{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,18]],"date-time":"2026-04-18T16:41:25Z","timestamp":1776530485666,"version":"3.51.2"},"publisher-location":"Cham","reference-count":34,"publisher":"Springer Nature Switzerland","isbn-type":[{"value":"9783032081230","type":"print"},{"value":"9783032081247","type":"electronic"}],"license":[{"start":{"date-parts":[[2025,10,31]],"date-time":"2025-10-31T00:00:00Z","timestamp":1761868800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2025,10,31]],"date-time":"2025-10-31T00:00:00Z","timestamp":1761868800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2026]]},"DOI":"10.1007\/978-3-032-08124-7_24","type":"book-chapter","created":{"date-parts":[[2025,10,30]],"date-time":"2025-10-30T08:23:03Z","timestamp":1761812583000},"page":"411-430","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["A Graph-Based Approach to\u00a0Alert Contextualisation in\u00a0Security Operations Centres"],"prefix":"10.1007","author":[{"given":"Magnus Wiik","family":"Eckhoff","sequence":"first","affiliation":[]},{"given":"Peter Marius","family":"Flydal","sequence":"additional","affiliation":[]},{"given":"Siem","family":"Peters","sequence":"additional","affiliation":[]},{"given":"Martin","family":"Eian","sequence":"additional","affiliation":[]},{"given":"Jonas","family":"Halvorsen","sequence":"additional","affiliation":[]},{"given":"Vasileios","family":"Mavroeidis","sequence":"additional","affiliation":[]},{"given":"Gudmund","family":"Grov","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,10,31]]},"reference":[{"key":"24_CR1","unstructured":"Alahmadi, B.A., Axon, L., Martinovic, I.: 99% false positives: a qualitative study of $$\\{$$SOC$$\\}$$ analysts\u2019 perspectives on security alarms. In: 31st USENIX Security Symposium (USENIX Security 22), pp. 2783\u20132800 (2022)"},{"issue":"1","key":"24_CR2","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1162\/evco.1993.1.1.1","volume":"1","author":"T B\u00e4ck","year":"1993","unstructured":"B\u00e4ck, T., Schwefel, H.P.: An overview of evolutionary algorithms for parameter optimization. Evol. Comput. 1(1), 1\u201323 (1993)","journal-title":"Evol. Comput."},{"key":"24_CR3","unstructured":"Bianco, D.: The pyramid of pain. Enterp. Detect. Response 112 (2013)"},{"key":"24_CR4","unstructured":"Carliner, S.: An overview of online learning. Human Resource Development (2004)"},{"key":"24_CR5","unstructured":"Maze, D., Haijun\u00a0Zhai, S.L.: Behind the scenes: the ml approach for detecting advanced multistage attacks with sentinel fusion (2022). https:\/\/techcommunity.microsoft.com\/blog\/microsoftsentinelblog\/behind-the-scenes-the-ml-approach-for-detecting-advanced-multistage-attacks-with\/3239236. Accessed 25 May 2025"},{"key":"24_CR6","unstructured":"Davis, J.C.: (2024). https:\/\/www.msspalert.com\/news\/mssp-market-news-survey-shows-62-of-soc-alerts-are-ignored. Accessed 04 June 2025"},{"key":"24_CR7","unstructured":"Diederik, P., Kingma, J.B.: A method for stochastic optimization. arXiv preprint arXiv:1412.6980 (2014). 1412(6)"},{"key":"24_CR8","doi-asserted-by":"publisher","unstructured":"Eriksson, H.S., Grov, G.: Towards xai in the soc \u2013 a user centric study of explainable alerts with shap and lime. In: 2022 IEEE International Conference on Big Data (Big Data), pp. 2595\u20132600 (2022). https:\/\/doi.org\/10.1109\/BigData55660.2022.10020248","DOI":"10.1109\/BigData55660.2022.10020248"},{"key":"24_CR9","doi-asserted-by":"publisher","unstructured":"Ntalampiras, S., Pascu, C., Barros\u00a0Lourenco, M., Misuraca, G., Rossel, P.: Artificial intelligence and cybersecurity research \u2013 ENISA research and innovation Brief. European Union Agency for Cybersecurity (2023). European Union Agency for Cybersecurity, https:\/\/doi.org\/10.2824\/808362","DOI":"10.2824\/808362"},{"key":"24_CR10","unstructured":"Fleck, A.: Cybercrime expected to skyrocket in coming years (2024). https:\/\/www.statista.com\/chart\/28878\/expected-cost-of-cybercrime-until-2027\/. Accessed 23 May 2025"},{"issue":"15","key":"24_CR11","doi-asserted-by":"publisher","first-page":"2477","DOI":"10.1002\/sec.1190","volume":"8","author":"OB Fredj","year":"2015","unstructured":"Fredj, O.B.: A realistic graph-based alert correlation system. Secur. Commun. Netw. 8(15), 2477\u20132493 (2015)","journal-title":"Secur. Commun. Netw."},{"key":"24_CR12","unstructured":"Gelman, B., Taoufiq, S., V\u00f6r\u00f6s, T., Berlin, K.: That escalated quickly: an ml framework for alert prioritization. arXiv preprint arXiv:2302.06648 (2023)"},{"key":"24_CR13","unstructured":"Google: Configure alert grouping. https:\/\/cloud.google.com\/chronicle\/docs\/soar\/investigate\/working-with-alerts\/alert-grouping-mechanism-admin. Accessed 02 June 2025"},{"issue":"2","key":"24_CR14","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3695462","volume":"57","author":"F Jalalvand","year":"2024","unstructured":"Jalalvand, F., Baruwal Chhetri, M., Nepal, S., Paris, C.: Alert prioritisation in security operations centres: a systematic survey on criteria and methods. ACM Comput. Surv. 57(2), 1\u201336 (2024)","journal-title":"ACM Comput. Surv."},{"issue":"4","key":"24_CR15","doi-asserted-by":"publisher","first-page":"3466","DOI":"10.1109\/TDSC.2022.3201582","volume":"20","author":"M Landauer","year":"2022","unstructured":"Landauer, M., Skopik, F., Frank, M., Hotwagner, W., Wurzenberger, M., Rauber, A.: Maintainable log datasets for evaluation of intrusion detection systems. IEEE Trans. Dependable Secure Comput. 20(4), 3466\u20133482 (2022)","journal-title":"IEEE Trans. Dependable Secure Comput."},{"key":"24_CR16","doi-asserted-by":"crossref","unstructured":"Landauer, M., Skopik, F., Wurzenberger, M.: Introducing a new alert data set for multi-step attack analysis. In: Proceedings of the 17th Cyber Security Experimentation and Test Workshop, pp. 41\u201353 (2024)","DOI":"10.1145\/3675741.3675748"},{"issue":"3","key":"24_CR17","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3510581","volume":"25","author":"M Landauer","year":"2022","unstructured":"Landauer, M., Skopik, F., Wurzenberger, M., Rauber, A.: Dealing with security alert flooding: using machine learning for domain-independent alert aggregation. ACM Trans. Priv. Secur. 25(3), 1\u201336 (2022)","journal-title":"ACM Trans. Priv. Secur."},{"key":"24_CR18","unstructured":"Levin, Y.: Investigate incidents with microsoft sentinel (legacy) (2024). https:\/\/learn.microsoft.com\/en-us\/azure\/sentinel\/investigate-cases. Accessed 02 June 2025"},{"key":"24_CR19","unstructured":"Li, Y., Gu, C., Dullien, T., Vinyals, O., Kohli, P.: Graph matching networks for learning the similarity of graph structured objects. In: International Conference on Machine Learning, pp. 3835\u20133845. PMLR (2019)"},{"key":"24_CR20","doi-asserted-by":"crossref","unstructured":"Lin, T., Zhong, C., Yen, J., Liu, P.: Retrieval of relevant historical data triage operations in security operation centers. From Database to Cyber Security: Essays Dedicated to Sushil Jajodia on the Occasion of His 70th Birthday, pp. 227\u2013243 (2018)","DOI":"10.1007\/978-3-030-04834-1_12"},{"key":"24_CR21","doi-asserted-by":"crossref","unstructured":"Liu, Y., Shu, X., Sun, Y., Jang, J., Mittal, P.: Rapid: real-time alert investigation with context-aware prioritization for efficient threat discovery. In: Proceedings of the 38th Annual Computer Security Applications Conference, pp. 827\u2013840 (2022)","DOI":"10.1145\/3564625.3567997"},{"key":"24_CR22","series-title":"Advances in Intelligent Systems and Computing","doi-asserted-by":"publisher","first-page":"282","DOI":"10.1007\/978-3-319-63940-6_40","volume-title":"Biologically Inspired Cognitive Architectures (BICA) for Young Scientists","author":"N Miloslavskaya","year":"2018","unstructured":"Miloslavskaya, N.: Analysis of siem systems and their usage in security operations and security intelligence centers. In: Samsonovich, A.V., Klimov, V.V. (eds.) BICA 2017. AISC, vol. 636, pp. 282\u2013288. Springer, Cham (2018). https:\/\/doi.org\/10.1007\/978-3-319-63940-6_40"},{"key":"24_CR23","doi-asserted-by":"crossref","unstructured":"Nelson, A., Rekhi, S., Souppaya, M., Scarfone, K.: Incident response recommendations and considerations for cybersecurity risk management. NIST Special Publication (2025)","DOI":"10.6028\/NIST.SP.800-61r3"},{"key":"24_CR24","unstructured":"Norris, J.R.: Markov Chains. Cambridge university press, Cambridge (1998)"},{"key":"24_CR25","doi-asserted-by":"publisher","unstructured":"Olarra Maldonado, I.A., Meeuwissen, E., de Haan, P., van der Mei, R.: Telosian: reducing false positives in real-time cyber anomaly detection by fast adaptation to concept drift. In: Proceedings of the 11th International Conference on Information Systems Security and Privacy - Volume 2: ICISSP, pp. 84\u201397. INSTICC, SciTePress (2025). https:\/\/doi.org\/10.5220\/0013320500003899","DOI":"10.5220\/0013320500003899"},{"key":"24_CR26","doi-asserted-by":"crossref","unstructured":"Reddy, H.V., Agrawal, P., Raju, S.V.: Data labeling method based on cluster purity using relative rough entropy for categorical data clustering. In: 2013 International Conference on Advances in Computing, Communications and Informatics (ICACCI), pp. 500\u2013506. IEEE (2013)","DOI":"10.1109\/ICACCI.2013.6637222"},{"key":"24_CR27","unstructured":"Sela, S.: Smartgrouping - precision ai-driven investigation (2024). https:\/\/www.paloaltonetworks.com\/blog\/security-operations\/smartgrouping-precision-ai-driven-investigation\/. Accessed 02 June 2025"},{"key":"24_CR28","doi-asserted-by":"publisher","unstructured":"Shutaywi, M., Kachouie, N.N.: Silhouette analysis for performance evaluation in machine learning with applications to clustering. Entropy 23(6) (2021). https:\/\/doi.org\/10.3390\/e23060759","DOI":"10.3390\/e23060759"},{"issue":"9","key":"24_CR29","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3723158","volume":"57","author":"S Tariq","year":"2025","unstructured":"Tariq, S., Baruwal Chhetri, M., Nepal, S., Paris, C.: Alert fatigue in security operations centres: research challenges and opportunities. ACM Comput. Surv. 57(9), 1\u201338 (2025)","journal-title":"ACM Comput. Surv."},{"key":"24_CR30","unstructured":"Turcotte, M., Labr\u00e8che, F., Paquette, S.O.: Automated alert classification and triage (aact): an intelligent system for the prioritisation of cybersecurity alerts. arXiv preprint arXiv:2505.09843 (2025)"},{"key":"24_CR31","doi-asserted-by":"publisher","first-page":"227756","DOI":"10.1109\/ACCESS.2020.3045514","volume":"8","author":"M Vielberth","year":"2020","unstructured":"Vielberth, M., B\u00f6hm, F., Fichtinger, I., Pernul, G.: Security operations center: a systematic study and open challenges. IEEE Access 8, 227756\u2013227779 (2020)","journal-title":"IEEE Access"},{"key":"24_CR32","doi-asserted-by":"crossref","unstructured":"Ward, I.R., Joyner, J., Lickfold, C., Guo, Y., Bennamoun, M.: A practical tutorial on graph neural networks. arXiv preprint arXiv:1912.11615 (2021)","DOI":"10.1145\/3503043"},{"issue":"4","key":"24_CR33","doi-asserted-by":"publisher","first-page":"964","DOI":"10.1007\/s10618-015-0448-4","volume":"30","author":"GI Webb","year":"2016","unstructured":"Webb, G.I., Hyde, R., Cao, H., Nguyen, H.L., Petitjean, F.: Characterizing concept drift. Data Min. Knowl. Disc. 30(4), 964\u2013994 (2016). https:\/\/doi.org\/10.1007\/s10618-015-0448-4","journal-title":"Data Min. Knowl. Disc."},{"key":"24_CR34","doi-asserted-by":"crossref","unstructured":"Zhong, C., Yen, J., Liu, P., Erbacher, R.F.: Automate cybersecurity data triage by leveraging human analysts\u2019 cognitive process. In: 2016 IEEE 2nd International Conference on big data security on cloud (BigDataSecurity), IEEE International Conference on high performance and smart computing (HPSC), and IEEE International Conference on intelligent data and security (IDS), pp. 357\u2013363. IEEE (2016)","DOI":"10.1109\/BigDataSecurity-HPSC-IDS.2016.41"}],"container-title":["Lecture Notes in Computer Science","Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-032-08124-7_24","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,30]],"date-time":"2025-10-30T08:23:27Z","timestamp":1761812607000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-032-08124-7_24"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,10,31]]},"ISBN":["9783032081230","9783032081247"],"references-count":34,"URL":"https:\/\/doi.org\/10.1007\/978-3-032-08124-7_24","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,10,31]]},"assertion":[{"value":"31 October 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"ISC","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Information Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Seoul","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Korea (Republic of)","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2025","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"20 October 2025","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"22 October 2025","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"28","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"isw2025","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/isc25.skku.edu\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}