{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,7]],"date-time":"2026-04-07T16:26:03Z","timestamp":1775579163045,"version":"3.50.1"},"reference-count":40,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2022,4,9]],"date-time":"2022-04-09T00:00:00Z","timestamp":1649462400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-sa\/4.0\/"}],"funder":[{"name":"FFG","award":["INDICAETING (868306), DECEPT (873980)"],"award-info":[{"award-number":["INDICAETING (868306), DECEPT (873980)"]}]},{"name":"EU H2020","award":["GUARD (833456)"],"award-info":[{"award-number":["GUARD (833456)"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2022,8,31]]},"abstract":"<jats:p>\n            <jats:bold>Intrusion Detection Systems (IDS)<\/jats:bold>\n            secure all kinds of IT infrastructures through automatic detection of malicious activities. Unfortunately, they are known to produce large numbers of alerts that often become overwhelming for manual analysis. Therefore, aggregation methods have been developed for filtering, grouping, and correlating alerts. However, existing techniques either rely on manually defined attack scenarios or require specific alert formats, such as IDMEF, that include IP addresses. This makes the application of existing aggregation methods infeasible for alerts from host-based or anomaly-based IDSs, which frequently lack such network-related data. In this paper, we therefore present a domain-independent alert aggregation technique. We introduce similarity measures and merging strategies for arbitrary semi-structured alerts and alert groups. 
Based on these metrics and techniques we propose an incremental procedure for the generation of abstract alert patterns that enable continuous classification of incoming alerts. Evaluations show that our approach is capable of reducing the number of alert groups for human review by around\n            <jats:inline-formula content-type=\"math\/tex\">\n              <jats:tex-math notation=\"LaTeX\" version=\"MathJax\">\\( 80\\% \\)<\/jats:tex-math>\n            <\/jats:inline-formula>\n            and assigning attack classifiers to the groups with true positive rates of\n            <jats:inline-formula content-type=\"math\/tex\">\n              <jats:tex-math notation=\"LaTeX\" version=\"MathJax\">\\( 80\\% \\)<\/jats:tex-math>\n            <\/jats:inline-formula>\n            and false positive rates lower than\n            <jats:inline-formula content-type=\"math\/tex\">\n              <jats:tex-math notation=\"LaTeX\" version=\"MathJax\">\\( 5\\% \\)<\/jats:tex-math>\n            <\/jats:inline-formula>\n            .\n          <\/jats:p>","DOI":"10.1145\/3510581","type":"journal-article","created":{"date-parts":[[2022,3,29]],"date-time":"2022-03-29T11:39:29Z","timestamp":1648553969000},"page":"1-36","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":31,"title":["Dealing with Security Alert Flooding: Using Machine Learning for Domain-independent Alert Aggregation"],"prefix":"10.1145","volume":"25","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3813-3151","authenticated-orcid":false,"given":"Max","family":"Landauer","sequence":"first","affiliation":[{"name":"Austrian Institute of Technology, Vienna, Austria"}]},{"given":"Florian","family":"Skopik","sequence":"additional","affiliation":[{"name":"Austrian Institute of Technology, Vienna, Austria"}]},{"given":"Markus","family":"Wurzenberger","sequence":"additional","affiliation":[{"name":"Austrian Institute of Technology, Vienna, 
Austria"}]},{"given":"Andreas","family":"Rauber","sequence":"additional","affiliation":[{"name":"Vienna University of Technology, Vienna, Austria"}]}],"member":"320","published-online":{"date-parts":[[2022,4,9]]},"reference":[{"key":"e_1_3_2_2_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.comcom.2008.11.012"},{"key":"e_1_3_2_3_2","doi-asserted-by":"publisher","DOI":"10.1371\/journal.pone.0166017"},{"issue":"2","key":"e_1_3_2_4_2","first-page":"1","article-title":"Alert correlation and aggregation techniques for reduction of security alerts and detection of multistage attack","volume":"5","author":"Alserhani Faeiz","year":"2016","unstructured":"Faeiz Alserhani. 2016. Alert correlation and aggregation techniques for reduction of security alerts and detection of multistage attack. International Journal of Advanced Studies in Computers, Science and Engineering 5, 2 (2016), 1.","journal-title":"International Journal of Advanced Studies in Computers, Science and Engineering"},{"issue":"3","key":"e_1_3_2_5_2","first-page":"190","article-title":"Using artificial immune system and fuzzy logic for alert correlation.","volume":"15","author":"Bateni Mehdi","year":"2013","unstructured":"Mehdi Bateni, Ahmad Baraani, and Ali Ghorbani. 2013. Using artificial immune system and fuzzy logic for alert correlation. International Journal of Network Security 15, 3 (2013), 190\u2013204.","journal-title":"International Journal of Network Security"},{"key":"e_1_3_2_6_2","volume-title":"Modern Multidimensional Scaling: Theory and Applications","author":"Borg Ingwer","year":"2005","unstructured":"Ingwer Borg and Patrick Groenen. 2005. Modern Multidimensional Scaling: Theory and Applications. 
Springer Science & Business Media."},{"key":"e_1_3_2_7_2","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.2002.1004372"},{"key":"e_1_3_2_8_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2017.11.021"},{"key":"e_1_3_2_9_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.asoc.2010.12.004"},{"key":"e_1_3_2_10_2","doi-asserted-by":"crossref","unstructured":"Brian S. Everitt, Sabine Landau, Morven Leese, and Daniel Stahl. 2011. Cluster Analysis, 5th ed.","DOI":"10.1002\/9780470977811"},{"key":"e_1_3_2_11_2","doi-asserted-by":"publisher","DOI":"10.1109\/IPCCC47392.2019.8958734"},{"key":"e_1_3_2_12_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2009.36"},{"key":"e_1_3_2_13_2","doi-asserted-by":"publisher","DOI":"10.23919\/INM.2017.7987340"},{"key":"e_1_3_2_14_2","doi-asserted-by":"publisher","DOI":"10.1145\/3339252.3340513"},{"key":"e_1_3_2_15_2","doi-asserted-by":"publisher","DOI":"10.1145\/950191.950192"},{"key":"e_1_3_2_16_2","doi-asserted-by":"publisher","DOI":"10.1109\/BigData47090.2019.9006328"},{"key":"e_1_3_2_17_2","doi-asserted-by":"publisher","DOI":"10.1109\/TR.2020.3031317"},{"issue":"08","key":"e_1_3_2_18_2","first-page":"25","article-title":"An alert fusion method based on grey relation and attribute similarity correlation","volume":"12","author":"Liang Wei","year":"2016","unstructured":"Wei Liang, Zuo Chen, Ya Wen, and Weidong Xiao. 2016. An alert fusion method based on grey relation and attribute similarity correlation. 
International Journal of Online and Biomedical Engineering 12, 08 (2016), 25\u201330.","journal-title":"International Journal of Online and Biomedical Engineering"},{"key":"e_1_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.1117\/12.665211"},{"key":"e_1_3_2_20_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.proeng.2012.01.435"},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.5555\/1394399"},{"key":"e_1_3_2_22_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISI.2018.8587402"},{"key":"e_1_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1145\/375360.375365"},{"key":"e_1_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.1109\/SSCI.2016.7849902"},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2018.03.001"},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1145\/586110.586144"},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1109\/IWCMC.2011.5982725"},{"key":"e_1_3_2_28_2","doi-asserted-by":"publisher","DOI":"10.1145\/2991079.2991122"},{"key":"e_1_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2014.10.006"},{"key":"e_1_3_2_30_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-14215-4_9"},{"issue":"2","key":"e_1_3_2_31_2","first-page":"79","article-title":"Heterogeneous multi-sensor IDS alerts aggregation using semantic analysis","volume":"7","author":"Saad Sherif","year":"2012","unstructured":"Sherif Saad and Issa Traore. 2012. Heterogeneous multi-sensor IDS alerts aggregation using semantic analysis. 
Journal of Information Assurance and Security 7, 2 (2012), 79\u201388.","journal-title":"Journal of Information Assurance and Security"},{"key":"e_1_3_2_32_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2008.11.010"},{"key":"e_1_3_2_33_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2012.10.022"},{"key":"e_1_3_2_34_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2014.12.003"},{"key":"e_1_3_2_35_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2013.03.005"},{"key":"e_1_3_2_36_2","doi-asserted-by":"publisher","DOI":"10.3390\/e22030324"},{"key":"e_1_3_2_37_2","doi-asserted-by":"publisher","DOI":"10.1109\/CNSM.2010.5691262"},{"key":"e_1_3_2_38_2","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-45474-8_4"},{"key":"e_1_3_2_39_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2004.21"},{"key":"e_1_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.17706\/IJCCE.2016.5.1.1-10"},{"key":"e_1_3_2_41_2","doi-asserted-by":"publisher","DOI":"10.4028\/www.scientific.net\/AMR.219-220.156"}],"container-title":["ACM Transactions on Privacy and 
Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3510581","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3510581","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T20:12:19Z","timestamp":1750191139000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3510581"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,4,9]]},"references-count":40,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2022,8,31]]}},"alternative-id":["10.1145\/3510581"],"URL":"https:\/\/doi.org\/10.1145\/3510581","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,4,9]]},"assertion":[{"value":"2020-12-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-01-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-04-09","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}
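The abstract above names three ingredients of domain-independent aggregation: a similarity measure for arbitrary semi-structured alerts, a merging strategy that turns alerts into abstract alert patterns, and an incremental procedure that classifies each incoming alert against the patterns built so far. The following Python is an added illustration of that pipeline in its simplest workable form; it is not the paper's code and does not reproduce the authors' measures or merging rules. The alert records, field names, the Jaccard-style similarity, the wildcard merge and the 0.5 threshold are all assumptions constructed for the demo. Note that nothing in it depends on IP addresses or a fixed schema, which is the point the abstract makes about host-based and anomaly-based IDS alerts.

```python
"""Illustrative domain-independent alert aggregation over semi-structured
(JSON-like) alerts. Added example, not the paper's own code or algorithm.
All alerts, field names, the similarity measure, the merge rule and the
threshold are constructed assumptions for demonstration purposes."""
from typing import Any

WILDCARD = "*"  # pattern value that matches any alert value for that field


def flatten(obj: Any, prefix: str = "") -> dict[str, Any]:
    """Flatten nested dicts/lists into {"event.user": value, "tags.0": value}
    so that alerts of any shape can be compared field by field."""
    out: dict[str, Any] = {}
    if isinstance(obj, dict):
        for k, v in obj.items():
            out.update(flatten(v, f"{prefix}{k}."))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            out.update(flatten(v, f"{prefix}{i}."))
    else:
        out[prefix[:-1]] = obj
    return out


def similarity(pattern: dict[str, Any], alert: dict[str, Any]) -> float:
    """Jaccard-style score: fields that match / fields present on either side.
    A wildcard in the pattern matches any value of that field in the alert."""
    keys = set(pattern) | set(alert)
    if not keys:
        return 1.0
    matched = sum(
        1 for k in keys
        if k in pattern and k in alert
        and (pattern[k] == WILDCARD or pattern[k] == alert[k])
    )
    return matched / len(keys)


def merge(pattern: dict[str, Any], alert: dict[str, Any]) -> dict[str, Any]:
    """Generalise a pattern with one more alert: shared fields with equal
    values are kept, differing values become wildcards, and fields present
    on only one side are dropped because they are not characteristic."""
    return {
        k: pattern[k] if pattern[k] == alert[k] else WILDCARD
        for k in pattern.keys() & alert.keys()
    }


def classify(patterns: list[dict[str, Any]], flat: dict[str, Any],
             threshold: float) -> int:
    """Index of the most similar pattern, or -1 if none reaches the threshold.
    This is the continuous classification step for a newly arriving alert."""
    best, best_sim = -1, 0.0
    for i, p in enumerate(patterns):
        s = similarity(p, flat)
        if s > best_sim:
            best, best_sim = i, s
    return best if best_sim >= threshold else -1


def aggregate(alerts: list[dict[str, Any]], threshold: float = 0.5):
    """Incrementally build abstract patterns from a stream of alerts.
    Returns (patterns, alerts-per-pattern, pattern label of each alert)."""
    patterns: list[dict[str, Any]] = []
    counts: list[int] = []
    labels: list[int] = []
    for raw in alerts:
        flat = flatten(raw)
        idx = classify(patterns, flat, threshold)
        if idx >= 0:
            patterns[idx] = merge(patterns[idx], flat)
            counts[idx] += 1
        else:
            patterns.append(dict(flat))  # first alert of a new group
            counts.append(1)
            idx = len(patterns) - 1
        labels.append(idx)
    return patterns, counts, labels


def reduction(n_alerts: int, n_patterns: int) -> float:
    """Fraction of items removed from the human review queue."""
    return 1.0 - n_patterns / n_alerts


# Constructed host-based / anomaly-style alerts: no IP fields, mixed schemas.
SAMPLE_ALERTS = [
    {"detector": "NewMatchPath", "log": "auth", "event": {"user": "alice", "pid": 4120}, "score": 0.7},
    {"detector": "NewMatchPath", "log": "auth", "event": {"user": "bob", "pid": 4133}, "score": 0.7},
    {"detector": "NewMatchPath", "log": "auth", "event": {"user": "carol", "pid": 4190}, "score": 0.7},
    {"detector": "ValueRange", "log": "apache", "event": {"status": 500, "path": "/cgi-bin/x"}, "score": 0.9},
    {"detector": "ValueRange", "log": "apache", "event": {"status": 500, "path": "/cgi-bin/y"}, "score": 0.9},
    {"detector": "FrequencyDetector", "log": "syslog", "window": 60, "count": 512},
]

if __name__ == "__main__":
    pats, cnts, labs = aggregate(SAMPLE_ALERTS)
    for p, c in zip(pats, cnts):
        print(c, p)
    print("labels:", labs, "reduction:", reduction(len(SAMPLE_ALERTS), len(pats)))
```

Running it collapses the six constructed alerts into three patterns (the two user logins and the two 500 responses each become one wildcarded group), a 50% reduction of the review queue on this toy input; a later alert with a new user and PID is classified to the login pattern without any rule being written for it. The design choice to drop non-shared fields on merge keeps patterns from growing stale keys, at the cost of losing optional fields that only some alerts carry; the threshold controls how aggressively unlike alerts are folded together and is what a deployment would tune against its false-positive budget.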