| Graduate student: | 官炳宏 Ping-Hung Kwan |
|---|---|
| Thesis title: | 結合隱藏式馬可夫模型與彩色派翠網以關聯多步驟攻擊警訊之方法 (A Method for Correlating Multi-Step Attack Alerts by Combining Hidden Markov Models and Colored Petri Nets) |
| Advisor: | 陳奕明 Yi-Ming Chen |
| Degree: | Master (碩士) |
| Department: | College of Management, Department of Information Management (管理學院 - 資訊管理學系) |
| Graduation academic year: | 93 (ROC calendar) |
| Language: | Chinese |
| Pages: | 90 |
| Chinese keywords: | 多步驟攻擊 (multi-step attack), 預測攻擊 (attack prediction), 隱藏式馬可夫模型 (hidden Markov model), 彩色派翠網 (colored Petri net), 警訊關聯 (alert correlation) |
| Foreign keywords: | HMM, CPN |
| Usage statistics: | Views: 14, Downloads: 0 |
In recent years the development of intrusion detection systems has shifted from emphasizing the efficiency and accuracy of individual alerts toward correlating alerts in order to provide a more complete overview of an attack. In other words, how to correlate low-level alert data into information and knowledge that is useful to security administrators has become one of the focal points of current network security research. This thesis takes the Hidden Markov Model (HMM) and the Colored Petri Net (CPN) as its theoretical basis and develops a method for converting the relationships between places and transitions in a CPN graph into the states and observation symbols of an HMM state-transition diagram; the conversion yields the initial state probabilities, the state-to-state transition probabilities, and the symbol emission probabilities between states and observations. In this way the strengths of the HMM and the CPN can be fully combined for alert correlation. In addition, because the HMM does not take the AND and OR logical relationships among alerts into account when processing them, we propose an improved model suited to correlating the alerts of multi-step attacks; we call this improved HMM the Adaptive Hidden Markov Model (AHMM). Based on these ideas we implemented an alert correlation system, and in the final experiments, using the DARPA 2000 dataset together with some alert data we collected ourselves, we show that the system can successfully identify multi-step attack behavior within a pile of alerts, can predict attacks, and can effectively reduce the high false-positive and false-negative rates that a traditional HMM produces.