{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,3,28]],"date-time":"2025-03-28T04:33:08Z","timestamp":1743136388451,"version":"3.40.3"},"publisher-location":"Cham","reference-count":54,"publisher":"Springer Nature Switzerland","isbn-type":[{"type":"print","value":"9783031236891"},{"type":"electronic","value":"9783031236907"}],"license":[{"start":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T00:00:00Z","timestamp":1640995200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T00:00:00Z","timestamp":1640995200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2022]]},"DOI":"10.1007\/978-3-031-23690-7_1","type":"book-chapter","created":{"date-parts":[[2022,12,10]],"date-time":"2022-12-10T05:02:50Z","timestamp":1670648570000},"page":"1-22","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["Ostinato: Cross-host Attack Correlation Through Attack Activity Similarity Detection"],"prefix":"10.1007","author":[{"given":"Sutanu Kumar","family":"Ghosh","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Kiavash","family":"Satvat","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Rigel","family":"Gjomemo","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"V. N.","family":"Venkatakrishnan","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2022,12,11]]},"reference":[{"unstructured":"2021: Year in review. https:\/\/thedfirreport.com\/2022\/03\/07\/2021-year-in-review\/","key":"1_CR1"},{"unstructured":"Adversarial tactics, techniques and common knowledge. https:\/\/attack.mitre.org\/","key":"1_CR2"},{"unstructured":"Apt cybercriminal campagin collections. https:\/\/bit.ly\/364iN8U","key":"1_CR3"},{"unstructured":"Detecting lateral movement with windows event logs. https:\/\/bit.ly\/3hQyF1D","key":"1_CR4"},{"unstructured":"Mandiant (2013). https:\/\/bit.ly\/3MA0N7b","key":"1_CR5"},{"unstructured":"Alert fatigue: 31.9% anaysts ignore alerts. https:\/\/bit.ly\/3MyE9fA (2017)","key":"1_CR6"},{"unstructured":"Automated incident response (2017). https:\/\/bit.ly\/3hPm3Ia","key":"1_CR7"},{"unstructured":"New research from advanced threat analytics finds MSSP incident responders overwhelmed by false-positive security alerts (2018). https:\/\/prn.to\/37hqsS9","key":"1_CR8"},{"unstructured":"Destructive attack \u201cdustman\u201d (2019). https:\/\/bit.ly\/3tHX7YC","key":"1_CR9"},{"unstructured":"Dramatic reductions in alert fatigue with crowdscore (2019). https:\/\/bit.ly\/3IZD9is","key":"1_CR10"},{"unstructured":"Tc engagement-5 (2019). https:\/\/github.com\/darpa-i2o\/Transparent-Computing","key":"1_CR11"},{"unstructured":"Optc dataset (2020). https:\/\/github.com\/FiveDirections\/OpTC-data","key":"1_CR12"},{"unstructured":"Groups (2021). https:\/\/attack.mitre.org\/groups\/","key":"1_CR13"},{"unstructured":"Lateral movement (2021). https:\/\/bit.ly\/3t63ru1","key":"1_CR14"},{"unstructured":"Lateral tool transfer (2021). https:\/\/attack.mitre.org\/techniques\/T1570\/","key":"1_CR15"},{"unstructured":"What makes lateral movement so hard to detect? (2021). https:\/\/bit.ly\/3hUl0qg","key":"1_CR16"},{"unstructured":"Antonakakis, M., et al.: From throw-away traffic to bots: detecting the rise of DGA-based malware. In: 21st $$\\{$$USENIX$$\\}$$ Security Symposium ($$\\{$$USENIX$$\\}$$) (2012)","key":"1_CR17"},{"doi-asserted-by":"crossref","unstructured":"Bai, Y., Ding, H., Bian, S., Chen, T., Sun, Y., Wang, W.: SimGNN: a neural network approach to fast graph similarity computation. In: Proceedings of the Twelfth ACM International Conference on Web Search and Data Mining, pp. 384\u2013392 (2019)","key":"1_CR18","DOI":"10.1145\/3289600.3290967"},{"doi-asserted-by":"crossref","unstructured":"Bilge, L., Balzarotti, D., Robertson, W., Kirda, E., Kruegel, C.: Disclosure: detecting botnet command and control servers through large-scale netflow analysis. In: Proceedings of the 28th Annual Computer Security Applications Conference (2012)","key":"1_CR19","DOI":"10.1145\/2420950.2420969"},{"unstructured":"Bowman, B., Laprade, C., Ji, Y., Huang, H.H.: Detecting lateral movement in enterprise computer networks with unsupervised graph $$\\{$$AI$$\\}$$. In: 23rd International Symposium on Research in Attacks, Intrusions and Defenses. RAID (2020)","key":"1_CR20"},{"issue":"3","key":"1_CR21","doi-asserted-by":"publisher","first-page":"630","DOI":"10.1006\/jcss.1999.1690","volume":"60","author":"AZ Broder","year":"2000","unstructured":"Broder, A.Z., Charikar, M., Frieze, A.M., Mitzenmacher, M.: Min-wise independent permutations. J. Comput. Syst. Sci. 60(3), 630\u2013659 (2000)","journal-title":"J. Comput. Syst. Sci."},{"unstructured":"Cuppens, F., Miege, A.: Alert correlation in a cooperative intrusion detection framework. In: Proceedings 2002 IEEE Symposium on Security and Privacy (2002)","key":"1_CR22"},{"issue":"7","key":"1_CR23","doi-asserted-by":"publisher","DOI":"10.1371\/journal.pone.0159161","volume":"11","author":"S Emmons","year":"2016","unstructured":"Emmons, S., Kobourov, S., Gallant, M., B\u00f6rner, K.: Analysis of network clustering algorithms and cluster quality metrics at scale. PLoS One 11(7), e0159161 (2016)","journal-title":"PLoS One"},{"doi-asserted-by":"crossref","unstructured":"Gallagher, B.: Matching structure and semantics: a survey on graph-based pattern matching. In: AAAI Fall Symposium: Capturing and Using Patterns for Evidence Detection, pp. 45\u201353 (2006)","key":"1_CR24","DOI":"10.2172\/895418"},{"doi-asserted-by":"crossref","unstructured":"Hajizadeh, M., Phan, T.V., Bauschert, T.: Probability analysis of successful cyber attacks in SDN-based networks. In: 2018 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), pp. 1\u20136. IEEE (2018)","key":"1_CR25","DOI":"10.1109\/NFV-SDN.2018.8725664"},{"doi-asserted-by":"crossref","unstructured":"Hassan, W.U., Bates, A., Marino, D.: Tactical provenance analysis for endpoint detection and response systems. In: 2020 IEEE Symposium on Security and Privacy (2020)","key":"1_CR26","DOI":"10.1109\/SP40000.2020.00096"},{"doi-asserted-by":"crossref","unstructured":"Hassan, W.U., et al.: NoDoze: combatting threat alert fatigue with automated provenance triage. In: Network and Distributed Systems Security Symposium (2019)","key":"1_CR27","DOI":"10.14722\/ndss.2019.23349"},{"doi-asserted-by":"crossref","unstructured":"Hossain, M.N., Sheikhi, S., Sekar, R.: Combating dependence explosion in forensic analysis using alternative tag propagation semantics. In: 2020 IEEE Symposium on Security and Privacy (SP), pp. 1139\u20131155. IEEE (2020)","key":"1_CR28","DOI":"10.1109\/SP40000.2020.00064"},{"doi-asserted-by":"crossref","unstructured":"Jeh, G., Widom, J.: Simrank: A measure of structural-context similarity. In: Proceedings of the Eighth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 538\u2013543 (2002). https:\/\/bit.ly\/3HXbqgQ","key":"1_CR29","DOI":"10.1145\/775047.775126"},{"unstructured":"Ji, Y., et al.: Enabling refinable cross-host attack investigation with efficient data flow tagging and tracking. In: 27th $$\\{$$USENIX$$\\}$$ Security Symposium ($$\\{$$USENIX$$\\}$$ Security 18) (2018)","key":"1_CR30"},{"key":"1_CR31","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"137","DOI":"10.1007\/BFb0026683","volume-title":"Machine Learning: ECML-98","author":"T Joachims","year":"1998","unstructured":"Joachims, T.: Text categorization with support vector machines: learning with many relevant features. In: N\u00e9dellec, C., Rouveirol, C. (eds.) ECML 1998. LNCS, vol. 1398, pp. 137\u2013142. Springer, Heidelberg (1998). https:\/\/doi.org\/10.1007\/BFb0026683"},{"unstructured":"Joachims, T.: A probabilistic analysis of the Rocchio algorithm with TFIDF for text categorization. Technical report, Carnegie-Mellon Univ., Pittsburgh, PA, Dept. of CS (1996)","key":"1_CR32"},{"doi-asserted-by":"crossref","unstructured":"Ketchen, D.J., Shook, C.L.: The application of cluster analysis in strategic management research: an analysis and critique. Strateg. Manag. J. 17, 441\u2013458 (1996)","key":"1_CR33","DOI":"10.1002\/(SICI)1097-0266(199606)17:6<441::AID-SMJ819>3.0.CO;2-G"},{"unstructured":"King, D.: Spotting the signs of lateral movement (2018). https:\/\/splk.it\/3vTiQ2C","key":"1_CR34"},{"doi-asserted-by":"crossref","unstructured":"King, S.T., Chen, P.M.: Backtracking intrusions. In: SOSP. ACM (2003)","key":"1_CR35","DOI":"10.1145\/945445.945467"},{"doi-asserted-by":"crossref","unstructured":"Koutra, D., Vogelstein, J.T., Faloutsos, C.: DeltaCon: a principled massive-graph similarity function. In: Proceedings of the 2013 SIAM International Conference on Data Mining. SIAM (2013)","key":"1_CR36","DOI":"10.1137\/1.9781611972832.18"},{"doi-asserted-by":"crossref","unstructured":"Krishnan, S., Snow, K.Z., Monrose, F.: Trail of bytes: efficient support for forensic analysis. In: Proceedings of the 17th ACM CCS, pp. 50\u201360 (2010)","key":"1_CR37","DOI":"10.1145\/1866307.1866314"},{"doi-asserted-by":"publisher","unstructured":"Kruegel, C., Valeur, F., Vigna, G.: Intrusion Detection and Correlation: Challenges and Solutions, vol. 14. Springer, New York (2004). https:\/\/doi.org\/10.1007\/b101493","key":"1_CR38","DOI":"10.1007\/b101493"},{"doi-asserted-by":"crossref","unstructured":"Lee, K.H., Zhang, X., Xu, D.: LogGC: garbage collecting audit log. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security (2013)","key":"1_CR39","DOI":"10.1145\/2508859.2516731"},{"issue":"4","key":"1_CR40","doi-asserted-by":"publisher","first-page":"211","DOI":"10.1023\/B:BTTJ.0000047600.45421.6d","volume":"22","author":"H Liu","year":"2004","unstructured":"Liu, H., Singh, P.: ConceptNet-a practical commonsense reasoning tool-kit. BT Technol. J. 22(4), 211\u2013226 (2004)","journal-title":"BT Technol. J."},{"doi-asserted-by":"crossref","unstructured":"Liu, Y., et al.: Towards a timely causality analysis for enterprise security. In: NDSS (2018)","key":"1_CR41","DOI":"10.14722\/ndss.2018.23254"},{"key":"1_CR42","doi-asserted-by":"publisher","first-page":"94","DOI":"10.1016\/j.jsc.2013.09.003","volume":"60","author":"BD McKay","year":"2014","unstructured":"McKay, B.D., Piperno, A.: Practical graph isomorphism, II. J. Symb. Comput. 60, 94\u2013112 (2014)","journal-title":"J. Symb. Comput."},{"unstructured":"Mikolov, T., Chen, K., Corrado, G., Dean, J.: Efficient estimation of word representations in vector space. arXiv preprint arXiv:1301.3781 (2013)","key":"1_CR43"},{"doi-asserted-by":"crossref","unstructured":"Milajerdi, S.M., Eshete, B., Gjomemo, R., Venkatakrishnan, V.: Poirot: aligning attack behavior with kernel audit records for cyber threat hunting. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (2019)","key":"1_CR44","DOI":"10.1145\/3319535.3363217"},{"doi-asserted-by":"crossref","unstructured":"Milajerdi, S.M., Gjomemo, R., Eshete, B., Sekar, R., Venkatakrishnan, V.: Holmes: real-time apt detection through correlation of suspicious information flows. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 1137\u20131152. IEEE (2019)","key":"1_CR45","DOI":"10.1109\/SP.2019.00026"},{"unstructured":"Niwattanakul, S., Singthongchai, J., Naenudorn, E., Wanapu, S.: Using of Jaccard coefficient for keywords similarity. In: Proceedings of the International Multiconference of Engineers and Computer Scientists, vol. 1, pp. 380\u2013384 (2013)","key":"1_CR46"},{"doi-asserted-by":"crossref","unstructured":"Oprea, A., Li, Z., Yen, T.F., Chin, S.H., Alrwais, S.: Detection of early-stage enterprise infection by mining large-scale log data. In: 2015 45th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks, pp. 45\u201356. IEEE","key":"1_CR47","DOI":"10.1109\/DSN.2015.14"},{"doi-asserted-by":"crossref","unstructured":"Pei, K., et al.: Hercule: attack story reconstruction via community discovery on correlated log graph. In: Proceedings of the 32nd ACSAC, pp. 583\u2013595 (2016)","key":"1_CR48","DOI":"10.1145\/2991079.2991122"},{"doi-asserted-by":"crossref","unstructured":"Romero-Gomez, R., Nadji, Y., Antonakakis, M.: Towards designing effective visualizations for DNS-based network threat analysis. In: 2017 IEEE Symposium on Visualization for Cyber Security (VizSec), pp. 1\u20138. IEEE (2017)","key":"1_CR49","DOI":"10.1109\/VIZSEC.2017.8062201"},{"doi-asserted-by":"crossref","unstructured":"Sadoddin, R., Ghorbani, A.: Alert correlation survey: framework and techniques. In: Proceedings of the 2006 International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services, pp. 1\u201310 (2006)","key":"1_CR50","DOI":"10.1145\/1501434.1501479"},{"doi-asserted-by":"crossref","unstructured":"Sahabandu, D., Xiao, B., Clark, A., Lee, S., Lee, W., Poovendran, R.: Dift games: dynamic information flow tracking games for advanced persistent threats. In: 2018 IEEE Conference on Decision and Control (CDC), pp. 1136\u20131143. IEEE (2018)","key":"1_CR51","DOI":"10.1109\/CDC.2018.8619416"},{"doi-asserted-by":"crossref","unstructured":"Satvat, K., Gjomemo, R., Venkatakrishnan, V.: Extractor: extracting attack behavior from threat reports. In: 2021 IEEE European Symposium on Security and Privacy (EuroS P), pp. 598\u2013615 (2021)","key":"1_CR52","DOI":"10.1109\/EuroSP51992.2021.00046"},{"unstructured":"Shrivastava, A., Li, P.: In defense of MinHash over SimHash. In: Artificial Intelligence and Statistics, pp. 886\u2013894. PMLR (2014)","key":"1_CR53"},{"doi-asserted-by":"crossref","unstructured":"Sun, X., Dai, J., Liu, P., Singhal, A., Yen, J.: Using Bayesian networks for probabilistic identification of zero-day attack paths. IEEE Tran. Inf. Forensics Secur. 13, 2506\u20132521 (2018)","key":"1_CR54","DOI":"10.1109\/TIFS.2018.2821095"}],"container-title":["Lecture Notes in Computer Science","Information Systems Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-23690-7_1","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,12,10]],"date-time":"2022-12-10T05:03:20Z","timestamp":1670648600000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-23690-7_1"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022]]},"ISBN":["9783031236891","9783031236907"],"references-count":54,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-23690-7_1","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2022]]},"assertion":[{"value":"11 December 2022","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"ICISS","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Information Systems Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Tirupati","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"India","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2022","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"16 December 2022","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"20 December 2022","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"18","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"iciss2022","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/www.icissconf.org\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Single-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"easychair","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"55","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"8","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"5","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"15% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3.5","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Yes","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}