{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,7]],"date-time":"2026-05-07T10:54:59Z","timestamp":1778151299629,"version":"3.51.4"},"reference-count":110,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2025,2,14]],"date-time":"2025-02-14T00:00:00Z","timestamp":1739491200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/100010669","name":"H2020 LEIT Information and Communication Technologies","doi-asserted-by":"crossref","award":["833418"],"award-info":[{"award-number":["833418"]}],"id":[{"id":"10.13039\/100010669","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Digital Threats"],"published-print":{"date-parts":[[2025,3,31]]},"abstract":"<jats:p>Organizations and their security operation centers often struggle to detect and respond effectively to an extensive quantity of ever-evolving cyberattacks. While collaboration, such as threat intelligence sharing between security teams, and response automation are often discussed in the cybersecurity community, issues like data sensitivity and confidence in detection may hinder their adoption. This work investigates the potentials and challenges of collaboration and automation to enhance incident response processes. We propose a reference architecture for data sharing in threat detection and response, aiming to boost collaborative and automated efforts across organizations while also considering privacy-preserving features. To address these challenges and potentials, we discuss how such a framework could enhance current response processes within and between organizations, validated with results in local attack detection, incident response, and data sharing.<\/jats:p>","DOI":"10.1145\/3707651","type":"journal-article","created":{"date-parts":[[2024,12,9]],"date-time":"2024-12-09T11:42:41Z","timestamp":1733744561000},"page":"1-36","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":5,"title":["On Collaboration and Automation in the Context of Threat Detection and Response with Privacy-Preserving Features"],"prefix":"10.1145","volume":"6","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-3131-7444","authenticated-orcid":false,"given":"Lasse","family":"Nitz","sequence":"first","affiliation":[{"name":"Fraunhofer FIT, Sankt Augustin, Germany and RWTH Aachen University, Aachen, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1734-8367","authenticated-orcid":false,"given":"Mehdi","family":"Akbari Gurabi","sequence":"additional","affiliation":[{"name":"Fraunhofer FIT, Sankt Augustin, Germany and RWTH Aachen University, Aachen, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0212-6593","authenticated-orcid":false,"given":"Milan","family":"Cermak","sequence":"additional","affiliation":[{"name":"Masaryk University, Brno, Czech Republic"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2099-2348","authenticated-orcid":false,"given":"Martin","family":"Zadnik","sequence":"additional","affiliation":[{"name":"CESNET, Prague, Czech Republic"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3621-9752","authenticated-orcid":false,"given":"David","family":"Karpuk","sequence":"additional","affiliation":[{"name":"W\/Intelligence, WithSecure Corporation, Helsinki, Finland"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7326-7273","authenticated-orcid":false,"given":"Arthur","family":"Drichel","sequence":"additional","affiliation":[{"name":"RWTH Aachen University, Aachen, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-0330-9142","authenticated-orcid":false,"given":"Sebastian","family":"Sch\u00e4fer","sequence":"additional","affiliation":[{"name":"RWTH Aachen University, Aachen, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-6662-1514","authenticated-orcid":false,"given":"Benedikt","family":"Holmes","sequence":"additional","affiliation":[{"name":"RWTH Aachen University, Aachen, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8641-7207","authenticated-orcid":false,"given":"Avikarsha","family":"Mandal","sequence":"additional","affiliation":[{"name":"Fraunhofer FIT, Sankt Augustin, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,2,14]]},"reference":[{"key":"e_1_3_2_2_2","doi-asserted-by":"publisher","DOI":"10.11591\/ijeecs.v10.i1.pp371-379"},{"key":"e_1_3_2_3_2","doi-asserted-by":"publisher","DOI":"10.1145\/3214303"},{"key":"e_1_3_2_4_2","doi-asserted-by":"publisher","DOI":"10.1145\/3538969.3544478"},{"key":"e_1_3_2_5_2","doi-asserted-by":"publisher","DOI":"10.1145\/3688810"},{"key":"e_1_3_2_6_2","first-page":"44","article-title":"Strengthening cyber defence through cooperative development and shared expertise in incident response playbooks","volume":"139","author":"Gurabi Mehdi Akbari","year":"2024","unstructured":"Mehdi Akbari Gurabi, Lasse Nitz, Charukeshi Mayuresh Joglekar, and Avikarsha Mandal. 2024. Strengthening cyber defence through cooperative development and shared expertise in incident response playbooks. ERCIM NEWS 139 (2024), 44\u201346.","journal-title":"ERCIM NEWS"},{"key":"e_1_3_2_7_2","doi-asserted-by":"publisher","DOI":"10.1109\/HORA49412.2020.9152899"},{"key":"e_1_3_2_8_2","first-page":"2783","volume-title":"Proceedings of 31st USENIX Security Symposium (USENIX Security \u201922)","author":"Alahmadi Bushra A.","year":"2022","unstructured":"Bushra A. Alahmadi, Louise Axon, and Ivan Martinovic. 2022. 99% False positives: A qualitative study of SOC analysts\u2019 perspectives on security alarms. In Proceedings of 31st USENIX Security Symposium (USENIX Security \u201922). USENIX Association, Boston, MA, 2783\u20132800. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/alahmadi"},{"key":"e_1_3_2_9_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-21752-5_3"},{"key":"e_1_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2019.2891891"},{"key":"e_1_3_2_11_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-11890-7_59"},{"key":"e_1_3_2_12_2","doi-asserted-by":"publisher","DOI":"10.56553\/popets-2023-0054"},{"key":"e_1_3_2_13_2","doi-asserted-by":"publisher","DOI":"10.3390\/app13116610"},{"key":"e_1_3_2_14_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2019.03.016"},{"key":"e_1_3_2_15_2","unstructured":"Franziska Becker. 2021. D3.9 Demonstrator of Visual Support for Designing Detection Models (Final Version). Technical Report. SAPPAN Consortium. Retrieved from https:\/\/sappan-project.eu\/wp-content\/uploads\/2022\/11\/D3.9-Demonstrator-of-Visual-Support-for-Designing-Detection-Models-Final-version-M30.pdf"},{"key":"e_1_3_2_16_2","doi-asserted-by":"publisher","DOI":"10.1109\/VizSec51108.2020.00010"},{"key":"e_1_3_2_17_2","doi-asserted-by":"publisher","DOI":"10.1145\/3407023.3407045"},{"key":"e_1_3_2_18_2","article-title":"Practical secure aggregation for federated learning on user-held data","author":"Bonawitz K. A.","year":"2016","unstructured":"K. A. Bonawitz, Vladimir Ivanov, Ben Kreuter, Antonio Marcedone, H. Brendan McMahan, Sarvar Patel, Daniel Ramage, Aaron Segal, and Karn Seth. 2016. Practical secure aggregation for federated learning on user-held data. In Proceedings of NIPS Workshop on Private Multi-Party Machine Learning, 5 pages. Retrieved from https:\/\/pmpml.github.io\/PMPML16\/papers\/PMPML16_paper_8.pdf","journal-title":"Proceedings of NIPS Workshop on Private Multi-Party Machine Learning"},{"key":"e_1_3_2_19_2","first-page":"433","article-title":"A different cup of TI? The added value of commercial threat intelligence","author":"Bouwman Xander","year":"2020","unstructured":"Xander Bouwman, Harm Griffioen, Jelle Egbers, Christian Doerr, Bram Klievink, and Michel van Eeten. 2020. A different cup of TI? The added value of commercial threat intelligence. In Proceedings of 29th USENIX Security Symposium (USENIX Security \u201920). USENIX Association, 433\u2013450. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/bouwman","journal-title":"Proceedings of 29th USENIX Security Symposium (USENIX Security \u201920)"},{"key":"e_1_3_2_20_2","first-page":"1149","volume-title":"Proceedings of 31st USENIX Security Symposium (USENIX Security \u201922)","author":"Bouwman Xander","year":"2022","unstructured":"Xander Bouwman, Victor Le Pochat, Pawel Foremski, Tom Van Goethem, Carlos H. Ganan, Giovane C. M. Moura, Samaneh Tajalizadehkhoob, Wouter Joosen, and Michel van Eeten. 2022. Helping hands: Measuring the impact of a large threat intelligence sharing community. In Proceedings of 31st USENIX Security Symposium (USENIX Security \u201922). USENIX Association, Boston, MA, 1149\u20131165. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/bouwman"},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.3026063"},{"key":"e_1_3_2_22_2","volume-title":"Stream-Based IP Flow Analysis","author":"Cermak Milan","year":"2020","unstructured":"Milan Cermak. 2020. Stream-Based IP Flow Analysis. Dissertation. Masaryk University. Retrieved from https:\/\/is.muni.cz\/th\/tgxb6\/"},{"key":"e_1_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1145\/1541880.1541882"},{"key":"e_1_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.1109\/TKDE.2018.2874004"},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-93040-4_42"},{"key":"e_1_3_2_26_2","first-page":"1\u2013147 pages","volume-title":"Computer Security Incident Handling Guide","author":"Cichonski P.","year":"2012","unstructured":"P. Cichonski, T. Millar, T. Grance, and K. Scarfone. 2012. Computer Security Incident Handling Guide, Vol. 800. NIST Special Publication, Gaithersburg, MD, 1\u2013147 pages."},{"key":"e_1_3_2_27_2","author":"Creasey Jason","year":"2013","unstructured":"Jason Creasey. 2013. Cyber Security Incident Response Guide. Crest.","journal-title":"Cyber Security Incident Response Guide"},{"key":"e_1_3_2_28_2","unstructured":"Cybersecurity and Infrastructure Security Agency. 2021. Cybersecurity Incident & Vulnerability Response Playbooks. Retrieved November 12 2023 from https:\/\/www.cisa.gov\/sites\/default\/files\/publications\/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf"},{"key":"e_1_3_2_29_2","unstructured":"Morten Dahl Jason Mancuso Yann Dupis Ben Decoste Morgan Giraud Ian Livingstone Justin Patriquin and Gavin Uhma. 2018. Private machine learning in TensorFlow using secure computation. arXiv:1810.08130. Retrieved from http:\/\/arxiv.org\/abs\/1810.08130"},{"key":"e_1_3_2_30_2","doi-asserted-by":"publisher","DOI":"10.2478\/popets-2020-0077"},{"key":"e_1_3_2_31_2","doi-asserted-by":"publisher","DOI":"10.1145\/363958.363994"},{"key":"e_1_3_2_32_2","doi-asserted-by":"publisher","DOI":"10.1145\/3465481.3470111"},{"key":"e_1_3_2_33_2","doi-asserted-by":"publisher","DOI":"10.1109\/PST52912.2021.9647755"},{"key":"e_1_3_2_34_2","doi-asserted-by":"publisher","DOI":"10.1145\/3474374.3486915"},{"key":"e_1_3_2_35_2","doi-asserted-by":"publisher","DOI":"10.1145\/3407023.3407030"},{"key":"e_1_3_2_36_2","doi-asserted-by":"publisher","DOI":"10.1007\/11681878_14"},{"key":"e_1_3_2_37_2","doi-asserted-by":"publisher","DOI":"10.1561\/0400000042"},{"key":"e_1_3_2_38_2","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660348"},{"key":"e_1_3_2_39_2","doi-asserted-by":"publisher","DOI":"10.2824\/782573"},{"key":"e_1_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2020.101941"},{"key":"e_1_3_2_41_2","doi-asserted-by":"publisher","DOI":"10.1109\/SPW53761.2021.00017"},{"key":"e_1_3_2_42_2","doi-asserted-by":"publisher","DOI":"10.1007\/s11235-018-0475-8"},{"key":"e_1_3_2_43_2","author":"FIRST Standards Definitions and Usage Guidance","year":"2022","unstructured":"FIRST Standards Definitions and Usage Guidance. 2022. Information Exchange Policy (IEP). Retrieved December 6, 2023 from https:\/\/www.first.org\/iep\/","journal-title":"Information Exchange Policy (IEP)"},{"key":"e_1_3_2_44_2","unstructured":"FIRST Standards Definitions and Usage Guidance. 2022. Traffic Light Protocol (TLP)\u2014Version 2.0. Retrieved December 6 2023 from https:\/\/www.first.org\/tlp\/"},{"key":"e_1_3_2_45_2","unstructured":"Inc Gartner. 2020. Security threat intelligence services reviews. Gartner. Retrieved November 12 2023 from https:\/\/www.gartner.com\/reviews\/market\/security-threat-intelligence-services"},{"key":"e_1_3_2_46_2","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3623144"},{"key":"e_1_3_2_47_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2019.102526"},{"key":"e_1_3_2_48_2","doi-asserted-by":"publisher","DOI":"10.1109\/BigData47090.2019.9006073"},{"key":"e_1_3_2_49_2","volume-title":"Application Fingerprinting Based on System Events using Process Mining","author":"Heine Nicolas","year":"2021","unstructured":"Nicolas Heine. 2021. Application Fingerprinting Based on System Events using Process Mining. Master\u2019s thesis. RWTH Aachen University."},{"key":"e_1_3_2_50_2","first-page":"58","volume-title":"Proceedings of 6th International Conference on Cyber-Technologies and Cyber-Systems (CYBER \u201921)","author":"Holmes Benedikt","year":"2021","unstructured":"Benedikt Holmes, Arthur Drichel, and Ulrike Meyer. 2021. Sharing FANCI features: A privacy analysis of feature extraction for DGA detection. In Proceedings of 6th International Conference on Cyber-Technologies and Cyber-Systems (CYBER \u201921). IARIA XPS Press, 58\u201364."},{"key":"e_1_3_2_51_2","doi-asserted-by":"publisher","DOI":"10.1109\/IWCMC.2018.8450512"},{"key":"e_1_3_2_52_2","doi-asserted-by":"publisher","DOI":"10.1145\/3538969.3538981"},{"key":"e_1_3_2_53_2","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2016.2633620"},{"key":"e_1_3_2_54_2","doi-asserted-by":"publisher","DOI":"10.1109\/TNSM.2020.3036528"},{"key":"e_1_3_2_55_2","doi-asserted-by":"publisher","DOI":"10.1145\/3600160.3605066"},{"key":"e_1_3_2_56_2","volume-title":"11 Strategies of a World-Class Cybersecurity Operations Center","author":"Knerler Kathryn","year":"2022","unstructured":"Kathryn Knerler, Ingrid Parker, and Carson Zimmerman. 2022. 11 Strategies of a World-Class Cybersecurity Operations Center. The MITRE Corporation."},{"key":"e_1_3_2_57_2","unstructured":"Dmitriy Komashinskiy and Andrew Patel. 2022. For security analysts a picture may be worth more than a thousand words. Retrieved April 20 2023 from https:\/\/sappan-project.eu\/?p=1699"},{"key":"e_1_3_2_58_2","volume-title":"ENISA Threat Landscape 2023","author":"Lella Ifigeneia","year":"2023","unstructured":"Ifigeneia Lella, Eleni Tsekmezoglou, Marianthi Theocharidou, Erika Magonara, Apostolos Malatras, Rossen Svetozarov Naydenov, and Cosmin Ciobanu. 2023. ENISA Threat Landscape 2023. Technical Report. European Union Agency for Cybersecurity (ENISA). Retrieved from https:\/\/www.enisa.europa.eu\/publications\/enisa-threat-landscape-2023"},{"key":"e_1_3_2_59_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICDE.2007.367856"},{"key":"e_1_3_2_60_2","doi-asserted-by":"publisher","DOI":"10.1109\/TKDE.2021.3124599"},{"key":"e_1_3_2_61_2","first-page":"851","volume-title":"Proceedings of 28th USENIX Security Symposium (USENIX Security \u201919)","author":"Li Vector Guo","year":"2019","unstructured":"Vector Guo Li, Matthew Dunn, Paul Pearce, Damon McCoy, Geoffrey M. Voelker, and Stefan Savage. 2019. Reading the tea leaves: A comparative analysis of threat intelligence. In Proceedings of 28th USENIX Security Symposium (USENIX Security \u201919). USENIX Association, Santa Clara, CA, 851\u2013867. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity19\/presentation\/li"},{"key":"e_1_3_2_62_2","doi-asserted-by":"publisher","DOI":"10.1145\/1376616.1376629"},{"key":"e_1_3_2_63_2","doi-asserted-by":"publisher","DOI":"10.1145\/1217299.1217302"},{"key":"e_1_3_2_64_2","unstructured":"Mandiant. 2013. OpenIOC 1.1. Retrieved December 6 2023 from https:\/\/github.com\/fireeye\/OpenIOC_1.1"},{"key":"e_1_3_2_65_2","doi-asserted-by":"publisher","DOI":"10.1109\/BigData52589.2021.9671893"},{"key":"e_1_3_2_66_2","author":"Microsoft","year":"2023","unstructured":"Microsoft. 2023. Microsoft Digital Defense Report 2023. Retrieved from https:\/\/microsoft.com\/mddr","journal-title":"Microsoft Digital Defense Report 2023"},{"key":"e_1_3_2_67_2","unstructured":"MISP. 2022. MISP Repository. Retrieved January 14 2023 from https:\/\/github.com\/MISP"},{"key":"e_1_3_2_68_2","unstructured":"MITRE. 2012. CEE Language. Retrieved December 6 2023 from https:\/\/cee.mitre.org\/language\/"},{"key":"e_1_3_2_69_2","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2017.2781126"},{"key":"e_1_3_2_70_2","first-page":"33","article-title":"Towards privacy-preserving sharing of cyber threat intelligence for effective response and recovery","volume":"126","author":"Nitz Lasse","year":"2021","unstructured":"Lasse Nitz, Mehdi Akbari Gurabi, Avikarsha Mandal, and Benjamin Heitmann. 2021. Towards privacy-preserving sharing of cyber threat intelligence for effective response and recovery. ERCIM NEWS 126 (2021), 33\u201334.","journal-title":"ERCIM NEWS"},{"key":"e_1_3_2_71_2","doi-asserted-by":"publisher","DOI":"10.1145\/3590777.3590795"},{"key":"e_1_3_2_72_2","doi-asserted-by":"publisher","DOI":"10.3897\/jucs.134762"},{"key":"e_1_3_2_73_2","first-page":"31\u201332","article-title":"From collaboration to automation: A proof of concept for improved incident response","volume":"129","author":"Nitz Lasse","year":"2022","unstructured":"Lasse Nitz, Martin Zadnik, Mehdi Akbari Gurabi, Mischa Obrecht, and Avikarsha Mandal. 2022. From collaboration to automation: A proof of concept for improved incident response. ERCIM NEWS 129 (2022), 31\u201332.","journal-title":"ERCIM NEWS"},{"key":"e_1_3_2_74_2","volume-title":"The Design of Everyday Things: Revised and Expanded Edition","author":"Norman Don","year":"2013","unstructured":"Don Norman. 2013. The Design of Everyday Things: Revised and Expanded Edition. Basic Books."},{"key":"e_1_3_2_75_2","volume-title":"Computer Security Incident Handling\u2014Step by Step Guide","author":"Northcutt Stephen","year":"2003","unstructured":"Stephen Northcutt. 2003. Computer Security Incident Handling\u2014Step by Step Guide. SANS Institute."},{"key":"e_1_3_2_76_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-22351-9_22"},{"key":"e_1_3_2_77_2","unstructured":"OASIS. 2016. CybOX \\({}^{\\rm TM}\\) Version 2.1.1. Retrieved December 19 2024 from https:\/\/docs.oasis-open.org\/cti\/cybox\/v2.1.1\/cybox-v2.1.1-part01-overview.html"},{"key":"e_1_3_2_78_2","unstructured":"OASIS. 2019. Open Command and Control (OpenC2) Language Specification Version 1.0. Retrieved December 6 2023 from https:\/\/docs.oasis-open.org\/openc2\/oc2ls\/v1.0\/oc2ls-v1.0.html"},{"key":"e_1_3_2_79_2","unstructured":"OASIS. 2019. STIX Version 2.1. Retrieved December 6 2023 from https:\/\/docs.oasis-open.org\/cti\/stix\/v2.1\/stix-v2.1.html"},{"key":"e_1_3_2_80_2","unstructured":"OASIS. 2022. CACAO Security Playbooks Version 1.1. Retrieved January 14 2023 from https:\/\/docs.oasis-open.org\/cacao\/security-playbooks\/v1.1\/security-playbooks-v1.1.html"},{"key":"e_1_3_2_81_2","doi-asserted-by":"publisher","DOI":"10.1145\/1111322.1111330"},{"key":"e_1_3_2_82_2","first-page":"263","article-title":"A comprehensive measurement study of domain generating malware","author":"Plohmann Daniel","year":"2016","unstructured":"Daniel Plohmann, Khaled Yakdan, Michael Klatt, Johannes Bader, and Elmar Gerhards-Padilla. 2016. A comprehensive measurement study of domain generating malware. In Proceedings of the USENIX Security Symposium. Thorsten Holz and Stefan Savage (Eds.), USENIX Association, 263\u2013278.","journal-title":"Proceedings of the USENIX Security Symposium"},{"key":"e_1_3_2_83_2","doi-asserted-by":"publisher","DOI":"10.3390\/jcp1010008"},{"key":"e_1_3_2_84_2","unstructured":"Th\u00e9o Ryffel Andrew Trask Morten Dahl Bobby Wagner Jason Mancuso Daniel Rueckert and Jonathan Passerat-Palmbach. 2018. A generic framework for privacy preserving deep learning. arXiv:1811.04017. Retrieved from http:\/\/arxiv.org\/abs\/1811.04017"},{"key":"e_1_3_2_85_2","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2021.3117338"},{"key":"e_1_3_2_86_2","first-page":"60","volume-title":"Proceedings of 2024 IEEE Symposium on Security and Privacy (SP)","author":"Schlette Daniel","year":"2023","unstructured":"Daniel Schlette, Philip Empl, Marco Caselli, Thomas Schreck, and G\u00fcnther Pernul. 2023. Do you play it by the books? A study on incident response playbooks and influencing factors. In Proceedings of 2024 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, 60\u201360."},{"key":"e_1_3_2_87_2","doi-asserted-by":"publisher","DOI":"10.1093\/cybsec\/tyad009"},{"key":"e_1_3_2_88_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2014.102"},{"key":"e_1_3_2_89_2","doi-asserted-by":"publisher","DOI":"10.1186\/1472-6947-9-41"},{"key":"e_1_3_2_90_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICDMW.2016.0038"},{"key":"e_1_3_2_91_2","first-page":"1165","volume-title":"Proceedings of 27th USENIX Security Symposium (USENIX Security \u201918)","author":"Sch\u00fcppen Samuel","year":"2018","unstructured":"Samuel Sch\u00fcppen, Dominik Teubert, Patrick Herrmann, and Ulrike Meyer. 2018. FANCI: Feature-based automated NXDomain classification and intelligence. In Proceedings of 27th USENIX Security Symposium (USENIX Security \u201918). USENIX Association, Baltimore, MD, 1165\u20131181. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/schuppen"},{"key":"e_1_3_2_92_2","unstructured":"Sebastian Sch\u00e4fer and Ulrike Meyer. 2022. A pipeline for DNS-based software fingerprinting. arXiv:2208.07042. Retrieved from https:\/\/arxiv.org\/abs\/2208.07042"},{"key":"e_1_3_2_93_2","doi-asserted-by":"publisher","DOI":"10.1145\/3538969.3538976"},{"key":"e_1_3_2_94_2","first-page":"1","article-title":"Effective security monitoring using efficient SIEM architecture","volume":"13","author":"Sheeraz Muhammad","year":"2023","unstructured":"Muhammad Sheeraz, Muhammad Arsalan Paracha, Mansoor Ul Haque, Muhammad Hanif Durad, Syed Muhammad Mohsin, Shahab S. Band, and Amir Mosavi. 2023. Effective security monitoring using efficient SIEM architecture. Human-Centric Computing and Information Sciences 13 (2023), 1\u201318.","journal-title":"Human-Centric Computing and Information Sciences"},{"key":"e_1_3_2_95_2","doi-asserted-by":"publisher","DOI":"10.1145\/3427787"},{"key":"e_1_3_2_96_2","first-page":"05","article-title":"K-anonymity: A model for protecting privacy","volume":"10","author":"Sweeney Latanya","year":"2002","unstructured":"Latanya Sweeney. 2002. K-anonymity: A model for protecting privacy. International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems 10, 05 (2002), 557\u2013570.","journal-title":"International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems"},{"key":"e_1_3_2_97_2","unstructured":"Tines. 2022. Voice of the SOC Analyst. Retrieved April 4 2024 from https:\/\/www.tines.com\/reports\/voice-of-the-soc-analyst"},{"key":"e_1_3_2_98_2","unstructured":"Daniel Tovarnak and Martin Lastovicka. 2022. Malware Pipeline. Retrieved September 1 2023 from https:\/\/github.com\/CSIRT-MU\/csirtmu-sappan-malware-evaluator"},{"key":"e_1_3_2_99_2","doi-asserted-by":"publisher","DOI":"10.1145\/3378679.3394533"},{"key":"e_1_3_2_100_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2017.05.009"},{"key":"e_1_3_2_101_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICDE.2019.00176"},{"key":"e_1_3_2_102_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.3045514"},{"key":"e_1_3_2_103_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2019.101589"},{"key":"e_1_3_2_104_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2020.2988575"},{"key":"e_1_3_2_105_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICNP.2002.1181415"},{"key":"e_1_3_2_106_2","unstructured":"ytisf. 2023. theZoo\u2014A Live Malware Repository. Retrieved October 19 2023 from https:\/\/thezoo.morirt.com\/"},{"key":"e_1_3_2_107_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICBDA.2017.8078811"},{"key":"e_1_3_2_108_2","unstructured":"Martin Zadnik. 2021. Sharing response handling information. Retrieved December 19 2024 from https:\/\/sappan-project.eu\/wp-content\/uploads\/2022\/11\/D5.8-Sharing-Response-Handling-Information-M30.pdf"},{"key":"e_1_3_2_109_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.ins.2018.10.024"},{"key":"e_1_3_2_110_2","doi-asserted-by":"publisher","DOI":"10.1145\/1540276.1540279"},{"key":"e_1_3_2_111_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.2980235"}],"container-title":["Digital Threats: Research and Practice"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3707651","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3707651","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T01:17:38Z","timestamp":1750295858000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3707651"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,2,14]]},"references-count":110,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2025,3,31]]}},"alternative-id":["10.1145\/3707651"],"URL":"https:\/\/doi.org\/10.1145\/3707651","relation":{},"ISSN":["2576-5337"],"issn-type":[{"value":"2576-5337","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,2,14]]},"assertion":[{"value":"2023-12-30","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-11-12","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-02-14","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}