{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,3,27]],"date-time":"2025-03-27T02:46:00Z","timestamp":1743043560446,"version":"3.40.3"},"publisher-location":"Singapore","reference-count":75,"publisher":"Springer Nature Singapore","isbn-type":[{"type":"print","value":"9789819635306"},{"type":"electronic","value":"9789819635313"}],"license":[{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025]]},"DOI":"10.1007\/978-981-96-3531-3_14","type":"book-chapter","created":{"date-parts":[[2025,3,13]],"date-time":"2025-03-13T12:10:35Z","timestamp":1741867835000},"page":"277-300","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Every Sherlock Needs a\u00a0Watson: Practical Semi-realtime Attack Elaboration System"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0009-0001-4863-6636","authenticated-orcid":false,"given":"Zeya","family":"Umayya","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0009-0006-8873-3648","authenticated-orcid":false,"given":"Arpit","family":"Nandi","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0009-0004-3783-2836","authenticated-orcid":false,"given":"Amartyo","family":"Roy","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0009-0005-0955-3378","authenticated-orcid":false,"given":"Sambuddho","family":"Chakravarty","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,3,14]]},"reference":[{"key":"14_CR1","doi-asserted-by":"publisher","DOI":"10.1016\/j.fraope.2023.100010","volume":"2","author":"S Adiwal","year":"2023","unstructured":"Adiwal, S., Rajendran, B., et al.: DNS intrusion detection (did)\u2013a snort-based solution to detect DNS amplification and DNS tunneling attacks. Franklin Open 2, 100010 (2023)","journal-title":"Franklin Open"},{"key":"14_CR2","unstructured":"Alahmadi, B.A.,\u00a0Axon, L., et\u00a0al.: 99% false positives: a qualitative study of SOC analysts\u2019 perspectives on security alarms. In: Proceedings of the 31st USENIX Security Symposium, Boston, MA, USA, pp. 10\u201312 (2022)"},{"key":"14_CR3","unstructured":"Alaidaros, H.,\u00a0Mahmuddin, M., et\u00a0al.: An overview of flow-based and packet-based intrusion detection performance in high speed networks. In: Proceedings of the International Arab Conference on Information Technology, pp. 1\u20139 (2011)"},{"key":"14_CR4","doi-asserted-by":"crossref","unstructured":"Apruzzese, G.,\u00a0Laskov, P., et\u00a0al.: SOK: pragmatic assessment of machine learning for network intrusion detection. In: 2023 IEEE 8th European Symposium on Security and Privacy (EuroS &P), pp. 592\u2013614. IEEE (2023)","DOI":"10.1109\/EuroSP57164.2023.00042"},{"key":"14_CR5","doi-asserted-by":"crossref","unstructured":"Beauchamp, T.L.: The belmont report. The Oxford textbook of clinical research ethics, pp. 149\u2013155 (2008)","DOI":"10.1093\/oso\/9780195168655.003.0015"},{"key":"14_CR6","doi-asserted-by":"crossref","unstructured":"Bhusal, D.,\u00a0Shin, R., et\u00a0al.: SOK: modeling explainability in security analytics for interpretability, trustworthiness, and usability. In: Proceedings of the 18th International Conference on ARES, pp. 1\u201312 (2023)","DOI":"10.1145\/3600160.3600193"},{"key":"14_CR7","doi-asserted-by":"crossref","unstructured":"Cai, Q.,\u00a0Chaudhary, S.: et\u00a0al.: Understanding host network stack overheads. In: Proceedings of the 2021 ACM SIGCOMM 2021 Conference, pp. 65\u201377 (2021)","DOI":"10.1145\/3452296.3472888"},{"key":"14_CR8","doi-asserted-by":"crossref","unstructured":"Cheng, Z.,\u00a0Lv, Q., et\u00a0al.: Kairos: practical intrusion detection and investigation using whole-system provenance. In: 2024 IEEE Symposium on Security and Privacy (SP), pp. 3533\u20133551. IEEE (2024)","DOI":"10.1109\/SP54263.2024.00005"},{"key":"14_CR9","unstructured":"Cloudflare: Cloudflare white paper: DNS and the threat of DDOS. https:\/\/www.cloudflare.com\/static\/c14f1244a3b819345f92da3e4f59846e\/DNS_and_the_Threat_of_DDoS_Whitepaper.pdf"},{"key":"14_CR10","unstructured":"DDOS threat report for 2023 q1 (2023). https:\/\/blog.cloudflare.com\/ddos-threat-report-2023-q1\/"},{"key":"14_CR11","unstructured":"DNS amplification attack (2024). https:\/\/www.cloudflare.com\/learning\/ddos\/dns-amplification-ddos-attack\/"},{"key":"14_CR12","unstructured":"DNS-flood DDOS attack. https:\/\/www.cloudflare.com\/learning\/ddos\/dns-flood-ddos-attack\/, 2024"},{"key":"14_CR13","unstructured":"Datasets, C.: Cidds 2017 dataset. https:\/\/www.hs-coburg.de\/forschung\/forschungsprojekte-oeffentlich\/informationstechnologie\/cidds-coburg-intrusion-detection-data-sets.html#c6121"},{"key":"14_CR14","unstructured":"Datasets, C.-I.: Cic-ids 2017. https:\/\/www.unb.ca\/cic\/datasets\/ids-2017.html"},{"key":"14_CR15","unstructured":"Iscxids-2012 dataset. http:\/\/www.unb.ca\/cic\/datasets\/ids.html"},{"key":"14_CR16","unstructured":"Datasets, K.: Kitsune network attack dataset data set. https:\/\/archive.ics.uci.edu\/ml\/datasets\/Kitsune+Network+Attack+Dataset"},{"key":"14_CR17","unstructured":"Datasets, U.: Unsw-nb15. https:\/\/www.unsw.adfa.edu.au\/unsw-canberra-cyber\/cybersecurity\/ADFA-NB15-Datasets\/"},{"key":"14_CR18","unstructured":"Decipher: Linux botnet targets weak SSH server credentials. https:\/\/duo.com\/decipher\/linux-iot-botnet-targets-weak-ssh-server-credentials"},{"key":"14_CR19","unstructured":"Docs, B.: Bind9. https:\/\/bind9.readthedocs.io\/en\/v9_18_4\/chapter1.html"},{"key":"14_CR20","unstructured":"Docs, P.: Pktgen. https:\/\/pktgen-dpdk.readthedocs.io\/en\/latest\/"},{"key":"14_CR21","doi-asserted-by":"crossref","unstructured":"Engelen, G.,\u00a0Rimmer, V., et\u00a0al.: Troubleshooting an intrusion detection dataset: the cicids2017 case study. In: IEEE Security and Privacy Workshops (SPW), pp. 7\u201312 (2021)","DOI":"10.1109\/SPW53761.2021.00009"},{"key":"14_CR22","doi-asserted-by":"crossref","unstructured":"Fontugne, R.,\u00a0Borgnat, P., et\u00a0al.: MAWIlab: combining diverse anomaly detectors for automated anomaly labeling and performance benchmarking. In: Proceedings of the 6th International COnference, Co-NEXT 2010 (2010)","DOI":"10.1145\/1921168.1921179"},{"key":"14_CR23","unstructured":"Fortinet: What is a port scan? https:\/\/www.fortinet.com\/resources\/cyberglossary\/what-is-port-scan (2024)"},{"key":"14_CR24","unstructured":"Forum, F.A.S.S.: Medusa. http:\/\/foofus.net\/?page_id=51, 2024"},{"key":"14_CR25","doi-asserted-by":"crossref","unstructured":"Fu, C.,\u00a0Li, Q., et\u00a0al.: Realtime robust malicious traffic detection via frequency domain analysis. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 3431\u20133446 (2021)","DOI":"10.1145\/3460120.3484585"},{"key":"14_CR26","doi-asserted-by":"crossref","unstructured":"Garcia-Teodoro, P.,\u00a0Diaz-Verdejo, J., et\u00a0al.: Anomaly-based network intrusion detection: techniques, systems and challenges. Comput. Security 28(1-2), 18\u201328 (2009)","DOI":"10.1016\/j.cose.2008.08.003"},{"key":"14_CR27","unstructured":"George\u00a0Sandford, G.T.N.: SOC burnout is real. https:\/\/www.helpnetsecurity.com\/2021\/06\/23\/soc-burnout-is-real\/"},{"key":"14_CR28","unstructured":"Goodin, D.: After lying low, SSH botnet mushrooms and is harder than ever to take down. https:\/\/arstechnica.com\/information-technology\/2022\/02\/after-lying-low-ssh-botnet-mushrooms-and-is-harder-than-ever-to-take-down\/"},{"key":"14_CR29","doi-asserted-by":"crossref","unstructured":"Goyal, A.,\u00a0Wang, G., et\u00a0al. R-Caid: embedding root cause analysis within provenance-based intrusion detection (2024)","DOI":"10.1109\/SP54263.2024.00253"},{"key":"14_CR30","unstructured":"Graham, R.D.: Masscan. https:\/\/github.com\/robertdavidgraham\/masscan"},{"key":"14_CR31","unstructured":"Group, M.W., et\u00a0al.: Traffic archive. http:\/\/mawi.wide.ad.jp\/mawi\/, 2024"},{"key":"14_CR32","doi-asserted-by":"crossref","unstructured":"Han, D.,\u00a0Wang, Z., et\u00a0al.: Deepaid: interpreting and improving deep learning-based anomaly detection in security applications. In: Proceedings of the 2021 ACM SIGSAC CCS, pp. 3197\u20133217 (2021)","DOI":"10.1145\/3460120.3484589"},{"key":"14_CR33","doi-asserted-by":"crossref","unstructured":"Han, X.,\u00a0Pasquier, T., et\u00a0al.: Unicorn: runtime provenance-based detector for advanced persistent threats. arXiv preprint arXiv:2001.01525 (2020)","DOI":"10.14722\/ndss.2020.24046"},{"key":"14_CR34","doi-asserted-by":"publisher","unstructured":"Hellemons, L., Hendriks, L., Hofstede, R., Sperotto, A., Sadre, R., Pras, A.: SSHCure: A Flow-Based SSH Intrusion Detection System. In: Sadre, R., Novotn\u00fd, J., \u010celeda, P., Waldburger, M., Stiller, B. (eds.) AIMS 2012. LNCS, vol. 7279, pp. 86\u201397. Springer, Heidelberg (2012). https:\/\/doi.org\/10.1007\/978-3-642-30633-4_11","DOI":"10.1007\/978-3-642-30633-4_11"},{"key":"14_CR35","doi-asserted-by":"crossref","unstructured":"Hsu, Y.-F.,\u00a0He, Z., et\u00a0al.: Toward an online network intrusion detection system based on ensemble learning. In: 2019 IEEE 12th International Conference on Cloud Computing (CLOUD), pp. 174\u2013178. IEEE (2019)","DOI":"10.1109\/CLOUD.2019.00037"},{"key":"14_CR36","unstructured":"IDS, S.: Suricata- open source ids \/ ips \/ nsm engine. https:\/\/suricata-ids.org\/"},{"key":"14_CR37","unstructured":"Imperva: DNS-flood. https:\/\/www.imperva.com\/learn\/ddos\/dns-flood\/"},{"key":"14_CR38","unstructured":"Institute, I.: Anatomy of an apt attack: Step by step approach. https:\/\/resources.infosecinstitute.com\/topic\/anatomy-of-an-apt-attack-step-by-step-approach\/"},{"key":"14_CR39","unstructured":"Intel: Intel data plane development kit. https:\/\/www.dpdk.org\/"},{"key":"14_CR40","doi-asserted-by":"crossref","unstructured":"Kang, J.,\u00a0Yang, H., et\u00a0al.: ActDetector: a sequence-based framework for network attack activity detection. In: 2022 IEEE Symposium on Computers and Communications (ISCC), pp. 1\u20137. IEEE (2022)","DOI":"10.1109\/ISCC55528.2022.9912824"},{"key":"14_CR41","unstructured":"Kaspersky: What is an advanced persistent threat (apt)? https:\/\/www.kaspersky.com\/resource-center\/definitions\/advanced-persistent-threats"},{"key":"14_CR42","unstructured":"Labs, L.: Groundhog botnet rapidly infecting cloud. https:\/\/www.lacework.com\/blog\/groundhog-botnet-rapidly-infecting-cloud\/"},{"key":"14_CR43","doi-asserted-by":"crossref","unstructured":"Lanvin, M., Gimenez, P.-F., et\u00a0al.: Towards understanding alerts raised by unsupervised network intrusion detection systems. In: The 26th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2023) (2023)","DOI":"10.1145\/3607199.3607247"},{"key":"14_CR44","unstructured":"Li, R.,\u00a0Li, Q., et\u00a0al.: Interpreting unsupervised anomaly detection in security via rule extraction. In: Thirty-seventh Conference on Neural Information Processing Systems (NeurIPS) (2023)"},{"key":"14_CR45","doi-asserted-by":"publisher","first-page":"332","DOI":"10.1016\/j.knosys.2018.08.036","volume":"163","author":"H Liu","year":"2019","unstructured":"Liu, H., Lang, B., et al.: CNN and RNN based payload classification methods for attack detection. Knowl. Based Syst. 163, 332\u2013341 (2019)","journal-title":"Knowl. Based Syst."},{"key":"14_CR46","unstructured":"LogRhythm. https:\/\/logrhythm.com\/"},{"key":"14_CR47","doi-asserted-by":"publisher","first-page":"22351","DOI":"10.1109\/ACCESS.2021.3056614","volume":"9","author":"ZK Maseer","year":"2021","unstructured":"Maseer, Z.K., Yusof, R., et al.: Benchmarking of machine learning for anomaly based intrusion detection systems in the CICIDS2017 dataset. IEEE Access 9, 22351\u201322370 (2021)","journal-title":"IEEE Access"},{"key":"14_CR48","doi-asserted-by":"crossref","unstructured":"Milajerdi, S.M.,\u00a0Gjomemo, R., et\u00a0al.: Holmes: real-time apt detection through correlation of suspicious information flows. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 1137\u20131152. IEEE (2019)","DOI":"10.1109\/SP.2019.00026"},{"key":"14_CR49","doi-asserted-by":"crossref","unstructured":"Mink, J.,\u00a0Benkraouda, H., et\u00a0al.: Everybody\u2019s got ml, tell me what else you have: Practitioners\u2019 perception of ml-based security tools and explanations. In: 2023 IEEE Symposium on Security and Privacy (SP), pp. 2068\u20132085 (2023)","DOI":"10.1109\/SP46215.2023.10179321"},{"key":"14_CR50","doi-asserted-by":"crossref","unstructured":"Mirsky, Y.,\u00a0Doitshman, T., et\u00a0al.: Kitsune: an ensemble of autoencoders for online network intrusion detection. In: NDSS (2018)","DOI":"10.14722\/ndss.2018.23204"},{"key":"14_CR51","unstructured":"MITRE: Brute force. https:\/\/attack.mitre.org\/techniques\/T1110\/001\/"},{"key":"14_CR52","unstructured":"Nadeem, A.,\u00a0Vos, D., et\u00a0al.: SOK: explainable machine learning for computer security applications. arXiv preprint arXiv:2208.10605 (2022)"},{"key":"14_CR53","unstructured":"NDSec: Ndsec-1 dataset. https:\/\/www2.hs-fulda.de\/NDSec\/NDSec-1\/Files\/"},{"key":"14_CR54","unstructured":"NMAP: Ncat. https:\/\/nmap.org\/ncat\/"},{"key":"14_CR55","unstructured":"Ncrack. https:\/\/nmap.org\/ncrack\/"},{"key":"14_CR56","unstructured":"NMap-the network mapper. https:\/\/nmap.org\/"},{"key":"14_CR57","unstructured":"Org, S.: A sans 2021 survey: Security operations center (SOC) (2021)"},{"key":"14_CR58","unstructured":"PcapPlusPlus. https:\/\/pcapplusplus.github.io\/"},{"key":"14_CR59","doi-asserted-by":"crossref","unstructured":"Rajadurai, H., Gandhi, U.D.: A stacked ensemble learning model for intrusion detection in wireless network. In: Neural Computing and Applications, pp. 1\u20139 (2020)","DOI":"10.1007\/s00521-020-04986-5"},{"key":"14_CR60","doi-asserted-by":"crossref","unstructured":"Ramanathan, S.,\u00a0Hossain, A., et\u00a0al.: Quantifying the impact of blocklisting in the age of address reuse. In: Proceedings of the ACM Internet Measurement Conference (IMC), pp. 360\u2013369 (2020)","DOI":"10.1145\/3419394.3423657"},{"key":"14_CR61","unstructured":"Report, I.: 2021 global DNS threat report. https:\/\/www.efficientip.com\/wp-content\/uploads\/2021\/06\/2021-IDC-DNS-Threat-Report-Infobrief-final_compressed.pdf"},{"key":"14_CR62","first-page":"229","volume":"99","author":"M Roesch","year":"1999","unstructured":"Roesch, M., et al.: Snort: lightweight intrusion detection for networks. Lisa 99, 229\u2013238 (1999)","journal-title":"Lisa"},{"key":"14_CR63","unstructured":"M.T.D. Science: Dynamic time warping. https:\/\/towardsdatascience.com\/dynamic-time-warping-3933f25fcdd"},{"key":"14_CR64","unstructured":"Secureworks: How to decrease alert fatigue while increasing SOC efficiency. https:\/\/www.secureworks.com\/blog\/how-to-reduce-alert-fatigue"},{"key":"14_CR65","first-page":"108","volume":"1","author":"I Sharafaldin","year":"2018","unstructured":"Sharafaldin, I., Lashkari, A.H., et al.: Toward generating a new intrusion detection dataset and intrusion traffic characterization. ICISSp 1, 108\u2013116 (2018)","journal-title":"ICISSp"},{"key":"14_CR66","doi-asserted-by":"crossref","unstructured":"Shiravi, A.,\u00a0Shiravi, H., et\u00a0al.: Toward developing a systematic approach to generate benchmark datasets for intrusion detection. Computers & Security 31(3), 357\u2013374 (2012)","DOI":"10.1016\/j.cose.2011.12.012"},{"key":"14_CR67","doi-asserted-by":"crossref","unstructured":"Sommer, R.,\u00a0Paxson, V.: Outside the closed world: on using machine learning for network intrusion detection. In: 2010 IEEE Symposium on Security and Privacy (SP), pp. 305\u2013316. IEEE (2010)","DOI":"10.1109\/SP.2010.25"},{"key":"14_CR68","unstructured":"Splunk: Siem, Aiops, application management, log management, machine learning, and compliance. https:\/\/www.splunk.com\/"},{"key":"14_CR69","unstructured":"Turner, A.: Tcpreplay (2011). http:\/\/tcpreplay.synfin.net\/trac\/"},{"key":"14_CR70","unstructured":"Umayya, Z.,\u00a0Nandi, A.: Watson. https:\/\/github.com\/zeya2u9\/Watson\/"},{"key":"14_CR71","doi-asserted-by":"crossref","unstructured":"van Ede, T.,\u00a0Aghakhani, H., et\u00a0al.: DeepCase: semi-supervised contextual analysis of security events. In: IEEE Security and Privacy (2022)","DOI":"10.1109\/SP46214.2022.9833671"},{"key":"14_CR72","unstructured":"van Hauser: Hydra. https:\/\/github.com\/vanhauser-thc\/thc-hydra"},{"key":"14_CR73","doi-asserted-by":"crossref","unstructured":"Wang, X.: ENIDrift: a fast and adaptive ensemble system for network intrusion detection under real-world drift. In: Annual Computer Security Applications Conference (ACSAC), pp. 785\u2013798 (2022)","DOI":"10.1145\/3564625.3567992"},{"key":"14_CR74","unstructured":"Wei, F.,\u00a0Li, H., et\u00a0al.: XNIDS: explaining deep learning-based network intrusion detection systems for active intrusion responses. In: 32nd USENIX Security Symposium (USENIX Security 23), Anaheim, CA, USA (2023)"},{"key":"14_CR75","unstructured":"Zissman, M.: Darpa intrusion detection scenario specific data sets (2000)"}],"container-title":["Lecture Notes in Computer Science","Network and System Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-981-96-3531-3_14","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,3,13]],"date-time":"2025-03-13T12:11:17Z","timestamp":1741867877000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-981-96-3531-3_14"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"ISBN":["9789819635306","9789819635313"],"references-count":75,"URL":"https:\/\/doi.org\/10.1007\/978-981-96-3531-3_14","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2025]]},"assertion":[{"value":"14 March 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"NSS","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Network and System Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Abu Dhabi","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"United Arab Emirates","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2024","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"21 November 2024","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"23 November 2024","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"18","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"nss2024","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"http:\/\/nsclab.org\/nss-socialsec2024\/index.html","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}