Incident Reaction Based on IntrusionDetections’ Alert Analysis

Michael Heigl∗†, Laurin Doerr∗†, Amar Almaini†, Dalibor Fiala∗ and Martin Schramm†∗University of West Bohemia, Pilsen, Czech Republic

Email: {heigl, laurind, dalfia}@kiv.zcu.cz†Deggendorf Institute of Technology, Deggendorf, Germany

Email: {michael.heigl, laurin.doerr, amar.almaini, martin.schramm}@th-deg.de

Abstract—The protection of internetworked systems bycryptographic techniques have crystallized as a funda-mental aspect in establishing secure systems. Comple-mentary, detection mechanisms for instance based onIntrusion Detection Systems has established itself as afundamental part in holistic security eco-systems in theprevious years. However, the interpretation of and reac-tion on detected incidents is still a challenging task. In thispaper an incident handling environment with relevantcomponents and exemplary functionality is proposed thatinvolves the processes from the detection of incidents overtheir analysis to the execution of appropriate reactions.An evaluation of a selection of implemented interactingcomponents using technology such as OpenFlow or Snortgenerally proofs the concept.

I. INTRODUCTION

New and progressive technologies and their fastdevelopment in recent years, led to a broad spectrum ofsecurity holes considering the increasing possibilitiesthat are also available to attackers [1]. Incidents, suchas cyber attacks, become not only more numerous anddiverse but also more damaging and disruptive [2].Apart from the prevention, the detection by IntrusionDetection Systems (IDS), either signature-based oranomaly-based, have made their way into the securityarea and allow the detection of malicious actions whencryptographic mechanisms are outwitted or broken [3].According to [1], a concept including cryptographicprocedures as well as IDS components is mandatoryfor a comprehensive security solution. Systems thatcombine the goods from both worlds are presentedin [4]. Adding alarm functionality to cryptograhpicmechanisms, when for instance sequence/packet coun-ters drift apart, the decryption process fails due totampering or message authentication code checks areviolated, can be used to identify malicious behaviorin networks. The detection process has only value ifthere is an appropriate response. New terms, such asHuge Data, state the trend of an ever increasing amountof data, leading to challenges in reliably identifyingattacks due to many raised alarms. The alert analysisand planning as well as executing appropriate reactionscan no longer be clamped by humans. Also under thecircumstances that manual operation cannot guaranteethe response time and accuracy, an efficient auto-matic decision-making support method is desperatelyneeded [5]. New approaches for instance applyingmachine learning techniques help to handle the detec-tion of massive input data. A semi-automated incident

management is crucial to complement prevention anddetection methods to a holistic security eco-system.The focus of this paper lies in the identification ofrequired components and possible applications as wellas interactions between them to cope with variousdetected incidents.

The rest of this paper is structured as follows:Section II gives details on incident handling and relatedwork. The proposed concept with relevant componentsfor a comprehensive incident handling environmentand exemplary applications are described in section III.Section IV deals with the evaluation of selected partsof the concept. A short conclusion and a glance at thefuture work of the ongoing research work is finalizingthe paper in section V.

II. INCIDENT HANDLING

Incident handling is a process involving variousdisciplines in order to remedy violations to certainsecurity policies. Many past incident handling and re-sponse planning methods, such as [6], targeted a higherlevel of abstraction in which mainly plans for humaninstructions in an incident response team are derived tocope with occurring incidents. An automated approachfor responding to incidents has not been focused. How-ever, managing the sheer number of raised alerts over-whelms many instructors such that the ideal consideredreaction in realtime to zero-day exploits becomes anunreachable target. Self-learning systems that leverage,e.g. artificial intelligence, seems a promising approachfor an automated incident response management. Thework in [7] presents a system based on the usageof artificial intelligence in forensics, which collectsand stores the data from a crime scene, and examinesany correlation with previously solved crimes. Theapproach is directed to the forensic use case. Thisimpedes the application of the adaption to a realtimeresponse planning within an environment of varioustechniques of network attack detection. However, theinvolvement of previous successfully detected networkattacks and expert knowledge from security specialistsin conjunction with machine learning techniques seemsquite promising to an incident handling architecture.

The survey in [2] proposes a Security OperationsCenter (SOC) including their mission and main func-tions that serves as an incident management systemnecessary to detect information security incidents, mit-igating possible vulnerabilities exploited and restoring

ISBN 978-80-261-0722-4, © University of West Bohemia, 2018

compromised Internet of Things infrastructures. Thesystem might be able to automatically research, gather,ultimately identify incidents, evaluate, categorize andanalyze them. However, the work only implemented asubset of parts of the comprehensive survey.

In [8] an intrusion prevention system for cloud envi-ronments based on Snort and OpenFlow is presented inwhich Snort is acting as an IPS. A Snort Agent filtersnetwork traffic on SDN-switches and forwards alertsto a server. On the server, the alarms are correlatedand new filter rules are generated. The rules will bedistributed to the SDN-Switches via an OpenFlowcontroller. The rule generation is roughly described andneed more effort in research. There is no correlationof related incidents, which occur on different points oftime, because no historical data is used. The systemfurther is only working autonomously so that theplausibility of each new rule must be questioned.

There are a lot more incident management systems,but they mainly operate on their own without the inter-action of other components. This limits their usabilityand reliability in more complex systems for incidentand response management. For example, a combinationof the three presented concepts would provide a strongimprovement in attack detection. [7] could generatea correlation model for [8] which is able to performreactions in realtime. A SOC could be used to bringdetected incidents in a human readable form and expertknowledge can then bring updates into the correlationmodel. Another aspect of the systems is that they arenot designed to work partially autonomous. Thereforea novel concept for incident management is proposedaddressing not only those topics but also allowing theapplication of various detection mechanisms in orderto exploit each method’s strengths.

III. PROPOSED CONCEPT

In the context of this paper the proposed con-cept for a partially autonomous incident managementcomprises several disciplines shown in figure 1. TheDetection module provides information about detectedincidents from various input data source to the Analysismodule. Multiple mechanisms can be involved buteach does not necessarily provide information aboutan actual attack or system failure. This componentis continuously updated with new incident patternsidentified by the Post-Processing module. The Analysiscomponent is the main intelligence of the incident han-dling environment. Different advanced methods suchas data mining, clustering, and correlation can achievethe detection of already known or novel attacks as wellas system failures based on the provided informationfrom the Detection module. The Analysis componentcontains historical data (database accessibility) withprevious detected attacks and their respective responsemeasures. Similar to the previous component, inputfrom the Post-Processing component continuously up-dates the database. If the Analysis module identifiesalready known patterns, the Response component isinstructed to automatically execute a reaction. Anexpert is informed about performed responses from

this module. The Post-Processing module receives theanalyzed data (e.g. patterns) from the Analysis moduleand refines it for the experts in form of visualizationor logging. It receives the instructions or confirmationsabout proposed reactions from the Expert Knowledge,updates the database and if required performs adjust-ments of detection mechanisms. Human experts orsecurity analysts operate within the Expert Knowledgemodule for instance in a SOC to cross-evaluate post-processing measures or monitor automated reactions.Orchestrating each module is a challenging task. Thus,a flexible Communication Framework is needed en-abling the frictionless exchange of information.

Incident Handling

Detection

Analysis

Response

Input Data

Expert Knowledge

Post-Processing

Incidents

Fig. 1. Incident handling environment

A. Detection

The detection of incidents can be performed byeither using an IDS or exploiting the nature of crypto-graphic mechanisms as described in the following. Thefocus of this paper lies in the detection of incidentsbased on network traffic but the concept also allowsinput from different sources such as the firmware inuse or the output of vulnerability assessments.

Intrusion Detection: IDSs can be used to detect ma-licious activities or policy violations by monitoring thenetwork traffics or system activities and can be catego-rized in three common architectures: Host-based IDS(HIDS), Application-based IDS (AIDS) and Network-based IDS (NIDS). Input data for incident handlingfrom HIDS could be detected anomalies for instancein parsed log-files. In the past years, the main attentionfocused on the application of NIDS [9] which can beplaced either centralized, decentralized or distributedwithin networks on either network switching entities(router, gateway, etc.) or dedicated hosts. There aretwo mainstream methods for IDS to detect intrusions:misuse-based and anomaly-based. The former, alsocalled signature- or knowledge-based, is founded ona set of rules or patterns describing network attackswhich are either pre-configured by the system or manu-ally by an administrator. The other method collects datacontaining examples of normal behavior and builds amodel of familiarity, therefore, any action that deviatesfrom the model is considered suspicious and is clas-sified as an anomaly. The main advantage comparedto misuse-based systems is that they are able to detectzero-day intrusions [10]. However, anomaly-based IDSsuffer from false-negative and false-positive alarms. Toovercome the drawbacks and exploit the advantages ofboth methods, hybrid systems are proposed such theone presented in [11].

Cryptographic Mechanisms: Another possibility ofincident detection is to exploit violations of the na-ture of cryptographic mechanisms, such as MACsec,IPsec or TLS, for alert generation that define a se-curity infrastructure to provide data confidentiality,data integrity and data origin authentication. MACsec,as an example, relies on GCM-AES to ensure theconfidentiality and integrity of all the network traf-fic mitigating attacks on layer-2 protocols [12]. In aMACsec-protected network further unauthorized LANconnections can be identified and excluded from thenetwork communication over IEEE 802.1X port basedauthentication. Thus, mismatching packet numbers,failing decryption or the detection of unauthorizedLAN connections could lead to an alarm generation.For Message Authentication Codes, alarm generationcould be applied for mismatching hash digests. A com-bination of cryptographic prevention using continuousauthentication for the detection is proposed in [13].

The concept in this work is designed for modularityto utilize various detection mechanisms in a hybridapproach exploiting each strengths to avail the meritsand alleviate their demerits. However, the utilizationstrongly depends on the environment, application fieldand task such that it might not be feasible to usemultiple mechanisms. For evaluation, the focus fora first proof of concept relies on only applying onesignature-based IDS providing detected incidents to theAnalysis component.

B. Analysis

Many work, for instance [5], make assumptions forresponse planning that each alert raised by a detectionengine is treated as one attack. The aggregation andfusion of alarms should be taken into account by thedetection system but they assume 100% confidence ofthe alerts. Sanity checks of the detection engine ensur-ing a better certainty is often out of scope. However,a detection system might raise false alerts.

Especially in environments in which multiple detec-tion mechanisms operate, an intelligent alert analysisis vital to handle the massive amount of alarms fromvarious sources and to intelligently react to incidents.In [14] for instance a comparison of supervised, semi-supervised and unsupervised learning methods foranomaly-based NIDS have been examined each havingit’s particular strengths but their detection capabilitydiffer significantly. According to [15], IDSs are notenough to detect complex attacks over a network. Fordetecting attacks with high accuracy, the input of eachmechanism might be important but operating for in-stance in safety-critical environments, cross-evaluationor plausibility checks of various inputs is essentialbefore performing a reaction. A standardized format,such as the Intrusion Detection Message ExchangeFormat (IDMEF) [16], is needed to bridge the outputsof various detection mechanisms and to perform analert analysis on which basis appropriate reactions canbe initiated. Fitting the alert output of cryptographicschemes or anomaly-based algorithms into IDMEFprovides interoperability with already IDMEF-capable

IDSs such as Snort/Barnyard2, OSSEC, Surricata orPrelude.

Generally three different analysis methods exist:similarity-based, sequential-based and case-based. Forsimilarity-based methods, the correlation is based onfeature similarity, such as IP addresses and portsassociated with their occurrence. These methods arerelatively easy to implement. The correlation can beimproved as more specific features are detected. Butno complex correlations can be identified. Sequential-based correlation uses relationships between multiplecausal events. Therefore, pre- and postconditions haveto be considered. Preconditions can be a set of require-ments needed to trigger an alarm. Postconditions arethe consequences of the execution of an event. Case-based correlation is defined for resolving new incidentsbased on similar incidents. The quality depends on thealgorithms responsible for recognizing specific patternsof behavior. Often a combination of the analysis meth-ods is used.

The framework described in [17] uses offline andonline correlation. The former is used to generate acorrelation model from historical alarms. It is regularlyupdated with new data from online correlation whichgenerates meta-alerts based on real-time alerts. Themeta-alerts are compared, then prioritized and clus-tered. Next, pattern mining extracts features for eachcluster and generates an attack pattern graph. Finally,a Graph Frequency Pattern Mining Algorithm extractscommon patterns from each cluster. The frameworkis optimized for a graphic information exchange toadministrators, which makes it difficult to use in apartially autonomous system.

Different aspects of the analysis have to be com-bined for semi-automatic systems. Thus, historical datacan be used to quickly evaluate known attack patternsand instruct the Response module. The correlationmodel must be constantly customized to recognize newpatterns and should use a combination of the threeanalysis methods. For this, an interaction with thePost-Processing unit is important. By using IDMEF,different detection systems can be used simultaneouslyas information source.

C. Response

Response or reaction implies the set of actions thesystem executes after incidents have been detected.Such a reaction could include reconfiguring the net-work through Software-Defined Networking (SDN)techniques, generating new configurations for firewalls,creating new misuse-based IDS rules or adapting theparameters for incident detection mechanisms.

An example for the latter is to adjust the samplingrate for IDSs. Such systems are applied either inenvironments characterized by having a large amountof network traffic or to save system resources (memory,CPU consumption). An adaptive sampling mechanismis presented in [18]. As a reaction to identified in-cidents by detection mechanisms, the sampling ratecould be increased to analyze a greater amount of

traffic in-depth if the amount of data for analysis isunsatisfactory to make a precise decision.

A further automatic response later evaluated in thepaper is to automatically generate rules for an IDS.Previous work in this field faced issues regardingautomation, robustness and elaboration in real net-work environments. Addressing those challenges, asan example, the work in [19] proposes an automaticsignature generation method called SigBox for fine-grained traffic generation using modified sequencepattern algorithm targeting content, packet, and flowsignatures for Snort.

Exploiting SDN technology to reconfigure the net-working environment is a further reaction possibil-ity. Controlling network flows dynamically enablesto separate malicious (or suspicious) network flowsfrom benign ones dynamically. For example, supposedthat a NIDS detects some suspected flows, the flowscan be rerouted for in-depth investigation, e.g., in ahoneypot [20]. Further firewall functionality can beimplemented using SDN. When a switch receives anew packet and there is no rule matching this packet inthe flow table, it reports it to the SDN-controller whichforwards, the packet to the firewall application. Thefirewall checks whether the incoming packet violatessecurity policies or not and enforces a new flow ruleaccordingly. This rule is delivered to the switch bythe controller and all future packets from the flowof the first packet would be handled directly in theswitch without the need to interact with the con-troller again [21]. Another possibility applying SDNto respond to a specific incident is through networkseparation. In traditional networks, the common way toseparate a network is employing Virtual LAN (VLAN)technique, which adds specific IDs in a packet header(12-bits VLAN ID field). However, VLAN technologyincurs scalability limits in large-scale networks, since itcan only assign 4,096 different virtual networks. SDN-based separation solutions provide the capability ofdifferent level abstractions with desired security prop-erties, which not only separates the network segmentsefficiently at scale, but also veils the physical view ofnetworks to users [22].

Above mentioned response measures are examplesthat can be executed autonomously within the conceptif instructed by the Analysis component if a historicsimilar incident already occurred in the past. If anautomatic reaction is not possible, further examinationis necessary in the Post-Processing module which alsoallows expert interaction.

D. Post-Processing

Post-Processing features can have a broad spectrumranging from visualizing analyzed incidents to workingthem up, logging each interaction, as well as per-forming cross-evaluation of already executed reactions.Visual analysis or presentation can help in intrusiondetection and to prepare a flood of complex data forthe end user accordingly. Efficient incident informationvisualization is an important element, which is notonly vital for unknown attack detection. Appropriate

presentation methods for different groups of implicatedpersons are necessary to display incidents helping torecognize and respond to attacks quickly. It also allowsan interaction, such as the confirmation of reactionexecution through expert knowledge by a human espe-cially necessary in highly critical environments. Apartfrom this, a cross-evaluation could help to mitigatefalse-negatives and reinforce IDS functionality throughthe involvement of various data sources available fromthe system or an administrator. An administrator ordeveloper needs a deeper and detailed insight, forinstance to clarify incidents from a forensic point ofview. In such case, the Honeypot example mentionedabove in the context of SDN can be an appropri-ate method to deliver in-depth investigated statementsabout the incidents. A novel real-time visualization,also considering a cross-evaluation by humans, isproposed in [23] to effectively display many securityevents collected by multiple IDS.

The lore gained from the Post-Processing compo-nent including Expert Knowledge continuously im-proves the quality of the incident handling environmentby adjusting the Detection or updating the Analysismodule which has then an immediate influence on theResponse component.

E. Communication Framework

A crucial part in order to orchestrate the incidenthandling components and enabling an exchange ofinformation is the communication. This is especiallythe case if the components are not implemented on thesame physical system. Thus, a framework that satisfiesthe following requirements is needed.

• Guaranteeing the authenticity of each component• Logging of each interaction for traceability and

forensics• Guaranteeing the authenticity, confidentiality, in-

tegrity and privacy of exchanged information• Enforcing policy-based access restrictionsA proposed system for the concept that can be

utilized as a communication backbone satisfying therequirements above, is the Distributed Smart SpaceOrchestration System (DS2OS) [24]. DS2OS dividesthe framework in two layers: Middleware and Ser-vices. The middleware provides a uniform, scenario-independent interface for participating components. Itis utilized by a distributed system whose componentsmay run on distributed nodes that have a sufficientamount of free resources and allows storing and bro-kering state context between multiple computationdevices (e.g computers, embedded controllers).

Dedicated functions of the components describedabove within the incident handling environment canbe implemented as dedicated services. The explicitseparation from the middleware as a used communi-cation platform makes it possible to create servicesdynamically for the different use cases. In addition, ser-vices can be dynamically started, stopped or migratedbetween the distributed middleware components, de-pending on the available resources, for example. Pos-sible services for the incident handling eco-system are

data aggregation, feature extraction, intrusion detec-tion, alert analysis, logging, or reaction execution.

IV. EVALUATION

The proposed automated incident handling environ-ment ranging from detection, analysis, reaction to post-processing measures is evaluated within a virtualizedProxmox environment as depicted in figure 2. Partsof the incident handling environment of figure 1 areimplemented in the Incident Management componentusing open source tools as well as the in Python lan-guage written Incident Processing Application (IPA).Communication takes place in form of local servicesvia DS2OS. In a simple scenario, a proof of conceptis established.

Host 1 is communicating with Host 2 over thenetwork route including the Open vSwitches OVS 0and OVS 1. The route from OVS 0 to Host 2 over OVS 2is not configured by default. An Attacker tries to sendmalicious messages to Host 1 and Host 2. Intrusiondetection is performed on the Incident Managemententity using the open source NIDS Snort based on themirrored traffic from OVS 0. Further the entity containsthe Python rules based correlation engine Prelude-Correlator from the Prelude-SIEM used for a simplealert analysis. Thus, it receives the IDMEF-based alertsfrom the IDS and raises an alert in the case of asuccessful correlation based on a provided ruleset.

As an automated response, based on a correlationalert stored in a database representing a reaction basedon a historical incident, the Incident Managemententity creates a new Snort rule and reloads it (IV-A).A second evaluation includes the interaction betweenpost-processing and admin confirmation (IV-B) to re-configure the Open vSwitches OVS 1 and OVS 2 basedon the OpenFlow controller OpenMUL.

Proxmox virtualization management platform

Mirrored

Traffic

Control

Host 2

Host 1

Attacker

OVS 1

OVS 2

OVS 0

Incident Management

Host n+2

Host n+1

Host n

Network

Honeypot

Fig. 2. Evaluation environment for incident detection and reaction

A. IDS Reconfiguration

Snort analyzes the mirrored traffic from the networkusing Winpcap, analyzes for matches to a defined ruleset and generates alerts in the unified2 binary outputformat. Allowing Snort to write these output files willnot cause Snort missing network packets. The opensource interpreter Barnyard2 is then used to parse thebinary data into IDMEF in a separate task. UsingPrelude, the generated IDMEF alerts are provided to acentral management unit called the Prelude Manager.In the scenario two rules are existing. One, exemplaryshown below, that creates an alarm of any IP address,

except Host 1’s, is sending any message to Host 2 andone vice versa.

alert any !$IP HOST 1 any -> $IP HOST 2 any(msg:”Unknown host communicating to Host 2”;sid:10000000; rev:1;)

IPA contains functionality from the Prelude-Correlator which is used to trigger a simple correlationalert if both of the above rules match for the IP addressof the Attacker entity. Further the application createsand activates a new Snort rule, as a response measure,that explicitly triggers for any communication sentby the attacker. Based on the results of an alreadyexecuted reaction in the past, stored in a SQL databaseshowing the same behavior, a new rule mask is pro-vided for response. Thus, first a new Snort ID must bedetermined, the new rule (shown below) and the newsid-entry for the sid-msg.map file created, loaded tothe Snort system and added to the appropriate files.

alert any $IP ATTACKER any -> any any(msg:”Unknown host (attacker) communicating”;sid:10000002; rev:1;)

In order to activate the new rule without missingany packets, Snort needs be reloaded using a SIGHUPsignal. Snort utilized in inline mode connecting theattacker to the network would even allow to block allfurther activities if Snorts rule header is configured todrop the packets when the rule matches.

B. Network Reconfiguration

In a second scenario, IPA is used to reconfigure thenetwork based on SDN technology. Thus again the firstSnort rule from above is used to detect malicious hostscommunicating to Host 2. If the Attacker is sendingmalicious packets to Host 2 via the route consisting ofOVS 0 and OVS 1 an alarm is raised. Since no historicalevent is known in the database, the post-processing ispresenting an admin the event in the graphical front-end Prewikka of the Prelude-SIEM and waiting fora possible reaction by the admin. Then, the IncidentManagement entity is reconfiguring OVS 1 and OVS 2such that network traffic is further only forwarded byOVS 2 for in-depth investigation within a honeypot.Thus, IPA is determining the dpid of the two OpenvSwitches created by the OpenFlow controller in orderto create new OpenFlow rules. It further temporarilysaves the existing rules and determines whether a newOpenFlow rule must be created for the attacker’s IPaddress. If the new rules are added, the controllerdistributes them triggered by a command line inter-face command of IPA. While in the reconfigurationprocess, malicious traffic might still flow for a certainduration. In a measurement, the duration from thedetection by Snort until the final reconfiguration of theOpen vSwitches could be determined to an average of733.76 ms for 74 measurements. Further work aims toreduce this time.

V. CONCLUSION AND FUTURE WORK

The necessity for protecting computer networks bythe detection of incidents and partially autonomousreaction demands a comprehensive incident handling

environment. The proposed concept in this paperidentifies several required components ranging fromvarious detection mechanisms to reaction possibilitiesand provides exemplary functionality. The evaluationprovides a first proof of concept that includes an auto-matic reaction to detected incidents based on historicalinformation and in a second scenario the involvementof expert confirmation including a reaction over a post-processing measure.

The detection of incidents in the evaluation wasbased on the single IDS Snort. Exploiting the ad-vantages of the proposed concept to include variousdetection mechanisms for instance by anomaly-basedmachine learning methods have already been imple-mented and evaluated during the writing of this paper.Further research needs to be done to extend them withIDMEF and to integrate them into the incident handlingenvironment. In addition, the concept is not limited to acentral incident detection and reaction component. Thenext step of evaluation is also to include distributedcomponents enabled by the strengths of the DS2OSframework to address distributed anomaly detectionapproaches.

Instead of relying on simple analysis techniquessuch as with Prelude-Correlator more sophisticatedapproaches as proposed in [25] are aimed to be in-tegrated in the near future. Multiple techniques ap-plied alongside in a hybrid fashion could improve theincident analysis capabilities. Targeting the require-ment for traceability and forensics of actions withinthe incident handling a promising approach could bebased on the usage of Distributed Ledger Technologyfor instance implemented with Blockchains. Furtherresearch aims to exploit such technology to eitherlog each interaction tamper-resistant implemented inthe DS2OS communication framework or to exploittheir consensus algorithm for conformity of variousdetection mechanism output.

ACKNOWLEDGMENT

This research work has been supported by the re-search projects no. 16KIS0539 and 03FH016IA5 of theGerman Federal Ministry of Education and Researchand by the Ministry of Education, Youth and Sports ofthe Czech Republic under grant No. LO1506.

REFERENCES

[1] Vittor T. R., Sukumara T., Sudarsan S. D., and Starck J.,Cyber security - security strategy for distribution managementsystem and security architecture considerations, 70th AnnualConference for Protective Relay Engineers (CPRE), 2017

[2] Miloslavskaya N., Security operations centers for informationsecurity incident management, IEEE 4th InternationalConference on Future Internet of Things and Cloud, 2016

[3] Arrington B., Barnett L., Rufus R., and Esterline A., Behavioralmodeling intrusion detection system (BMIDS) using internet ofthings (IoT) behavior-based anomaly detection via immunity-inspired algorithms, 25th International Conference on ComputerCommunication and Networks (ICCCN), 2016

[4] Studnia I., Alata E., Nicomette V., Kaaniche M., andLaarouchi Y., A language-based intrusion detection approachfor automotive embedded networks, 21st IEEE Pacific RimInternational Symposium on Dependable Computing, 2014

[5] Ossenbuhl S., Steinberger J., and Baier H., Towards AutomatedIncident Handling: How to Select an Appropriate Responseagainst a Network-Based Attack?, 9th International Conferenceon IT Security Incident Management and IT Forensics, 2015

[6] Takano M., ICS Cybersecurity Incident Response and theTroubleshooting Process, SICE Annual Conference 2014, 2014

[7] Hasan R., Raghav A., Mahmood S., and Hasan M. A.,Artificial Intelligence Based Model for Incident Response,2011 International Conference on Information Management,Innovation Management and Industrial Engineering, 2011

[8] Xing T., Huang D., Xu L., Chung C. J., and Khatkar P.,SnortFlow: A OpenFlow-based intrusion prevention system incloud environment, Second GENI Research and EducationalExperiment Workshop (GREE), 2013

[9] Fallstrand D., and Lindstroem V., Applicability analysis ofintrusion detection and prevention in automotive systems,Master’s Thesis in Computer Systems and Networks onthe Chalmers University of Technology Goteborg, [Online],Available: http://publications.lib.chalmers.se/records/fulltext/219075/219075.pdf, 2015

[10] Ashfaq R. A. R., Wang X.Z., Huang J.Z., Abbas H., and HeY. L., Fuzziness based semi-supervised learning approach forintrusion detection system, Journal Information Sciences, 2017

[11] Taylor A., Anomaly-based detection of malicious activity inin-vehicle networks, PhD Thesis at the University of Ottawa,[Online], Available: https://ruor.uottawa.ca/bitstream/10393/36120/3/Taylor Adrian 2017 thesis.pdf, 2017

[12] IEEE Computer Society, IEEE Standard for Local andMetropolitan Area Networks: Media Access Control (MAC)Security, IEEE Std 802.1AE-2006, 2006

[13] Boudguiga A., Witold K., Boulanger A., and Chiron P.,A Simple Intrusion Detection Method for Controller AreaNetwork, IEEE ICC 2016 Communication and InformationSystems Security Symposium, 2016

[14] Arunraj N. S., Hable R., Fernandes M., Leidl K., andHeigl M., Comparison of Supervised, Semi-supervised andUnsupervised Learning Methods in Network Intrusion DetectionSystem (NIDS) Application, Anwendungen und Konzepte derWirtschaftsinformatik, 2017

[15] Suarez-Tangil G., Palomar E., de Fuentes J. M., BlascoJ., and Ribagorda A., Automatic Rule Generation Based onGenetic Programming for Event Correlation, ComputationalIntelligence in Security for Information, 2009

[16] Debar H., et al., The Intrusion Detection Message ExchangeFormat (IDMEF), RFC 4765, 2007

[17] Shittu R., Healing A., Ghanea-Hercock R., Bloomfield R., andRajarajan M., Intrusion alert prioritisation and attack detectionusing post-correlation analysis, Computers & Security, 2015

[18] Taejin H., Sunghwan K., Namwon A., Jargalsaikhan N.,Chiwook J., JongWon K., and Hyuk L., Suspicious trafficsampling for intrusion detection in software-defined networks,Journal Computer Networks, 2016

[19] Shim K. S., Yoon S. H., Lee S. K., and Kim M. S., SigBox:Automatic Signature Generation Method for Fine-grainedTraffic Identification, Jounral of Information Science andEngineering 33, 2017

[20] Shin S., Xu L., Hong S., and Gu G., Enhancing NetworkSecurity through Software Defined Networking (SDN), 25thInternational Conference on Computer Communication andNetworks (ICCCN), 2016

[21] Giotis K., Androulidakis G., and Maglaris V., LeveragingSDN for efficient anomaly detection and mitigation on legacynetworks, Third European Workshop on Software-DefinedNetworks, 2014.

[22] Lehocine M. B., and Batouche M., Flexibility of managingVLAN filtering and segmentation in SDN networks, InternationalSymposium on Networks, Computers and Comm., 2017.

[23] Song B., Choi S. S., Choi J., and Song J., Visualization ofIntrusion Detection Alarms Collected from Multiple Networks,Lecture Notes in Computer Science (Including SubseriesLecture Notes in AI and in Bioinformatics), 2017

[24] Pahl M. O., Carle G., and Klinker G., Distributed SmartSpace Orchestration, Network Operations and ManagementSymposium 2016 - Dissertation Digest, 2016

[25] Kawakani C. T., Junior S. B., Miani R. S., Cukier M., andZarpelo B. B., Intrusion alert correlation to support securitymanagement, XII Brazilian Symposium on Information Systemsin the Cloud Computing Era, 2016