audit logging for attack investigation. InNetwork and Distributed Systems Security (NDSS) Symposium, 2018
2018
-
[42]
Learning the parts of objects by non- negative matrix factorization.nature, 401(6755):788–791, 1999
Daniel D Lee and H Sebastian Seung. Learning the parts of objects by non- negative matrix factorization.nature, 401(6755):788–791, 1999
1999
-
[43]
Camp2vec: Embedding cyber campaign with att&ck framework for attack group analysis.ICT Express, 9(6):1065–1070, 2023
Insup Lee and Changhee Choi. Camp2vec: Embedding cyber campaign with att&ck framework for attack group analysis.ICT Express, 9(6):1065–1070, 2023. CCS ’26, November 15–19, 2026, The World Forum, The Hague, The Netherlands Guo-Wei Wong, Ming-Chuan Yang, Shou-De Lin, Wang-Chien Lee, and Meng Chang Chen
2023
-
[44]
Nodlink: An online system for fine-grained apt attack detection and investigation
Shaofei Li, Feng Dong, Xusheng Xiao, Haoyu Wang, Fei Shao, Jiedong Chen, Yao Guo, Xiangqun Chen, and Ding Li. Nodlink: An online system for fine-grained apt attack detection and investigation. InProceedings 2024 Network and Distributed System Security Symposium, NDSS 2024. Internet Society, 2024
2024
-
[45]
Diffusion-lm improves controllable text generation.Advances in neural information processing systems, 35:4328–4343, 2022
Xiang Li, John Thickstun, Ishaan Gulrajani, Percy S Liang, and Tatsunori B Hashimoto. Diffusion-lm improves controllable text generation.Advances in neural information processing systems, 35:4328–4343, 2022
2022
-
[46]
Attackg: Constructing technique knowledge graph from cyber threat intelligence reports
Zhenyuan Li, Jun Zeng, Yan Chen, and Zhenkai Liang. Attackg: Constructing technique knowledge graph from cyber threat intelligence reports. InEuropean Symposium on Research in Computer Security, pages 589–609. Springer, 2022
2022
-
[47]
Attribute-driven case notion discovery for unlabeled event logs
Tom Lichtenstein, Dorina Bano, and Mathias Weske. Attribute-driven case notion discovery for unlabeled event logs. InInternational Conference on Business Process Management, pages 111–122. Springer, 2021
2021
-
[48]
Trec: Apt tactic/technique recognition via few-shot provenance subgraph learning
Mingqi Lv, HongZhe Gao, Xuebo Qiu, Tieming Chen, Tiantian Zhu, Jinyin Chen, and Shouling Ji. Trec: Apt tactic/technique recognition via few-shot provenance subgraph learning. InProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, pages 139–152, 2024
2024
-
[49]
Process Monitor v4.01
Microsoft. Process Monitor v4.01. https://learn.microsoft.com/en-us/sysinternal s/downloads/procmon. Accessed: 2025-08-06
2025
-
[50]
Poirot: Aligning attack behavior with kernel audit records for cyber threat hunting
Sadegh M Milajerdi, Birhanu Eshete, Rigel Gjomemo, and VN Venkatakrish- nan. Poirot: Aligning attack behavior with kernel audit records for cyber threat hunting. InProceedings of the 2019 ACM SIGSAC conference on computer and communications security, pages 1795–1812, 2019
2019
-
[51]
Holmes: real-time apt detection through correlation of suspicious information flows
Sadegh M Milajerdi, Rigel Gjomemo, Birhanu Eshete, Ramachandran Sekar, and VN Venkatakrishnan. Holmes: real-time apt detection through correlation of suspicious information flows. In2019 IEEE symposium on security and privacy (SP), pages 1137–1152. IEEE, 2019
2019
-
[52]
MITRE CALDERA: Automated adversary emulation platform
MITRE. MITRE CALDERA: Automated adversary emulation platform. https: //github.com/mitre/caldera. Accessed: 2026-04-19
2026
-
[53]
Blind source separation using time-delayed dynamic mode decomposition.Computation, 13(2), 2025
Gyurhan Nedzhibov. Blind source separation using time-delayed dynamic mode decomposition.Computation, 13(2), 2025
2025
-
[54]
Improved denoising diffusion probabilistic models
Alexander Quinn Nichol and Prafulla Dhariwal. Improved denoising diffusion probabilistic models. InInternational conference on machine learning, pages 8162–8171. PMLR, 2021
2021
-
[55]
A pretrained language model for cyber threat intelligence
Youngja Park and Weiqiu You. A pretrained language model for cyber threat intelligence. InProceedings of the 2023 Conference on Empirical Methods in Natural Language Processing: Industry Track, pages 113–122, 2023
2023
-
[56]
Marco Pegoraro, Merih Seran Uysal, Tom-Hendrik Hülsmann, and Wil MP van der Aalst. Resolving uncertain case identifiers in interaction logs: A user study.arXiv preprint arXiv:2212.00009, 2022
arXiv 2022
-
[57]
Correlation miner: mining business process models and event correlations without case identifiers.Interna- tional Journal of Cooperative Information Systems, 26(02):1742002, 2017
Shaya Pourmirza, Remco Dijkman, and Paul Grefen. Correlation miner: mining business process models and event correlations without case identifiers.Interna- tional Journal of Cooperative Information Systems, 26(02):1742002, 2017
2017
-
[58]
Zoomer: An apt ttp recognition system via deep & wide provenance graph learning.IEEE Transactions on Dependable and Secure Computing, 2025
Xuebo Qiu, Mingqi Lv, Tieming Chen, Tiantian Zhu, Qijie Song, and Zhiling Zhu. Zoomer: An apt ttp recognition system via deep & wide provenance graph learning.IEEE Transactions on Dependable and Secure Computing, 2025
2025
-
[59]
Cybert: Contex- tualized embeddings for the cybersecurity domain
Priyanka Ranade, Aritran Piplai, Anupam Joshi, and Tim Finin. Cybert: Contex- tualized embeddings for the cybersecurity domain. In2021 IEEE International Conference on Big Data (Big Data), pages 3334–3342, 2021
2021
-
[60]
why should i trust you?
Marco Tulio Ribeiro, Sameer Singh, and Carlos Guestrin. " why should i trust you?" explaining the predictions of any classifier. InProceedings of the 22nd ACM SIGKDD international conference on knowledge discovery and data mining, pages 1135–1144, 2016
2016
-
[61]
A. Saha, J. Mattei, J. Blasco, L. Cavallaro, D. Votipka, and M. Lindorfer. Expert insights into advanced persistent threats: Analysis, challenges, and practitioner perspectives. InUSENIX Security, 2024
2024
-
[62]
Cu- dasw++ 4.0: ultra-fast gpu-based smith–waterman protein sequence database search.BMC bioinformatics, 25(1):342, 2024
Bertil Schmidt, Felix Kallenborn, Alejandro Chacon, and Christian Hundt. Cu- dasw++ 4.0: ultra-fast gpu-based smith–waterman protein sequence database search.BMC bioinformatics, 25(1):342, 2024
2024
-
[63]
Thread detection in dynamic text message streams
Dou Shen, Qiang Yang, Jian-Tao Sun, and Zheng Chen. Thread detection in dynamic text message streams. InProceedings of the 29th annual international ACM SIGIR conference on Research and development in information retrieval, pages 35–42, 2006
2006
-
[64]
Identification of common molecular subsequences.Journal of molecular biology, 147(1):195–197, 1981
Temple F Smith, Michael S Waterman, et al. Identification of common molecular subsequences.Journal of molecular biology, 147(1):195–197, 1981
1981
-
[65]
Consistency models.ICML, 2023
Yang Song, Prafulla Dhariwal, Mark Chen, and Ilya Sutskever. Consistency models.ICML, 2023
2023
-
[66]
MITRE ATT&CK: Design and philosophy
Blake Strom, Andy Applebaum, Doug Miller, Kathryn Nickels, Adam Pennington, and Cody Thomas. MITRE ATT&CK: Design and philosophy. https://www.mitr e.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and- philosophy.pdf, 2018
2018
-
[67]
Attention is all you need in speech separation
Cem Subakan, Mirco Ravanelli, Samuele Cornell, Mirko Bronzi, and Jianyuan Zhong. Attention is all you need in speech separation. InICASSP 2021-2021 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), pages 21–25. IEEE, 2021
2021
-
[68]
Mining local process models.Journal of Intelligent Information Systems, 47(2):183–222, 2016
Niek Tax, Natalia Sidorova, Reinder Haakma, and Wil M P van der Aalst. Mining local process models.Journal of Intelligent Information Systems, 47(2):183–222, 2016
2016
-
[69]
Microsoft exchange server attack timeline: Discoveries and mitigations, March 2021
Unit 42. Microsoft exchange server attack timeline: Discoveries and mitigations, March 2021. Published March 11, 2021. Accessed: 2025-12-23
2021
-
[70]
Object-centric process mining: unraveling the fabric of real processes.Mathematics, 11(12):2691, 2023
Wil MP van der Aalst. Object-centric process mining: unraveling the fabric of real processes.Mathematics, 11(12):2691, 2023
2023
-
[71]
Discovering object-centric petri nets
Wil MP van der Aalst and Alessandro Berti. Discovering object-centric petri nets. Fundamenta informaticae, 175(1-4):1–40, 2020
2020
-
[72]
Fusion and Workstation
VMware. Fusion and Workstation. https://www.vmware.com/products/desktop- hypervisor/workstation-and-fusion. Accessed: 2026-04-21
2026
-
[73]
Fastopic: Pretrained transformer is a fast, adaptive, stable, and transferable topic model.Advances in Neural Information Processing Systems, 37:84447–84481, 2024
Xiaobao Wu, Thong Nguyen, Delvin Zhang, William Yang Wang, and Anh Tuan Luu. Fastopic: Pretrained transformer is a fast, adaptive, stable, and transferable topic model.Advances in Neural Information Processing Systems, 37:84447–84481, 2024
2024
-
[74]
A novel method for deinterleaving radar signals: First-order difference curve based on sorted toa difference sequence.IET Signal Processing, 17(1):e12162, 2023
Min Xie, Chuang Zhao, Yongjun Zhao, Dexiu Hu, and Zewen Wang. A novel method for deinterleaving radar signals: First-order difference curve based on sorted toa difference sequence.IET Signal Processing, 17(1):e12162, 2023
2023
-
[75]
Conan: A practical real-time apt detection system with high accuracy and efficiency.IEEE Transactions on Dependable and Secure Computing, 19(1):551–565, 2020
Chunlin Xiong, Tiantian Zhu, Weihao Dong, Linqi Ruan, Runqing Yang, Yueqiang Cheng, Yan Chen, Shuai Cheng, and Xutong Chen. Conan: A practical real-time apt detection system with high accuracy and efficiency.IEEE Transactions on Dependable and Secure Computing, 19(1):551–565, 2020
2020
-
[76]
Un- derstanding and improving layer normalization.Advances in neural information processing systems, 32, 2019
Jingjing Xu, Xu Sun, Zhiyuan Zhang, Guangxiang Zhao, and Junyang Lin. Un- derstanding and improving layer normalization.Advances in neural information processing systems, 32, 2019
2019
-
[77]
A flexible approach for cyber threat hunting based on kernel audit records.Cybersecurity, 5(1):11, 2022
Fengyu Yang, Yanni Han, Ying Ding, Qian Tan, and Zhen Xu. A flexible approach for cyber threat hunting based on kernel audit records.Cybersecurity, 5(1):11, 2022
2022
-
[78]
From Observations to Insights: Constructing Effective Cyberat- tack Provenance With ProvCon
Anis Yusof, Shaofei Li, Arshdeep Singh Kawatra, Ding Li, Ee-Chien Chang, and Zhenkai Liang. From Observations to Insights: Constructing Effective Cyberat- tack Provenance With ProvCon. InWorkshop on SOC Operations and Construction (WOSOC) 2025, 2025
2025
-
[79]
LockBit, Hive, and BlackCat attack automotive supplier in triple ransomware attack
Syed Zaidi, Linda Smith, and Rajat Wason. LockBit, Hive, and BlackCat attack automotive supplier in triple ransomware attack. Sophos News, August 2022
2022
-
[80]
Watson: Abstracting behaviors from audit logs via aggregation of contextual semantics
Jun Zeng, Zheng Leong Chua, Yinfang Chen, Kaihang Ji, Zhenkai Liang, and Jian Mao. Watson: Abstracting behaviors from audit logs via aggregation of contextual semantics. InNDSS, 2021
2021
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.