I. Introduction
Cyber attacks on enterprises and organizations have been on the rise in recent years. To defend against these attacks, enterprises and organizations have deployed endpoint monitoring systems on their hosts. System audit logs are a critical data source for endpoint monitoring systems that track operating system activities [1]. The system audit logging process runs in the privileged mode of the operating system [1], making it difficult for attackers to manipulate or evade. Moreover, any application, benign or malicious, inevitably interacts with the operating system in order to function, and these interactions are captured by system audit logs. In general, system audit logs provide a secure and comprehensive perspective for analyzing user behavior and are widely used in forensic investigation and behavior identification [2]–[5].