
Table 15 A subjective comparison between the proposed approach and other correlation methods

From: Big knowledge-based semantic correlation for detecting slow and low-level advanced persistent threats

Method Attack detection method Attack type
Correlation type Alert causal analysis Hybrid correlation\(^{a}\) Multi-step attack detection Low-level attack detection Slow attack detection
Debar and Wespi [73] Alert Correlation
Valeur et al. [74] Alert Correlation \(\checkmark\)
Wang and Chiou [75] Alert Correlation \(\checkmark\)
Valdes and Skinner [76] Alert Correlation \(\checkmark\)
Julisch 2001 [77] Alert Correlation \(\checkmark\)
Julisch 2003 [78] Alert Correlation \(\checkmark\)
Al-Mamory and Zhang [79] Alert Correlation \(\checkmark\) \(\checkmark\)
Peng et al. [80] Alert Correlation \(\checkmark\)
Qin and Lee [81] Alert Correlation \(\checkmark\) \(\checkmark\)
Goldman et al. [82] Alert Correlation \(\checkmark\) \(\checkmark\)
Viinikka et al. [83] Alert Correlation
Treinen and Thurimella [84] Alert Correlation \(\checkmark\) \(\checkmark\)
Ourston et al. [41] Alert Correlation \(\checkmark\)
Ren et al. [85] Alert Correlation \(\checkmark\) \(\checkmark\)
Zhitang et al. [86] Alert Correlation \(\checkmark\)
Ma et al. [87] Alert Correlation \(\checkmark\)
Zhitang et al. [88] Alert Correlation \(\checkmark\)
Farhadi et al. [89] Alert Correlation \(\checkmark\) \(\checkmark\)
Manganiello et al. [90] Alert Correlation \(\checkmark\) \(\checkmark\)
Soleimani and Ghorbani [91] Alert Correlation \(\checkmark\)
Ramaki et al. [92] Alert Correlation \(\checkmark\) \(\checkmark\)
Ghafir et al. [40] Alert Correlation \(\checkmark\)
Lajevardi and Amini [16] Event Correlation \(\checkmark\) \(\checkmark\) \(\checkmark\) \(\checkmark\)
Mohamed and Belaton [38] Alert Correlation \(\checkmark\) \(\checkmark\)
Our proposed approach Event Correlation \(\checkmark\) \(\checkmark\) \(\checkmark\) \(\checkmark\) \(\checkmark\)
\(^{a}\) Hybrid correlation means correlating operating system events with network events