{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,29]],"date-time":"2025-09-29T07:46:41Z","timestamp":1759132001286,"version":"3.41.0"},"reference-count":34,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2007,2,1]],"date-time":"2007-02-01T00:00:00Z","timestamp":1170288000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Inf. Syst. Secur."],"published-print":{"date-parts":[[2007,2]]},"abstract":"<jats:p>\n            Signature-based network intrusion-detection systems (NIDSs) often report a massive number of simple alerts of low-level security-related events. Many of these alerts are logically involved in a single multi-stage intrusion incident and a security officer often wants to analyze the complete incident instead of each individual simple alert. This paper proposes a well-structured model that abstracts the logical relation between the alerts in order to support automatic correlation of those alerts involved in the same intrusion. The basic building block of the model is a logical formula called a\n            <jats:italic>capability<\/jats:italic>\n            . We use\n            <jats:italic>capability<\/jats:italic>\n            to abstract consistently and precisely all levels of accesses obtained by the attacker in each step of a multistage intrusion. We then derive inference rules to define logical relations between different capabilities. Based on the model and the inference rules, we have developed several novel alert correlation algorithms and implemented a prototype alert correlator. The experimental results of the correlator using several intrusion datasets demonstrate that the approach is effective in both alert fusion and alert correlation and has the ability to correlate alerts of complex multistage intrusions. In several instances, the alert correlator successfully correlated more than two thousand Snort alerts involved in massive scanning incidents. It also helped us find two multistage intrusions that were missed in auditing by the security officers.\n          <\/jats:p>","DOI":"10.1145\/1210263.1210267","type":"journal-article","created":{"date-parts":[[2007,4,9]],"date-time":"2007-04-09T19:07:12Z","timestamp":1176145632000},"page":"4","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":59,"title":["Modeling network intrusion detection alerts for correlation"],"prefix":"10.1145","volume":"10","author":[{"given":"Jingmin","family":"Zhou","sequence":"first","affiliation":[{"name":"University of California, Davis, CA"}]},{"given":"Mark","family":"Heckman","sequence":"additional","affiliation":[{"name":"Promia, Inc., Davis, CA"}]},{"given":"Brennen","family":"Reynolds","sequence":"additional","affiliation":[{"name":"Promia, Inc., Davis, CA"}]},{"given":"Adam","family":"Carlson","sequence":"additional","affiliation":[{"name":"University of California, Davis, CA"}]},{"given":"Matt","family":"Bishop","sequence":"additional","affiliation":[{"name":"University of California, Davis, CA"}]}],"member":"320","published-online":{"date-parts":[[2007,2]]},"reference":[{"key":"e_1_2_1_1_1","volume-title":"Tech. Rep. CMU\/SEI-99-TR-028","author":"Allen J.","year":"1999","unstructured":"Allen , J. , Christie , A. , Fithen , W. , McHugh , J. , Pickel , J. , and Stoner , E . 1999 . State of the Practice of Intrusion Detection Technologies . Tech. Rep. CMU\/SEI-99-TR-028 , Software Engineering Institute, Carnegie Mellon University. Jan .) Allen, J., Christie, A., Fithen, W., McHugh, J., Pickel, J., and Stoner, E. 1999. State of the Practice of Intrusion Detection Technologies. Tech. Rep. CMU\/SEI-99-TR-028, Software Engineering Institute, Carnegie Mellon University. Jan.)"},{"volume-title":"Computer Security Threat Monitoring and Surveillance","author":"Anderson J. P.","key":"e_1_2_1_2_1","unstructured":"Anderson , J. P. 1980. Computer Security Threat Monitoring and Surveillance . James P. Anderson Co. Anderson, J. P. 1980. Computer Security Threat Monitoring and Surveillance. James P. Anderson Co."},{"key":"e_1_2_1_3_1","volume-title":"Proceedings of the IRIS National Symposium on Sensor and Data Fusion.","author":"Bass T.","year":"1999","unstructured":"Bass , T. 1999 . Multisensor data fusion for next generation distributed intrusion detection systems . In Proceedings of the IRIS National Symposium on Sensor and Data Fusion. Bass, T. 1999. Multisensor data fusion for next generation distributed intrusion detection systems. In Proceedings of the IRIS National Symposium on Sensor and Data Fusion."},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/332051.332079"},{"key":"e_1_2_1_5_1","unstructured":"CERT. 2001. Advisory CA-2001-19 Code Red worm exploiting buffer overflow in IIS indexing service DLL.  CERT. 2001. Advisory CA-2001-19 Code Red worm exploiting buffer overflow in IIS indexing service DLL."},{"volume-title":"Proceedings of the DARPA Information Survivability Conference and Exposition. Washington, D.C.","author":"Cheung S.","key":"e_1_2_1_6_1","unstructured":"Cheung , S. , Lindqvist , U. , and Fong , M. W . 2003. Modeling multistep cyber attacks for scenario recognition . In Proceedings of the DARPA Information Survivability Conference and Exposition. Washington, D.C. Cheung, S., Lindqvist, U., and Fong, M. W. 2003. Modeling multistep cyber attacks for scenario recognition. In Proceedings of the DARPA Information Survivability Conference and Exposition. Washington, D.C."},{"key":"e_1_2_1_7_1","unstructured":"Cisco Systems Inc. Cisco intrusion prevention alert center http:\/\/www.cisco.com\/pcgi-bin\/front.x\/ipsalerts\/ipsalertsHome.pl.  Cisco Systems Inc. Cisco intrusion prevention alert center http:\/\/www.cisco.com\/pcgi-bin\/front.x\/ipsalerts\/ipsalertsHome.pl."},{"key":"e_1_2_1_8_1","unstructured":"Cormen T. H. Leiserson C. E. Rivest R. L. and Stein C. 2001. Introduction to Algorithms 2nd ed. The MIT Press. Cambridge MA.   Cormen T. H. Leiserson C. E. Rivest R. L. and Stein C. 2001. Introduction to Algorithms 2nd ed. The MIT Press. Cambridge MA."},{"volume-title":"A toolkit for intrusion alerts correlation based on prerequisites and consequences of attacks. M. S. thesis","author":"Cui Y.","key":"e_1_2_1_9_1","unstructured":"Cui , Y. 2002. A toolkit for intrusion alerts correlation based on prerequisites and consequences of attacks. M. S. thesis , North Carolina State University , Department of Computer Science. Cui, Y. 2002. A toolkit for intrusion alerts correlation based on prerequisites and consequences of attacks. M. S. thesis, North Carolina State University, Department of Computer Science."},{"volume-title":"Proceedings of the IEEE Symposium of Security and Privacy. 202","author":"Cuppens F.","key":"e_1_2_1_10_1","unstructured":"Cuppens , F. and Mi\u00e8ge , A . 2002. Alert correlation in a cooperative intrusion detection framework . In Proceedings of the IEEE Symposium of Security and Privacy. 202 . Cuppens, F. and Mi\u00e8ge, A. 2002. Alert correlation in a cooperative intrusion detection framework. In Proceedings of the IEEE Symposium of Security and Privacy. 202."},{"volume-title":"Proceedings of the SECI02 Workshop.","author":"Cuppens F.","key":"e_1_2_1_11_1","unstructured":"Cuppens , F. , Autrel , F. , Mi\u00e8ge , A. , and Benherfat , S . 2002. Correlation in an intrusion detection process . In Proceedings of the SECI02 Workshop. Cuppens, F., Autrel, F., Mi\u00e8ge, A., and Benherfat, S. 2002. Correlation in an intrusion detection process. In Proceedings of the SECI02 Workshop."},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.5555\/645839.670735"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.1987.232894"},{"key":"e_1_2_1_14_1","unstructured":"Dittrich D. Weaver G. Dietrich S. and Long N. 2000. The mstream distributed denial of service attack tool. http:\/\/staff.washington.edu\/dittrich\/misc\/mstream.analysis.txt.  Dittrich D. Weaver G. Dietrich S. and Long N. 2000. The mstream distributed denial of service attack tool. http:\/\/staff.washington.edu\/dittrich\/misc\/mstream.analysis.txt."},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.5555\/597917.597921"},{"key":"e_1_2_1_17_1","unstructured":"Internet Security Systems (ISS). X-force database http:\/\/xforce.iss.net\/xforce\/search.php.  Internet Security Systems (ISS). X-force database http:\/\/xforce.iss.net\/xforce\/search.php."},{"volume-title":"Proceedings of the Computer Security Foundation Workshop.","author":"Lin J.-L.","key":"e_1_2_1_18_1","unstructured":"Lin , J.-L. , Wang , X. S. , and Jajodia , S . 1998. Abstraction-based misuse detection: High-level specifications and adaptable strategies . In Proceedings of the Computer Security Foundation Workshop. Lin, J.-L., Wang, X. S., and Jajodia, S. 1998. Abstraction-based misuse detection: High-level specifications and adaptable strategies. In Proceedings of the Computer Security Foundation Workshop."},{"volume-title":"Proceedings of the International Symposium on Recent Advances in Intrusion Detection.","author":"Lippmann R. P.","key":"e_1_2_1_19_1","unstructured":"Lippmann , R. P. , Webster , S. E. , and Stetson , D . 2002. The effect of identifying vulnerabilities and patching software on the utility of network intrusion detection . In Proceedings of the International Symposium on Recent Advances in Intrusion Detection. Lippmann, R. P., Webster, S. E., and Stetson, D. 2002. The effect of identifying vulnerabilities and patching software on the utility of network intrusion detection. In Proceedings of the International Symposium on Recent Advances in Intrusion Detection."},{"key":"e_1_2_1_20_1","volume-title":"DARPA 2000 intrusion detection evaluation datasets. http:\/\/ideval.ll.mit.edu\/IST\/ideval\/data\/2000\/2000_data_index.html.","author":"Lincoln Lab","year":"2000","unstructured":"MIT Lincoln Lab . 2000 . DARPA 2000 intrusion detection evaluation datasets. http:\/\/ideval.ll.mit.edu\/IST\/ideval\/data\/2000\/2000_data_index.html. MIT Lincoln Lab. 2000. DARPA 2000 intrusion detection evaluation datasets. http:\/\/ideval.ll.mit.edu\/IST\/ideval\/data\/2000\/2000_data_index.html."},{"volume-title":"Proceedings of the International Symposium on Recent Advances in Intrusion Detection","author":"Morin B.","key":"e_1_2_1_21_1","unstructured":"Morin , B. , M\u00e9 , L. , Debar , H. , and Ducasse , M . 2002. M2d2: a formal data model for ids alert correlation . In Proceedings of the International Symposium on Recent Advances in Intrusion Detection , Zurich, Switzerland. Morin, B., M\u00e9, L., Debar, H., and Ducasse, M. 2002. M2d2: a formal data model for ids alert correlation. In Proceedings of the International Symposium on Recent Advances in Intrusion Detection, Zurich, Switzerland."},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/996943.996947"},{"volume-title":"Proceedings of the Computer Security Foundation Workshop.","author":"Pouzol J.-P.","key":"e_1_2_1_23_1","unstructured":"Pouzol , J.-P. and Ducass\u00e9 , M . 2002. Formal specifications of intrusion signatures and detection rules . In Proceedings of the Computer Security Foundation Workshop. Pouzol, J.-P. and Ducass\u00e9, M. 2002. Formal specifications of intrusion signatures and detection rules. In Proceedings of the Computer Security Foundation Workshop."},{"key":"e_1_2_1_24_1","unstructured":"Purczynski W. and Niewiadomski J. 2003. wu-ftpd fb_realpath() off-by-one bug. http:\/\/isec.pl\/vulnerabilities\/isec-0011-wu-ftpd.txt.  Purczynski W. and Niewiadomski J. 2003. wu-ftpd fb_realpath() off-by-one bug. http:\/\/isec.pl\/vulnerabilities\/isec-0011-wu-ftpd.txt."},{"volume-title":"Proceedings of the Student Workshop on Computing, Department of Computer Science","author":"Ristenpart T.","key":"e_1_2_1_25_1","unstructured":"Ristenpart , T. , Templeton , S. , and Bishop , M . 2004. Time synchronization of aggregated heterogeneous logs . In Proceedings of the Student Workshop on Computing, Department of Computer Science , University of California, Davis, CA. Ristenpart, T., Templeton, S., and Bishop, M. 2004. Time synchronization of aggregated heterogeneous logs. In Proceedings of the Student Workshop on Computing, Department of Computer Science, University of California, Davis, CA."},{"key":"e_1_2_1_26_1","volume-title":"Proceedings of the USENIX Lisa Conference","author":"Roesch M.","year":"1999","unstructured":"Roesch , M. 1999 . Snort---lightweight intrusion detection for networks . In Proceedings of the USENIX Lisa Conference , Berkeley, CA. Roesch, M. 1999. Snort---lightweight intrusion detection for networks. In Proceedings of the USENIX Lisa Conference, Berkeley, CA."},{"key":"e_1_2_1_27_1","unstructured":"SecurityFocus. 2004. Vulnerability database. http:\/\/www.securityfocus.com\/bid.  SecurityFocus. 2004. Vulnerability database. http:\/\/www.securityfocus.com\/bid."},{"volume-title":"Proceedings of the IEEE Symposium of Security and Privacy","author":"Sheyner O.","key":"e_1_2_1_28_1","unstructured":"Sheyner , O. , Haines , J. , Jha , S. , Lippmann , R. , and Wing , J. M . 2002. Automated generation and analysis of attack graphs . In Proceedings of the IEEE Symposium of Security and Privacy . Berkeley, CA. Sheyner, O., Haines, J., Jha, S., Lippmann, R., and Wing, J. M. 2002. Automated generation and analysis of attack graphs. In Proceedings of the IEEE Symposium of Security and Privacy. Berkeley, CA."},{"key":"e_1_2_1_29_1","unstructured":"Snort Inline. http:\/\/snort-inline.sourceforge.net\/.  Snort Inline. http:\/\/snort-inline.sourceforge.net\/."},{"key":"e_1_2_1_30_1","unstructured":"Tcpdump and Libpcap. http:\/\/www.tcpdump.org\/.  Tcpdump and Libpcap. http:\/\/www.tcpdump.org\/."},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/366173.366187"},{"key":"e_1_2_1_32_1","unstructured":"The Honeypot Project. 2001. Know your enemy: Revealing the security tools tactics and motives of the blackhat community. http:\/\/www.honeynet.org.  The Honeypot Project. 2001. Know your enemy: Revealing the security tools tactics and motives of the blackhat community. http:\/\/www.honeynet.org."},{"key":"e_1_2_1_33_1","volume-title":"OpenSSL security advisory {30","author":"The Open SSL","year":"2002","unstructured":"The Open SSL Project . 2002. OpenSSL security advisory {30 July 2002 }. http:\/\/www.openssl.org\/news\/secadv_20020730.txt. The OpenSSL Project. 2002. OpenSSL security advisory {30 July 2002}. http:\/\/www.openssl.org\/news\/secadv_20020730.txt."},{"key":"e_1_2_1_34_1","doi-asserted-by":"crossref","unstructured":"Valdes A.\n     and \n      Skinner K\n  . \n  2001\n  . Probabilistic alert correlation. In Proceedings of the International Symposium on Recent Advances in Intrusion Detection. Number 2212 in \n  Lecture Notes in Computer Science\n  . \n  Springer-Verlag New York.   Valdes A. and Skinner K. 2001. Probabilistic alert correlation. In Proceedings of the International Symposium on Recent Advances in Intrusion Detection. Number 2212 in Lecture Notes in Computer Science. Springer-Verlag New York.","DOI":"10.1007\/3-540-45474-8_4"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2005.62"}],"container-title":["ACM Transactions on Information and System Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1210263.1210267","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/1210263.1210267","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T20:22:21Z","timestamp":1750278141000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1210263.1210267"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2007,2]]},"references-count":34,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2007,2]]}},"alternative-id":["10.1145\/1210263.1210267"],"URL":"https:\/\/doi.org\/10.1145\/1210263.1210267","relation":{},"ISSN":["1094-9224","1557-7406"],"issn-type":[{"type":"print","value":"1094-9224"},{"type":"electronic","value":"1557-7406"}],"subject":[],"published":{"date-parts":[[2007,2]]},"assertion":[{"value":"2007-02-01","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}