protocol refers to the type of protocol; sensorID refers to
the sensor that detected the event; confidence refers to the
confidence level of the alert event; severity refers to the
severity level of the alert event; other refers to the other
information of the alert event.
Security Situation Modeling. It refers to the process of
analyzing the alert events generated by various security
sensors and finally generating the global security situation of
the network. It consists of the following functions:
Event Simplification. $[e_1, e_2, \cdots, e_n] \rightarrow e_m$: redundant
alert events that are related by repetition or concurrency are
simplified, to reduce the number of effective events.
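A sketch of event simplification, added here as an illustration and not taken from the paper. Assumptions: the `time`, `signature`, `src` and `dst` attributes, the 5-second window, reading repetition as the same sensor re-reporting an event and concurrency as a different sensor reporting it, and keeping the maximum confidence and severity in the merged event.

```python
from dataclasses import dataclass, field

@dataclass
class Alert:
    time: float        # assumed attribute: seconds since capture start
    signature: str     # assumed attribute: what the sensor reported
    src: str           # assumed attribute
    dst: str           # assumed attribute
    protocol: str
    sensor_id: str
    confidence: float
    severity: int

@dataclass
class Merged:          # the simplified event e_m
    first: Alert
    last_time: float
    sensors: set = field(default_factory=set)
    count: int = 0
    confidence: float = 0.0
    severity: int = 0

def simplify(alerts, window=5.0):
    """[e_1, ..., e_n] -> e_m for alerts with the same key inside `window`."""
    out, latest = [], {}
    for a in sorted(alerts, key=lambda e: e.time):
        key = (a.signature, a.src, a.dst, a.protocol)
        m = latest.get(key)
        if m is None or a.time - m.last_time > window:
            m = Merged(first=a, last_time=a.time)   # start a new e_m
            latest[key] = m
            out.append(m)
        m.last_time = a.time
        m.sensors.add(a.sensor_id)   # more than one sensor means concurrency
        m.count += 1                 # count > 1 on one sensor means repetition
        m.confidence = max(m.confidence, a.confidence)  # assumed merge rule
        m.severity = max(m.severity, a.severity)        # assumed merge rule
    return out

# Constructed sample alerts (documentation address ranges).
SAMPLE = [
    Alert(0.0, "ssh-bruteforce", "192.0.2.5", "198.51.100.9", "tcp", "ids-1", 0.6, 2),
    Alert(1.0, "ssh-bruteforce", "192.0.2.5", "198.51.100.9", "tcp", "ids-1", 0.6, 2),
    Alert(1.5, "ssh-bruteforce", "192.0.2.5", "198.51.100.9", "tcp", "fw-1", 0.8, 3),
    Alert(2.0, "port-scan", "192.0.2.7", "198.51.100.9", "tcp", "ids-1", 0.5, 1),
    Alert(60.0, "ssh-bruteforce", "192.0.2.5", "198.51.100.9", "tcp", "ids-1", 0.6, 2),
]
```

On the sample, five raw alerts reduce to three effective events; the last alert falls outside the window and is kept as a separate event.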
Event Filtering. $[e_i, P(e_i) \notin H]$