{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,19]],"date-time":"2025-12-19T21:55:14Z","timestamp":1766181314259,"version":"build-2065373602"},"reference-count":18,"publisher":"MDPI AG","issue":"18","license":[{"start":{"date-parts":[[2019,9,19]],"date-time":"2019-09-19T00:00:00Z","timestamp":1568851200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100012166","name":"National Key Research and Development Program of China","doi-asserted-by":"publisher","award":["2017YFB0802303"],"award-info":[{"award-number":["2017YFB0802303"]}],"id":[{"id":"10.13039\/501100012166","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>With the emergence of the Advanced Persistent Threat (APT) attacks, many Internet of Things (IoT) systems have faced large numbers of potential threats with the characteristics of concealment, permeability, and pertinence. However, existing methods and technologies cannot provide comprehensive and prompt recognition of latent APT attack activities in the IoT systems. To address this problem, we propose an APT Alerts and Logs Correlation Method, named APTALCM and a framework of deploying APTALCM on the IoT system, where an edge computing architecture was used to achieve cyber situation comprehension without too much data transmission cost. Specifically, we firstly present a cyber situation ontology for modeling the concepts and properties to formalize APT attack activities in the IoT systems. Then, we introduce a cyber situation instance similarity measurement method based on the SimRank mechanism for APT alerts and logs Correlation. Combining with instance similarity, we further propose an APT alert instances correlation method to reconstruct APT attack scenarios and an APT log instances correlation method to detect log instance communities. Through the coalescence of these methods, APTALCM can accomplish the cyber situation comprehension effectively by recognizing the APT attack intentions in the IoT systems. The exhaustive experimental results demonstrate that the two kernel modules, i.e., Alert Instance Correlation Module (AICM) and Log Instance Correlation Module (LICM) in our APTALCM, can achieve both high true-positive rate and low false-positive rate.<\/jats:p>","DOI":"10.3390\/s19184045","type":"journal-article","created":{"date-parts":[[2019,9,19]],"date-time":"2019-09-19T11:02:01Z","timestamp":1568890921000},"page":"4045","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":19,"title":["Cyber Situation Comprehension for IoT Systems based on APT Alerts and Logs Correlation"],"prefix":"10.3390","volume":"19","author":[{"given":"Xiang","family":"Cheng","sequence":"first","affiliation":[{"name":"College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 211106, China"},{"name":"The Collaborative Innovation Center of Novel Software Technology and Industrialization, Nanjing 210023, China"}]},{"given":"Jiale","family":"Zhang","sequence":"additional","affiliation":[{"name":"College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 211106, China"},{"name":"The Collaborative Innovation Center of Novel Software Technology and Industrialization, Nanjing 210023, China"}]},{"given":"Bing","family":"Chen","sequence":"additional","affiliation":[{"name":"College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 211106, China"},{"name":"The Collaborative Innovation Center of Novel Software Technology and Industrialization, Nanjing 210023, China"}]}],"member":"1968","published-online":{"date-parts":[[2019,9,19]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Palani, K., Holt, E., and Smith, S. (2016, January 14\u201318). Invisible and forgotten: Zero-day blooms in the IoT. Proceedings of the IEEE International Conference on Pervasive Computing & Communication Workshops, Melbourne, Australia.","DOI":"10.1109\/PERCOMW.2016.7457163"},{"key":"ref_2","first-page":"99","article-title":"Cloud Storage Defense Against Advanced Persistent Threats: A Prospect Theoretic Study","volume":"1","author":"Xiao","year":"2017","journal-title":"IEEE J. Sel. Areas Commun."},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Cuppens, F., and Ortalo, R. (2000, January 2\u20134). Lambda: A language to model a database for detection of attacks. Proceedings of the 3rd International Workshop on Recent Advances in Intrusion Detection (RAID 2000), Toulouse, France.","DOI":"10.1007\/3-540-39945-3_13"},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Bhatt, P., Yano, E.T., and Gustavsson, P.M. (2014, January 7\u201311). Towards a framework to detect multi-stage advanced persistent threats attacks. Proceedings of the IEEE International Symposium on Service Oriented System Engineering, Toronto, ON, Canada.","DOI":"10.1109\/SOSE.2014.53"},{"key":"ref_5","first-page":"58","article-title":"A new alert correlation algorithm based on attack graph","volume":"6694","author":"Roschke","year":"2017","journal-title":"CISIS"},{"key":"ref_6","first-page":"9","article-title":"Scalable detection of cyberattacks","volume":"245","author":"Albanese","year":"2016","journal-title":"CISIM"},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"99","DOI":"10.1145\/332051.332079","article-title":"Intrusion detection systems and multisensor data fusion: Creating cyberspace situational awareness","volume":"43","author":"Bass","year":"2000","journal-title":"Commun. ACM"},{"key":"ref_8","unstructured":"Mathew, S., and Upadhyaya, S. (2018, January 29\u201331). Situation awareness of multistage cyber attacks by semantic event fusion. Proceedings of the Military Communications Conference, London, UK."},{"key":"ref_9","first-page":"63","article-title":"Context and semantics for detection of cyber attacks","volume":"6","author":"Aleroud","year":"2014","journal-title":"Int. J. Inf. Comput. Secur."},{"key":"ref_10","unstructured":"Hutchins, E.M., Cloppert, M.J., and Amin, R.M. (2011, January 1\u20133). Intelligence driven computer network defense informed analysis of adversary campaigns intrusion kill chains. Proceedings of the ICIW, Chicago, IL, USA."},{"key":"ref_11","first-page":"443","article-title":"Clustering intrusion detection alarms to support root cause analysis","volume":"48","author":"Julisch","year":"2016","journal-title":"ACM Trans. Inf. Syst. Secur."},{"key":"ref_12","unstructured":"Ourston, D., Matzner, S., and Stump, W. (2016, January 6\u20139). Applications of hidden Markov models to detecting multi-stage network attacks. Proceedings of the Hawaii International Conference on System Sciences, Big Island, HI, USA."},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Qiao, L.B., Zhang, B.F., Lai, Z.Q., and Su, J.S. (2012, January 21\u201325). Mining of Attack Models in IDS Alerts from Network Backbone by a Two-stage Clustering Method. Proceedings of the IEEE 2012 26th IEEE International Parallel and Distributed Processing Symposium Workshops (IPDPSW), Shanghai, China.","DOI":"10.1109\/IPDPSW.2012.146"},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Murphy, C.T., and Yang, S.J. (2010, January 26\u201329). Clustering of multistage cyber attacks using significant services. Proceedings of the 13th International Conference on Information Fusion IEEE, Edinburgh, UK.","DOI":"10.1109\/ICIF.2010.5712046"},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Murphy, C.T. (2009). CACTUSS: Clustering of Attack Tracks Using Significant Services. [Ph.D. Thesis, Rochester Institute of Technology].","DOI":"10.1109\/ICIF.2010.5712046"},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"1438","DOI":"10.1109\/JSAC.2011.110809","article-title":"A Novel Probabilistic Matching Algorithm for Multi-Stage Attack Forecasts","volume":"29","author":"Cheng","year":"2011","journal-title":"IEEE J. Sel. Areas Commun."},{"key":"ref_17","first-page":"23","article-title":"An automatic multistep attack pattern mining approach for massive WAF alert data","volume":"4514","author":"Zhang","year":"2015","journal-title":"Scanning"},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1109\/ACCESS.2018.2873804","article-title":"Data Security and Privacy-Preserving in Edge Computing Paradigm: Survey and Open Issues","volume":"99","author":"Zhang","year":"2018","journal-title":"IEEE Access"}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/19\/18\/4045\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T13:21:49Z","timestamp":1760188909000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/19\/18\/4045"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,9,19]]},"references-count":18,"journal-issue":{"issue":"18","published-online":{"date-parts":[[2019,9]]}},"alternative-id":["s19184045"],"URL":"https:\/\/doi.org\/10.3390\/s19184045","relation":{},"ISSN":["1424-8220"],"issn-type":[{"type":"electronic","value":"1424-8220"}],"subject":[],"published":{"date-parts":[[2019,9,19]]}}}