{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,5,24]],"date-time":"2025-05-24T08:05:44Z","timestamp":1748073944232,"version":"3.40.3"},"publisher-location":"Cham","reference-count":47,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783030657253"},{"type":"electronic","value":"9783030657260"}],"license":[{"start":{"date-parts":[[2020,1,1]],"date-time":"2020-01-01T00:00:00Z","timestamp":1577836800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2020,1,1]],"date-time":"2020-01-01T00:00:00Z","timestamp":1577836800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2020]]},"DOI":"10.1007\/978-3-030-65726-0_4","type":"book-chapter","created":{"date-parts":[[2020,12,22]],"date-time":"2020-12-22T15:03:34Z","timestamp":1608649414000},"page":"32-42","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":4,"title":["Analysis of IDS Alert Correlation Techniques for Attacker Group Recognition in Distributed Systems"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-8567-5469","authenticated-orcid":false,"given":"Artem","family":"Pavlov","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9435-9580","authenticated-orcid":false,"given":"Natalia","family":"Voloshina","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2020,12,22]]},"reference":[{"key":"4_CR1","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"183","DOI":"10.1007\/978-3-319-03584-0_14","volume-title":"Cyberspace Safety and Security","author":"SA Mirheidari","year":"2013","unstructured":"Mirheidari, S.A., Arshad, S., Jalili, R.: Alert correlation algorithms: a survey and taxonomy. In: Wang, G., Ray, I., Feng, D., Rajarajan, M. (eds.) CSS 2013. LNCS, vol. 8300, pp. 183\u2013197. Springer, Cham (2013). https:\/\/doi.org\/10.1007\/978-3-319-03584-0_14"},{"key":"4_CR2","series-title":"IFIP \u2013 The International Federation for Information Processing","doi-asserted-by":"publisher","first-page":"253","DOI":"10.1007\/978-0-387-09699-5_17","volume-title":"Proceedings of The Ifip Tc 11 23rdInternational Information Security Conference","author":"GC Tjhai","year":"2008","unstructured":"Tjhai, G.C., Papadaki, M., Furnell, S.M., Clarke, N.L.: Investigating the problem of IDS false alarms: an experimental study using Snort. In: Jajodia, S., Samarati, P., Cimato, S. (eds.) SEC 2008. ITIFIP, vol. 278, pp. 253\u2013267. Springer, Boston, MA (2008). https:\/\/doi.org\/10.1007\/978-0-387-09699-5_17"},{"key":"4_CR3","unstructured":"International Cyber Benchmarks IndexTM, January 2020. https:\/\/www.niscicb.com\/"},{"key":"4_CR4","unstructured":"The Numbers Game: How Many Alerts are too Many to Handle? https:\/\/www.fireeye.com\/offers\/rpt-idc-the-numbers-game.html"},{"key":"4_CR5","unstructured":"Xu, D.: Correlation analysis of intrusion alerts. Ph.D. Thesis, North Carolina State University, North Carolina, USA (2006)"},{"key":"4_CR6","unstructured":"International Cyber Benchmarks IndexTM, May 2020. https:\/\/www.niscicb.com\/"},{"key":"4_CR7","doi-asserted-by":"crossref","unstructured":"Hus\u00e1k, M., Kaspar, J.: AIDA framework: real-time correlation and prediction of intrusion detection alerts. In: Proceedings of the 14th International Conference on Availability, Reliability and Security (ARES 2019), New York, NY, USA, pp. 1\u20138. Association for Computing Machinery (2019). Article 81","DOI":"10.1145\/3339252.3340513"},{"issue":"3","key":"4_CR8","doi-asserted-by":"publisher","first-page":"146","DOI":"10.1109\/TDSC.2004.21","volume":"1","author":"F Valeur","year":"2004","unstructured":"Valeur, F., Vigna, G., Kruegel, C., Kemmerer, R.: Comprehensive approach to intrusion detection alert correlation. IEEE Trans. Depend. Secure Comput. 1(3), 146\u2013169 (2004)","journal-title":"IEEE Trans. Depend. Secure Comput."},{"key":"4_CR9","doi-asserted-by":"crossref","unstructured":"Sadoddin, R., Ghorbani, A.: Alert correlation survey: framework and techniques. In: Proceedings of ACM International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services (2006)","DOI":"10.1145\/1501434.1501479"},{"key":"4_CR10","doi-asserted-by":"crossref","unstructured":"Xuena, P., Hong, Z.: A framework of attacker centric cyber attack behavior analysis. In: IEEE International Conference on Communications, Glasgow, 2007, pp. 1449\u20131454 (2007)","DOI":"10.1109\/ICACT.2007.358789"},{"key":"4_CR11","doi-asserted-by":"crossref","unstructured":"Xuena, P., Hong, Z.: An \u201cattacker centric\u201d cyber attack behavior analysis technique. In: The 9th International Conference on Advanced Communication Technology, Okamoto, Kobe, 2007, pp. 2113\u20132117 (2007)","DOI":"10.1109\/ICACT.2007.358789"},{"key":"4_CR12","unstructured":"Burroughs, D., Wilson, L., Cybenko, G.: Analysis of distributed intrusion detection systems using bayesian methods. In: 2002 Conference Proceedings of the IEEE International Performance, Computing, and Communications Conference, Phoenix, AZ, USA, pp. 329\u2013334 (2002)"},{"key":"4_CR13","unstructured":"Pouget, F., Dacier, M.: Alert Correlation: Review of the state of the art. EURECOM, Technical report (2003)"},{"key":"4_CR14","unstructured":"Siraj, M.: Survey and comparative analysis of alert correlation systems in information security. In: The 3rd Brunei International Conference on Engineering and Technology 2008 (BICET 2008) (2008)"},{"key":"4_CR15","first-page":"226","volume":"5","author":"J Chahira","year":"2016","unstructured":"Chahira, J., Kiruki, J., Kemei, P.: A review of intrusion alerts correlation frameworks. Int. J. Comput. Appl. Technol. Res. 5, 226\u2013233 (2016)","journal-title":"Int. J. Comput. Appl. Technol. Res."},{"issue":"1","key":"4_CR16","doi-asserted-by":"publisher","first-page":"226","DOI":"10.1016\/j.cose.2009.06.008","volume":"29","author":"C Zhou","year":"2010","unstructured":"Zhou, C., Leckie, C., Karunasekera, S.: A survey of coordinated attacks and collaborative intrusion detection. Comput. Secur. 29(1), 226\u2013233 (2010)","journal-title":"Comput. Secur."},{"key":"4_CR17","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"54","DOI":"10.1007\/3-540-45474-8_4","volume-title":"Recent Advances in Intrusion Detection","author":"A Valdes","year":"2001","unstructured":"Valdes, A., Skinner, K.: Probabilistic Alert Correlation. In: Lee, W., M\u00e9, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 54\u201368. Springer, Heidelberg (2001). https:\/\/doi.org\/10.1007\/3-540-45474-8_4"},{"key":"4_CR18","unstructured":"Porras, P., Neumann, P.: Emerald: event monitoring enabling responses to anomalous live disturbances. In: Proceedings of the 20th National Information Systems Security Conference, pp. 353\u2013365 (1997)"},{"key":"4_CR19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"85","DOI":"10.1007\/3-540-45474-8_6","volume-title":"Recent Advances in Intrusion Detection","author":"H Debar","year":"2001","unstructured":"Debar, H., Wespi, A.: Aggregation and correlation of intrusion-detection alerts. In: Lee, W., M\u00e9, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 85\u2013103. Springer, Heidelberg (2001). https:\/\/doi.org\/10.1007\/3-540-45474-8_6"},{"key":"4_CR20","unstructured":"Cuppens, F.: Managing alerts in a multi-intrusion detection environment. In: Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC 2001), New Orleans, LA, USA, pp. 22\u201331 (2001)"},{"key":"4_CR21","doi-asserted-by":"crossref","unstructured":"Julisch, K.: Clustering intrusion detection alarms to support root cause analysis. ACM Trans. Inf. Syst. Secur. 6(4), 443\u2013471 (2003)","DOI":"10.1145\/950191.950192"},{"issue":"4","key":"4_CR22","first-page":"40","volume":"58","author":"H Al-Saedi","year":"2012","unstructured":"Al-Saedi, H., Ramadass, S., Almomani, A., Manickam, S.: Collection mechanism and reduction of IDS alert. Int. J. Comput. Appl. 58(4), 40\u201348 (2012)","journal-title":"Int. J. Comput. Appl."},{"issue":"4","key":"4_CR23","doi-asserted-by":"publisher","first-page":"300","DOI":"10.1016\/j.inffus.2009.01.004","volume":"10","author":"F Maggi","year":"2009","unstructured":"Maggi, F., Matteucci, M., Zanero, S.: Reducing false positives in anomaly detectors through fuzzy alert aggregation. Inf. Fus. 10(4), 300\u2013311 (2009)","journal-title":"Inf. Fus."},{"key":"4_CR24","doi-asserted-by":"crossref","unstructured":"Viinikka, J., Debar, H., M\u00e9, L., S\u00e9guier, R.: Time series modeling for IDS alert management. In: ASIACCS 2006: Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security, New York, NY, USA, pp. 102\u2013113. ACM Press (2006)","DOI":"10.1145\/1128817.1128835"},{"key":"4_CR25","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"73","DOI":"10.1007\/978-3-540-45248-5_5","volume-title":"Recent Advances in Intrusion Detection","author":"X Qin","year":"2003","unstructured":"Qin, X., Lee, W.: Statistical causality analysis of INFOSEC alert data. In: Vigna, G., Kruegel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 73\u201393. Springer, Heidelberg (2003). https:\/\/doi.org\/10.1007\/978-3-540-45248-5_5"},{"key":"4_CR26","doi-asserted-by":"crossref","unstructured":"Hassan, W.U., et al.: NoDoze: combatting threat alert fatigue with automated provenance triage. In: Network and Distributed Systems Security (NDSS) Symposium (2019)","DOI":"10.14722\/ndss.2019.23349"},{"key":"4_CR27","unstructured":"Gula, R.: Correlating IDS alerts with vulnerability information. Technical Report. Tenable Network Security, p. 10 (2002)"},{"key":"4_CR28","unstructured":"Desai, N.: IDS Correlation of VA Data and IDS Alerts. Security Focus (2003)"},{"key":"4_CR29","unstructured":"Real-Time Network Awareness white paper. Sourcefire (2003)"},{"key":"4_CR30","doi-asserted-by":"crossref","unstructured":"Kruegel, C., Robertson, W.: Alert verification: determining the success of intrusion attempts. In: Proceedings of the Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA) (2004)","DOI":"10.1515\/PIKO.2004.219"},{"key":"4_CR31","doi-asserted-by":"crossref","unstructured":"Porras, P., Fong, M., Valdes, A.: A mission-impact-based approach to INFOSEC alarm correlation. In: Proceedings of Recent Advances in Intrusion Detection (RAID), pp. 95\u2013114 (2002)","DOI":"10.1007\/3-540-36084-0_6"},{"key":"4_CR32","doi-asserted-by":"crossref","unstructured":"Dain, O., Cunningham, R.: Building scenarios from a heterogeneous alert stream. In: Proceedings of IEEE Workshop on Information Assurance and Security (2001)","DOI":"10.1007\/978-1-4615-0953-0_5"},{"key":"4_CR33","unstructured":"Dain, O., Cunningham, R.: Fusing a heterogeneous alert stream into scenarios. In: Proceedings of ACM Workshop on Data Mining for Security Applications, vol. 6, pp. 1\u201313 (2001)"},{"key":"4_CR34","doi-asserted-by":"crossref","unstructured":"Julisch, K., Dacier, M.: Mining intrusion detection alarms for actionable knowledge. In: Proceedings of SIGKDD 2002, The 8th International Conference on Knowledge Discovery and Data Mining, Edmonton, Alberta, Canada, pp. 366\u2013375. ACM Press (2002)","DOI":"10.1145\/775047.775101"},{"key":"4_CR35","doi-asserted-by":"crossref","unstructured":"Zanero, S., Savaresi, S.: Unsupervised learning techniques for an intrusion detection system. In: Proceedings of the 2004 ACM Symposium on Applied Computing, Nicosia, Cyprus, pp. 412\u2013419. ACM (2004)","DOI":"10.1145\/967900.967988"},{"key":"4_CR36","series-title":"Lecture Notes in Computer Science (Lecture Notes in Artificial Intelligence)","doi-asserted-by":"publisher","first-page":"308","DOI":"10.1007\/978-3-540-68825-9_29","volume-title":"Advances in Artificial Intelligence","author":"R Smith","year":"2008","unstructured":"Smith, R., Japkowicz, N., Dondo, M., Mason, P.: Using unsupervised learning for network alert correlation. In: Bergler, S. (ed.) AI 2008. LNCS (LNAI), vol. 5032, pp. 308\u2013319. Springer, Heidelberg (2008). https:\/\/doi.org\/10.1007\/978-3-540-68825-9_29"},{"key":"4_CR37","doi-asserted-by":"crossref","unstructured":"Aminanto, M.E., Zhu, L., Ban, T., Isawa, R., Takahashi, T., Inoue, D.: Automated threat-alert screening for battling alert fatigue with temporal isolation forest. In: 17th International Conference on Privacy, Security and Trust (PST), pp. 1\u20133 (2019)","DOI":"10.1109\/PST47121.2019.8949029"},{"key":"4_CR38","unstructured":"Cuppens. F., Miege, A.: Alert correlation in a cooperative intrusion detection framework. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy (SP), pp. 202\u2013215 (2002)"},{"key":"4_CR39","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"197","DOI":"10.1007\/3-540-39945-3_13","volume-title":"Recent Advances in Intrusion Detection","author":"F Cuppens","year":"2000","unstructured":"Cuppens, F., Ortalo, R.: LAMBDA: a language to model a database for detection of attacks. In: Debar, H., M\u00e9, L., Wu, S.F. (eds.) RAID 2000. LNCS, vol. 1907, pp. 197\u2013216. Springer, Heidelberg (2000). https:\/\/doi.org\/10.1007\/3-540-39945-3_13"},{"issue":"1\u20132","key":"4_CR40","doi-asserted-by":"publisher","first-page":"71","DOI":"10.3233\/JCS-2002-101-204","volume":"10","author":"S Eckmann","year":"2002","unstructured":"Eckmann, S., Vigna, G., Kemmerer, R.: STATL: an attack language for state-based intrusion detection. J. Comput. Secur. 10(1\u20132), 71\u2013103 (2002)","journal-title":"J. Comput. Secur."},{"key":"4_CR41","doi-asserted-by":"crossref","unstructured":"Totel, E., Vivinis, B., M\u00e9, L.: A language-driven IDS for event and alert correlation. InSEC, pp. 209\u2013224 (2004)","DOI":"10.1007\/1-4020-8143-X_14"},{"key":"4_CR42","unstructured":"Cheung, S., Lindqvist, U., Fong, M.: Modeling multistep cyberattacks for scenario recognition. In: Proceedings of the Third DARPA Information Survivability Conference and Exposition (DISCEX), pp. 284\u2013292 (2003)"},{"key":"4_CR43","doi-asserted-by":"crossref","unstructured":"Templeton, S., Levitt, K.: A requires\/provides model for computer attacks. In: Proceedings of the Workshop on New Security Paradigms, pp. 31\u201338 (2001)","DOI":"10.1145\/366173.366187"},{"key":"4_CR44","doi-asserted-by":"crossref","unstructured":"Ning, P., Cui, Y., Reeves, D.: Constructing Attack Scenarios through Correlation of Intrusion Alerts. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 245\u2013254 (2002)","DOI":"10.1145\/586110.586144"},{"issue":"2","key":"4_CR45","doi-asserted-by":"publisher","first-page":"274","DOI":"10.1145\/996943.996947","volume":"7","author":"P Ning","year":"2004","unstructured":"Ning, P., Cui, Y., Reeves, D., Xu, D.: Techniques and tools for analyzing intrusion alerts. ACM Trans. Inf. Syst. Secur. (TISSEC) 7(2), 274\u2013318 (2004)","journal-title":"ACM Trans. Inf. Syst. Secur. (TISSEC)"},{"key":"4_CR46","doi-asserted-by":"crossref","unstructured":"Ning, P., Xu, D.: Learning attack strategies from intrusion alerts. In: Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS), pp. 200\u2013209 (2003)","DOI":"10.1145\/948109.948137"},{"key":"4_CR47","doi-asserted-by":"crossref","unstructured":"Ning, P., Cui, Y., Reeves, D.: Analyzing intensive intrusion alerts via correlation. In: Recent Advances in Intrusion Detection (RAID), pp. 74\u201394 (2002)","DOI":"10.1007\/3-540-36084-0_5"}],"container-title":["Lecture Notes in Computer Science","Internet of Things, Smart Spaces, and Next Generation Networks and Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-030-65726-0_4","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,3,7]],"date-time":"2024-03-07T17:55:27Z","timestamp":1709834127000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-030-65726-0_4"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020]]},"ISBN":["9783030657253","9783030657260"],"references-count":47,"URL":"https:\/\/doi.org\/10.1007\/978-3-030-65726-0_4","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2020]]},"assertion":[{"value":"22 December 2020","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"ruSMART","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Conference on Internet of Things and Smart Spaces","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"St. Petersburg","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Russia","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2020","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"26 August 2020","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"28 August 2020","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"13","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"rusmart2020","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"http:\/\/www.new2an.org\/#\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Single-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"EDAS","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"225","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"5","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"0","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"2% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"4,6","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"No","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"The conference was held virtually due to the COVID-19 pandemic.","order":10,"name":"additional_info_on_review_process","label":"Additional Info on Review Process","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}