\begin{thebibliography}{10}

\bibitem{Bac00}
Bace, R.:
\newblock Intrusion detection.
\newblock Macmillan Publishing Co., Inc. (2000)

\bibitem{DDW00}
Debar, H., Dacier, M., Wespi, A.:
\newblock A revised taxonomy for intrusion-detection systems.
\newblock Annales des T{\'e}l{\'e}communications \textbf{55}(7--8) (2000)
361--378

\bibitem{ACFM+00}
Allen, J., Christie, A., Fithen, W., McHugh, J., Pickel, J., Stoner, E.:
\newblock State of the practice of intrusion detection technologies.
\newblock Technical Report CMU/SEI-99-TR-028, Carnegie Mellon University,
Software Engineering Institute (2000)

\bibitem{MCZH00}
Manganaris, S., Christensen, M., Zerkle, D., Hermiz, K.:
\newblock A {D}ata {M}ining {A}nalysis of {RTID} alarms.
\newblock Computer Networks: The International Journal of Computer and
Telecommunications Networking \textbf{34}(4) (2000) 571--577

\bibitem{NX03}
Ning, P., Xu, D.:
\newblock Learning attack strategies from intrusion alerts.
\newblock In: CCS '03: Proc.~10th ACM Conference on Computer and Communications
Security, ACM Press (2003) 200--209

\bibitem{Axe00}
Axelsson, S.:
\newblock The base-rate fallacy and the difficulty of intrusion detection.
\newblock ACM Trans.~Inf.~Syst.~Secur.~(TISSEC) \textbf{3}(3) (2000) 186--205

\bibitem{CG00}
Clifton, C., Gengo, G.:
\newblock Developing custom intrusion detection filters using data mining.
\newblock In: MILCOM '00: Proc.~21st Century Military Communications
Conference. Volume~1., IEEE Computer Society Press (2000) 440--443

\bibitem{Jul01}
Julisch, K.:
\newblock {M}ining {A}larm {C}lusters to {I}mprove {A}larm {H}andling
{E}fficiency.
\newblock In: ACSAC '01: Proc.~17th Annual Computer Security Applications
Conference (ACSAC), IEEE Computer Society (2001) 12--21

\bibitem{Jul03}
Julisch, K.:
\newblock Clustering intrusion detection alarms to support root cause analysis.
\newblock ACM Transactions on Information and System Security (TISSEC)
\textbf{6}(4) (2003) 443--471

\bibitem{DC02}
Dain, O., Cunningham, R.:
\newblock {F}using a {H}eterogeneous {A}lert {S}tream into {S}cenarios.
\newblock In: Proc.~ACM Workshop on Data Mining for Security Applications, held
with the 8th ACM Conference on Computer and Communications Security (CCS '01),
ACM Press (2001) 1--13

\bibitem{Axe99}
Axelsson, S.:
\newblock {Intrusion Detection Systems: A Survey and Taxonomy}.
\newblock Technical Report 99-15, Department of Computer Engineering, Chalmers
University of Technology (2000)

\bibitem{Roe99}
Roesch, M.:
\newblock {S}nort - {L}ightweight {I}ntrusion {D}etection for {N}etworks.
\newblock In: LISA '99: Proc.~13th USENIX Conference on System Administration,
USENIX Association (1999) 229--238

\bibitem{snort}
Sourcefire:
\newblock Snort {N}etwork {I}ntrusion {D}etection {S}ystem web site (1999) URL
http://www.snort.org.

\bibitem{LHFK+00}
Lippmann, R., Haines, J.W., Fried, D.J., Korba, J., Das, K.:
\newblock The 1999 {DARPA} off-line intrusion detection evaluation.
\newblock Computer Networks: The International Journal of Computer and
Telecommunications Networking \textbf{34}(4) (2000) 579--595

\bibitem{Pie04}
Pietraszek, T.:
\newblock Using {A}daptive {A}lert {C}lassification to {R}educe {F}alse
{P}ositives in {I}ntrusion {D}etection.
\newblock In Jonsson, E., Valdes, A., Almgren, M., eds.: RAID '04: Proc.~7th
Symposium on Recent Advances in Intrusion Detection. Volume 3224 of LNCS.,
Springer-Verlag (2004) 102--124

\bibitem{DDW99}
Debar, H., Dacier, M., Wespi, A.:
\newblock Towards a taxonomy of intrusion-detection systems.
\newblock Computer Networks \textbf{31}(8) (1999) 805--822

\bibitem{wasc}
{Web Application Security Consortium}:
\newblock {W}eb {S}ecurity {T}hreat {C}lassification (2005) URL
http://www.webappsec.org/projects/threat/.

\bibitem{Tre68}
van Trees, H.L.:
\newblock Detection, {E}stimation, and {M}odulation {T}heory. {P}art {I}:
{D}etection, {E}stimation, and {L}inear {M}odulation {T}heory.
\newblock John Wiley and Sons, Inc. (1968)

\bibitem{owasp10}
{The Open Web Application Security Project}:
\newblock {OWASP Top Ten Most Critical Web Application Security
Vulnerabilities} (2006) URL http://www.owasp.org/documentation/topten.html.

\bibitem{postNukeExploit}
{Security Reason}:
\newblock {PostNuke} {I}nput {V}alidation {E}rror (2005) URL
http://securitytracker.com/alerts/2005/May/1014066.html.

\bibitem{postnuke}
PostNuke:
\newblock {P}ost{N}uke {C}ontent {M}anagement {S}ystem (2006) URL
http://www.postnuke.com/.

\bibitem{checkpoint}
{Check Point Software Technologies}:
\newblock {Stateful Inspection Technology} (2005) URL
http://www.checkpoint.com/products/downloads/Stateful\_Inspection.pdf.

\bibitem{BZEH06}
Bolzoni, D., Zambon, E., Etalle, S., Hartel, P.:
\newblock {POSEIDON}: a 2-tier {A}nomaly-based {N}etwork {I}ntrusion
{D}etection {S}ystem.
\newblock In: IWIA '06: Proc.~4th IEEE International Workshop on Information
Assurance, IEEE Computer Society (2006) To appear.

\bibitem{WS04}
Wang, K., Stolfo, S.J.:
\newblock Anomalous {P}ayload-{B}ased {N}etwork {I}ntrusion {D}etection.
\newblock In Jonsson, E., Valdes, A., Almgren, M., eds.: RAID '04: Proc.~7th
Symposium on Recent Advances in Intrusion Detection. Volume 3224 of LNCS.,
Springer-Verlag (2004) 203--222

\bibitem{McH00}
McHugh, J.:
\newblock {T}esting {I}ntrusion {D}etection {S}ystems: a critique of the 1998
and 1999 {DARPA} intrusion detection system evaluations as performed by
{L}incoln {L}aboratory.
\newblock ACM Transactions on Information and System Security (TISSEC)
\textbf{3}(4) (2000) 262--294

\bibitem{MC03}
Mahoney, M.V., Chan, P.K.:
\newblock An {A}nalysis of the 1999 {DARPA}/{L}incoln {L}aboratory {E}valuation
{D}ata for {N}etwork {A}nomaly {D}etection.
\newblock In Vigna, G., Kruegel, C., Jonsson, E., eds.: RAID '03: Proc.~6th
Symposium on Recent Advances in Intrusion Detection. Volume 2820 of LNCS.,
Springer-Verlag (2003) 220--237

\bibitem{symantec}
{Symantec Corporation}:
\newblock {I}nternet {S}ecurity {T}hreat {R}eport (2006) URL
https://enterprise.symantec.com/enterprise/whitepaper.cfm?id=2238.

\bibitem{QW02}
Qiao, Y., Weixin, X.:
\newblock A {N}etwork {IDS} with {L}ow {F}alse {P}ositive {R}ate.
\newblock In Fogel, D.B., El-Sharkawi, M.A., Yao, X., Greenwood, G., Iba, H.,
Marrow, P., Shackleton, M., eds.: CEC '02: Proc.~IEEE Congress on
Evolutionary Computation, IEEE Computer Society Press (2002) 1121--1126

\bibitem{NRC01}
Ning, P., Reeves, D., Cui, Y.:
\newblock Correlating {A}lerts {U}sing {P}rerequisites of {I}ntrusions.
\newblock Technical Report TR-2001-13, North Carolina State University (2001)

\bibitem{NC02}
Ning, P., Cui, Y.:
\newblock An {I}ntrusion {A}lert {C}orrelator {B}ased on {P}rerequisites of
{I}ntrusions.
\newblock Technical Report TR-2002-01, North Carolina State University (2002)

\bibitem{NCR02a}
Ning, P., Cui, Y., Reeves, D.:
\newblock Analyzing intensive intrusion alerts via correlation.
\newblock In Wespi, A., Vigna, G., Deri, L., eds.: RAID '02: Proc.~5th
Symposium on Recent Advances in Intrusion Detection. Volume 2516 of LNCS.,
Springer-Verlag (2002) 74--94

\bibitem{NCRX04}
Ning, P., Cui, Y., Reeves, D.S., Xu, D.:
\newblock Techniques and tools for analyzing intrusion alerts.
\newblock ACM Transactions on Information and System Security (TISSEC)
\textbf{7}(2) (2004) 274--318

\bibitem{defcon}
DEFCON8:
\newblock Defcon {C}apture the {F}lag ({CTF}) contest (2000) URL
http://www.defcon.org/html/defcon-8/defcon-8-post.html, data set
http://wi2600.org/mediawhore/mirrors/shmoo/.

\bibitem{MMDD02}
Morin, B., M{\'e}, L., Debar, H., Ducass{\'e}, M.:
\newblock {M2D2}: A formal data model for {IDS} alert correlation.
\newblock In Wespi, A., Vigna, G., Deri, L., eds.: RAID '02: Proc.~5th
Symposium on Recent Advances in Intrusion Detection. Volume 2516 of LNCS.,
Springer-Verlag (2002) 115--127

\bibitem{LS00}
Lee, W., Stolfo, S.J.:
\newblock A {F}ramework for {C}onstructing {F}eatures and {M}odels for
{I}ntrusion {D}etection {S}ystems.
\newblock ACM Transactions on Information and System Security (TISSEC)
\textbf{3}(4) (2000) 227--261

\bibitem{AS95}
Agrawal, R., Srikant, R.:
\newblock Mining sequential patterns.
\newblock In: ICDE '95: Proc.~11th International Conference on Data
Engineering, IEEE Computer Society Press (1995) 3--14

\bibitem{HPY00}
Han, J., Pei, J., Yin, Y.:
\newblock Mining frequent patterns without candidate generation.
\newblock In: SIGMOD '00: Proc.~2000 ACM SIGMOD International Conference on
Management of Data, ACM Press (2000) 1--12

\bibitem{LFGH+00}
Lippmann, R., Fried, D., Graf, I., Haines, J., Kendall, K., McClung, D., Weber,
D., Webster, S., Wyschogrod, D., Cunningham, R., Zissman, M.:
\newblock Evaluating {I}ntrusion {D}etection {S}ystems: {T}he 1998 {DARPA}
{O}ff-line {I}ntrusion {D}etection {E}valuation.
\newblock In: DISCEX '00: Proc.~1st {DARPA} Information Survivability
Conference and Exposition. Volume~2., IEEE Computer Society Press (2000)
12--26

\bibitem{PT05}
Pietraszek, T., Tanner, A.:
\newblock {Data Mining and Machine Learning -- Towards Reducing False Positives
in Intrusion Detection}.
\newblock Information Security Technical Report \textbf{10}(3) (2005) 169--183

\bibitem{MT96}
Mannila, H., Toivonen, H.:
\newblock {D}iscovering {G}eneralized {E}pisodes {U}sing {M}inimal
{O}ccurrences.
\newblock In: KDD '96: Proc.~2nd International Conference on Knowledge
Discovery and Data Mining, AAAI Press (1996) 146--151

\bibitem{MTV97}
Mannila, H., Toivonen, H., {Inkeri Verkamo}, A.:
\newblock {D}iscovery of {F}requent {E}pisodes in {E}vent {S}equences.
\newblock Data Min. Knowl. Discov. \textbf{1}(3) (1997) 259--289

\bibitem{JD02}
Julisch, K., Dacier, M.:
\newblock Mining intrusion detection alarms for actionable knowledge.
\newblock In: KDD '02: Proc.~8th ACM SIGKDD International Conference on
Knowledge Discovery and Data Mining, ACM Press (2002) 366--375

\bibitem{Hof99}
Hofmeyr, S.A.:
\newblock An {I}mmunological {M}odel of {D}istributed {D}etection and its
{A}pplication to {C}omputer {S}ecurity.
\newblock PhD thesis, University of New Mexico (1999) URL
http://www.cs.unm.edu/$\sim$steveah/steve\_diss.pdf.

\bibitem{FH96}
Forrest, S., Hofmeyr, S.A., Somayaji, A., Longstaff, T.A.:
\newblock A {S}ense of {S}elf for {U}nix {P}rocesses.
\newblock In: S\&P '96: Proc.~17th {IEEE} Symposium on Security and Privacy,
IEEE Computer Society Press (1996) 120--128

\bibitem{FHS97}
Forrest, S., Hofmeyr, S.A., Somayaji, A.:
\newblock Computer immunology.
\newblock Communications of the ACM \textbf{40}(10) (1997) 88--96

\end{thebibliography}