The remaining part of our paper is structured as follows. In the next section, we describe the data we used. Then, in Section ‘Evidence correlation studies’ we describe the investigation of four representative malware cases. We present our findings regarding the utility of the data sources and the effective signatures in Section ‘Complementary utility and ranking of security sources’ and ‘What does a good IDS signature look like?’, respectively. Finally, in Sections ‘Related work’ and ‘Conclusions’ we outline the related work and conclude our paper.