{"id":"https://openalex.org/W7123337820","doi":"https://doi.org/10.1109/tifs.2026.3653175","title":"TraceCluster: A Lightweight and Adaptive Clustering-Based Subgraph Attention Network for APT Detection in Provenance Graphs","display_name":"TraceCluster: A Lightweight and Adaptive Clustering-Based Subgraph Attention Network for APT Detection in Provenance Graphs","publication_year":2026,"publication_date":"2026-01-01","ids":{"openalex":"https://openalex.org/W7123337820","doi":"https://doi.org/10.1109/tifs.2026.3653175"},"language":null,"primary_location":{"id":"doi:10.1109/tifs.2026.3653175","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tifs.2026.3653175","pdf_url":null,"source":{"id":"https://openalex.org/S61310614","display_name":"IEEE Transactions on Information Forensics and Security","issn_l":"1556-6013","issn":["1556-6013","1556-6021"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Information Forensics and Security","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5122872428","display_name":"Lijuan Xu","orcid":null},"institutions":[{"id":"https://openalex.org/I152269853","display_name":"Qilu University of Technology","ror":"https://ror.org/04hyzq608","country_code":"CN","type":"education","lineage":["https://openalex.org/I152269853"]},{"id":"https://openalex.org/I4210142748","display_name":"Shandong Academy of Sciences","ror":"https://ror.org/04y8d6y55","country_code":"CN","type":"education","lineage":["https://openalex.org/I4210142748"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Lijuan Xu","raw_affiliation_strings":["Key Laboratory of Computing Power Network and Information Security, Ministry of Education, Shandong Computer Science Center (National Supercomputer Center in Jinan), Qilu University of Technology (Shandong Academy of Sciences), Jinan, China"],"raw_orcid":"https://orcid.org/0000-0003-3386-4756","affiliations":[{"raw_affiliation_string":"Key Laboratory of Computing Power Network and Information Security, Ministry of Education, Shandong Computer Science Center (National Supercomputer Center in Jinan), Qilu University of Technology (Shandong Academy of Sciences), Jinan, China","institution_ids":["https://openalex.org/I152269853","https://openalex.org/I4210142748"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5102665104","display_name":"ZiCheng Zhao","orcid":null},"institutions":[{"id":"https://openalex.org/I152269853","display_name":"Qilu University of Technology","ror":"https://ror.org/04hyzq608","country_code":"CN","type":"education","lineage":["https://openalex.org/I152269853"]},{"id":"https://openalex.org/I4210142748","display_name":"Shandong Academy of Sciences","ror":"https://ror.org/04y8d6y55","country_code":"CN","type":"education","lineage":["https://openalex.org/I4210142748"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Zicheng Zhao","raw_affiliation_strings":["Key Laboratory of Computing Power Network and Information Security, Ministry of Education, Shandong Computer Science Center (National Supercomputer Center in Jinan), Qilu University of Technology (Shandong Academy of Sciences), Jinan, China"],"raw_orcid":"https://orcid.org/0009-0000-0538-8217","affiliations":[{"raw_affiliation_string":"Key Laboratory of Computing Power Network and Information Security, Ministry of Education, Shandong Computer Science Center (National Supercomputer Center in Jinan), Qilu University of Technology (Shandong Academy of Sciences), Jinan, China","institution_ids":["https://openalex.org/I152269853","https://openalex.org/I4210142748"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5122861086","display_name":"Dawei Zhao","orcid":null},"institutions":[{"id":"https://openalex.org/I152269853","display_name":"Qilu University of Technology","ror":"https://ror.org/04hyzq608","country_code":"CN","type":"education","lineage":["https://openalex.org/I152269853"]},{"id":"https://openalex.org/I4210142748","display_name":"Shandong Academy of Sciences","ror":"https://ror.org/04y8d6y55","country_code":"CN","type":"education","lineage":["https://openalex.org/I4210142748"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Dawei Zhao","raw_affiliation_strings":["Key Laboratory of Computing Power Network and Information Security, Ministry of Education, Shandong Computer Science Center (National Supercomputer Center in Jinan), Qilu University of Technology (Shandong Academy of Sciences), Jinan, China"],"raw_orcid":"https://orcid.org/0000-0002-1812-1316","affiliations":[{"raw_affiliation_string":"Key Laboratory of Computing Power Network and Information Security, Ministry of Education, Shandong Computer Science Center (National Supercomputer Center in Jinan), Qilu University of Technology (Shandong Academy of Sciences), Jinan, China","institution_ids":["https://openalex.org/I152269853","https://openalex.org/I4210142748"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Zhen Wang","orcid":"https://orcid.org/0000-0002-8182-2852"},"institutions":[{"id":"https://openalex.org/I17145004","display_name":"Northwestern Polytechnical University","ror":"https://ror.org/01y0j0j86","country_code":"CN","type":"education","lineage":["https://openalex.org/I17145004"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Zhen Wang","raw_affiliation_strings":["School of Artificial Intelligence, Optics and Electronics (iOPEN) and the School of Mechanical Engineering, Northwestern Polytechnical University, Xi&#x2019;an, Shaanxi, China"],"raw_orcid":"https://orcid.org/0000-0002-8182-2852","affiliations":[{"raw_affiliation_string":"School of Artificial Intelligence, Optics and Electronics (iOPEN) and the School of Mechanical Engineering, Northwestern Polytechnical University, Xi&#x2019;an, Shaanxi, China","institution_ids":["https://openalex.org/I17145004"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5052951255","display_name":"Chunpeng Ge","orcid":"https://orcid.org/0000-0002-9274-7325"},"institutions":[{"id":"https://openalex.org/I154099455","display_name":"Shandong University","ror":"https://ror.org/0207yh398","country_code":"CN","type":"education","lineage":["https://openalex.org/I154099455"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Chunpeng Ge","raw_affiliation_strings":["Joint SDU-NTU Centre for Artificial Intelligence Research (C-FAIR) and the School of Software, Shandong University, Jinan, China"],"raw_orcid":"https://orcid.org/0000-0002-9274-7325","affiliations":[{"raw_affiliation_string":"Joint SDU-NTU Centre for Artificial Intelligence Research (C-FAIR) and the School of Software, Shandong University, Jinan, China","institution_ids":["https://openalex.org/I154099455"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5122872428"],"corresponding_institution_ids":["https://openalex.org/I152269853","https://openalex.org/I4210142748"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.08555046,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"21","issue":null,"first_page":"1065","last_page":"1080"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11986","display_name":"Scientific Computing and Data Management","score":0.8075000047683716,"subfield":{"id":"https://openalex.org/subfields/1802","display_name":"Information Systems and Management"},"field":{"id":"https://openalex.org/fields/18","display_name":"Decision Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},"topics":[{"id":"https://openalex.org/T11986","display_name":"Scientific Computing and Data Management","score":0.8075000047683716,"subfield":{"id":"https://openalex.org/subfields/1802","display_name":"Information Systems and Management"},"field":{"id":"https://openalex.org/fields/18","display_name":"Decision Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T11273","display_name":"Advanced Graph Neural Networks","score":0.023099999874830246,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11937","display_name":"Research Data Management Practices","score":0.015599999576807022,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/inference","display_name":"Inference","score":0.597000002861023},{"id":"https://openalex.org/keywords/cluster-analysis","display_name":"Cluster analysis","score":0.5708000063896179},{"id":"https://openalex.org/keywords/anomaly-detection","display_name":"Anomaly detection","score":0.531000018119812},{"id":"https://openalex.org/keywords/partition","display_name":"Partition (number theory)","score":0.4948999881744385},{"id":"https://openalex.org/keywords/graph","display_name":"Graph","score":0.4869000017642975},{"id":"https://openalex.org/keywords/computational-complexity-theory","display_name":"Computational complexity theory","score":0.4334000051021576},{"id":"https://openalex.org/keywords/node","display_name":"Node (physics)","score":0.38119998574256897},{"id":"https://openalex.org/keywords/feature","display_name":"Feature (linguistics)","score":0.35109999775886536}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.857200026512146},{"id":"https://openalex.org/C2776214188","wikidata":"https://www.wikidata.org/wiki/Q408386","display_name":"Inference","level":2,"score":0.597000002861023},{"id":"https://openalex.org/C73555534","wikidata":"https://www.wikidata.org/wiki/Q622825","display_name":"Cluster analysis","level":2,"score":0.5708000063896179},{"id":"https://openalex.org/C739882","wikidata":"https://www.wikidata.org/wiki/Q3560506","display_name":"Anomaly detection","level":2,"score":0.531000018119812},{"id":"https://openalex.org/C42812","wikidata":"https://www.wikidata.org/wiki/Q1082910","display_name":"Partition (number theory)","level":2,"score":0.4948999881744385},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.492900013923645},{"id":"https://openalex.org/C132525143","wikidata":"https://www.wikidata.org/wiki/Q141488","display_name":"Graph","level":2,"score":0.4869000017642975},{"id":"https://openalex.org/C179799912","wikidata":"https://www.wikidata.org/wiki/Q205084","display_name":"Computational complexity theory","level":2,"score":0.4334000051021576},{"id":"https://openalex.org/C80444323","wikidata":"https://www.wikidata.org/wiki/Q2878974","display_name":"Theoretical computer science","level":1,"score":0.38940000534057617},{"id":"https://openalex.org/C62611344","wikidata":"https://www.wikidata.org/wiki/Q1062658","display_name":"Node (physics)","level":2,"score":0.38119998574256897},{"id":"https://openalex.org/C2776401178","wikidata":"https://www.wikidata.org/wiki/Q12050496","display_name":"Feature (linguistics)","level":2,"score":0.35109999775886536},{"id":"https://openalex.org/C75684735","wikidata":"https://www.wikidata.org/wiki/Q858810","display_name":"Big data","level":2,"score":0.33149999380111694},{"id":"https://openalex.org/C48903430","wikidata":"https://www.wikidata.org/wiki/Q491370","display_name":"Graph partition","level":3,"score":0.3188999891281128},{"id":"https://openalex.org/C2993807640","wikidata":"https://www.wikidata.org/wiki/Q103709453","display_name":"Attention network","level":2,"score":0.3140999972820282},{"id":"https://openalex.org/C311688","wikidata":"https://www.wikidata.org/wiki/Q2393193","display_name":"Time complexity","level":2,"score":0.3012000024318695},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.29429998993873596},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.26499998569488525},{"id":"https://openalex.org/C182365436","wikidata":"https://www.wikidata.org/wiki/Q50701","display_name":"Variable (mathematics)","level":2,"score":0.2648000121116638},{"id":"https://openalex.org/C120314980","wikidata":"https://www.wikidata.org/wiki/Q180634","display_name":"Distributed computing","level":1,"score":0.26460000872612},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.2583000063896179},{"id":"https://openalex.org/C14036430","wikidata":"https://www.wikidata.org/wiki/Q3736076","display_name":"Function (biology)","level":2,"score":0.25429999828338623},{"id":"https://openalex.org/C2988416141","wikidata":"https://www.wikidata.org/wiki/Q6031139","display_name":"Information loss","level":2,"score":0.25130000710487366},{"id":"https://openalex.org/C67186912","wikidata":"https://www.wikidata.org/wiki/Q367664","display_name":"Data modeling","level":2,"score":0.2506999969482422}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/tifs.2026.3653175","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tifs.2026.3653175","pdf_url":null,"source":{"id":"https://openalex.org/S61310614","display_name":"IEEE Transactions on Information Forensics and Security","issn_l":"1556-6013","issn":["1556-6013","1556-6021"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Information Forensics and Security","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G1900487944","display_name":null,"funder_award_id":"62572285","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G3260039398","display_name":null,"funder_award_id":"2023YFB3107303","funder_id":"https://openalex.org/F4320335777","funder_display_name":"National Key Research and Development Program of China"},{"id":"https://openalex.org/G3443986154","display_name":null,"funder_award_id":"62172244","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G4746263011","display_name":null,"funder_award_id":"ZR2024MF050","funder_id":"https://openalex.org/F4320324174","funder_display_name":"Natural Science Foundation of Shandong Province"},{"id":"https://openalex.org/G5034201783","display_name":null,"funder_award_id":"2023YFB3107300","funder_id":"https://openalex.org/F4320335777","funder_display_name":"National Key Research and Development Program of China"}],"funders":[{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"},{"id":"https://openalex.org/F4320324174","display_name":"Natural Science Foundation of Shandong Province","ror":null},{"id":"https://openalex.org/F4320335777","display_name":"National Key Research and Development Program of China","ror":null}],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":30,"referenced_works":["https://openalex.org/W2034078727","https://openalex.org/W2116341502","https://openalex.org/W2148143831","https://openalex.org/W2161455936","https://openalex.org/W2284900416","https://openalex.org/W2747669027","https://openalex.org/W2767094836","https://openalex.org/W2875475762","https://openalex.org/W2884561390","https://openalex.org/W2891432086","https://openalex.org/W2944851425","https://openalex.org/W2945827377","https://openalex.org/W2947815220","https://openalex.org/W2962703433","https://openalex.org/W2978956219","https://openalex.org/W2986944522","https://openalex.org/W2993658339","https://openalex.org/W2998038410","https://openalex.org/W3099104041","https://openalex.org/W3137027499","https://openalex.org/W3212868562","https://openalex.org/W4255909290","https://openalex.org/W4288057803","https://openalex.org/W4288079704","https://openalex.org/W4375928927","https://openalex.org/W4388481469","https://openalex.org/W4390277958","https://openalex.org/W4396574997","https://openalex.org/W4402265033","https://openalex.org/W4402288718"],"related_works":[],"abstract_inverted_index":{"Provenance":[0],"graph-based":[1],"anomaly":[2],"detection,":[3,10],"particularly":[4],"for":[5,52],"Advanced":[6],"Persistent":[7],"Threat":[8],"(APT)":[9],"addresses":[11],"the":[12,36,60,75,84,101,122,144,156,159,179],"issues":[13],"of":[14,126,146,173,183,194],"large-scale":[15,69],"graphs":[16],"and":[17,30,45,109,120,148,165],"data":[18],"imbalance.":[19],"However,":[20],"existing":[21],"methods":[22],"struggle":[23],"with":[24],"information":[25],"loss,":[26],"high":[27,123],"computational":[28,124],"complexity,":[29],"low":[31],"detection":[32,54,145,201],"accuracy.":[33],"To":[34],"address":[35],"above":[37],"challenges,":[38],"this":[39],"paper":[40],"proposes":[41],"TraceCluster,":[42],"a":[43],"lightweight":[44],"adaptive":[46,133],"clustering-based":[47],"Subgraph":[48],"Attention":[49],"Network":[50],"(SAN)":[51],"APT":[53,200],"in":[55,171,178,192,198],"provenance":[56],"graph.":[57],"TraceCluster":[58,187],"mitigates":[59],"neighborhood":[61,81],"explosion":[62],"problem":[63],"by":[64],"clustering":[65],"nodes":[66],"to":[67,98,140],"partition":[68],"graphs,":[70],"thus":[71],"reducing":[72],"reliance":[73],"on":[74,155],"global":[76,127],"graph":[77,128],"while":[78],"preserving":[79],"local":[80],"information.":[82],"Furthermore,":[83,177],"method":[85,162],"dynamically":[86],"models":[87],"complex":[88],"inter-node":[89],"dependencies":[90],"within":[91],"subgraphs.":[92],"It":[93],"employs":[94],"an":[95,132],"attention":[96],"mechanism":[97],"adaptively":[99],"highlight":[100],"most":[102],"relevant":[103],"connections.":[104],"This":[105,114],"enhances":[106],"node":[107],"representations":[108],"improves":[110],"overall":[111,195],"feature":[112],"extraction.":[113],"design":[115],"substantially":[116],"reduces":[117],"memory":[118],"consumption":[119],"avoids":[121],"complexity":[125],"processing.":[129],"In":[130],"addition,":[131],"category-weighting":[134],"loss":[135],"function":[136],"assigns":[137],"variable":[138],"weights":[139],"different":[141],"classes,":[142],"improving":[143],"rare":[147],"anomalous":[149],"behaviors.":[150],"Experimental":[151],"results":[152],"show":[153],"that":[154],"OpTC":[157],"dataset,":[158],"currently":[160],"faster":[161],"is":[163],"37-fold":[164],"3-fold":[166],"slower":[167],"than":[168],"our":[169],"approach":[170],"terms":[172,193],"inference":[174],"time":[175],"respectively.":[176],"nine":[180],"real-world":[181],"scenarios":[182],"four":[184],"evaluated":[185],"datasets,":[186],"outperforms":[188],"state-of-the-art":[189],"(SOTA)":[190],"approaches":[191],"performance,":[196],"especially":[197],"node-level":[199],"tasks.":[202]},"counts_by_year":[],"updated_date":"2026-01-29T23:13:10.619473","created_date":"2026-01-14T00:00:00"}