OMMA: open architecture for Operator-guided Monitoring of Multi-step Attacks

Julio Navarro1, Véronique Legrand2, Aline Deruyver1, Pierre Parrend3
1Laboratoire ICube, Université de Strasbourg, 11, Rue Humann, Strasbourg, France
2CEDRIC, Conservatoire National des Arts et Métiers (CNAM), 2 Rue Conté, Paris, France
3Unitwin UNESCO Complex System-Digital Campus, Paris, France

Abstract

Keywords

