{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,15]],"date-time":"2026-01-15T03:47:28Z","timestamp":1768448848359,"version":"3.49.0"},"reference-count":32,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2023,10,20]],"date-time":"2023-10-20T00:00:00Z","timestamp":1697760000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"ERDF \u201cCyberSecurity, CyberCrime and Critical Information Infrastructures Center of Excellence","award":["CZ.02.1.01\/0.0\/0.0\/16_019\/0000822"],"award-info":[{"award-number":["CZ.02.1.01\/0.0\/0.0\/16_019\/0000822"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Digital Threats"],"published-print":{"date-parts":[[2023,12,31]]},"abstract":"<jats:p>Sharing the alerts from intrusion detection systems among multiple computer networks and organizations allows for seeing the \u201cbig picture\u201d of the network security situation and improves the capabilities of cyber incident response. However, such a task requires a number of technical and non-technical issues to be resolved, from data collection and distribution to proper categorization, data quality management, and issues of trust and privacy. In this field note, we illustrate the concepts and provide lessons learned on the example of SABU, an alert sharing and analysis platform used by academia and partner organizations in the Czech Republic. We discuss the initial willingness to share the data that was later weakened by the uncertainties around personal data protection, the issues of high volume and low quality of the data that prevented their straightforward use, and that the management of the community is a more severe issue than the technical implementation of alert sharing.<\/jats:p>","DOI":"10.1145\/3611391","type":"journal-article","created":{"date-parts":[[2023,7,29]],"date-time":"2023-07-29T08:51:04Z","timestamp":1690620664000},"page":"1-11","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":4,"title":["Lessons Learned from Automated Sharing of Intrusion Detection Alerts: The Case of the SABU Platform"],"prefix":"10.1145","volume":"4","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-7249-9881","authenticated-orcid":false,"given":"Martin","family":"Hus\u00e1k","sequence":"first","affiliation":[{"name":"Masaryk University, Czech Republic"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1967-8802","authenticated-orcid":false,"given":"Pavol","family":"Sokol","sequence":"additional","affiliation":[{"name":"Pavol Jozef \u0160af\u00e1rik University, Slovakia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2099-2348","authenticated-orcid":false,"given":"Martin","family":"\u017d\u00e1dn\u00edk","sequence":"additional","affiliation":[{"name":"CESNET, Czech Republic"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4334-3559","authenticated-orcid":false,"given":"V\u00e1clav","family":"Barto\u0161","sequence":"additional","affiliation":[{"name":"CESNET, Czech Republic"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1835-6465","authenticated-orcid":false,"given":"Martin","family":"Hor\u00e1k","sequence":"additional","affiliation":[{"name":"Masaryk University, Czech Republic"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2023,10,20]]},"reference":[{"key":"e_1_3_2_2_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2021.09.040"},{"key":"e_1_3_2_3_2","first-page":"7","volume-title":"Proceedings of the 14th International Conference on Availability, Reliability, and Security (ARES\u201919)","author":"Barto\u0161 V\u00e1clav","year":"2019","unstructured":"V\u00e1clav Barto\u0161. 2019. NERD: Network entity reputation database. In Proceedings of the 14th International Conference on Availability, Reliability, and Security (ARES\u201919). ACM, 7 pages."},{"key":"e_1_3_2_4_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2019.03.016"},{"key":"e_1_3_2_5_2","doi-asserted-by":"crossref","first-page":"195","DOI":"10.1109\/CNSM.2016.7818417","volume-title":"Proceedings of the 2016 12th International Conference on Network and Service Management (CNSM\u201916)","author":"Cejka Tomas","year":"2016","unstructured":"Tomas Cejka, Vaclav Bartos, Marek Svepes, Zdenek Rosa, and Hana Kubatova. 2016. NEMEA: A framework for network traffic analysis. In Proceedings of the 2016 12th International Conference on Network and Service Management (CNSM\u201916). IEEE, 195\u2013201."},{"key":"e_1_3_2_6_2","unstructured":"European Commission. 2013. COMMISSION STAFF WORKING DOCUMENT IMPACT ASSESSMENT Accompanying the document Proposal for a Directive of the European Parliament and of the Council Concerning measures to ensure a high level of network and information security across the Union. (2013). Retrieved on April 11 2023 from https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=celex%3A52013SC0032"},{"key":"e_1_3_2_7_2","doi-asserted-by":"crossref","DOI":"10.2966\/scrip.180121.83","article-title":"NISD2: A common framework for information sharing among network defenders","author":"Cormack Andrew","year":"2021","unstructured":"Andrew Cormack. 2021. NISD2: A common framework for information sharing among network defenders. SCRIPTed 18, 1 (2021), 16 Pages.","journal-title":"SCRIPTed"},{"key":"e_1_3_2_8_2","article-title":"The Intrusion Detection Message Exchange Format (IDMEF)","author":"Debar H.","year":"2007","unstructured":"H. Debar, D. Curry, and B. Feinstein. 2007. The Intrusion Detection Message Exchange Format (IDMEF). RFC 4765 (Experimental). (2007). Retrieved April 11, 2023 from http:\/\/www.ietf.org\/rfc\/rfc4765.txt","journal-title":"RFC 4765 (Experimental)"},{"key":"e_1_3_2_9_2","unstructured":"ENISA. 2014. Standards and tools for exchange and processing of actionable information. (2014). Retrieved April 11 2023 from https:\/\/www.enisa.europa.eu\/publications\/standards-and-tools-for-exchange-and-processing-of-actionable-information\/at_download\/fullReport"},{"key":"e_1_3_2_10_2","doi-asserted-by":"crossref","DOI":"10.1201\/b16048","volume-title":"Intrusion Detection Networks: A Key to Collaborative Security","author":"Fung Carol","year":"2013","unstructured":"Carol Fung and Raouf Boutaba. 2013. Intrusion Detection Networks: A Key to Collaborative Security. CRC Press, Boca Raton, FL."},{"key":"e_1_3_2_11_2","first-page":"8","volume-title":"Proceedings of the 14th International Conference on Availability, Reliability, and Security (ARES\u201919)","author":"Hor\u00e1k Martin","year":"2019","unstructured":"Martin Hor\u00e1k, V\u00e1clav Stupka, and Martin Hus\u00e1k. 2019. GDPR compliance in cybersecurity software: A case study of DPIA in information sharing platform. In Proceedings of the 14th International Conference on Availability, Reliability, and Security (ARES\u201919). ACM, 8 pages."},{"key":"e_1_3_2_12_2","doi-asserted-by":"crossref","unstructured":"Martin Hus\u00e1k Tom\u00e1\u0161 Bajto\u0161 Jaroslav Ka\u0161par Elias Bou-Harb and Pavel \u010celeda. 2020. Predictive cyber situational awareness and personalized blacklisting: A sequential rule mining approach. ACM Transactions on Management Information Systems 11 4 (2020) 16 pages.","DOI":"10.1145\/3386250"},{"key":"e_1_3_2_13_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2020.10.006"},{"key":"e_1_3_2_14_2","first-page":"536","volume-title":"Proceedings of the 2018 14th International Wireless Communications Mobile Computing Conference (IWCMC\u201918)","author":"Hus\u00e1k Martin","year":"2018","unstructured":"Martin Hus\u00e1k and Jaroslav Ka\u0161par. 2018. Towards predicting cyber attacks using information exchange and data mining. In Proceedings of the 2018 14th International Wireless Communications Mobile Computing Conference (IWCMC\u201918). IEEE, 536\u2013541."},{"key":"e_1_3_2_15_2","doi-asserted-by":"publisher","DOI":"10.1145\/3339252.3340513"},{"key":"e_1_3_2_16_2","doi-asserted-by":"publisher","DOI":"10.1145\/3098954.3098981"},{"key":"e_1_3_2_17_2","doi-asserted-by":"publisher","DOI":"10.23919\/INM.2017.7987399"},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","DOI":"10.23919\/INM.2017.7987340"},{"key":"e_1_3_2_19_2","unstructured":"Martin Hus\u00e1k Martin \u017d\u00e1dn\u00edk V\u00e1clav Barto\u0161 and Pavol Sokol. 2019. Dataset of intrusion detection alerts from a sharing platform. (2019). Retrieved April 11 2023 from https:\/\/data.mendeley.com\/datasets\/p6tym3fghz\/1"},{"key":"e_1_3_2_20_2","first-page":"0476","volume-title":"Proceedings of the 2023 IEEE 13th Annual Computing and Communication Workshop and Conference (CCWC\u201923)","author":"Imeri Arbnor","year":"2023","unstructured":"Arbnor Imeri and Ondrej Rysavy. 2023. Deep learning for predictive alerting and cyber-attack mitigation. In Proceedings of the 2023 IEEE 13th Annual Computing and Communication Workshop and Conference (CCWC\u201923). IEEE, 0476\u20130481."},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-61705-9_45"},{"issue":"5","key":"e_1_3_2_22_2","article-title":"A comparative analysis of cyber-threat intelligence sources, formats, and languages","volume":"9","author":"Ramsdale Andrew","year":"2020","unstructured":"Andrew Ramsdale, Stavros Shiaeles, and Nicholas Kolokotronis. 2020. A comparative analysis of cyber-threat intelligence sources, formats, and languages. Electronics 9, 5 (2020), 22.","journal-title":"Electronics"},{"key":"e_1_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1145\/2663876.2663882"},{"key":"e_1_3_2_24_2","doi-asserted-by":"crossref","first-page":"352","DOI":"10.1093\/jigpal\/jzac024","article-title":"Network security situation awareness forecasting based on statistical approach and neural networks","volume":"31","author":"Sokol Pavol","year":"2023","unstructured":"Pavol Sokol, Richard Sta\u0148a, Andrej Gajdo\u0161, and Patrik Pekar\u010d\u00edk. 2023. Network security situation awareness forecasting based on statistical approach and neural networks. Logic Journal of the IGPL 31, 2 (2023), 352\u2013374.","journal-title":"Logic Journal of the IGPL"},{"key":"e_1_3_2_25_2","first-page":"261","volume-title":"Proceedings of the 2015 IFIP\/IEEE International Symposium on Integrated Network Management (IM)","author":"Steinberger Jessica","year":"2015","unstructured":"Jessica Steinberger, Anna Sperotto, Mario Golling, and Harald Baier. 2015. How to exchange security events? Overview and evaluation of formats and protocols. In Proceedings of the 2015 IFIP\/IEEE International Symposium on Integrated Network Management (IM). IEEE, 261\u2013269."},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1145\/3098954.3105822"},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2004.21"},{"issue":"4","key":"e_1_3_2_28_2","first-page":"33","article-title":"Taxonomy and survey of collaborative intrusion detection","volume":"47","author":"Vasilomanolakis Emmanouil","year":"2015","unstructured":"Emmanouil Vasilomanolakis, Shankar Karuppayah, Max M\u00fchlh\u00e4user, and Mathias Fischer. 2015. Taxonomy and survey of collaborative intrusion detection. ACM Computing Surveys 47, 4(2015), 33 pages.","journal-title":"ACM Computing Surveys"},{"key":"e_1_3_2_29_2","first-page":"6","volume-title":"Proceedings of the 17th International Conference on Availability, Reliability, and Security (ARES\u201922)","author":"\u0160ulan Samuel","year":"2022","unstructured":"Samuel \u0160ulan and Martin Hus\u00e1k. 2022. Limiting the size of a predictive blacklist while maintaining sufficient accuracy. In Proceedings of the 17th International Conference on Availability, Reliability, and Security (ARES\u201922). ACM, 6 pages."},{"key":"e_1_3_2_30_2","doi-asserted-by":"crossref","first-page":"49","DOI":"10.1145\/2994539.2994542","volume-title":"Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security (WISCS\u201916)","author":"Wagner Cynthia","year":"2016","unstructured":"Cynthia Wagner, Alexandre Dulaunoy, G\u00e9rard Wagener, and Andras Iklody. 2016. MISP: The design and implementation of a collaborative threat intelligence sharing platform. In Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security (WISCS\u201916). ACM, 49\u201356."},{"key":"e_1_3_2_31_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2019.101589"},{"key":"e_1_3_2_32_2","unstructured":"Jan Wrona. 2021. A Week-Long Capture Of 8 Million Intrusion Detection Alerts Obtained Via an Alert Sharing Platform Warden. (2021). Retrieved April 11 2023 from https:\/\/zenodo.org\/record\/4683701"},{"key":"e_1_3_2_33_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2022.3196362"}],"container-title":["Digital Threats: Research and Practice"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3611391","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3611391","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:37:09Z","timestamp":1750178229000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3611391"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,10,20]]},"references-count":32,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2023,12,31]]}},"alternative-id":["10.1145\/3611391"],"URL":"https:\/\/doi.org\/10.1145\/3611391","relation":{},"ISSN":["2692-1626","2576-5337"],"issn-type":[{"value":"2692-1626","type":"print"},{"value":"2576-5337","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,10,20]]},"assertion":[{"value":"2022-07-15","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-07-24","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-10-20","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}