{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,14]],"date-time":"2025-06-14T23:40:17Z","timestamp":1749944417136,"version":"3.28.0"},"reference-count":28,"publisher":"IEEE Comput. Soc","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"DOI":"10.1109\/discex.2003.1194892","type":"proceedings-article","created":{"date-parts":[[2004,3,1]],"date-time":"2004-03-01T21:26:50Z","timestamp":1078176410000},"page":"284-292","source":"Crossref","is-referenced-by-count":123,"title":["Modeling multistep cyber attacks for scenario recognition"],"prefix":"10.1109","author":[{"given":"S.","family":"Cheung","sequence":"first","affiliation":[]},{"given":"U.","family":"Lindqvist","sequence":"additional","affiliation":[]},{"given":"M.W.","family":"Fong","sequence":"additional","affiliation":[]}],"member":"263","reference":[{"key":"ref10","doi-asserted-by":"crossref","first-page":"71","DOI":"10.3233\/JCS-2002-101-204","article-title":"STATL: An attack language for state-based intrusion detection","volume":"10","author":"eckmann","year":"2002","journal-title":"Journal of Computer Security"},{"journal-title":"Design Patterns Elements of Reusable Object-Oriented Software","year":"1995","author":"gamma","key":"ref11"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1109\/DISCEX.2001.932228"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2001.991517"},{"key":"ref14","first-page":"-14c","article-title":"The inquisitive sensor: A tactical tool for system survivability","author":"lindqvist","year":"2001","journal-title":"Supplement of the 2001 International Conference on Dependable Systems and Networks"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.1999.766911"},{"key":"ref16","first-page":"353","article-title":"ADeLe: An attack description language for knowledge-based intrusion detection","author":"michel","year":"2001","journal-title":"Trusted 
Information The New Decade Challenge IFIP TC11 16th International Conference on Information Security (IFIP\/SEC'01)"},{"key":"ref17","article-title":"Experience with EMERALD to date","author":"neumann","year":"1999","journal-title":"Proceedings of the Workshop on Intrusion Detection and Network Monitoring"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1145\/503339.503342"},{"key":"ref19","doi-asserted-by":"crossref","first-page":"95","DOI":"10.1007\/3-540-36084-0_6","article-title":"A mission-impact-based approach to INFOSEC alarm correlation","volume":"2516","author":"porras","year":"2002","journal-title":"Proc Recent Advances in Intrusion Detection (RAID 2001)"},{"key":"ref28","first-page":"195","article-title":"NetKuang-a multi-host configuration vulnerability checker","author":"zerkle","year":"1996","journal-title":"Proc Sixth Usenix Security Symp"},{"journal-title":"CERT Incident Note IN-99-07","article-title":"Distributed Denial of Service Tools","year":"1999","key":"ref4"},{"journal-title":"Artificial Intelligence","year":"1977","author":"winston","key":"ref27"},{"journal-title":"CERT Advisory CA-1998-01","article-title":"Smurf IP Denial-of-Service Attacks","year":"1998","key":"ref3"},{"journal-title":"CERT Advisory CA-2001-13","article-title":"Buffer Overflow In IIS Indexing Service DLL","year":"2001","key":"ref6"},{"journal-title":"CERT Incident Note IN-2000-05","article-title":"“mstream” Distributed Denial of Service Tool","year":"2000","key":"ref5"},{"key":"ref8","article-title":"Intrusion Detection Message Exchange Format: Data Model and Extensible Markup Language (XML) Document Type Definition","author":"curry","year":"2002","journal-title":"Intrusion Detection Working Group"},{"key":"ref7","doi-asserted-by":"crossref","first-page":"197","DOI":"10.1007\/3-540-39945-3_13","article-title":"LAMBDA: A language to model a database for detection of attacks","volume":"1907","author":"cuppens","year":"2000","journal-title":"Proc Recent Advances 
in Intrusion Detection (RAID 2001)"},{"journal-title":"AusCERT Advisory AL-1999 004","article-title":"Denial of Service (DoS) attacks using the Domain Name System (DNS)","year":"1999","key":"ref2"},{"key":"ref9","doi-asserted-by":"crossref","first-page":"85","DOI":"10.1007\/3-540-45474-8_6","article-title":"Aggregation and correlation of intrusion-detection alerts","volume":"2212","author":"debar","year":"2001","journal-title":"Proc Recent Advances in Intrusion Detection (RAID 2001)"},{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1145\/182.358434"},{"key":"ref20","first-page":"353","article-title":"EMERALD: Event monitoring enabling responses to anomalous live disturbances","author":"porras","year":"1997","journal-title":"Proceedings of the 20th National Information Systems Security Conference"},{"key":"ref22","first-page":"156","article-title":"Using model checking to analyze network vulnerabilities","author":"ritchey","year":"2001","journal-title":"Proceedings of the 2001 IEEE Symposium on Security and Privacy"},{"key":"ref21","doi-asserted-by":"crossref","first-page":"189","DOI":"10.3233\/JCS-2002-101-209","article-title":"Model-based analysis of configuration vulnerabilities","volume":"10","author":"ramakrishnan","year":"2002","journal-title":"Journal of Computer Security"},{"key":"ref24","doi-asserted-by":"crossref","first-page":"105","DOI":"10.3233\/JCS-2002-101-205","article-title":"Practical automated detection of stealthy portscans","volume":"10","author":"staniford","year":"2002","journal-title":"Journal of Computer Security"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.2002.1004377"},{"key":"ref26","doi-asserted-by":"crossref","first-page":"54","DOI":"10.1007\/3-540-45474-8_4","article-title":"Probabilistic alert correlation","volume":"2212","author":"valdes","year":"2001","journal-title":"Proc Recent Advances in Intrusion Detection (RAID 
2001)"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1145\/366173.366187"}],"event":{"name":"DARPA Information Survivability Conference and Exposition","acronym":"DISCEX-03","location":"Washington, DC, USA"},"container-title":["Proceedings DARPA Information Survivability Conference and Exposition"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx5\/8503\/26875\/01194892.pdf?arnumber=1194892","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2018,4,21]],"date-time":"2018-04-21T10:13:08Z","timestamp":1524305588000},"score":1,"resource":{"primary":{"URL":"http:\/\/ieeexplore.ieee.org\/document\/1194892\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[null]]},"references-count":28,"URL":"https:\/\/doi.org\/10.1109\/discex.2003.1194892","relation":{},"subject":[]}}