{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,25]],"date-time":"2026-04-25T15:03:05Z","timestamp":1777129385907,"version":"3.51.4"},"reference-count":58,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2024,7,1]],"date-time":"2024-07-01T00:00:00Z","timestamp":1719792000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2024,7,1]],"date-time":"2024-07-01T00:00:00Z","timestamp":1719792000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/100010661","name":"Horizon 2020 Framework Programme","doi-asserted-by":"publisher","award":["830927"],"award-info":[{"award-number":["830927"]}],"id":[{"id":"10.13039\/100010661","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100000266","name":"Engineering and Physical Sciences Research Council","doi-asserted-by":"publisher","award":["EP\/V026763\/1"],"award-info":[{"award-number":["EP\/V026763\/1"]}],"id":[{"id":"10.13039\/501100000266","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Reflection attacks are one of the most intimidating threats organizations face. A reflection attack is a special type of distributed denial-of-service attack that amplifies the amount of malicious traffic by using reflectors and hides the identity of the attacker. Reflection attacks are known to be one of the most common causes of service disruption in large networks. Large networks perform extensive logging of NetFlow data, and parsing this data is an advocated basis for identifying network attacks. We conduct a comprehensive analysis of NetFlow data containing 1.7 billion NetFlow records and identified reflection attacks on the network time protocol (NTP) and NetBIOS servers. We set up three regression models including the Ridge, Elastic Net and LASSO. To the best of our knowledge, there is no work that studied different regression models to understand patterns of reflection attacks in a large network. In this paper, we (a) propose an approach for identifying correlations of reflection attacks, and (b) evaluate the three regression models on real NetFlow data. Our results show that (a) reflection attacks on the NTP servers are not correlated, (b) reflection attacks on the NetBIOS servers are not correlated, (c) the traffic generated by those reflection attacks did not overwhelm the NTP and NetBIOS servers, and (d) the dwell times of reflection attacks on the NTP and NetBIOS servers are too small for predicting reflection attacks on these servers. Our work on reflection attacks identification highlights recommendations that could facilitate better handling of reflection attacks in large networks.<\/jats:p>","DOI":"10.1186\/s42400-023-00203-7","type":"journal-article","created":{"date-parts":[[2024,7,1]],"date-time":"2024-07-01T04:37:01Z","timestamp":1719808621000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["An empirical study of reflection attacks using NetFlow data"],"prefix":"10.1186","volume":"7","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-8659-1803","authenticated-orcid":false,"given":"Edward","family":"Chuah","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Neeraj","family":"Suri","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2024,7,1]]},"reference":[{"key":"203_CR1","volume-title":"Statistics: the art and science of learning from data","author":"A Agresti","year":"2009","unstructured":"Agresti A, Franklin C (2009) Statistics: the art and science of learning from data. Prentice Hall, Upper Saddle River"},{"key":"203_CR2","doi-asserted-by":"publisher","unstructured":"Ahuja V, Kotkar M, Bhongade R, Kshirsagar D (2022) Reflection based distributed denial of service attack detection system. In: Proceedings of the 6th IEEE international conference on computing, communication, control and automation (ICCUBEA). IEEE, pp 1\u20135. https:\/\/doi.org\/10.1109\/ICCUBEA54992.2022.10011055","DOI":"10.1109\/ICCUBEA54992.2022.10011055"},{"key":"203_CR3","doi-asserted-by":"publisher","DOI":"10.1016\/j.jisa.2022.103168","volume":"66","author":"M Anagnostopoulos","year":"2022","unstructured":"Anagnostopoulos M, Lagos S, Kambourakis G (2022) Large-scale empirical evaluation of DNS and SSDP amplification attacks. J Inf Secur Appl 66:103168. https:\/\/doi.org\/10.1016\/j.jisa.2022.103168","journal-title":"J Inf Secur Appl"},{"key":"203_CR4","doi-asserted-by":"publisher","first-page":"25","DOI":"10.1142\/S0218843023500259","volume":"235","author":"E Benmohamed","year":"2023","unstructured":"Benmohamed E, Thaljaoui A, El Khediri S, Aladhadh S, Alohali M (2023) DDoS attacks detection with half autoencoder-stacked deep neural network. Int J Coop Inf Syst 235:25. https:\/\/doi.org\/10.1142\/S0218843023500259","journal-title":"Int J Coop Inf Syst"},{"key":"203_CR5","doi-asserted-by":"publisher","unstructured":"Bian H, Bai T, Salahuddin MA, Limam N, Daya AA, Boutaba R (2019) Host in danger? Detecting network intrusions from authentication logs. In: Proceedings of 15th international conference on network and service management (CNSM), pp 1\u20139. https:\/\/doi.org\/10.23919\/CNSM46954.2019.9012700","DOI":"10.23919\/CNSM46954.2019.9012700"},{"issue":"10","key":"203_CR6","first-page":"382","volume":"14","author":"S Chawla","year":"2016","unstructured":"Chawla S, Sachdeva M, Behal S (2016) Discrimination of DDoS attacks and flash events using Pearson\u2019s product moment correlation method. Int J Comput Sci Inf Secur (IJCSIS) 14(10):382","journal-title":"Int J Comput Sci Inf Secur (IJCSIS)"},{"key":"203_CR7","doi-asserted-by":"publisher","DOI":"10.1155\/2018\/6459326","author":"J Cheng","year":"2018","unstructured":"Cheng J, Li M, Tang X, Sheng VS, Liu Y, Guo W (2018) Flow correlation degree optimization driven random forest for detecting DDoS attacks in cloud computing. Secur Commun Netw. https:\/\/doi.org\/10.1155\/2018\/6459326","journal-title":"Secur Commun Netw"},{"issue":"5","key":"203_CR8","doi-asserted-by":"publisher","first-page":"1564","DOI":"10.1109\/LCOMM.2020.3048995","volume":"25","author":"Q Cheng","year":"2021","unstructured":"Cheng Q, Wu C, Zhou S (2021) Discovering attack scenarios via intrusion alert correlation using graph convolutional networks. IEEE Commun Lett 25(5):1564\u20131567. https:\/\/doi.org\/10.1109\/LCOMM.2020.3048995","journal-title":"IEEE Commun Lett"},{"key":"203_CR9","doi-asserted-by":"publisher","unstructured":"Chordiya AR, Majumder S, Javaid AY (2018) Man-in-the-middle (MITM) attack based hijacking of HTTP traffic using open source tools. In: Proceedings of IEEE international conference on electro\/information technology (EIT), pp 0438\u20130443. https:\/\/doi.org\/10.1109\/EIT.2018.8500144","DOI":"10.1109\/EIT.2018.8500144"},{"key":"203_CR10","doi-asserted-by":"publisher","unstructured":"Chuah E, Suri N, Jhumka A, Alt S (2021) Challenges in identifying network attacks using netflow data. In: Proceedings of IEEE international symposium on network computing and applications (NCA). https:\/\/doi.org\/10.1109\/NCA53618.2021.9685305","DOI":"10.1109\/NCA53618.2021.9685305"},{"key":"203_CR11","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2020.114520","volume":"169","author":"AE Cil","year":"2021","unstructured":"Cil AE, Yildiz K, Buldu A (2021) Detection of DDoS attacks with feed forward based deep neural network model. Expert Syst Appl 169:114520. https:\/\/doi.org\/10.1016\/j.eswa.2020.114520","journal-title":"Expert Syst Appl"},{"key":"203_CR12","doi-asserted-by":"publisher","unstructured":"Dasari KB, Devarakonda N (2023) Evaluation of svm kernels with multiple uncorrelated feature subsets selected by multiple correlation methods for reflection amplification DDoS attacks detection, pp 99\u2013111. https:\/\/doi.org\/10.1007\/978-981-19-6791-7_6","DOI":"10.1007\/978-981-19-6791-7_6"},{"key":"203_CR13","doi-asserted-by":"publisher","unstructured":"Dwyer J, Truta TM (2013) Finding anomalies in windows event logs using standard deviation. In: Proceedings of the IEEE international conference on collaborative computing: networking, applications and worksharing, pp 563\u2013570. https:\/\/doi.org\/10.4108\/icst.collaboratecom.2013.254136","DOI":"10.4108\/icst.collaboratecom.2013.254136"},{"key":"203_CR14","doi-asserted-by":"publisher","unstructured":"Elsayed MS, Jahromi HZ, Nazir MM, Jurcut AD (2021) The role of CNN for intrusion detection systems: an improved CNN learning approach for SDNs. In: Proceedings of the international conference on future access enablers of ubiquitous and intelligent infrastructures. Springer, pp 91\u2013104. https:\/\/doi.org\/10.1007\/978-3-030-78459-1_7","DOI":"10.1007\/978-3-030-78459-1_7"},{"key":"203_CR15","doi-asserted-by":"publisher","first-page":"35","DOI":"10.1016\/j.cose.2014.09.006","volume":"48","author":"I Friedberg","year":"2015","unstructured":"Friedberg I, Skopik F, Settanni G, Fiedler R (2015) Combating advanced persistent threats: from network event correlation to incident detection. Comput Secur 48:35\u201357. https:\/\/doi.org\/10.1016\/j.cose.2014.09.006","journal-title":"Comput Secur"},{"key":"203_CR16","doi-asserted-by":"publisher","unstructured":"Ghafir I, Prenosil V, Svoboda J, Hammoudeh M (2016) A survey on network security monitoring systems. In: Proceedings of the IEEE international conference on future internet of things and cloud workshops (FiCloudW), pp 77\u201382. https:\/\/doi.org\/10.1109\/W-FiCloud.2016.30","DOI":"10.1109\/W-FiCloud.2016.30"},{"key":"203_CR17","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/978-3-031-23690-7_1","volume-title":"Information systems security","author":"SK Ghosh","year":"2022","unstructured":"Ghosh SK, Satvat K, Gjomemo R, Venkatakrishnan VN (2022) Ostinato: cross-host attack correlation through attack activity similarity detection. In: Badarla VR, Nepal S, Shyamasundar RK (eds) Information systems security. Springer, Cham, pp 1\u201322. https:\/\/doi.org\/10.1007\/978-3-031-23690-7_1"},{"key":"203_CR18","doi-asserted-by":"publisher","first-page":"68","DOI":"10.1016\/j.future.2020.01.024","volume":"108","author":"JJC Gondim","year":"2020","unstructured":"Gondim JJC, de Oliveira Albuquerque R, Sandoval Orozco AL (2020) Mirror saturation in amplified reflection distributed denial of service: a case of study using SNMP, SSDP, NTP and DNS protocols. Future Gener Comput Syst 108:68\u201381. https:\/\/doi.org\/10.1016\/j.future.2020.01.024","journal-title":"Future Gener Comput Syst"},{"key":"203_CR19","doi-asserted-by":"publisher","first-page":"234","DOI":"10.1016\/j.cose.2019.02.008","volume":"83","author":"F Gottwalt","year":"2019","unstructured":"Gottwalt F, Chang E, Dillon T (2019) CorrCorr: a feature selection method for multivariate correlation network anomaly detection techniques. Comput Secur 83:234\u2013245. https:\/\/doi.org\/10.1016\/j.cose.2019.02.008","journal-title":"Comput Secur"},{"key":"203_CR20","doi-asserted-by":"publisher","DOI":"10.1145\/3325061.3325062","author":"S Haas","year":"2019","unstructured":"Haas S, Fischer M (2019) On the alert correlation process for the detection of multi-step attacks and a graph-based realization. ACM SIGAPP Appl Comput Rev. https:\/\/doi.org\/10.1145\/3325061.3325062","journal-title":"ACM SIGAPP Appl Comput Rev"},{"key":"203_CR21","doi-asserted-by":"publisher","unstructured":"Haas S, Wilkens F, Fischer M (2019) Efficient attack correlation and identification of attack scenarios based on network-motifs. In: Proceedings of the IEEE international performance computing and communications conference (IPCCC), pp 1\u201311. https:\/\/doi.org\/10.1109\/IPCCC47392.2019.8958734","DOI":"10.1109\/IPCCC47392.2019.8958734"},{"issue":"1","key":"203_CR22","doi-asserted-by":"publisher","first-page":"93","DOI":"10.1007\/s10922-018-9459-y","volume":"27","author":"F Hachmi","year":"2019","unstructured":"Hachmi F, Boujenfa K, Limam M (2019) Enhancing the accuracy of intrusion detection systems by reducing the rates of false positives and false negatives through multi-objective optimization. J Netw Syst Manag 27(1):93\u2013120. https:\/\/doi.org\/10.1007\/s10922-018-9459-y","journal-title":"J Netw Syst Manag"},{"key":"203_CR23","volume-title":"Data communications, computer networks and open systems","author":"F Halsall","year":"1996","unstructured":"Halsall F (1996) Data communications, computer networks and open systems. Addison-Wesley, New York"},{"key":"203_CR24","doi-asserted-by":"publisher","unstructured":"Heryanto A, Stiawan D, Bin Idris MY, Bahari MR, Hafizin AA, Budiarto R (2022) Cyberattack feature selection using correlation-based feature selection method in an intrusion detection system. In: Proceedings of the international conference on electrical engineering, computer science and informatics (EECSI), pp 79\u201385. https:\/\/doi.org\/10.23919\/EECSI56542.2022.9946449","DOI":"10.23919\/EECSI56542.2022.9946449"},{"issue":"1","key":"203_CR25","doi-asserted-by":"publisher","first-page":"80","DOI":"10.1080\/00401706.1970.10488634","volume":"42","author":"AE Hoerl","year":"2000","unstructured":"Hoerl AE, Kennard RW (2000) Ridge regression: biased estimation for nonorthogonal problems. Technometrics 42(1):80\u201386. https:\/\/doi.org\/10.1080\/00401706.1970.10488634","journal-title":"Technometrics"},{"issue":"7","key":"203_CR26","doi-asserted-by":"publisher","first-page":"4219","DOI":"10.1016\/j.jksuci.2022.05.004","volume":"34","author":"DP Hostiadi","year":"2022","unstructured":"Hostiadi DP, Ahmad T (2022) Hybrid model for bot group activity detection using similarity and correlation approaches based on network traffic flows analysis. J King Saud Univ Comput Inf Sci 34(7):4219\u20134232. https:\/\/doi.org\/10.1016\/j.jksuci.2022.05.004","journal-title":"J King Saud Univ Comput Inf Sci"},{"key":"203_CR27","first-page":"368","volume-title":"Network security: know it all","author":"J Joshi","year":"2008","unstructured":"Joshi J (2008) Network security: know it all. Morgan Kaufmann, Burlington, p 368"},{"issue":"9","key":"203_CR28","doi-asserted-by":"publisher","first-page":"3235","DOI":"10.1007\/s10489-019-01436-1","volume":"49","author":"N Kaja","year":"2019","unstructured":"Kaja N, Shaout A, Ma D (2019) An intelligent intrusion detection system. Appl Intell 49(9):3235\u20133247. https:\/\/doi.org\/10.1007\/s10489-019-01436-1","journal-title":"Appl Intell"},{"key":"203_CR29","doi-asserted-by":"publisher","unstructured":"Kopp D, Dietzel C, Hohlfeld O (2021) DDoS never dies? An IXP perspective on DDoS amplification attacks. In: Passive and active measurement. Springer, Cham, pp 284\u2013301. https:\/\/doi.org\/10.1007\/978-3-030-72582-2_17","DOI":"10.1007\/978-3-030-72582-2_17"},{"key":"203_CR30","doi-asserted-by":"publisher","first-page":"13","DOI":"10.1007\/s12652-021-02907-5","volume":"1","author":"D Kshirsagar","year":"2022","unstructured":"Kshirsagar D, Kumar S (2022) A feature reduction based reflected and exploited DDoS attacks detection system. J Ambient Intell Hum Comput 1:13. https:\/\/doi.org\/10.1007\/s12652-021-02907-5","journal-title":"J Ambient Intell Hum Comput"},{"issue":"4","key":"203_CR31","doi-asserted-by":"publisher","first-page":"3257","DOI":"10.1109\/TNSE.2021.3109644","volume":"8","author":"S Lei","year":"2021","unstructured":"Lei S, Xia C, Li Z, Li X, Wang T (2021) HNN: a novel model to study the intrusion detection based on multi-feature correlation and temporal\u2013spatial analysis. IEEE Trans Netw Sci Eng 8(4):3257\u20133274. https:\/\/doi.org\/10.1109\/TNSE.2021.3109644","journal-title":"IEEE Trans Netw Sci Eng"},{"key":"203_CR32","doi-asserted-by":"publisher","first-page":"13","DOI":"10.1016\/j.knosys.2015.01.009","volume":"78","author":"W-C Lin","year":"2015","unstructured":"Lin W-C, Ke S-W, Tsai C-F (2015) CANN: an intrusion detection system based on combining cluster centers and nearest neighbors. Knowl Based Syst 78:13\u201321. https:\/\/doi.org\/10.1016\/j.knosys.2015.01.009","journal-title":"Knowl Based Syst"},{"key":"203_CR33","doi-asserted-by":"publisher","first-page":"18345","DOI":"10.1109\/ACCESS.2018.2817921","volume":"6","author":"H Lin","year":"2018","unstructured":"Lin H, Yan Z, Chen Y, Zhang L (2018) A survey on network security-related data collection technologies. IEEE Access 6:18345\u201318365. https:\/\/doi.org\/10.1109\/ACCESS.2018.2817921","journal-title":"IEEE Access"},{"issue":"4","key":"203_CR34","doi-asserted-by":"publisher","first-page":"1948","DOI":"10.1109\/TNET.2018.2854795","volume":"26","author":"Z Liu","year":"2018","unstructured":"Liu Z, Jin H, Hu Y, Bailey M (2018) Practical proactive DDoS-attack mitigation via endpoint-driven in-network traffic control. IEEE\/ACM Trans Netw 26(4):1948\u20131961. https:\/\/doi.org\/10.1109\/TNET.2018.2854795","journal-title":"IEEE\/ACM Trans Netw"},{"key":"203_CR35","first-page":"250","volume-title":"Intrusion detection systems","author":"LV Mancini","year":"2008","unstructured":"Mancini LV, Pietro R (2008) Intrusion detection systems. Springer, Berlin, p 250"},{"issue":"2","key":"203_CR36","doi-asserted-by":"publisher","first-page":"52","DOI":"10.1109\/MS.2016.33","volume":"33","author":"A Miranskyy","year":"2016","unstructured":"Miranskyy A, Hamou-Lhadj A, Cialini E, Larsson A (2016) Operational-log analysis for big data systems: challenges and solutions. IEEE Softw 33(2):52\u201359. https:\/\/doi.org\/10.1109\/MS.2016.33","journal-title":"IEEE Softw"},{"key":"203_CR37","doi-asserted-by":"publisher","first-page":"9822","DOI":"10.1109\/ACCESS.2021.3049249","volume":"9","author":"FJ Mora-Gimeno","year":"2021","unstructured":"Mora-Gimeno FJ, Mora-Mora H, Volckaert B, Atrey A (2021) Intrusion detection system based on integrated system calls graph and neural networks. IEEE Access 9:9822\u20139833. https:\/\/doi.org\/10.1109\/ACCESS.2021.3049249","journal-title":"IEEE Access"},{"key":"203_CR38","doi-asserted-by":"publisher","unstructured":"More KK, Gosavi PB (2016) A real time system for denial of service attack detection based on multivariate correlation analysis approach. In: Proceedings of the 2016 international conference on electrical, electronics, and optimization techniques (ICEEOT), pp 1125\u20131131. https:\/\/doi.org\/10.1109\/ICEEOT.2016.7754860","DOI":"10.1109\/ICEEOT.2016.7754860"},{"issue":"6","key":"203_CR39","doi-asserted-by":"publisher","first-page":"8106","DOI":"10.1007\/s11227-021-04253-x","volume":"78","author":"M Najafimehr","year":"2022","unstructured":"Najafimehr M, Zarifzadeh S, Mostafavi S (2022) A hybrid machine learning approach for detecting unprecedented DDoS attacks. J Supercomput 78(6):8106\u20138136. https:\/\/doi.org\/10.1007\/s11227-021-04253-x","journal-title":"J Supercomput"},{"key":"203_CR40","doi-asserted-by":"publisher","unstructured":"Negi CS, Kumari N, Kumar P, Sinha SK (2021) An approach for alert correlation using ArcSight SIEM and open source NIDS. In: Nath V, Mandal JK (eds) Proceeding of fifth international conference on microelectronics, computing and communication systems. Springer, Singapore, pp 29\u201340. https:\/\/doi.org\/10.1007\/978-981-16-0275-7_3","DOI":"10.1007\/978-981-16-0275-7_3"},{"key":"203_CR41","doi-asserted-by":"publisher","unstructured":"Noble J, Adams NM (2016) Correlation-based streaming anomaly detection in cyber-security. In: Proceedings of the IEEE international conference on data mining workshops (ICDMW), pp 311\u2013318. https:\/\/doi.org\/10.1109\/ICDMW.2016.0051","DOI":"10.1109\/ICDMW.2016.0051"},{"key":"203_CR42","doi-asserted-by":"publisher","first-page":"206","DOI":"10.1016\/j.cose.2014.10.006","volume":"49","author":"AA Ramaki","year":"2015","unstructured":"Ramaki AA, Amini M, Ebrahimi Atani R (2015) RTECA: real time episode correlation algorithm for multi-step attack scenarios detection. Comput Secur 49:206\u2013219. https:\/\/doi.org\/10.1016\/j.cose.2014.10.006","journal-title":"Comput Secur"},{"key":"203_CR43","doi-asserted-by":"publisher","unstructured":"Sarmento AG, Yeo KC, Azam S, Karim A, Al Mamun A, Shanmugam B (2021) Applying big data analytics in DDos forensics: challenges and opportunities. In: Jahankhani H, Jamal A, Lawson S (eds) Cybersecurity, privacy and freedom protection in the connected world. Springer, Cham, pp 235\u2013252. https:\/\/doi.org\/10.1007\/978-3-030-68534-8_15","DOI":"10.1007\/978-3-030-68534-8_15"},{"key":"203_CR44","volume-title":"Understanding regression analysis: an introductory guide","author":"LD Schroeder","year":"2016","unstructured":"Schroeder LD, Sjoquist DL, Stephan PE (2016) Understanding regression analysis: an introductory guide, vol 57. Sage Publications, Thousand Oaks"},{"key":"203_CR45","doi-asserted-by":"publisher","first-page":"4","DOI":"10.1016\/j.engappai.2020.103770","volume":"94","author":"A Shahraki","year":"2020","unstructured":"Shahraki A, Abbasi M (2020) Haugen: boosting algorithms for network intrusion detection: a comparative evaluation of real adaboost, gentle adaboost and modest adaboost. Eng Appl Artif Intell 94:4. https:\/\/doi.org\/10.1016\/j.engappai.2020.103770","journal-title":"Eng Appl Artif Intell"},{"issue":"4","key":"203_CR46","doi-asserted-by":"publisher","first-page":"743","DOI":"10.5281\/zenodo.1123927","volume":"10","author":"A Shalaginov","year":"2016","unstructured":"Shalaginov A, Franke K, Huang X (2016) Malware beaconing detection by mining large-scale DNS logs for targeted attack identification. Int J Comput Syst Eng 10(4):743\u2013755. https:\/\/doi.org\/10.5281\/zenodo.1123927","journal-title":"Int J Comput Syst Eng"},{"key":"203_CR47","doi-asserted-by":"publisher","unstructured":"Shin MS, Jeong KJ (2006) Alert correlation analysis in intrusion detection. In: International conference on advanced data mining and applications. Springer, pp 1049\u20131056. https:\/\/doi.org\/10.1007\/11811305_114","DOI":"10.1007\/11811305_114"},{"key":"203_CR48","doi-asserted-by":"publisher","unstructured":"Singh Samom P, Taggu A (2021) Distributed denial of service (DDoS) attacks detection: a machine learning approach. In: Applied soft computing and communication networks: proceedings of ACN 2020, pp 75\u201387. Springer. https:\/\/doi.org\/10.1007\/978-981-33-6173-7_6","DOI":"10.1007\/978-981-33-6173-7_6"},{"issue":"CoNEXT3","key":"203_CR49","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3629135","volume":"1","author":"R Singh Samra","year":"2023","unstructured":"Singh Samra R, Barcellos M (2023) Ddos2vec: flow-level characterisation of volumetric DDoS attacks at scale. Proc ACM Netw 1(CoNEXT3):1\u201325. https:\/\/doi.org\/10.1145\/3629135","journal-title":"Proc ACM Netw"},{"issue":"22","key":"203_CR50","doi-asserted-by":"publisher","first-page":"2173","DOI":"10.1093\/ajhp\/58.22.2173","volume":"58","author":"MK Slack","year":"2001","unstructured":"Slack MK, Draugalis J, Jolaine R (2001) Establishing the internal and external validity of experimental studies. Am J Health Syst Pharm 58(22):2173\u20132181. https:\/\/doi.org\/10.1093\/ajhp\/58.22.2173","journal-title":"Am J Health Syst Pharm"},{"key":"203_CR51","volume-title":"Introduction to data mining","author":"P-N Tan","year":"2006","unstructured":"Tan P-N, Steinbach M, Kumar V (2006) Introduction to data mining. Addison-Wesley, New York"},{"issue":"1","key":"203_CR52","doi-asserted-by":"publisher","first-page":"267","DOI":"10.1111\/j.2517-6161.1996.tb02080.x","volume":"58","author":"R Tibshirani","year":"1996","unstructured":"Tibshirani R (1996) Regression shrinkage and selection via the lasso. J R Stat Soc Ser B (Methodol) 58(1):267\u2013288. https:\/\/doi.org\/10.1111\/j.2517-6161.1996.tb02080.x","journal-title":"J R Stat Soc Ser B (Methodol)"},{"key":"203_CR53","doi-asserted-by":"publisher","first-page":"4","DOI":"10.1142\/9781786345646_001","volume":"16","author":"MM Turcotte","year":"2018","unstructured":"Turcotte MM, Kent AD, Hash C (2018) Unified host and network data set. Data Sci Cyber Secur 16:4. https:\/\/doi.org\/10.1142\/9781786345646_001","journal-title":"Data Sci Cyber Secur"},{"issue":"2","key":"203_CR54","doi-asserted-by":"publisher","first-page":"203","DOI":"10.1080\/00220970109600656","volume":"69","author":"P Yin","year":"2001","unstructured":"Yin P, Fan X (2001) Estimating R2 shrinkage in multiple regression: a comparison of different analytical methods. J Exp Educ 69(2):203\u2013224. https:\/\/doi.org\/10.1080\/00220970109600656","journal-title":"J Exp Educ"},{"key":"203_CR55","doi-asserted-by":"publisher","unstructured":"Yu M, Halak B, Zwolinski M (2019) Using hardware performance counters to detect control hijacking attacks. In: Proceedings of the IEEE international verification and security workshop (IVSW). https:\/\/doi.org\/10.1109\/IVSW.2019.8854399","DOI":"10.1109\/IVSW.2019.8854399"},{"key":"203_CR56","doi-asserted-by":"publisher","first-page":"82799","DOI":"10.1109\/ACCESS.2022.3196362","volume":"10","author":"M Zadnik","year":"2022","unstructured":"Zadnik M, Wrona J, Hynek K, Cejka T, Hus\u00e1k M (2022) Discovering coordinated groups of IP addresses through temporal correlation of alerts. IEEE Access 10:82799\u201382813. https:\/\/doi.org\/10.1109\/ACCESS.2022.3196362","journal-title":"IEEE Access"},{"key":"203_CR57","doi-asserted-by":"publisher","unstructured":"Zhenzheng H, He Q, Chuah E et al (2018) Developing data science tools for improving enterprise cyber-security. In: The Alan turing institute data study group final report. https:\/\/doi.org\/10.5281\/zenodo.3558251","DOI":"10.5281\/zenodo.3558251"},{"issue":"2","key":"203_CR58","doi-asserted-by":"publisher","first-page":"301","DOI":"10.1111\/j.1467-9868.2005.00503.x","volume":"67","author":"H Zou","year":"2005","unstructured":"Zou H, Hastie T (2005) Regularization and variable selection via the elastic net. J R Stat Soc Ser B (Stat Methodol) 67(2):301\u2013320. https:\/\/doi.org\/10.1111\/j.1467-9868.2005.00503.x","journal-title":"J R Stat Soc Ser B (Stat Methodol)"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-023-00203-7.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-023-00203-7\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-023-00203-7.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,7,1]],"date-time":"2024-07-01T04:37:12Z","timestamp":1719808632000},"score":1,"resource":{"primary":{"URL":"https:\/\/cybersecurity.springeropen.com\/articles\/10.1186\/s42400-023-00203-7"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,7,1]]},"references-count":58,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2024,12]]}},"alternative-id":["203"],"URL":"https:\/\/doi.org\/10.1186\/s42400-023-00203-7","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,7,1]]},"assertion":[{"value":"11 July 2023","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"26 December 2023","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"1 July 2024","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}},{"value":"Not applicable.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethics approval and consent to participate"}}],"article-number":"13"}}