{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,13]],"date-time":"2026-04-13T20:35:09Z","timestamp":1776112509605,"version":"3.50.1"},"publisher-location":"Cham","reference-count":53,"publisher":"Springer International Publishing","isbn-type":[{"value":"9783319035833","type":"print"},{"value":"9783319035840","type":"electronic"}],"license":[{"start":{"date-parts":[[2013,1,1]],"date-time":"2013-01-01T00:00:00Z","timestamp":1356998400000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2013]]},"DOI":"10.1007\/978-3-319-03584-0_14","type":"book-chapter","created":{"date-parts":[[2013,11,7]],"date-time":"2013-11-07T15:17:57Z","timestamp":1383837477000},"page":"183-197","source":"Crossref","is-referenced-by-count":46,"title":["Alert Correlation Algorithms: A Survey and Taxonomy"],"prefix":"10.1007","author":[{"given":"Seyed Ali","family":"Mirheidari","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Sajjad","family":"Arshad","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Rasool","family":"Jalili","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","reference":[{"key":"14_CR1","doi-asserted-by":"crossref","unstructured":"Tjhai, G.C., Papadaki, M., Furnell, S.M., Clarke, N.L.: Investigating the Problem of IDS False Alarms: An Experimental Study Using Snort. In: Proceedings of the IFIP TC 11 23rd International Information Security Conference, pp. 253\u2013267 (2008)","DOI":"10.1007\/978-0-387-09699-5_17"},{"key":"14_CR2","unstructured":"Pouget, F., Dacier, M.: Alert Correlation: Review of the state of the art. EURECOM, Technical Report (2003)"},{"key":"14_CR3","doi-asserted-by":"crossref","unstructured":"Sadoddin, R., Ghorbani, A.: Alert correlation survey: Framework and techniques. In: Proceedings of ACM International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services (2006)","DOI":"10.1145\/1501434.1501479"},{"key":"14_CR4","unstructured":"Al-Mamory, S.O., Zhang, H.: A survey on IDS alerts processing techniques. In: Proceeding of the 6th WSEAS International Conference on Information Security and Privacy (ISP), pp. 69\u201378 (2007)"},{"key":"14_CR5","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"54","DOI":"10.1007\/3-540-45474-8_4","volume-title":"Recent Advances in Intrusion Detection","author":"A. Valdes","year":"2001","unstructured":"Valdes, A., Skinner, K.: Probabilistic alert correlation. In: Lee, W., M\u00e9, L., Wespi, A. (eds.) RAID 2001. LNCS, vol.\u00a02212, pp. 54\u201368. Springer, Heidelberg (2001)"},{"key":"14_CR6","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"85","DOI":"10.1007\/3-540-45474-8_6","volume-title":"Recent Advances in Intrusion Detection","author":"H. Debar","year":"2001","unstructured":"Debar, H., Wespi, A.: Aggregation and correlation of intrusion-detection alerts. In: Lee, W., M\u00e9, L., Wespi, A. (eds.) RAID 2001. LNCS, vol.\u00a02212, pp. 85\u2013103. Springer, Heidelberg (2001)"},{"key":"14_CR7","unstructured":"Cuppens, F.: Managing alerts in a multi-intrusion detection environment. In: Proceedings of the 17th Annual Computer Security Applications Conference, ACSAC (2001)"},{"key":"14_CR8","doi-asserted-by":"crossref","unstructured":"Valeur, F., Vigna, G., Kruegel, C., Kemmerer, R.A.: Comprehensive approach to intrusion detection alert correlation. IEEE Transactions on Dependable and Secure Computing, 146\u2013169 (2004)","DOI":"10.1109\/TDSC.2004.21"},{"key":"14_CR9","doi-asserted-by":"crossref","unstructured":"Elshoush, H.T., Osman, I.M.: Intrusion Alert Correlation Framework: An Innovative Approach. In: IAENG Transactions on Engineering Technologies, pp. 405\u2013420 (2013)","DOI":"10.1007\/978-94-007-6190-2_31"},{"key":"14_CR10","doi-asserted-by":"crossref","unstructured":"Julisch, K.: Mining alarm clusters to improve alarm handling efficiency. In: Proceedings of 17th Annual Computer Security Applications Conference (ACSAC), pp. 12\u201321 (2001)","DOI":"10.1109\/ACSAC.2001.991517"},{"issue":"3","key":"14_CR11","first-page":"111","volume":"2","author":"K. Julisch","year":"2002","unstructured":"Julisch, K.: Clustering intrusion detection alarms to support root cause analysis. ACM Journal Name\u00a02(3), 111\u2013138 (2002)","journal-title":"ACM Journal Name"},{"issue":"4","key":"14_CR12","doi-asserted-by":"publisher","first-page":"271","DOI":"10.1007\/s11416-008-0103-3","volume":"5","author":"S.O. Al-Mamory","year":"2009","unstructured":"Al-Mamory, S.O., Zhang, H.: IDS alerts correlation using grammar-based approach. Journal of Computer Virology\u00a05(4), 271\u2013282 (2009)","journal-title":"Journal of Computer Virology"},{"key":"14_CR13","doi-asserted-by":"crossref","unstructured":"Dain, O.M., Cunningham, R.K.: Building scenarios from a heterogeneous alert stream. In: Proceedings of IEEE Workshop on Information Assurance and Security (2001)","DOI":"10.1007\/978-1-4615-0953-0_5"},{"key":"14_CR14","doi-asserted-by":"crossref","unstructured":"Dain, O., Cunningham, R.K.: Fusing a heterogeneous alert stream into scenarios. In: Proceedings of ACM Workshop on Data Mining for Security Applications, pp. 1\u201313 (2001)","DOI":"10.1007\/978-1-4615-0953-0_5"},{"key":"14_CR15","doi-asserted-by":"crossref","unstructured":"Smith, R., Japkowicz, N., Dondo, M., Mason, P.: Using unsupervised learning for network alert correlation. In: Advances in Artificial Intelligence, pp. 308\u2013319 (2008)","DOI":"10.1007\/978-3-540-68825-9_29"},{"key":"14_CR16","unstructured":"Smith, R., Japkowicz, N., Dondo, M.: Clustering using an autoassociator: A case study in network event correlation. In: Proceedings of the 17th IASTED International Conference on Parallel and Distributed Computing and Systems (2008)"},{"issue":"3","key":"14_CR17","first-page":"169","volume":"10","author":"T. Pietraszek","year":"2005","unstructured":"Pietraszek, T., Tanner, A.: Data mining and machine learning towards reducing false positives in intrusion detection. Information Security\u00a010(3), 169\u2013183 (2005)","journal-title":"Information Security"},{"key":"14_CR18","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"102","DOI":"10.1007\/978-3-540-30143-1_6","volume-title":"Recent Advances in Intrusion Detection","author":"T. Pietraszek","year":"2004","unstructured":"Pietraszek, T.: Using adaptive alert classification to reduce false positives in intrusion detection. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol.\u00a03224, pp. 102\u2013124. Springer, Heidelberg (2004)"},{"key":"14_CR19","doi-asserted-by":"crossref","unstructured":"Templeton, S.J., Levitt, K.: A requires\/provides model for computer attacks. In: Proceedings of the Workshop on New Security Paradigms, pp. 31\u201338 (2001)","DOI":"10.1145\/366173.366187"},{"key":"14_CR20","unstructured":"Ning, P., Cui, Y.: An intrusion alert correlator based on pre-requisites of intrusions (2002)"},{"key":"14_CR21","doi-asserted-by":"crossref","unstructured":"Ning, P., Cui, Y., Reeves, D.S.: Constructing attack scenarios through correlation of intrusion alerts. In: Proceedings of the 9th ACM on Computer and Communications Security, pp. 245\u2013254 (2002)","DOI":"10.1145\/586143.586144"},{"issue":"2","key":"14_CR22","doi-asserted-by":"publisher","first-page":"274","DOI":"10.1145\/996943.996947","volume":"7","author":"P. Ning","year":"2004","unstructured":"Ning, P., Cui, Y., Reeves, D.S., Xu, D.: Techniques and tools for analyzing intrusion alerts. ACM Transactions on Information and System Security (TISSEC)\u00a07(2), 274\u2013318 (2004)","journal-title":"ACM Transactions on Information and System Security (TISSEC)"},{"key":"14_CR23","unstructured":"Cuppens, F., Autrel, F., Miege, A., Benferhat, S.: Correlation in an intrusion detection process. In: Proceedings SEcurite des Communications sur Internet (SECI), pp. 153\u2013171 (2002)"},{"key":"14_CR24","doi-asserted-by":"crossref","unstructured":"Ning, P., Xu, D.: Learning attack strategies from intrusion alerts. In: Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS), pp. 200\u2013209 (2003)","DOI":"10.1145\/948109.948137"},{"key":"14_CR25","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"74","DOI":"10.1007\/3-540-36084-0_5","volume-title":"Recent Advances in Intrusion Detection","author":"P. Ning","year":"2002","unstructured":"Ning, P., Cui, Y., Reeves, D.S.: Analyzing intensive intrusion alerts via correlation. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol.\u00a02516, pp. 74\u201394. Springer, Heidelberg (2002)"},{"key":"14_CR26","unstructured":"Ning, P., Cui, Y., Reeves, D.S., Xu, D.: Towards automating intrusion alert analysis. In: Workshop on Statistical and Machine Learning Techniques in Computer Intrusion Detection (2003)"},{"issue":"4","key":"14_CR27","doi-asserted-by":"publisher","first-page":"591","DOI":"10.1145\/1042031.1042036","volume":"7","author":"P. Ning","year":"2004","unstructured":"Ning, P., Xu, D.: Hypothesizing and reasoning about attacks missed by intrusion detection systems. ACM Transactions on Information and System Security (TISSEC)\u00a07(4), 591\u2013627 (2004)","journal-title":"ACM Transactions on Information and System Security (TISSEC)"},{"key":"14_CR28","unstructured":"Ning, P., Xu, D., Healey, C.G., Amant, R.S.: Building attack scenarios through integration of complementary alert correlation methods. In: Proceedings of the 11th Annual Network and Distributed System Security Symposium, NDSS (2004)"},{"key":"14_CR29","unstructured":"Zhai, Y., Ning, P., Iyer, P., Reeves, D.S.: Reasoning about complementary intrusion evidence. In: 20th Annual IEEE Computer Security Applications Conference (ACSAC), pp. 39\u201348 (2004)"},{"key":"14_CR30","doi-asserted-by":"crossref","unstructured":"Wang, L., Liu, A., Jajodia, S.: An efficient and unified approach to correlating, hypothesizing, and predicting intrusion alerts. In: De Capitani di Vimercati, S.,Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol.\u00a03679, pp. 247\u2013266. Springer, Heidelberg (2005)","DOI":"10.1007\/11555827_15"},{"issue":"15","key":"14_CR31","doi-asserted-by":"publisher","first-page":"2917","DOI":"10.1016\/j.comcom.2006.04.001","volume":"29","author":"L. Wang","year":"2006","unstructured":"Wang, L., Liu, A., Jajodia, S.: Using attack graphs for correlating, hypothesizing, and predicting intrusion alerts. Computer Communications\u00a029(15), 2917\u20132933 (2006)","journal-title":"Computer Communications"},{"key":"14_CR32","unstructured":"Zali, Z., Hashemi, M.R., Saidi, H.: Real-Time Intrusion Detection Alert Correlation and Attack Scenario Extraction Based on the Prerequisite-Consequence Approach. The ISC International Journal of Information Security\u00a04(2) (2013)"},{"key":"14_CR33","doi-asserted-by":"crossref","unstructured":"Cheung, S., Lindqvist, U., Fong, M.W.: Modelling multistep cyber-attacks for scenario recognition. In: DARPA Information Survivability Conference and Exposition, pp. 284\u2013292 (2003)","DOI":"10.1109\/DISCEX.2003.1194892"},{"issue":"1\/2","key":"14_CR34","doi-asserted-by":"publisher","first-page":"71","DOI":"10.3233\/JCS-2002-101-204","volume":"10","author":"S.T. Eckmann","year":"2002","unstructured":"Eckmann, S.T., Vigna, G., Kemmerer, R.A.: STATL: An attack language for state-based intrusion detection. Journal of Computer Security\u00a010(1\/2), 71\u2013104 (2002)","journal-title":"Journal of Computer Security"},{"key":"14_CR35","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"197","DOI":"10.1007\/3-540-39945-3_13","volume-title":"Recent Advances in Intrusion Detection","author":"F. Cuppens","year":"2000","unstructured":"Cuppens, F., Ortalo, R.: LAMBDA: A language to model a database for detection of attacks. In: Debar, H., M\u00e9, L., Wu, S.F. (eds.) RAID 2000. LNCS, vol.\u00a01907, pp. 197\u2013216. Springer, Heidelberg (2000)"},{"key":"14_CR36","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"115","DOI":"10.1007\/3-540-36084-0_7","volume-title":"Recent Advances in Intrusion Detection","author":"B. Morin","year":"2002","unstructured":"Morin, B., M\u00e9, L., Debar, H., Ducass\u00e9, M.: M2D2: A formal data model for IDS alert correlation. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol.\u00a02516, pp. 115\u2013137. Springer, Heidelberg (2002)"},{"issue":"4","key":"14_CR37","doi-asserted-by":"publisher","first-page":"285","DOI":"10.1016\/j.inffus.2009.01.005","volume":"10","author":"B. Morin","year":"2009","unstructured":"Morin, B., M\u00e9, L., Debar, H., Ducass\u00e9, M.: A logic-based model to support alert correlation in intrusion detection. Information Fusion\u00a010(4), 285\u2013299 (2009)","journal-title":"Information Fusion"},{"issue":"2","key":"14_CR38","doi-asserted-by":"publisher","first-page":"419","DOI":"10.1016\/j.comcom.2008.11.012","volume":"32","author":"S.O. Al-Mamory","year":"2009","unstructured":"Al-Mamory, S.O., Zhang, H.: Intrusion detection alarms reduction using root cause Analysis and clustering. Computer Communications\u00a032(2), 419\u2013430 (2009)","journal-title":"Computer Communications"},{"issue":"1","key":"14_CR39","first-page":"66","volume":"5","author":"P. Kabiri","year":"2007","unstructured":"Kabiri, P., Ghorbani, A.A.: A rule-based temporal alert correlation system. International Journal of Network Security\u00a05(1), 66\u201372 (2007)","journal-title":"International Journal of Network Security"},{"key":"14_CR40","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"166","DOI":"10.1007\/978-3-540-30143-1_9","volume-title":"Recent Advances in Intrusion Detection","author":"J. Viinikka","year":"2004","unstructured":"Viinikka, J., Debar, H.: Monitoring IDS background noise using EWMA control charts and alert information. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol.\u00a03224, pp. 166\u2013187. Springer, Heidelberg (2004)"},{"key":"14_CR41","doi-asserted-by":"crossref","unstructured":"Viinikka, J., Debar, H., M\u00e9, L., S\u00e9guier, R.: Time series modelling for IDS alert management. In: Proceedings of Information, Computer and Communications Security, pp. 102\u2013113 (2006)","DOI":"10.1145\/1128817.1128835"},{"issue":"4","key":"14_CR42","doi-asserted-by":"publisher","first-page":"312","DOI":"10.1016\/j.inffus.2009.01.003","volume":"10","author":"J. Viinikka","year":"2009","unstructured":"Viinikka, J., Debar, H., M\u00e9, L., Lehikoinen, A., Tarvainen, M.: Processing intrusion detection alert aggregates with time series modelling. Information Fusion\u00a010(4), 312\u2013324 (2009)","journal-title":"Information Fusion"},{"issue":"4","key":"14_CR43","doi-asserted-by":"publisher","first-page":"571","DOI":"10.1016\/S1389-1286(00)00138-9","volume":"34","author":"S. Manganaris","year":"2000","unstructured":"Manganaris, S., Christensen, M., Zerkle, D., Hermiz, K.: A data mining Analysis of RTID alarms. Computer Networks\u00a034(4), 571\u2013577 (2000)","journal-title":"Computer Networks"},{"key":"14_CR44","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/11856214_1","volume-title":"Recent Advances in Intrusion Detection","author":"J.J. Treinen","year":"2006","unstructured":"Treinen, J.J., Thurimella, R.: A framework for the application of association rule mining in large intrusion detection infrastructures. In: Zamboni, D., Kruegel, C. (eds.) RAID 2006. LNCS, vol.\u00a04219, pp. 1\u201318. Springer, Heidelberg (2006)"},{"key":"14_CR45","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"153","DOI":"10.1007\/978-3-642-14215-4_9","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment","author":"H. Ren","year":"2010","unstructured":"Ren, H., Stakhanova, N., Ghorbani, A.A.: An online adaptive approach to alert correlation. In: Kreibich, C., Jahnke, M. (eds.) DIMVA 2010. LNCS, vol.\u00a06201, pp. 153\u2013172. Springer, Heidelberg (2010)"},{"key":"14_CR46","doi-asserted-by":"crossref","unstructured":"Lee, W., Qin, X.: Statistical causality Analysis of INFOSEC alert data. In: Managing Cyber Threats, pp. 101\u2013127 (2003)","DOI":"10.1007\/0-387-24230-9_4"},{"key":"14_CR47","unstructured":"Qin, X., Lee, W.: Attack plan recognition and prediction using causal networks. In: 20th Annual Computer Security Applications Conference (ACSAC), pp. 370\u2013379 (2004)"},{"key":"14_CR48","doi-asserted-by":"crossref","unstructured":"Qin, X., Lee, W.: Discovering novel attack strategies from INFOSEC alerts. In: Data Warehousing and Data Mining Techniques for Cyber Security, pp. 109\u2013157 (2007)","DOI":"10.1007\/978-0-387-47653-7_7"},{"key":"14_CR49","doi-asserted-by":"crossref","unstructured":"Geib, C.W., Goldman, R.P.: Plan recognition in intrusion detection systems. In: DARPA Information Survivability Conference and Exposition, pp. 46\u201355 (2001)","DOI":"10.1109\/DISCEX.2001.932191"},{"issue":"1","key":"14_CR50","doi-asserted-by":"publisher","first-page":"29","DOI":"10.1109\/3477.484436","volume":"26","author":"M. Dorigo","year":"1996","unstructured":"Dorigo, M., Maniezzo, V., Colorni, A.: Ant system: Optimization by a colony of cooperating agents. IEEE Transactions on Systems, Man, and Cybernetics\u00a026(1), 29\u201341 (1996)","journal-title":"IEEE Transactions on Systems, Man, and Cybernetics"},{"key":"14_CR51","doi-asserted-by":"crossref","unstructured":"Ourston, D., Matzner, S., Stump, W., Hopkins, B.: Applications of hidden markov models to detecting multi-stage network attacks. In: Proceedings of the 36th Annual IEEE Hawaii International Conference on System Sciences (2003)","DOI":"10.1109\/HICSS.2003.1174909"},{"key":"14_CR52","doi-asserted-by":"crossref","unstructured":"Gu, G., Cardenas, A.A., Lee, W.: Principled reasoning and practical applications of alert fusion in intrusion detection systems. In: Proceedings of ACM Symposium on Information, Computer and Communications Security, pp. 136\u2013147 (2008)","DOI":"10.1145\/1368310.1368332"},{"key":"14_CR53","doi-asserted-by":"crossref","unstructured":"Siraj, A., Vaughn, R.B.: Multi-level alert clustering for intrusion detection sensor data. In: Annual Meeting of the North American on Fuzzy Information Processing Society, pp. 748\u2013753 (2005)","DOI":"10.1109\/NAFIPS.2005.1548632"}],"container-title":["Lecture Notes in Computer Science","Cyberspace Safety and Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-03584-0_14","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,4,30]],"date-time":"2025-04-30T19:50:01Z","timestamp":1746042601000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-319-03584-0_14"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2013]]},"ISBN":["9783319035833","9783319035840"],"references-count":53,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-03584-0_14","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2013]]}}}