{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,7]],"date-time":"2026-01-07T07:36:39Z","timestamp":1767771399145},"reference-count":44,"publisher":"Springer Science and Business Media LLC","issue":"5","license":[{"start":{"date-parts":[[2023,5,28]],"date-time":"2023-05-28T00:00:00Z","timestamp":1685232000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2023,5,28]],"date-time":"2023-05-28T00:00:00Z","timestamp":1685232000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"published-print":{"date-parts":[[2023,10]]},"DOI":"10.1007\/s10207-023-00701-2","type":"journal-article","created":{"date-parts":[[2023,5,28]],"date-time":"2023-05-28T16:01:38Z","timestamp":1685289698000},"page":"1481-1496","update-policy":"http:\/\/dx.doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":5,"title":["An effective attack scenario construction model based on identification of attack steps and stages"],"prefix":"10.1007","volume":"22","author":[{"given":"Taqwa Ahmed","family":"Alhaj","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Maheyzah Md","family":"Siraj","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Anazida","family":"Zainal","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Inshirah","family":"Idris","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Anjum","family":"Nazir","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Fatin","family":"Elhaj","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Tasneem","family":"Darwish","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2023,5,28]]},"reference":[{"key":"701_CR1","doi-asserted-by":"publisher","first-page":"39","DOI":"10.1016\/j.neucom.2015.12.127","volume":"208","author":"Y Yao","year":"2016","unstructured":"Yao, Y., Wang, Z., Gan, C., Kang, Q., Liu, X., Xia, Y., Zhang, L.: Multi-source alert data understanding for security semantic discovery based on rough set theory. Neurocomputing 208, 39\u201345 (2016). https:\/\/doi.org\/10.1016\/j.neucom.2015.12.127","journal-title":"Neurocomputing"},{"key":"701_CR2","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1016\/j.cose.2014.12.003","volume":"50","author":"R Shittu","year":"2015","unstructured":"Shittu, R., Healing, A., Ghanea-Hercock, R., Bloomfield, R., Rajarajan, M.: Intrusion alert prioritisation and attack detection using post-correlation analysis. Comput. Secur. 50, 1\u201315 (2015). https:\/\/doi.org\/10.1016\/j.cose.2014.12.003","journal-title":"Comput. Secur."},{"key":"701_CR3","doi-asserted-by":"publisher","first-page":"214","DOI":"10.1016\/j.cose.2018.03.001","volume":"76","author":"J Navarro","year":"2018","unstructured":"Navarro, J., Deruyver, A., Parrend, P.: A systematic survey on multi-step attack detection. Comput. Secur. 76, 214\u2013249 (2018). https:\/\/doi.org\/10.1016\/j.cose.2018.03.001","journal-title":"Comput. Secur."},{"key":"701_CR4","doi-asserted-by":"publisher","first-page":"39","DOI":"10.1016\/j.neucom.2015.12.127","volume":"208","author":"Y Yao","year":"2016","unstructured":"Yao, Y., Wang, Z., Gan, C., Kang, Q., Liu, X., Xia, Y., Zhang, L.: Multi-source alert data understanding for security semantic discovery based on rough set theory. Neurocomputing 208, 39\u201345 (2016). https:\/\/doi.org\/10.1016\/j.neucom.2015.12.127","journal-title":"Neurocomputing"},{"key":"701_CR5","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2019.101661","volume":"89","author":"E Mahdavi","year":"2020","unstructured":"Mahdavi, E., Fanian, A., Amini, F.: A real-time alert correlation method based on code-books for intrusion detection systems. Comput. Secur. 89, 101661 (2020)","journal-title":"Comput. Secur."},{"key":"701_CR6","doi-asserted-by":"publisher","first-page":"83","DOI":"10.1016\/j.cose.2015.11.005","volume":"58","author":"M GhasemiGol","year":"2016","unstructured":"GhasemiGol, M., Ghaemi-Bafghi, A., Takabi, H.: A comprehensive approach for network attack forecasting. Comput. Secur. 58, 83\u2013105 (2016). https:\/\/doi.org\/10.1016\/j.cose.2015.11.005","journal-title":"Comput. Secur."},{"key":"701_CR7","doi-asserted-by":"crossref","unstructured":"Alhakami, W.: Alerts clustering for intrusion detection systems: overview and machine learning perspectives. Int. J. Adv. Comput. Sci. Appl. (IJACSA) 10(5) (2019)","DOI":"10.14569\/IJACSA.2019.0100574"},{"key":"701_CR8","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2020.101974","volume":"97","author":"T Li","year":"2020","unstructured":"Li, T., Liu, Y., Liu, Y., Xiao, Y., Nguyen, N.A.: Attack plan recognition using hidden Markov and probabilistic inference. Comput. Secur. 97, 101974 (2020)","journal-title":"Comput. Secur."},{"issue":"4","key":"701_CR9","first-page":"73","volume":"5","author":"M Marchetti","year":"2011","unstructured":"Marchetti, M., Colajanni, M., Manganiello, F.: Framework and models for multistep attack detection. Int. J. Secur. Appl. 5(4), 73\u201390 (2011)","journal-title":"Int. J. Secur. Appl."},{"issue":"11","key":"701_CR10","doi-asserted-by":"publisher","first-page":"1368","DOI":"10.1016\/j.comcom.2012.04.001","volume":"35","author":"M Soleimani","year":"2012","unstructured":"Soleimani, M., Ghorbani, A.A.: Multi-layer episode filtering for the multi-step attack detection. Comput. Commun. 35(11), 1368\u20131379 (2012). https:\/\/doi.org\/10.1016\/j.comcom.2012.04.001","journal-title":"Comput. Commun."},{"issue":"4","key":"701_CR11","first-page":"2865","volume":"8","author":"C-J Huang","year":"2012","unstructured":"Huang, C.-J., Hu, K.-W., Cheng, H., Chang, T.-K., Luo, Y.-C., Lien, Y.-J.: Application of type-2 fuzzy logic to rule-based intrusion alert correlation detection. Int. J. Innov. Comput. Inf. Control 8(4), 2865\u20132874 (2012)","journal-title":"Int. J. Innov. Comput. Inf. Control"},{"issue":"1","key":"701_CR12","doi-asserted-by":"publisher","first-page":"53","DOI":"10.1016\/j.jisa.2013.08.002","volume":"18","author":"S Saad","year":"2013","unstructured":"Saad, S., Traore, I.: Semantic aware attack scenarios reconstruction. J. Inf. Secur. Appl. 18(1), 53\u201367 (2013). https:\/\/doi.org\/10.1016\/j.jisa.2013.08.002","journal-title":"J. Inf. Secur. Appl."},{"key":"701_CR13","doi-asserted-by":"publisher","first-page":"206","DOI":"10.1016\/j.cose.2014.10.006","volume":"49","author":"AA Ramaki","year":"2015","unstructured":"Ramaki, A.A., Amini, M., Atani, R.E.: RTECA: real time episode correlation algorithm for multi-step attack scenarios detection. Comput. Secur. 49, 206\u2013219 (2015). https:\/\/doi.org\/10.1016\/j.cose.2014.10.006","journal-title":"Comput. Secur."},{"key":"701_CR14","doi-asserted-by":"publisher","first-page":"119","DOI":"10.1016\/j.eswa.2018.04.030","volume":"108","author":"M Barzegar","year":"2018","unstructured":"Barzegar, M., Shajari, M.: Attack scenario reconstruction using intrusion semantics. Expert Syst. Appl. 108, 119\u2013133 (2018)","journal-title":"Expert Syst. Appl."},{"issue":"5","key":"701_CR15","doi-asserted-by":"publisher","first-page":"1289","DOI":"10.1016\/j.comnet.2012.10.022","volume":"57","author":"S Salah","year":"2013","unstructured":"Salah, S., Maci\u00e1-Fern\u00e1ndez, G., D\u00edaz-Verdejo, J.E.: A model-based survey of alert correlation techniques. Comput. Netw. 57(5), 1289\u20131317 (2013). https:\/\/doi.org\/10.1016\/j.comnet.2012.10.022","journal-title":"Comput. Netw."},{"key":"701_CR16","doi-asserted-by":"publisher","unstructured":"Ussath, M., Cheng, F., Meinel, C.: Automatic multi-step signature derivation from taint graphs. In: IEEE Symposium Series on Computational Intelligence (SSCI), pp. 1\u20138 (2016). https:\/\/doi.org\/10.1109\/SSCI.2016.7850076","DOI":"10.1109\/SSCI.2016.7850076"},{"key":"701_CR17","doi-asserted-by":"publisher","unstructured":"Li, W., Zhi-Tang, L., Dong, L., Jie, L.: Attack scenario construction with a new sequential mining technique. In: Eighth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel\/Distributed Computing, pp. 872\u2013877 (2007). https:\/\/doi.org\/10.1109\/SNPD.2007.395","DOI":"10.1109\/SNPD.2007.395"},{"key":"701_CR18","doi-asserted-by":"publisher","unstructured":"Zhang, A.-F., Li, Z.-T., Li, D., Wang, L.: Discovering novel multistage attack patterns in alert streams. In: International Conference on Networking, Architecture, and Storage, pp. 115\u2013121 (2007). https:\/\/doi.org\/10.1109\/NAS.2007.20","DOI":"10.1109\/NAS.2007.20"},{"issue":"2","key":"701_CR19","doi-asserted-by":"publisher","first-page":"274","DOI":"10.1145\/996943.996947","volume":"7","author":"P Ning","year":"2004","unstructured":"Ning, P., Cui, Y., Reeves, D.S., Xu, D.: Techniques and tools for analyzing intrusion alerts. ACM Trans. Inf. Syst. Secur. (TISSEC) 7(2), 274\u2013318 (2004). https:\/\/doi.org\/10.1145\/996943.996947","journal-title":"ACM Trans. Inf. Syst. Secur. (TISSEC)"},{"key":"701_CR20","doi-asserted-by":"publisher","unstructured":"Saad, S., Traore, I.: Extracting attack scenarios using intrusion semantics. In: International Symposium on Foundations and Practice of Security, pp. 278\u2013292 (2012). https:\/\/doi.org\/10.1007\/978-3-642-37119-6-18","DOI":"10.1007\/978-3-642-37119-6-18"},{"key":"701_CR21","doi-asserted-by":"publisher","unstructured":"Ning, P., Cui, Y., Reeves, D.S.: Constructing attack scenarios through correlation of intrusion alerts. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 245\u2013254 (2002). https:\/\/doi.org\/10.1145\/586110.586144","DOI":"10.1145\/586110.586144"},{"key":"701_CR22","unstructured":"Ning, P., Peng, P., Hu, Y., Xu, D.: TIAA: a visual toolkit for intrusion alert analysis. North Carolina State University, Center for Advanced Computing and Communication (2003)"},{"key":"701_CR23","doi-asserted-by":"publisher","unstructured":"Ning, P., Xu, D.: Learning attack strategies from intrusion alerts. In: Proceedings of the 10th ACM Conference on Computer and Communications Security, pp. 200\u2013209 (2003). https:\/\/doi.org\/10.1145\/948109.948137","DOI":"10.1145\/948109.948137"},{"key":"701_CR24","doi-asserted-by":"publisher","unstructured":"Xu, D., Ning, P.: Correlation analysis of intrusion alerts. In: Intrusion Detection Systems. Advances in Information Security, vol. 38. Springer, Boston (2006). https:\/\/doi.org\/10.1007\/978-0-387-77265-3_4","DOI":"10.1007\/978-0-387-77265-3_4"},{"key":"701_CR25","doi-asserted-by":"publisher","unstructured":"Ning, P., Xu, D.: Toward automated intrusion alert analysis. In: Network Security, pp. 175\u2013205(2010). https:\/\/doi.org\/10.1007\/978-0-387-73821-5-8","DOI":"10.1007\/978-0-387-73821-5-8"},{"key":"701_CR26","doi-asserted-by":"crossref","unstructured":"Lanoe, D., Hurfin, M., Totel, E.: A scalable and efficient correlation engine to detect multi-step attacks in distributed systems. In: 2018 IEEE 37th Symposium on Reliable Distributed Systems (SRDS), pp. 31\u201340. IEEE (2018, October)","DOI":"10.1109\/SRDS.2018.00014"},{"key":"701_CR27","doi-asserted-by":"crossref","unstructured":"Wang, Q., Jiang, J., Shi, Z., Wang, W., Lv, B., Qi, B., Yin, Q.: A novel multi-source fusion model for known and unknown attack scenarios. In: 2018 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications\/12th IEEE International Conference on Big Data Science and Engineering (Trust-Com\/BigDataSE), pp. 727\u2013736. IEEE (2018, August)","DOI":"10.1109\/TrustCom\/BigDataSE.2018.00106"},{"issue":"3","key":"701_CR28","first-page":"244","volume":"3","author":"B Zhu","year":"2006","unstructured":"Zhu, B., Ghorbani, A.A.: Alert correlation for extracting attack strategies. Int. J. Netw. Secur. 3(3), 244\u2013258 (2006)","journal-title":"Int. J. Netw. Secur."},{"issue":"15","key":"701_CR29","doi-asserted-by":"publisher","first-page":"2917","DOI":"10.1016\/j.comcom.2006.04.001","volume":"29","author":"L Wang","year":"2006","unstructured":"Wang, L., Liu, A., Jajodia, S.: Using attack graphs for correlating, hypothesizing, and predicting intrusion alerts. Comput. Commun. 29(15), 2917\u20132933 (2006). https:\/\/doi.org\/10.1016\/j.comcom.2006.04.001","journal-title":"Comput. Commun."},{"issue":"2","key":"701_CR30","doi-asserted-by":"publisher","first-page":"77","DOI":"10.22042\/isecure.2015.3.2.3","volume":"3","author":"H Farhadi","year":"2015","unstructured":"Farhadi, H., Amirhaeri, M., Khansari, M.: Alert correlation and prediction using data mining and HMM. ISC Int. J. Inf. Secur. 3(2), 77\u2013101 (2015). https:\/\/doi.org\/10.22042\/isecure.2015.3.2.3","journal-title":"ISC Int. J. Inf. Secur."},{"issue":"4","key":"701_CR31","first-page":"73","volume":"5","author":"M Marchetti","year":"2011","unstructured":"Marchetti, M., Colajanni, M., Manganiello, F.: Framework and models for multistep attack detection. Int. J. Secur. Appl. 5(4), 73\u201390 (2011)","journal-title":"Int. J. Secur. Appl."},{"key":"701_CR32","doi-asserted-by":"publisher","unstructured":"Soleimani, M., Ghorbani, A.A.: Multi-layer episode filtering for the multi-step attack detection. Comput. Commun. 35(11), 1368\u20131379 (2012). https:\/\/doi.org\/10.1016\/j.comcom.2012.04.001","DOI":"10.1016\/j.comcom.2012.04.001"},{"key":"701_CR33","doi-asserted-by":"publisher","unstructured":"Anbarestani, R., Akbari, B., Fathi, F.: An iterative alert correlation method for extracting network intrusion scenarios. In: 20th Iranian Conference on Electrical Engineering (ICEE), pp. 684\u2013689 (2012). https:\/\/doi.org\/10.1109\/IranianCEE.2012.6292441","DOI":"10.1109\/IranianCEE.2012.6292441"},{"key":"701_CR34","doi-asserted-by":"publisher","unstructured":"Man, D.-P., Li, X.-Z., Yang, W., Wang, W., Xuan, S.-C.: A multi-step attack recognition and prediction method via mining attacks conversion frequencies. Int. J. Wirel. Microw. Technol. 2, 20\u201325 (2012). https:\/\/doi.org\/10.5815\/ijwmt.2012.02.04","DOI":"10.5815\/ijwmt.2012.02.04"},{"issue":"1","key":"701_CR35","first-page":"160","volume":"15","author":"M Bateni","year":"2013","unstructured":"Bateni, M., Baraani, A., Ghorbani, A.: Using artificial immune system and fuzzy logic for alert correlation. Int. J. Netw. Secur. 15(1), 160\u2013174 (2013)","journal-title":"Int. J. Netw. Secur."},{"issue":"2","key":"701_CR36","doi-asserted-by":"publisher","first-page":"685","DOI":"10.1007\/s11042-012-1275-x","volume":"71","author":"Y-H Kim","year":"2014","unstructured":"Kim, Y.-H., Park, W.H.: A study on cyber threat prediction based on intrusion detection event for APT attack detection. Multimedia Tools Appl. 71(2), 685\u2013698 (2014). https:\/\/doi.org\/10.1007\/s11042-012-1275-x","journal-title":"Multimedia Tools Appl."},{"key":"701_CR37","doi-asserted-by":"publisher","unstructured":"Xian, M., Zhang, Y.: A privacy-preserving multi-step attack correlation algorithm. In: IEEE Advanced Information Management, Communicates, Electronic and Automation Control Conference (IMCEC), pp. 1389\u20131393 (2016). https:\/\/doi.org\/10.1109\/IMCEC.2016.7867441","DOI":"10.1109\/IMCEC.2016.7867441"},{"issue":"4","key":"701_CR38","doi-asserted-by":"publisher","first-page":"133","DOI":"10.1007\/BF03391586","volume":"1","author":"Y Zhang","year":"2016","unstructured":"Zhang, Y., Luo, X., Luo, H.: A multi-step attack-correlation method with privacy protection. J. Commun. Inf. Netw. 1(4), 133\u2013142 (2016). https:\/\/doi.org\/10.1007\/BF03391586","journal-title":"J. Commun. Inf. Netw."},{"key":"701_CR39","doi-asserted-by":"publisher","unstructured":"Qin, X., Lee, W.: Discovering novel attack strategies from INFOSEC alerts. In: Data Warehousing and Data Mining Techniques for Cyber Security, pp. 109\u2013157 (2007). https:\/\/doi.org\/10.1007\/978-0-387-47653-7_7","DOI":"10.1007\/978-0-387-47653-7_7"},{"key":"701_CR40","doi-asserted-by":"publisher","DOI":"10.1155\/2018\/5787102","author":"H Hu","year":"2018","unstructured":"Hu, H., Liu, Y., Zhang, H., Zhang, Y.: Security metric methods for network multistep attacks using AMC and big data correlation analysis. Secur. Commun. Netw. (2018). https:\/\/doi.org\/10.1155\/2018\/5787102","journal-title":"Secur. Commun. Netw."},{"issue":"11","key":"701_CR41","doi-asserted-by":"publisher","DOI":"10.1371\/journal.pone.0166017","volume":"11","author":"TA Alhaj","year":"2016","unstructured":"Alhaj, T.A., Siraj, M.M., Zainal, A., Elshoush, H.T., Elhaj, F.: Feature selection using information gain for improved structural-based alert correlation. PloS One 11(11), e016601 (2016)","journal-title":"PloS One"},{"key":"701_CR42","unstructured":"Alhaj, T.A., Siraj, M.B.M., Zainal, A.: An Effective Attack Scenario Construction Model based on Two-tier Feature Selection and Coarse Grain Cleaning. Ph.D. Thesis, Universiti Teknologi Malaysia, Malaysia (2018)"},{"key":"701_CR43","doi-asserted-by":"publisher","unstructured":"Zhang, Y., Xiao, S., Zhuang, X., Peng, X.: Using cluster and correlation to construct attack scenarios. In: International Conference on Cyberworlds, pp. 471\u2013476 (2008). https:\/\/doi.org\/10.1109\/CW.2008.94","DOI":"10.1109\/CW.2008.94"},{"key":"701_CR44","unstructured":"Ahmed, S.S.: Intrusion alert analysis framework using semantic correlation (Doctoral dissertation) (2014)"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-023-00701-2.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-023-00701-2\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-023-00701-2.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,9,26]],"date-time":"2023-09-26T02:10:37Z","timestamp":1695694237000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-023-00701-2"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,5,28]]},"references-count":44,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2023,10]]}},"alternative-id":["701"],"URL":"https:\/\/doi.org\/10.1007\/s10207-023-00701-2","relation":{},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"value":"1615-5262","type":"print"},{"value":"1615-5270","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,5,28]]},"assertion":[{"value":"28 May 2023","order":1,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors certify that they have no affiliation or interest in the subject matter or materials discussed in this manuscript.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}}]}}