{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,12]],"date-time":"2025-11-12T14:08:17Z","timestamp":1762956497597,"version":"build-2065373602"},"reference-count":24,"publisher":"MDPI AG","issue":"11","license":[{"start":{"date-parts":[[2020,11,19]],"date-time":"2020-11-19T00:00:00Z","timestamp":1605744000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100003194","name":"Agent\u00fara Ministerstva \u0160kolstva, Vedy, V\u00fdskumu a \u0160portu SR","doi-asserted-by":"publisher","award":["APVV-17-0561"],"award-info":[{"award-number":["APVV-17-0561"]}],"id":[{"id":"10.13039\/501100003194","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Information"],"abstract":"<jats:p>The rapid move to digitalization and usage of online information systems brings new and evolving threats that organizations must protect themselves from and respond to. Monitoring an organization\u2019s network for malicious activity has become a standard practice together with event and log collection from network hosts. Security operation centers deal with a growing number of alerts raised by intrusion detection systems that process the collected data and monitor networks. The alerts must be processed so that the relevant stakeholders can make informed decisions when responding to situations. Correlation of alerts into more expressive intrusion scenarios is an important tool in reducing false-positive and noisy alerts. In this paper, we propose correlation rules for identifying multi-stage attacks. Another contribution of this paper is a methodology for inferring from an alert the values needed to evaluate the attack in terms of the attacker\u2019s skill level. We present our results on the CSE-CIC-IDS2018 data set.<\/jats:p>","DOI":"10.3390\/info11110537","type":"journal-article","created":{"date-parts":[[2020,11,19]],"date-time":"2020-11-19T10:46:26Z","timestamp":1605782786000},"page":"537","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["Evaluation of Attackers\u2019 Skill Levels in Multi-Stage Attacks"],"prefix":"10.3390","volume":"11","author":[{"given":"Ter\u00e9zia","family":"M\u00e9ze\u0161ov\u00e1","sequence":"first","affiliation":[{"name":"Faculty of Science, Pavol Jozef \u0160af\u00e1rik University in Ko\u0161ice, 040 01 Ko\u0161ice, Slovakia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1967-8802","authenticated-orcid":false,"given":"Pavol","family":"Sokol","sequence":"additional","affiliation":[{"name":"Faculty of Science, Pavol Jozef \u0160af\u00e1rik University in Ko\u0161ice, 040 01 Ko\u0161ice, Slovakia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Tom\u00e1\u0161","family":"Bajto\u0161","sequence":"additional","affiliation":[{"name":"Faculty of Science, Pavol Jozef \u0160af\u00e1rik University in Ko\u0161ice, 040 01 Ko\u0161ice, Slovakia"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2020,11,19]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"M\u00e9ze\u0161ov\u00e1, T., Sokol, P., and Bajto\u0161, T. (2019, January 27\u201329). Evaluation of Attacker Skill Level for Multi-stage Attacks. Proceedings of the 2019 11th International Conference on Electronics, Computers and Artificial Intelligence (ECAI), Pitesti, Romania.","DOI":"10.1109\/ECAI46879.2019.9042153"},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Paulauskas, N., and Garsva, E. (2008, January 18\u201321). Attacker skill level distribution estimation in the system mean time-to- compromise. Proceedings of the 2008 1st International Conference on Information Technology, Gdansk, Poland.","DOI":"10.1109\/INFTECH.2008.4621683"},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Hu, H., Liu, Y., Zhang, H., and Zhang, Y. (2018). Security metric methods for network multistep attacks using AMC and big data correlation analysis. Secur. Commun. Netw., 2018.","DOI":"10.1155\/2018\/5787102"},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"41","DOI":"10.1016\/j.cose.2015.03.001","article-title":"Incorporating attacker capabilities in risk estimation and mitigation","volume":"51","author":"Ranchal","year":"2015","journal-title":"Comput. Secur."},{"key":"ref_5","unstructured":"van Rensburg, A.J., Nurse, J.R., and Goldsmith, M. (2016, January 24\u201328). Attacker-parametrised attack graphs. Proceedings of the Tenth International Conference on Emerging Security Information, Systems and Technologies, Nice, France."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Rocchetto, M., and Tippenhauer, N.O. (2016, January 26\u201330). On attacker models and profiles for cyber-physical systems. Proceedings of the European Symposium on Research in Computer Security, Heraklion, Greece.","DOI":"10.1007\/978-3-319-45741-3_22"},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Fraunholz, D., Anton, S.D., and Schotten, H.D. (2017, January 21\u201323). Introducing gamfis: A generic attacker model for information security. Proceedings of the 2017 25th International Conference on Software, Telecommunications and Computer Networks (SoftCOM), Split, Croatia.","DOI":"10.23919\/SOFTCOM.2017.8115550"},{"key":"ref_8","unstructured":"O\u0161t\u2019\u00e1dal, R., \u0160venda, P., and Maty\u00e1\u0161, V. (2016, January 7\u20138). Reconsidering attacker models in Ad-Hoc networks. Proceedings of the Cambridge International Workshop on Security Protocols, Brno, Czech Republic."},{"key":"ref_9","unstructured":"Krautsevich, L., Martinelli, F., and Yautsiukhin, A. (2012, January 25\u201326). Towards modelling adaptive attacker\u2019s behaviour. Proceedings of the International Symposium on Foundations and Practice of Security, Montreal, QC, Canada."},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Mohammadian, M. (2017, January 18\u201320). Intelligent security and risk analysis in network systems. Proceedings of the 2017 International Conference on Infocom Technologies and Unmanned Systems (Trends and Future Directions) (ICTUS), Dubai, UAE.","DOI":"10.1109\/ICTUS.2017.8286120"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Hassan, S., and Guha, R. (2017, January 6\u201310). A probabilistic study on the relationship of deceptions and attacker skills. Proceedings of the 2017 IEEE 15th International Conference on Dependable, Autonomic and Secure Computing, 15th International Conference on Pervasive Intelligence and Computing, 3rd International Conference on Big Data Intelligence and Computing and Cyber Science and Technology Congress (DASC\/PiCom\/DataCom\/CyberSciTech), Orlando, FL, USA.","DOI":"10.1109\/DASC-PICom-DataCom-CyberSciTec.2017.121"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Sharafaldin, I., Lashkari, A.H., and Ghorbani, A.A. (2020, January 22\u201324). Toward generating a new intrusion detection dataset and intrusion traffic characterization. Proceedings of the 4th International Conference on Information Systems Security and Privacy (ICISSP 2018), Funchal, Portugal.","DOI":"10.5220\/0006639801080116"},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"102767","DOI":"10.1016\/j.jnca.2020.102767","article-title":"Deep learning methods in network intrusion detection: A survey and an objective comparison","volume":"169","author":"Gamage","year":"2020","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_14","first-page":"102419","article-title":"Deep learning for cyber security intrusion detection: Approaches, datasets, and comparative study","volume":"50","author":"Ferrag","year":"2020","journal-title":"J. Inf. Secur. Appl."},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"107417","DOI":"10.1016\/j.comnet.2020.107417","article-title":"Hybrid approach to intrusion detection in fog-based IoT environments","volume":"180","author":"Westphall","year":"2020","journal-title":"Comput. Netw."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"M\u00e9ze\u0161ov\u00e1, T., and Bahsi, H. (2019, January 3\u20134). Expert Knowledge Elicitation for Skill Level Categorization of Attack Paths. Proceedings of the 2019 International Conference on Cyber Security and Protection of Digital Services (Cyber Security), Oxford, UK.","DOI":"10.1109\/CyberSecPODS.2019.8885192"},{"key":"ref_17","unstructured":"Mell, P., Scarfone, K., and Sasha, R. (2020, November 19). A Complete Guide to the Common Vulnerability Scoring System Version 2.0. Published by FIRST-Forum of Incident Response and Security Teams, Available online: https:\/\/tsapps.nist.gov\/publication\/get_pdf.cfm?pub_id=51198."},{"key":"ref_18","unstructured":"CVSS Special Interest Group (2020, November 19). Common Vulnerability Scoring System v3.1: Specification Document. Available online: https:\/\/www.first.org\/cvss\/v3-1\/cvss-v31-specification_r1.pdf."},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"3","DOI":"10.1016\/j.entcs.2007.12.013","article-title":"Adaptive threat modeling for secure ad hoc routing protocols","volume":"197","author":"Andel","year":"2008","journal-title":"Electron. Notes Theor. Comput. Sci."},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Allodi, L., Banescu, S., Femmer, H., and Beckers, K. (2018, January 19\u201321). Identifying relevant information cues for vulnerability assessment using CVSS. Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy, Tempe, AZ, USA.","DOI":"10.1145\/3176258.3176340"},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Elbaz, C., Rilling, L., and Morin, C. (2020, January 25\u201328). Fighting N-day vulnerabilities with automated CVSS vector prediction at disclosure. Proceedings of the 15th International Conference on Availability, Reliability and Security, Dublin, Ireland.","DOI":"10.1145\/3407023.3407038"},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Watters, P., Scolyer-Gray, P., Kayes, A., and Chowdhury, M.J.M. (2019). This would work perfectly if it weren\u2019t for all the humans: Two factor authentication in late modern societies. First Monday, 24.","DOI":"10.5210\/fm.v24i7.10095"},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"307","DOI":"10.1016\/j.future.2020.02.001","article-title":"Achieving security scalability and flexibility using Fog-Based Context-Aware Access Control","volume":"107","author":"Kayes","year":"2020","journal-title":"Future Gener. Comput. Syst."},{"key":"ref_24","unstructured":"ET Labs (2020). Emerging Threats Rules, ET Labs."}],"container-title":["Information"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2078-2489\/11\/11\/537\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T10:34:28Z","timestamp":1760178868000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2078-2489\/11\/11\/537"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,11,19]]},"references-count":24,"journal-issue":{"issue":"11","published-online":{"date-parts":[[2020,11]]}},"alternative-id":["info11110537"],"URL":"https:\/\/doi.org\/10.3390\/info11110537","relation":{},"ISSN":["2078-2489"],"issn-type":[{"type":"electronic","value":"2078-2489"}],"subject":[],"published":{"date-parts":[[2020,11,19]]}}}