
arxiv: 2606.18651 · v1 · pith:XZUNUI2Snew · submitted 2026-06-17 · 💻 cs.CR

TGCM: Topic-Guided Generative Disentanglement of Interleaved APT Technique Sequences

Pith reviewed 2026-06-26 20:48 UTC · model grok-4.3

classification 💻 cs.CR
keywords: sequence disentanglement, generative modeling, attack campaign separation, interleaved logs, consistency models, topic guidance, cybersecurity, unknown-K demixing

The pith

A consistency-based generative model learns a direct one-step mapping to separate interleaved attack sequences into coherent single-campaign chains.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper addresses the challenge of recovering multiple unknown attack campaigns from audit logs where their techniques appear mixed together over time. It proposes a framework that trains consistency models to invert this mixing process directly, without iterative refinement. A prior based on high-level tactic descriptions is added to guide the separation toward sequences that form sensible attack progressions. This matters for environments where concurrent threats produce overlapping evidence that defeats methods built for isolated campaigns.

Core claim

Topic-Guided Consistency Modeling learns a direct inverse mapping from interleaved multi-campaign observations to structured single-campaign sequences in a single inference step, with the topic-guided prior supplying high-level tactical constraints that favor semantically coherent attack chains during decomposition.

What carries the argument

Consistency Models trained to perform the inverse mapping from mixed sequences to separate campaign sequences, conditioned on a topic-guided prior.

If this is right

  • The model jointly infers both the number of latent campaigns and their technique assignments from a single mixed input.
  • Separation quality remains higher than pattern-mining, deep-learning, and language-model baselines when interleaving is heavy and techniques are shared.
  • The same trained model can be applied directly to new naturally interleaved traces without additional fine-tuning.
  • The framework handles variable campaign lengths and overlapping execution periods that defeat single-campaign assumptions.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the authors make directly.

  • If the one-step inversion holds, security systems could process live audit streams at higher throughput by avoiding multi-step sampling.
  • The same inverse-mapping idea might apply to other domains that produce interleaved event sequences, such as concurrent user sessions or distributed system traces.
  • Performance would likely degrade on campaigns whose tactic patterns fall outside the distribution used to build the prior, suggesting a need for periodic prior updates.
  • Combining the approach with provenance graphs could further constrain the possible assignments when technique sharing is extreme.

Load-bearing premise

The topic-guided prior derived from attack narratives supplies effective high-level tactical constraints that improve decomposition quality and allow zero-shot generalization to naturally interleaved traces.

What would settle it

Run the trained model on a controlled set of interleaved sequences whose underlying campaigns deliberately violate the tactic distributions encoded in the prior and measure whether separation accuracy falls below that of non-prior baselines.

Figures

Figures reproduced from arXiv: 2606.18651 by Guo-Wei Wong, Meng Chang Chen, Ming-Chuan Yang, Shou-De Lin, Wang-Chien Lee. Images are not reproduced here; captions are as truncated at the source.

Figure 1: Overview of the TGCM framework. In the (a) forward process, multiple APT campaigns are interleaved to produce a …

Figure 2: Events are ordered from left to right. Case (c) merges techniques from two distinct APT campaigns ( …

Figure 3: Forward mixing and single-step demixing in TGCM. A canonical sequence …

Figure 4: Performance comparison of baselines and TGCM variants. Subplots show (top-left) Accuracy, (top-right) FMI, (bottom …

Figure 5: Example of a manually crafted labeling rule used in …
Original abstract

In enterprise environments, multiple Advanced Persistent Threat (APT) campaigns often unfold concurrently, producing audit logs in which attack techniques across actors (sources) are interleaved over time. This setting naturally gives rise to an Unknown-K Interleaved Sequence Demixing (UKISD) problem: recovering multiple latent campaigns from an interleaved technique sequence while jointly inferring their number and technique-level assignments. Existing approaches, ranging from statistical pattern mining to provenance-based analysis, typically assume single-campaign settings or rely on rigid heuristics, limiting their effectiveness under realistic conditions involving overlapping campaigns, shared techniques, and variable execution lengths. We present Topic-Guided Consistency Modeling (TGCM), a generative disentanglement framework to tackle the UKISD problem. TGCM leverages Consistency Models to learn a direct inverse mapping from interleaved multi-campaign observations to structured single-campaign sequences in a single inference step. To favor semantically coherent attack chains, TGCM incorporates a topic-guided prior derived from MITRE ATT&CK narratives, providing high-level tactical constraints during decomposition. We evaluate TGCM on synthetic datasets, established mixed datasets, and incident traces from DARPA TC-E3 and TC-E5, comparing against 15 representative baselines spanning pattern mining, deep learning, and LLM-based methods. Results indicate improved separation robustness over baselines under heavy interleaving and technique sharing, and show that TGCM generalizes zero-shot to a naturally interleaved in-the-wild benchmark (DARPA TC-E5) without retraining.
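The UKISD setting the abstract defines has two concrete pieces a reader can run: the forward mixing process (Figures 1 and 3) and the separation metrics named in Figure 4. The block below is an added illustration, not the paper's code: the sample campaigns, the random interleaving rule and the metric definitions are assumptions made here (FMI is read as the Fowlkes-Mallows index, Accuracy as position accuracy under the best relabeling of predicted campaigns), and the consistency model itself is not reproduced.

```python
"""Forward mixing and scoring for Unknown-K Interleaved Sequence Demixing.

Added illustration of the problem setting, not the paper's implementation.
Campaign contents, the interleaving rule and the metric definitions are
assumptions; FMI is taken to be the Fowlkes-Mallows index."""
from itertools import permutations
from math import sqrt
import random

# Constructed sample campaigns as ordered technique ids.  The ids are
# placeholders shaped like ATT&CK ids and make no claim about real mappings.
# T1059 and T1003 are shared by two campaigns, T1021 and T1041 by two others,
# which is the "technique sharing" the abstract says defeats simple heuristics.
CAMPAIGNS = [
    ["T1566", "T1204", "T1059", "T1003", "T1021", "T1041"],
    ["T1190", "T1059", "T1053", "T1003", "T1486"],
    ["T1078", "T1021", "T1560", "T1041"],
]


def interleave(campaigns, seed=0):
    """Forward process: merge K campaigns into one observed technique sequence.

    Every campaign keeps its internal order; the order *between* campaigns is
    random, so shared techniques appear several times with no source label.
    Returns the observed sequence and the hidden campaign label per position."""
    rng = random.Random(seed)
    cursors = [0] * len(campaigns)
    observed, labels = [], []
    remaining = sum(len(c) for c in campaigns)
    while remaining:
        # choose a campaign that still has events, weighted by what is left
        weights = [len(c) - cur for c, cur in zip(campaigns, cursors)]
        k = rng.choices(range(len(campaigns)), weights=weights)[0]
        observed.append(campaigns[k][cursors[k]])
        labels.append(k)
        cursors[k] += 1
        remaining -= 1
    return observed, labels


def demix_by_labels(observed, assignment):
    """Inverse direction: rebuild one chain per assigned campaign, in log order."""
    chains = {}
    for tech, k in zip(observed, assignment):
        chains.setdefault(k, []).append(tech)
    return [chains[k] for k in sorted(chains)]


def fowlkes_mallows(truth, pred):
    """FMI over all position pairs: sqrt(precision * recall) of 'same campaign'.

    Invariant to relabeling and defined when the predicted K differs from the
    true K, which is why a pairwise metric suits unknown-K demixing."""
    tp = fp = fn = 0
    for i in range(len(truth)):
        for j in range(i + 1, len(truth)):
            same_t = truth[i] == truth[j]
            same_p = pred[i] == pred[j]
            tp += same_t and same_p
            fp += (not same_t) and same_p
            fn += same_t and (not same_p)
    if tp == 0:
        return 0.0
    return sqrt(tp / (tp + fp) * tp / (tp + fn))


def matched_accuracy(truth, pred):
    """Position accuracy under the best one-to-one relabeling of predictions.

    Unlike FMI this needs an explicit matching step; brute force over label
    permutations is fine for the small K used here.  Missing predicted labels
    are padded with None so an under-estimated K still scores."""
    t_labels = sorted(set(truth))
    p_labels = sorted(set(pred))
    p_labels += [None] * max(0, len(t_labels) - len(p_labels))
    best = 0
    for perm in permutations(p_labels, len(t_labels)):
        mapping = dict(zip(perm, t_labels))
        best = max(best, sum(mapping.get(p) == t for t, p in zip(truth, pred)))
    return best / len(truth)


def evaluate(truth, pred):
    """Both Figure-4 style metrics for one candidate assignment."""
    return {"accuracy": matched_accuracy(truth, pred), "fmi": fowlkes_mallows(truth, pred)}


if __name__ == "__main__":
    observed, labels = interleave(CAMPAIGNS, seed=0)
    print("observed:", observed)
    print("perfect :", evaluate(labels, labels))
    # under-estimated K: campaigns 1 and 2 merged into one chain
    merged = [0 if k == 0 else 1 for k in labels]
    print("merged  :", evaluate(labels, merged), demix_by_labels(observed, merged))
    # K = 1: everything attributed to a single campaign
    print("single  :", evaluate(labels, [0] * len(labels)))
```

Running the script shows how the two metrics react differently when K is under-estimated: merging two true campaigns keeps FMI well above the single-chain floor while accuracy drops to the share of positions in the two largest campaigns.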

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 0 minor

Summary. The paper introduces Topic-Guided Consistency Modeling (TGCM) as a generative disentanglement framework for the Unknown-K Interleaved Sequence Demixing (UKISD) problem arising from concurrent APT campaigns in enterprise audit logs. TGCM employs Consistency Models to learn a direct single-step inverse mapping from interleaved multi-campaign observations to structured single-campaign sequences and incorporates a topic-guided prior derived from MITRE ATT&CK narratives to enforce semantic coherence. The work evaluates the method on synthetic datasets, established mixed datasets, and incident traces from DARPA TC-E3 and TC-E5, reporting improved separation robustness under heavy interleaving and technique sharing relative to 15 baselines spanning pattern mining, deep learning, and LLM-based approaches, along with zero-shot generalization to naturally interleaved in-the-wild data without retraining.

Significance. If the empirical claims hold after full verification, the approach would represent a meaningful advance in handling realistic multi-actor APT scenarios by replacing heuristic or single-campaign assumptions with a generative, topic-constrained model capable of joint inference of campaign count and technique assignments. The integration of consistency-model acceleration with domain-derived priors from ATT&CK narratives offers a potentially scalable route to more robust provenance and attack-chain reconstruction.

major comments (2)
  1. [Abstract] Abstract: The central claims of improved robustness, separation quality, and zero-shot generalization to DARPA TC-E5 are asserted without any quantitative metrics, error bars, dataset cardinalities, ablation results, or statistical significance tests; this absence prevents assessment of whether the reported gains are load-bearing or merely descriptive.
  2. [Abstract] Abstract (and implied methods): No equations, training procedure, loss formulation, or consistency-model architecture details are supplied, so it is impossible to verify whether the single-step inverse mapping is parameter-free, whether the topic prior is applied as a hard constraint or soft regularizer, or whether any performance advantage reduces to the choice of MITRE-derived topics versus the base consistency model.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their thoughtful review and for highlighting areas where the abstract could better support the claims. We address each major comment below and will revise the abstract accordingly.

Point-by-point responses
  1. Referee: [Abstract] Abstract: The central claims of improved robustness, separation quality, and zero-shot generalization to DARPA TC-E5 are asserted without any quantitative metrics, error bars, dataset cardinalities, ablation results, or statistical significance tests; this absence prevents assessment of whether the reported gains are load-bearing or merely descriptive.

    Authors: We agree the abstract would be strengthened by including key quantitative results. In the revision we will add concise statements of the main metrics (e.g., average F1 improvement, dataset sizes for the DARPA traces, and indication of statistical significance) drawn from the experimental sections, while remaining within length limits.

    Revision: yes

  2. Referee: [Abstract] Abstract (and implied methods): No equations, training procedure, loss formulation, or consistency-model architecture details are supplied, so it is impossible to verify whether the single-step inverse mapping is parameter-free, whether the topic prior is applied as a hard constraint or soft regularizer, or whether any performance advantage reduces to the choice of MITRE-derived topics versus the base consistency model.

    Authors: Abstracts conventionally omit equations and full procedural details; these appear in Section 3 of the manuscript (consistency-model architecture, single-step mapping via consistency distillation, and the topic-guided regularizer term in the training objective). To improve verifiability we will add one sentence to the abstract clarifying that the ATT&CK topic prior is used as a soft regularizer and that ablations in the paper isolate its contribution beyond the base consistency model.

    Revision: partial

Circularity Check

0 steps flagged

No significant circularity detected

Full rationale

The provided abstract and description present TGCM as a generative framework using Consistency Models for single-step inverse mapping from interleaved sequences plus a topic-guided prior from external MITRE ATT&CK narratives. No derivation equations, fitted parameters renamed as predictions, self-citations, or ansatzes are visible in the text. Without access to methods sections containing explicit equations or citations, no load-bearing step can be shown to reduce to its own inputs by construction. The central claims rest on empirical comparisons to 15 baselines and zero-shot generalization, which are externally falsifiable and not self-referential by the given content.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract alone supplies insufficient detail to enumerate free parameters, axioms, or invented entities; no specific modeling choices or background assumptions are stated beyond the high-level use of consistency models and ATT&CK narratives.

pith-pipeline@v0.9.1-grok · 5809 in / 1128 out tokens · 28086 ms · 2026-06-26T20:48:32.371478+00:00



    Xiaobao Wu, Thong Nguyen, Delvin Zhang, William Yang Wang, and Anh Tuan Luu. Fastopic: Pretrained transformer is a fast, adaptive, stable, and transferable topic model.Advances in Neural Information Processing Systems, 37:84447–84481, 2024

  74. [74]

    A novel method for deinterleaving radar signals: First-order difference curve based on sorted toa difference sequence.IET Signal Processing, 17(1):e12162, 2023

    Min Xie, Chuang Zhao, Yongjun Zhao, Dexiu Hu, and Zewen Wang. A novel method for deinterleaving radar signals: First-order difference curve based on sorted toa difference sequence.IET Signal Processing, 17(1):e12162, 2023

  75. [75]

    Conan: A practical real-time apt detection system with high accuracy and efficiency.IEEE Transactions on Dependable and Secure Computing, 19(1):551–565, 2020

    Chunlin Xiong, Tiantian Zhu, Weihao Dong, Linqi Ruan, Runqing Yang, Yueqiang Cheng, Yan Chen, Shuai Cheng, and Xutong Chen. Conan: A practical real-time apt detection system with high accuracy and efficiency.IEEE Transactions on Dependable and Secure Computing, 19(1):551–565, 2020

  76. [76]

    Un- derstanding and improving layer normalization.Advances in neural information processing systems, 32, 2019

    Jingjing Xu, Xu Sun, Zhiyuan Zhang, Guangxiang Zhao, and Junyang Lin. Un- derstanding and improving layer normalization.Advances in neural information processing systems, 32, 2019

  77. [77]

    A flexible approach for cyber threat hunting based on kernel audit records.Cybersecurity, 5(1):11, 2022

    Fengyu Yang, Yanni Han, Ying Ding, Qian Tan, and Zhen Xu. A flexible approach for cyber threat hunting based on kernel audit records.Cybersecurity, 5(1):11, 2022

  78. [78]

    From Observations to Insights: Constructing Effective Cyberat- tack Provenance With ProvCon

    Anis Yusof, Shaofei Li, Arshdeep Singh Kawatra, Ding Li, Ee-Chien Chang, and Zhenkai Liang. From Observations to Insights: Constructing Effective Cyberat- tack Provenance With ProvCon. InWorkshop on SOC Operations and Construction (WOSOC) 2025, 2025

  79. [79]

    LockBit, Hive, and BlackCat attack automotive supplier in triple ransomware attack

    Syed Zaidi, Linda Smith, and Rajat Wason. LockBit, Hive, and BlackCat attack automotive supplier in triple ransomware attack. Sophos News, August 2022

  80. [80]

    Watson: Abstracting behaviors from audit logs via aggregation of contextual semantics

    Jun Zeng, Zheng Leong Chua, Yinfang Chen, Kaihang Ji, Zhenkai Liang, and Jian Mao. Watson: Abstracting behaviors from audit logs via aggregation of contextual semantics. InNDSS, 2021

Showing first 80 references.