{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,5]],"date-time":"2026-05-05T08:22:58Z","timestamp":1777969378455,"version":"3.51.4"},"reference-count":45,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2020,9,23]],"date-time":"2020-09-23T00:00:00Z","timestamp":1600819200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100008530","name":"ERDF","doi-asserted-by":"crossref","award":["No.CZ.02.1.01\/0.0\/0.0\/16_019\/0000822"],"award-info":[{"award-number":["No.CZ.02.1.01\/0.0\/0.0\/16_019\/0000822"]}],"id":[{"id":"10.13039\/501100008530","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/100007515","name":"National Science Foundation","doi-asserted-by":"publisher","award":["1907821"],"award-info":[{"award-number":["1907821"]}],"id":[{"id":"10.13039\/100007515","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Manage. Inf. Syst."],"published-print":{"date-parts":[[2020,12,31]]},"abstract":"<jats:p>Cybersecurity adopts data mining for its ability to extract concealed and indistinct patterns in the data, such as for the needs of alert correlation. Inferring common attack patterns and rules from the alerts helps in understanding the threat landscape for the defenders and allows for the realization of cyber situational awareness, including the projection of ongoing attacks. In this article, we explore the use of data mining, namely sequential rule mining, in the analysis of intrusion detection alerts. We employed a dataset of 12 million alerts from 34 intrusion detection systems in 3 organizations gathered in an alert sharing platform, and processed it using our analytical framework. We execute the mining of sequential rules that we use to predict security events, which we utilize to create a predictive blacklist. Thus, the recipients of the data from the sharing platform will receive only a small number of alerts of events that are likely to occur instead of a large number of alerts of past events. The predictive blacklist has the size of only 3% of the raw data, and more than 60% of its entries are shown to be successful in performing accurate predictions in operational, real-world settings.<\/jats:p>","DOI":"10.1145\/3386250","type":"journal-article","created":{"date-parts":[[2020,8,15]],"date-time":"2020-08-15T13:08:08Z","timestamp":1597496888000},"page":"1-16","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":31,"title":["Predictive Cyber Situational Awareness and Personalized Blacklisting"],"prefix":"10.1145","volume":"11","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-7249-9881","authenticated-orcid":false,"given":"Martin","family":"Hus\u00e1k","sequence":"first","affiliation":[{"name":"Masaryk University, Brno, Czech Republic"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Tom\u00e1\u0161","family":"Bajto\u0161","sequence":"additional","affiliation":[{"name":"Pavol Jozef \u0160af\u00e1rik University in Ko\u0161ice, Slovakia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jaroslav","family":"Ka\u0161par","sequence":"additional","affiliation":[{"name":"Masaryk University, Czech Republic"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Elias","family":"Bou-Harb","sequence":"additional","affiliation":[{"name":"University of Texas at San Antonio, San Antonio"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Pavel","family":"\u010celeda","sequence":"additional","affiliation":[{"name":"Masaryk University, Czech Republic"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2020,9,23]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/170035.170072"},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2019.03.016"},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2015.2494502"},{"key":"e_1_2_1_4_1","volume-title":"Retrieved","author":"CESNET.","year":"2016"},{"key":"e_1_2_1_5_1","volume-title":"Retrieved","author":"CESNET.","year":"2017"},{"key":"e_1_2_1_6_1","volume-title":"Retrieved","author":"CESNET and Masaryk University","year":"2016"},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.2002.1004372"},{"key":"e_1_2_1_8_1","doi-asserted-by":"crossref","unstructured":"H. Debar D. Curry and B. Feinstein. 2007. The Intrusion Detection Message Exchange Format (IDMEF). RFC 4765 (Experimental). http:\/\/www.ietf.org\/rfc\/rfc4765.txt.  H. Debar D. Curry and B. Feinstein. 2007. The Intrusion Detection Message Exchange Format (IDMEF). RFC 4765 (Experimental). http:\/\/www.ietf.org\/rfc\/rfc4765.txt.","DOI":"10.17487\/rfc4765"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-45474-8_6"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.asoc.2010.12.004"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1518\/001872095779049543"},{"key":"e_1_2_1_12_1","unstructured":"EsperTech Inc.2019. Esper. Retrieved November 15 2019 from http:\/\/www.espertech.com\/esper\/.  EsperTech Inc.2019. Esper. Retrieved November 15 2019 from http:\/\/www.espertech.com\/esper\/."},{"key":"e_1_2_1_13_1","volume-title":"Alert correlation and prediction using data mining and HMM. ISeCure 3, 2","author":"Farhadi Hamid","year":"2011"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-46131-1_8"},{"key":"e_1_2_1_15_1","first-page":"54","article-title":"A survey of sequential pattern mining","volume":"1","author":"Fournier-Viger Philippe","year":"2017","journal-title":"Data Science and Pattern Recognition"},{"key":"e_1_2_1_16_1","volume-title":"Tseng","author":"Fournier-Viger Philippe","year":"2011"},{"key":"e_1_2_1_17_1","volume-title":"Emiliano De Cristofaro, and Alejandro E. Brito","author":"Freudiger Julien","year":"2015"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/IWCMC.2018.8450512"},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/3339252.3340513"},{"key":"e_1_2_1_20_1","first-page":"1","article-title":"On the sequential pattern and rule mining in the analysis of cyber security alerts. In Proceedings of the 12th International Conference on Availability, Reliability and Security. ACM","volume":"22","author":"Hus\u00e1k Martin","year":"2017","journal-title":"Reggio Calabria"},{"key":"e_1_2_1_21_1","doi-asserted-by":"crossref","unstructured":"Martin Hus\u00e1k Jaroslav Ka\u0161par and Milan \u017diaran. 2019. AIDA Framework. Retrieved February 5 2020 from https:\/\/github.com\/CSIRT-MU\/AIDA-Framework.  Martin Hus\u00e1k Jaroslav Ka\u0161par and Milan \u017diaran. 2019. AIDA Framework. Retrieved February 5 2020 from https:\/\/github.com\/CSIRT-MU\/AIDA-Framework.","DOI":"10.1145\/3339252.3340513"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2018.2871866"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.23919\/INM.2017.7987340"},{"key":"e_1_2_1_24_1","volume-title":"Retrieved","author":"Hus\u00e1k Martin","year":"2019"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1002\/nem.1923"},{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11042-012-1275-x"},{"key":"e_1_2_1_27_1","volume-title":"Erbacher","author":"Kott Alexander","year":"2015"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/CHINACOM.2007.4469413"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/FSKD.2007.15"},{"key":"e_1_2_1_30_1","volume-title":"Proceedings of the 2010 8th World Congress on Intelligent Control and Automation. 1283--1288","author":"Ma Xiaobo","year":"2010"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1023\/A:1009748302351"},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/3310165.3310168"},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2017.2781126"},{"key":"e_1_2_1_34_1","volume-title":"RTECA: Real time episode correlation algorithm for multi-step attack scenarios detection. Computers 8 Security 49","author":"Ramaki Ali Ahmadian","year":"2015"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1002\/sec.1647"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISCISC.2015.7387905"},{"key":"e_1_2_1_37_1","volume-title":"Collaborative Cyber Threat Intelligence: Detecting and Responding to Advanced Cyber Attacks at the National Level","author":"Skopik Florian"},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1109\/INFCOM.2010.5461982"},{"key":"e_1_2_1_39_1","volume-title":"USENIX Security Symposium. 625--640","author":"Soska Kyle","year":"2014"},{"key":"e_1_2_1_40_1","volume-title":"Retrieved","author":"Software Foundation The Apache","year":"2017"},{"key":"e_1_2_1_41_1","volume-title":"Retrieved","author":"Software Foundation The Apache","year":"2018"},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2004.21"},{"key":"e_1_2_1_43_1","volume-title":"Article 55 (May","author":"Vasilomanolakis Emmanouil","year":"2015"},{"key":"e_1_2_1_44_1","volume-title":"AI: Training a big data machine to defend. In Proceedings of the 2016 IEEE 2nd International Conference on Big Data Security on Cloud (BigDataSecurity)","author":"Veeramachaneni Kalyan","year":"2016"},{"key":"e_1_2_1_45_1","volume-title":"USENIX Security Symposium. 107--122","author":"Zhang Jian","year":"2008"}],"container-title":["ACM Transactions on Management Information Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3386250","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3386250","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T23:13:13Z","timestamp":1750201993000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3386250"}},"subtitle":["A Sequential Rule Mining Approach"],"short-title":[],"issued":{"date-parts":[[2020,9,23]]},"references-count":45,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2020,12,31]]}},"alternative-id":["10.1145\/3386250"],"URL":"https:\/\/doi.org\/10.1145\/3386250","relation":{},"ISSN":["2158-656X","2158-6578"],"issn-type":[{"value":"2158-656X","type":"print"},{"value":"2158-6578","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,9,23]]},"assertion":[{"value":"2019-11-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2020-02-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2020-09-23","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}