
Student: 劉美君 (Mei-Chun Liu)
Thesis title: A Method for Reconstructing Multi-Step Attacks by Correlating Alerts with Colored Petri Nets
Advisor: 陳奕明 (Yi-Ming Chen)
Committee members:
Degree: Master
Department: College of Management - Department of Information Management
Graduation academic year: 92 (ROC calendar)
Language: Chinese
Pages: 69
Chinese keywords: alert correlation, multi-step attack, network security
Foreign keywords: SOC, CPN
Abstract: Today's hacker intrusions often consist of many steps and are more complex and varied than before, so information security managers and security operations centers (SOCs) constantly face an excessive number of security alerts, many of them false positives, which leaves security staff struggling to keep up and working inefficiently. Moreover, most current security alerts are still low-level information and do not let managers quickly grasp the whole picture of an intrusion. To address this, the development of intrusion detection systems in recent years has gradually shifted from improving the efficiency and accuracy of individual alerts to correlating alerts so as to provide a more complete overview of an attack. In other words, how to correlate low-level alert data into information and knowledge that is useful to security managers has become one of the focal points of current network security research. This thesis, from the perspective of a security operations center, explains how to use Colored Petri Nets (CPN) as the theoretical basis for developing a set of rules that convert known attack methods into CPN graphs, and then how to use those CPN graphs to correlate the alerts generated by intrusion detection systems and issue security notifications of multi-step attacks. We collect several multi-step attack cases and use them as worked examples of the conversion; we also show how, using the CPN Tools package and a program we developed, the Sasser attack alerts detected by Snort can be correlated to uncover more complete information about the attack behavior.
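As an added illustration of the correlation idea in the abstract (this is not code from the thesis or from CPN Tools), the following Python models a known attack pattern as a small colored Petri net and replays IDS alerts through it; the place names, the three constructed signature names and the sample alerts are assumptions for this example.

```python
from collections import defaultdict
# Attack pattern as a coloured Petri net: each transition is fired by one IDS
# alert signature (names constructed), consumes a token from its input place
# and produces one in its output place. Token colour = (attacker, victim); the
# guard requires the alert's src/dst to match, so unrelated or out-of-order
# alerts never advance the net and never cause a notification.
TRANSITIONS = [
    ("RECON_SCAN",      "p0", "p1"),
    ("EXPLOIT_ATTEMPT", "p1", "p2"),
    ("SHELL_ACTIVITY",  "p2", "p3"),
]
START, FINAL = "p0", "p3"

class AlertCorrelator:
    def __init__(self, transitions=TRANSITIONS):
        self.by_sig = {sig: (i, o) for sig, i, o in transitions}
        self.marking = defaultdict(set)   # place -> set of colour tokens
        self.notifications = []           # completed multi-step attacks

    def feed(self, alert):
        # Fire the transition named by alert["sig"] if its guard holds;
        # return the output place on firing, None otherwise.
        if alert["sig"] not in self.by_sig:
            return None                   # signature not part of this pattern
        in_place, out_place = self.by_sig[alert["sig"]]
        colour = (alert["src"], alert["dst"])
        if in_place != START:             # the start place is unbounded
            if colour not in self.marking[in_place]:
                return None               # guard failed: no token of this colour
            self.marking[in_place].discard(colour)   # consume the input token
        self.marking[out_place].add(colour)
        if out_place == FINAL:
            self.notifications.append({"attacker": colour[0], "victim": colour[1]})
        return out_place

def correlate(alerts):
    # Replay alerts in arrival order and return the multi-step notifications.
    c = AlertCorrelator()
    for a in alerts:
        c.feed(a)
    return c.notifications

# Constructed sample alerts: a full chain from 10.0.0.5 against 10.0.0.9, an
# exploit alert from 10.0.0.7 with no prior scan, and a shell alert against a
# different victim; only the first chain should yield a notification.
SAMPLE_ALERTS = [
    {"sig": "RECON_SCAN",      "src": "10.0.0.5", "dst": "10.0.0.9"},
    {"sig": "EXPLOIT_ATTEMPT", "src": "10.0.0.7", "dst": "10.0.0.9"},
    {"sig": "EXPLOIT_ATTEMPT", "src": "10.0.0.5", "dst": "10.0.0.9"},
    {"sig": "SHELL_ACTIVITY",  "src": "10.0.0.5", "dst": "10.0.0.8"},
    {"sig": "SHELL_ACTIVITY",  "src": "10.0.0.5", "dst": "10.0.0.9"},
]
```

Five raw alerts collapse into one notification naming attacker and victim, which is the reduction in alert volume the abstract is after.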


Table of contents:
    Contents
    List of Figures
    List of Tables
    Chapter 1 Introduction
        1.1 Research background
        1.2 Research motivation and objectives
        1.3 Research assumptions, research process and main results
        1.4 Chapter structure
    Chapter 2 Related work
        2.1 Multi-step attack cases
        2.2 Alert aggregation
        2.3 Attack intention recognition
            2.3.1 Attack trees
            2.3.2 State transition analysis
            2.3.3 Correlating alerts by matching pre- and post-conditions
            2.3.4 Colored Petri Nets
            2.3.5 Comparison
    Chapter 3 Reconstructing multi-step attacks with Colored Petri Nets
        3.1 Introduction to Colored Petri Nets
        3.2 Why Colored Petri Nets
        3.3 Converting multi-step attacks into CPN graphs
    Chapter 4 System design and implementation
        4.1 System architecture
        4.2 System implementation
            4.2.1 Development environment and tools
            4.2.2 Module implementation
    Chapter 5 Case simulation and analysis
        5.1 Building attack patterns
            5.1.1 Case 1: Illegal Root Access
            5.1.2 Case 2: Sadmind Exploit for a DDoS attack
            5.1.3 Case 3: SASSER Worm Infected
        5.2 Attack case correlation experiments
            5.2.1 Experiment 1: SASSER Worm alert correlation
            5.2.2 Experiment 2: Sadmind Exploit for a DDoS attack (for RealSecure)
            5.2.3 Analysis and comparison of Experiment 2
    Chapter 6 Conclusion
        6.1 Research conclusions
        6.2 Research contributions
        6.3 Future research directions
    References
        Chinese references
        English references

