{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T01:27:45Z","timestamp":1760059665558,"version":"build-2065373602"},"reference-count":23,"publisher":"MDPI AG","issue":"7","license":[{"start":{"date-parts":[[2025,6,27]],"date-time":"2025-06-27T00:00:00Z","timestamp":1750982400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"State Grid Jiangsu Electric Power Co., Ltd.","award":["J2023131"],"award-info":[{"award-number":["J2023131"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Information"],"abstract":"<jats:p>Leveraging Data Processing Units (DPUs) deployed at network interfaces, the DPU-accelerated Intrusion Detection System (IDS) enables microsecond-latency initial traffic inspection through hardware offloading. However, while generating high-throughput alerts, this mechanism amplifies the inherent redundancy and noise issues of traditional IDS systems. This paper proposes an alert correlation method using multi-similarity factor aggregation and a suffix tree model. First, alerts are preprocessed using LFDIA, employing multiple similarity factors and dynamic thresholding to cluster correlated alerts and reduce redundancy. Next, an attack intensity time series is generated and smoothed with a Kalman filter to eliminate noise and reveal attack trends. Finally, the suffix tree models attack activities, capturing key behavioral paths of high-severity alerts and identifying attacker patterns. Experimental evaluations on the CPTC-2017 and CPTC-2018 datasets validate the proposed method\u2019s effectiveness in reducing alert redundancy, extracting critical attack behaviors, and constructing attack activity sequences. The results demonstrate that the method not only significantly reduces the number of alerts but also accurately reveals core attack characteristics, enhancing the effectiveness of network security defense strategies.<\/jats:p>","DOI":"10.3390\/info16070547","type":"journal-article","created":{"date-parts":[[2025,6,30]],"date-time":"2025-06-30T13:06:17Z","timestamp":1751288777000},"page":"547","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Intrusion Alert Analysis Method for Power Information Communication Networks Based on Data Processing Units"],"prefix":"10.3390","volume":"16","author":[{"given":"Rui","family":"Zhang","sequence":"first","affiliation":[{"name":"Information and Communication Branch of State Grid Jiangsu Electric Power Co., Ltd., Nanjing 210024, China"}]},{"given":"Mingxuan","family":"Zhang","sequence":"additional","affiliation":[{"name":"Information and Communication Branch of State Grid Jiangsu Electric Power Co., Ltd., Nanjing 210024, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-0162-9168","authenticated-orcid":false,"given":"Yan","family":"Liu","sequence":"additional","affiliation":[{"name":"State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China"}]},{"given":"Zhiyi","family":"Li","sequence":"additional","affiliation":[{"name":"State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China"}]},{"given":"Weiwei","family":"Miao","sequence":"additional","affiliation":[{"name":"Information and Communication Branch of State Grid Jiangsu Electric Power Co., Ltd., Nanjing 210024, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3945-0706","authenticated-orcid":false,"given":"Sujie","family":"Shao","sequence":"additional","affiliation":[{"name":"State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China"}]}],"member":"1968","published-online":{"date-parts":[[2025,6,27]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"103925","DOI":"10.1016\/j.jnca.2024.103925","article-title":"Recent endeavors in machine learning-powered intrusion detection systems for the Internet of Things","volume":"229","author":"Manivannan","year":"2024","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_2","first-page":"20230248","article-title":"Systematic literature review on intrusion detection systems: Research trends, algorithms, methods, datasets, and limitations","volume":"33","author":"Issa","year":"2024","journal-title":"J. Intell. Syst."},{"key":"ref_3","first-page":"37","article-title":"Intrusion Detection for IoT Network Security with Deep learning","volume":"12","author":"Morshedi","year":"2024","journal-title":"J. AI Data Min."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"103583","DOI":"10.1016\/j.cose.2023.103583","article-title":"Combating alert fatigue with AlertPro: Context-aware alert prioritization using reinforcement learning for multi-step attack detection","volume":"137","author":"Wang","year":"2024","journal-title":"Comput. Secur."},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Roelofs, T.M., Barbaro, E., Pekarskikh, S., Orzechowska, K., Kwapie\u0144, M., Tyrlik, J., Smadu, D., Van Eeten, M., and Zhauniarovich, Y. (2024, January 8\u201312). Finding Harmony in the Noise: Blending Security Alerts for Attack Detection. Proceedings of the 39th ACM\/SIGAPP Symposium on Applied Computing, Avila, Spain.","DOI":"10.1145\/3605098.3635981"},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"82799","DOI":"10.1109\/ACCESS.2022.3196362","article-title":"Discovering coordinated groups of IP addresses through temporal correlation of alerts","volume":"10","author":"Zadnik","year":"2022","journal-title":"IEEE Access"},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"3937","DOI":"10.1007\/s10586-022-03622-2","article-title":"Detecting malicious transactions in database using hybrid metaheuristic clustering and frequent sequential pattern mining","volume":"25","author":"Jindal","year":"2022","journal-title":"Clust. Comput."},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Albasheer, H., Siraj, M.M., Mubarakali, A., Tayfour, O.E., Salih, S., Hamdan, M., Khan, S., Zainal, A., and Kamarudeen, S. (2022). Cyber-attack prediction based on network intrusion detection systems for alert correlation techniques: A survey. Sensors, 22.","DOI":"10.3390\/s22041494"},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"235","DOI":"10.1016\/j.future.2021.09.040","article-title":"GRU-based deep learning approach for network intrusion alert prediction","volume":"128","author":"Ansari","year":"2022","journal-title":"Future Gener. Comput. Syst."},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"1564","DOI":"10.1109\/LCOMM.2020.3048995","article-title":"Discovering attack scenarios via intrusion alert correlation using graph convolutional networks","volume":"25","author":"Cheng","year":"2021","journal-title":"IEEE Commun. Lett."},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"53655","DOI":"10.1007\/s11042-023-17637-3","article-title":"DDoS attack forecasting based on online multiple change points detection and time series analysis","volume":"83","author":"Bitit","year":"2024","journal-title":"Multimed. Tools Appl."},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"3546","DOI":"10.1109\/TDSC.2021.3101649","article-title":"Poirot: Causal correlation aided semantic analysis for advanced persistent threat detection","volume":"19","author":"Yang","year":"2021","journal-title":"IEEE Trans. Dependable Secur. Comput."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"772","DOI":"10.1109\/IAEAC59436.2024.10503996","article-title":"Research on Network Security Event Correlation Analysis Method Based on Knowledge Graph","volume":"Volume 7","author":"Zou","year":"2024","journal-title":"Proceedings of the 2024 IEEE 7th Advanced Information Technology, Electronic and Automation Control Conference (IAEAC)"},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"38","DOI":"10.1108\/IJICC-05-2023-0121","article-title":"Multiobjective network security dynamic assessment method based on Bayesian network attack graph","volume":"17","author":"Xie","year":"2024","journal-title":"Int. J. Intell. Comput. Cybern."},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"1690","DOI":"10.1016\/j.eswa.2013.08.066","article-title":"A novel hybrid intrusion detection method integrating anomaly detection with misuse detection","volume":"41","author":"Kim","year":"2014","journal-title":"Expert Syst. Appl."},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"21954","DOI":"10.1109\/ACCESS.2017.2762418","article-title":"A Deep Learning Approach for Intrusion Detection Using Recurrent Neural Networks","volume":"5","author":"Yin","year":"2017","journal-title":"IEEE Access"},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"114894","DOI":"10.1109\/ACCESS.2024.3445261","article-title":"Rule-based with Machine learning IDS for DDoS attack detection in cyber-physical production systems (CPPS)","volume":"12","author":"Hussain","year":"2024","journal-title":"IEEE Access"},{"key":"ref_18","unstructured":"Moskal, S., and Yang, S.J. (2020). Cyberattack action-intent-framework for mapping intrusion observables. arXiv."},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Jiang, B., Liu, Y., Liu, H., Ren, Z., Wang, Y., Bao, Y., and Wang, W. (2022, January 22\u201326). An Enhanced EWMA for Alert Reduction and Situation Awareness in Industrial Control Networks. Proceedings of the 2022 IEEE 18th International Conference on Automation Science and Engineering (CASE), Mexico City, Mexico.","DOI":"10.1109\/CASE49997.2022.9926545"},{"key":"ref_20","first-page":"1","article-title":"Introduction to Kalman filter and its applications","volume":"1","author":"Kim","year":"2018","journal-title":"Introd. Implement. Kalman Filter"},{"key":"ref_21","unstructured":"Rochester Institute of Technology (2024, July 05). Collegiate Penetration Testing Competition [EB\/OL]. Available online: http:\/\/nationalcptc.org."},{"key":"ref_22","first-page":"151","article-title":"Multi-stage cyber-attacks detection in the industrial control systems","volume":"255","author":"Sokol","year":"2020","journal-title":"Recent Dev. Ind. Control Syst. Resil."},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"150540","DOI":"10.1109\/ACCESS.2019.2946261","article-title":"An intrusion action-based IDS alert correlation analysis and prediction framework","volume":"7","author":"Zhang","year":"2019","journal-title":"IEEE Access"}],"container-title":["Information"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2078-2489\/16\/7\/547\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T18:00:15Z","timestamp":1760032815000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2078-2489\/16\/7\/547"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,6,27]]},"references-count":23,"journal-issue":{"issue":"7","published-online":{"date-parts":[[2025,7]]}},"alternative-id":["info16070547"],"URL":"https:\/\/doi.org\/10.3390\/info16070547","relation":{},"ISSN":["2078-2489"],"issn-type":[{"type":"electronic","value":"2078-2489"}],"subject":[],"published":{"date-parts":[[2025,6,27]]}}}
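The abstract above describes a three-stage pipeline (similarity-factor clustering of redundant alerts, a Kalman-smoothed attack-intensity series, and a suffix tree over high-severity alerts) without giving the mechanics. The following is an added illustration written for this page, not code from the paper or its authors: the alert fields, similarity weights, clustering threshold, time-bin size and Kalman noise variances are all assumed for illustration, the alert stream is constructed, and a fixed similarity threshold stands in for the paper's LFDIA dynamic thresholding, which is not reproduced.

```python
# Added illustration, not the paper's code: similarity-factor aggregation of
# redundant alerts, a Kalman-smoothed attack-intensity series, and a suffix
# tree over the high-severity alert sequence. All weights, thresholds, bin
# sizes and noise variances below are assumed, not taken from the paper.
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    t: float   # seconds since capture start
    src: str   # source address
    dst: str   # destination address
    sig: str   # IDS signature / alert class
    sev: int   # severity, 1 (low) .. 4 (critical)

# Constructed sample: a redundant scan burst, exploit then privilege
# escalation, the same chain repeated from each compromised host, then exfil.
SAMPLE_ALERTS = [
    Alert(0.0, "10.0.0.5", "10.0.1.10", "SCAN", 1),
    Alert(0.5, "10.0.0.5", "10.0.1.10", "SCAN", 1),
    Alert(1.0, "10.0.0.5", "10.0.1.10", "SCAN", 1),
    Alert(1.5, "10.0.0.5", "10.0.1.10", "SCAN", 1),
    Alert(12.0, "10.0.0.5", "10.0.1.10", "EXPLOIT", 4),
    Alert(14.0, "10.0.0.5", "10.0.1.10", "PRIVESC", 4),
    Alert(22.0, "10.0.1.10", "10.0.1.11", "SCAN", 1),
    Alert(22.5, "10.0.1.10", "10.0.1.11", "SCAN", 1),
    Alert(31.0, "10.0.1.10", "10.0.1.11", "EXPLOIT", 4),
    Alert(33.0, "10.0.1.10", "10.0.1.11", "PRIVESC", 4),
    Alert(45.0, "10.0.1.11", "10.0.1.12", "EXPLOIT", 4),
    Alert(47.0, "10.0.1.11", "10.0.1.12", "PRIVESC", 4),
    Alert(49.0, "10.0.1.12", "203.0.113.9", "EXFIL", 4),
]

def similarity(a, b, window=5.0):
    """Weighted sum of per-field similarity factors, in [0, 1]; the time
    factor decays linearly to 0 at `window` seconds (weights assumed)."""
    s_src = 1.0 if a.src == b.src else 0.0
    s_dst = 1.0 if a.dst == b.dst else 0.0
    s_sig = 1.0 if a.sig == b.sig else 0.0
    s_time = max(0.0, 1.0 - abs(a.t - b.t) / window)
    return 0.3 * s_src + 0.2 * s_dst + 0.3 * s_sig + 0.2 * s_time

def aggregate(alerts, threshold=0.8):
    """Greedy single pass: an alert joins the first cluster whose
    representative (earliest member) scores at or above the threshold."""
    clusters = []
    for a in sorted(alerts, key=lambda x: x.t):
        for c in clusters:
            if similarity(c[0], a) >= threshold:
                c.append(a)
                break
        else:
            clusters.append([a])
    return clusters

def intensity_series(clusters, bin_s=10.0, n_bins=5):
    """Severity-weighted count of cluster representatives per time bin."""
    series = [0.0] * n_bins
    for c in clusters:
        i = int(c[0].t // bin_s)
        if i < n_bins:
            series[i] += c[0].sev
    return series

def kalman_smooth(series, q=0.05, r=1.0):
    """Scalar Kalman filter, random-walk model x_k = x_{k-1} + w, z_k = x_k + v."""
    x, p = series[0], 1.0
    out = []
    for z in series:
        p += q                # predict: variance grows by process noise q
        k = p / (p + r)       # Kalman gain
        x += k * (z - x)      # update toward the measurement
        p *= 1.0 - k
        out.append(x)
    return out

def build_suffix_tree(seq):
    """Naive suffix trie; each node counts the suffixes passing through it,
    so count >= 2 marks a subsequence that recurs in the alert stream."""
    root = {"cnt": 0, "kids": {}}
    for i in range(len(seq)):
        node = root
        for sym in seq[i:]:
            node = node["kids"].setdefault(sym, {"cnt": 0, "kids": {}})
            node["cnt"] += 1
    return root

def longest_repeated_path(root, min_count=2):
    """Deepest path all of whose nodes recur at least `min_count` times."""
    best = []
    def walk(node, path):
        nonlocal best
        if len(path) > len(best):
            best = path
        for sym, kid in node["kids"].items():
            if kid["cnt"] >= min_count:
                walk(kid, path + [sym])
    walk(root, [])
    return best

def run_pipeline(alerts=SAMPLE_ALERTS, min_sev=3):
    clusters = aggregate(alerts)
    raw = intensity_series(clusters)
    high = [c[0].sig for c in clusters if c[0].sev >= min_sev]
    return {"alerts": len(alerts), "clusters": len(clusters), "raw": raw,
            "smooth": kalman_smooth(raw),
            "path": longest_repeated_path(build_suffix_tree(high))}
```

Running `run_pipeline()` on the constructed stream collapses 13 alerts into 9 clusters (the two scan bursts fold into one representative each), the raw intensity series `[1, 8, 1, 8, 12]` is smoothed into a rising trend rather than a saw-tooth, and the suffix tree returns `EXPLOIT, PRIVESC, EXPLOIT, PRIVESC` as the longest recurring high-severity path, which is the exploit-then-escalate chain repeated from host to host. Two caveats for anyone adapting this: the greedy clustering and the O(n²) suffix trie are fine for a demonstration but not for the alert rates a DPU-offloaded IDS produces, where an indexed clustering pass and a linear-time suffix construction would be needed; and the Kalman parameters q and r set how quickly the smoothed series tracks a genuine burst versus suppressing noise, so they should be tuned against labelled data rather than reused from here.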