{"record_type":"pith_number_record","schema_url":"https://pith.science/schemas/pith-number/v1.json","pith_number":"pith:2023:CERW5O7FGAWCLVJUSFDDVJ2YAI","short_pith_number":"pith:CERW5O7F","schema_version":"1.0","canonical_sha256":"11236ebbe5302c25d53491463aa7580215e5536df1de1551bd60a41010a304a6","source":{"kind":"arxiv","id":"2308.05034","version":3},"attestation_state":"computed","paper":{"title":"Kairos: Practical Intrusion Detection and Investigation using Whole-system Provenance","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"","cross_cats":["cs.LG"],"primary_cat":"cs.CR","authors_text":"Degang Sun, Jinyuan Liang, Qiujian Lv, Thomas Pasquier, Xueyuan Han, Yan Wang, Zijun Cheng","submitted_at":"2023-08-09T16:04:55Z","abstract_excerpt":"Provenance graphs are structured audit logs that describe the history of a system's execution. Recent studies have explored a variety of techniques to analyze provenance graphs for automated host intrusion detection, focusing particularly on advanced persistent threats. Sifting through their design documents, we identify four common dimensions that drive the development of provenance-based intrusion detection systems (PIDSes): scope (can PIDSes detect modern attacks that infiltrate across application boundaries?), attack agnosticity (can PIDSes detect novel attacks without a priori knowledge o"},"verification_status":{"content_addressed":true,"pith_receipt":true,"author_attested":false,"weak_author_claims":0,"strong_author_claims":0,"externally_anchored":false,"storage_verified":false,"citation_signatures":0,"replication_records":0,"graph_snapshot":true,"references_resolved":false,"formal_links_present":false},"canonical_record":{"source":{"id":"2308.05034","kind":"arxiv","version":3},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2023-08-09T16:04:55Z","cross_cats_sorted":["cs.LG"],"title_canon_sha256":"7a357825f2ad0a9fb2ec6816b65cb54be8a9ade91540b1e54b00058ebf6f4b79","abstract_canon_sha256":"e40d1349dffa8deecd89b47fa0626c09839a788da0834385c2f0e7ebfa1c8848"},"schema_version":"1.0"},"receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-07-05T06:55:05.315043Z","signature_b64":"07e8ZBIGaHZtKQNdxXW/ElyIId3WNhxFfm2EzW37cteSKGzH87SBtUeVLf+wGdc7yQUIzRVF1aWreqfi94reAg==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"11236ebbe5302c25d53491463aa7580215e5536df1de1551bd60a41010a304a6","last_reissued_at":"2026-07-05T06:55:05.314510Z","signature_status":"signed_v1","first_computed_at":"2026-07-05T06:55:05.314510Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"graph_snapshot":{"paper":{"title":"Kairos: Practical Intrusion Detection and Investigation using Whole-system Provenance","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"","cross_cats":["cs.LG"],"primary_cat":"cs.CR","authors_text":"Degang Sun, Jinyuan Liang, Qiujian Lv, Thomas Pasquier, Xueyuan Han, Yan Wang, Zijun Cheng","submitted_at":"2023-08-09T16:04:55Z","abstract_excerpt":"Provenance graphs are structured audit logs that describe the history of a system's execution. Recent studies have explored a variety of techniques to analyze provenance graphs for automated host intrusion detection, focusing particularly on advanced persistent threats. Sifting through their design documents, we identify four common dimensions that drive the development of provenance-based intrusion detection systems (PIDSes): scope (can PIDSes detect modern attacks that infiltrate across application boundaries?), attack agnosticity (can PIDSes detect novel attacks without a priori knowledge o"},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2308.05034","kind":"arxiv","version":3},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2308.05034/integrity.json","findings":[],"available":true,"detectors_run":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938"},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"aliases":[{"alias_kind":"arxiv","alias_value":"2308.05034","created_at":"2026-07-05T06:55:05.314583+00:00"},{"alias_kind":"arxiv_version","alias_value":"2308.05034v3","created_at":"2026-07-05T06:55:05.314583+00:00"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2308.05034","created_at":"2026-07-05T06:55:05.314583+00:00"},{"alias_kind":"pith_short_12","alias_value":"CERW5O7FGAWC","created_at":"2026-07-05T06:55:05.314583+00:00"},{"alias_kind":"pith_short_16","alias_value":"CERW5O7FGAWCLVJU","created_at":"2026-07-05T06:55:05.314583+00:00"},{"alias_kind":"pith_short_8","alias_value":"CERW5O7F","created_at":"2026-07-05T06:55:05.314583+00:00"}],"events":[],"event_summary":{},"paper_claims":[],"inbound_citations":{"count":2,"internal_anchor_count":0,"sample":[{"citing_arxiv_id":"2605.21773","citing_title":"HIDBench: Benchmarking Large Language Models for Host-Based Intrusion Detection","ref_index":26,"is_internal_anchor":false},{"citing_arxiv_id":"2604.06762","citing_title":"ARuleCon: Agentic Security Rule Conversion","ref_index":7,"is_internal_anchor":false}]},"formal_canon":{"evidence_count":0,"sample":[],"anchors":[]},"links":{"html":"https://pith.science/pith/CERW5O7FGAWCLVJUSFDDVJ2YAI","json":"https://pith.science/pith/CERW5O7FGAWCLVJUSFDDVJ2YAI.json","graph_json":"https://pith.science/api/pith-number/CERW5O7FGAWCLVJUSFDDVJ2YAI/graph.json","events_json":"https://pith.science/api/pith-number/CERW5O7FGAWCLVJUSFDDVJ2YAI/events.json","paper":"https://pith.science/paper/CERW5O7F"},"agent_actions":{"view_html":"https://pith.science/pith/CERW5O7FGAWCLVJUSFDDVJ2YAI","download_json":"https://pith.science/pith/CERW5O7FGAWCLVJUSFDDVJ2YAI.json","view_paper":"https://pith.science/paper/CERW5O7F","resolve_alias":"https://pith.science/api/pith-number/resolve?arxiv=2308.05034&json=true","fetch_graph":"https://pith.science/api/pith-number/CERW5O7FGAWCLVJUSFDDVJ2YAI/graph.json","fetch_events":"https://pith.science/api/pith-number/CERW5O7FGAWCLVJUSFDDVJ2YAI/events.json","actions":{"anchor_timestamp":"https://pith.science/pith/CERW5O7FGAWCLVJUSFDDVJ2YAI/action/timestamp_anchor","attest_storage":"https://pith.science/pith/CERW5O7FGAWCLVJUSFDDVJ2YAI/action/storage_attestation","attest_author":"https://pith.science/pith/CERW5O7FGAWCLVJUSFDDVJ2YAI/action/author_attestation","sign_citation":"https://pith.science/pith/CERW5O7FGAWCLVJUSFDDVJ2YAI/action/citation_signature","submit_replication":"https://pith.science/pith/CERW5O7FGAWCLVJUSFDDVJ2YAI/action/replication_record"}},"created_at":"2026-07-05T06:55:05.314583+00:00","updated_at":"2026-07-05T06:55:05.314583+00:00"}