{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,12]],"date-time":"2025-10-12T00:36:46Z","timestamp":1760229406661,"version":"build-2065373602"},"reference-count":29,"publisher":"MDPI AG","issue":"12","license":[{"start":{"date-parts":[[2022,6,10]],"date-time":"2022-06-10T00:00:00Z","timestamp":1654819200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Future Combat System Network Technology Research Center program of Defense Acquisition Program Administration and Agency for Defense Development","award":["UD190033ED"],"award-info":[{"award-number":["UD190033ED"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>Although the application of a wide range of sensors has been generalized through the development of technology, the processing of massive alerts generated through data analysis and monitoring remains a challenge. This problem is also found in cyber security because the intrusion detection system (IDS) produces a tremendous number of alerts. Massive alerts not only significantly increase resources for analysis, but also make it difficult to analyze the overall situation of the system. In order to handle massive alerts, we propose using an indicator as a frequency-based representation. The proposed indicator is generated from categorical parameters of alerts that occur within a unit time utilizing frequency and is used for situational awareness with machine learning to detect whether there is a threat or not. The advantage of using indicators is that they can determine the situation for a period without analyzing individual alerts, which helps security experts to recognize the situation in the system and focus on targets that require in-depth analysis. In addition, the conversion from the categorical parameters which is highly related to analysis to numeric parameter allows for applying machine learning. For performance evaluation, we collect data from an HAI testbed similar to real critical infrastructure and conduct experiments using indicators and XGBoost, a classification machine learning algorithm against five famous vulnerability attacks. Consequently, we show that the proposed method can detect attacks with more than 90 percent accuracy, and the performance is enhanced using heterogeneous intrusion detection systems.<\/jats:p>","DOI":"10.3390\/s22124417","type":"journal-article","created":{"date-parts":[[2022,6,13]],"date-time":"2022-06-13T02:01:44Z","timestamp":1655085704000},"page":"4417","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":3,"title":["Frequency-Based Representation of Massive Alerts and Combination of Indicators by Heterogeneous Intrusion Detection Systems for Anomaly Detection"],"prefix":"10.3390","volume":"22","author":[{"given":"Hyunjae","family":"Park","sequence":"first","affiliation":[{"name":"Department of Computer Engineering, Ajou University, Suwon 16499, Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2240-0892","authenticated-orcid":false,"given":"Young-June","family":"Choi","sequence":"additional","affiliation":[{"name":"Department of Artificial Intelligence, Ajou University, Suwon 16499, Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2022,6,10]]},"reference":[{"key":"ref_1","first-page":"1","article-title":"Industry 4.0: A survey on technologies, applications and open research issues","volume":"6","author":"Lu","year":"2017","journal-title":"J. Ind. Inf. Integr."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"383","DOI":"10.1016\/j.ijpe.2018.08.019","article-title":"The expected contribution of Industry 4.0 technologies for industrial performance","volume":"204","author":"Dalenogare","year":"2018","journal-title":"Int. J. Prod. Econ."},{"doi-asserted-by":"crossref","unstructured":"Raposo, D., Rodrigues, A., Sinche, S., S\u00e1 Silva, J., and Boavida, F. (2018). Industrial IoT monitoring: Technologies and architecture proposal. Sensors, 18.","key":"ref_3","DOI":"10.3390\/s18103568"},{"doi-asserted-by":"crossref","unstructured":"Zhang, Z.K., Cho, M.C.Y., Wang, C.W., Hsu, C.W., Chen, C.K., and Shieh, S. (2014, January 17\u201319). IoT security: Ongoing challenges and research opportunities. Proceedings of the 2014 IEEE 7th International Conference on Service-Oriented Computing and Applications, Matsue, Japan.","key":"ref_4","DOI":"10.1109\/SOCA.2014.58"},{"doi-asserted-by":"crossref","unstructured":"Sadeghi, A.R., Wachsmann, C., and Waidner, M. (2015, January 8\u201312). Security and privacy challenges in industrial internet of things. Proceedings of the 2015 52nd ACM\/EDAC\/IEEE Design Automation Conference (DAC), San Francisco, CA, USA.","key":"ref_5","DOI":"10.1145\/2744769.2747942"},{"doi-asserted-by":"crossref","unstructured":"Drias, Z., Serhrouchni, A., and Vogel, O. (2015, January 5\u20137). Analysis of cyber security for industrial control systems. Proceedings of the 2015 International Conference on Cyber Security of Smart Cities, Industrial Control System and Communications (SSIC), Shanghai, China.","key":"ref_6","DOI":"10.1109\/SSIC.2015.7245330"},{"key":"ref_7","first-page":"16","article-title":"Guide to industrial control systems (ICS) security","volume":"800","author":"Stouffer","year":"2011","journal-title":"NIST Spec. Publ."},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"1550147718794615","DOI":"10.1177\/1550147718794615","article-title":"A survey of intrusion detection on industrial control systems","volume":"14","author":"Hu","year":"2018","journal-title":"Int. J. Distrib. Sens. Netw."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"1152","DOI":"10.1109\/JPROC.2005.849714","article-title":"Security for industrial communication systems","volume":"93","author":"Dzung","year":"2005","journal-title":"Proc. IEEE"},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"1153","DOI":"10.1109\/COMST.2015.2494502","article-title":"A survey of data mining and machine learning methods for cyber security intrusion detection","volume":"18","author":"Buczak","year":"2015","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.comcom.2014.04.012","article-title":"False alarm minimization techniques in signature-based intrusion detection systems: A survey","volume":"49","author":"Hubballi","year":"2014","journal-title":"Comput. Commun."},{"doi-asserted-by":"crossref","unstructured":"Moskal, S., Yang, S.J., and Kuhl, M.E. (2018, January 9\u201311). Extracting and evaluating similar and unique cyber attack strategies from intrusion alerts. Proceedings of the 2018 IEEE International Conference on Intelligence and Security Informatics (ISI), Miami, FL, USA.","key":"ref_12","DOI":"10.1109\/ISI.2018.8587402"},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"153","DOI":"10.1016\/j.cose.2008.11.010","article-title":"An incremental frequent structure mining framework for real-time alert correlation","volume":"28","author":"Sadoddin","year":"2009","journal-title":"Comput. Secur."},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"7290","DOI":"10.1109\/TIE.2018.2795573","article-title":"Detection of frequent alarm patterns in industrial alarm floods using itemset mining methods","volume":"65","author":"Hu","year":"2018","journal-title":"IEEE Trans. Ind. Electron."},{"doi-asserted-by":"crossref","unstructured":"Zhuang, X., Xiao, D., Liu, X., and Zhang, Y. (2008, January 20\u201322). Applying data fusion in collaborative alerts correlation. Proceedings of the 2008 International Symposium on Computer Science and Computational Technology, Shanghai, China.","key":"ref_15","DOI":"10.1109\/ISCSCT.2008.38"},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"831","DOI":"10.1016\/j.cherd.2015.06.019","article-title":"A method for pattern mining in multiple alarm flood sequences","volume":"117","author":"Lai","year":"2017","journal-title":"Chem. Eng. Res. Des."},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"443","DOI":"10.1145\/950191.950192","article-title":"Clustering intrusion detection alarms to support root cause analysis","volume":"6","author":"Julisch","year":"2003","journal-title":"ACM Trans. Inf. Syst. Secur. (TISSEC)"},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"012031","DOI":"10.1088\/1757-899X\/435\/1\/012031","article-title":"An Alert Aggregation Algorithm Based on K-means and Genetic Algorithm","volume":"Volume 435","author":"Lu","year":"2018","journal-title":"Proceedings of the IOP Conference Series: Materials Science and Engineering"},{"doi-asserted-by":"crossref","unstructured":"Brahmi, H., and Ben Yahia, S. (2013). Discovering multi-stage attacks using closed multi-dimensional sequential pattern mining. Database and Expert Systems Applications, Proceedings of the 24th International Conference, DEXA 2013, Prague, Czech Republic, 26\u201329 August 2013, Springer.","key":"ref_19","DOI":"10.1007\/978-3-642-40173-2_38"},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"1289","DOI":"10.1016\/j.comnet.2012.10.022","article-title":"A model-based survey of alert correlation techniques","volume":"57","author":"Salah","year":"2013","journal-title":"Comput. Netw."},{"unstructured":"Lee, C.P., Trost, J., Gibbs, N., Beyah, R., and Copeland, J.A. (2005, January 26). Visual firewall: Real-time network security monitor. Proceedings of the IEEE Workshop on Visualization for Computer Security, 2005, (VizSEC 05), Minneapolis, MN, USA.","key":"ref_21"},{"unstructured":"Abdullah, K., Lee, C.P., Conti, G.J., Copeland, J.A., and Stasko, J.T. (2005, January 26). IDS RainStorm: Visualizing IDS Alarms. Proceedings of the IEEE Symposium on Information Visualization\u2019s Workshop on Visualization for Computer Security (VizSEC), Minneapolis, MN, USA.","key":"ref_22"},{"doi-asserted-by":"crossref","unstructured":"Shiravi, H., Shiravi, A., and Ghorbani, A.A. (2010). IDS alert visualization and monitoring through heuristic host selection. Information and Communications Security, Proceedings of the 12th International Conference, ICICS 2010, Barcelona, Spain, 15\u201317 December 2010, Springer.","key":"ref_23","DOI":"10.1007\/978-3-642-17650-0_31"},{"key":"ref_24","first-page":"1","article-title":"IDSRadar: A real-time visualization framework for IDS alerts","volume":"56","author":"Zhao","year":"2013","journal-title":"Sci. China Inf. Sci."},{"doi-asserted-by":"crossref","unstructured":"Chen, T., and Guestrin, C. (2016, January 13\u201317). Xgboost: A scalable tree boosting system. Proceedings of the 22nd Acm Sigkdd International Conference on Knowledge Discovery and Data Mining, San Francisco, CA, USA.","key":"ref_25","DOI":"10.1145\/2939672.2939785"},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"84","DOI":"10.1016\/j.inffus.2021.11.011","article-title":"Tabular data: Deep learning is not all you need","volume":"81","author":"Armon","year":"2022","journal-title":"Inf. Fusion"},{"unstructured":"Shin, H.K., Lee, W., Yun, J.H., and Kim, H. (2019, January 12). Implementation of programmable {CPS} testbed for anomaly detection. Proceedings of the 12th {USENIX} Workshop on Cyber Security Experimentation and Test ({CSET} 19), San Jose, CA, USA.","key":"ref_27"},{"doi-asserted-by":"crossref","unstructured":"Choi, S., Yun, J.H., Min, B.G., and Kim, H. (2020, January 5\u20139). POSTER: Expanding a Programmable CPS Testbed for Network Attack Analysis. Proceedings of the ASIA CCS \u201920: 15th ACM Asia Conference on Computer and Communications Security, Taipei, Taiwan.","key":"ref_28","DOI":"10.1145\/3320269.3405447"},{"unstructured":"Choi, S., Choi, J., Yun, J.H., Min, B.G., and Kim, H. (2020, January 10). Expansion of ICS Testbed for Security Validation based on MITRE ATT&CK Techniques. Proceedings of the 13th USENIX Workshop on Cyber Security Experimentation and Test (CSET 20), Online.","key":"ref_29"}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/22\/12\/4417\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T23:27:55Z","timestamp":1760138875000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/22\/12\/4417"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,6,10]]},"references-count":29,"journal-issue":{"issue":"12","published-online":{"date-parts":[[2022,6]]}},"alternative-id":["s22124417"],"URL":"https:\/\/doi.org\/10.3390\/s22124417","relation":{},"ISSN":["1424-8220"],"issn-type":[{"type":"electronic","value":"1424-8220"}],"subject":[],"published":{"date-parts":[[2022,6,10]]}}}