1. Introduction

With the continuous evolution of cyberattack techniques, Intrusion Detection Systems (IDSs) have become a core component of network security defense, especially critical within Power Information Communication Networks (PICNs). These networks, which form the backbone of modern power grids including smart grids and SCADA systems, are increasingly targeted due to their societal importance and inherent vulnerabilities. Intrusion Detection Systems (IDSs) in this context monitor network traffic and system activities across geographically dispersed and often resource-constrained power infrastructure to detect potential security threats, generating a vast number of alerts [1]. As cyberattacks against critical infrastructure grow exponentially in complexity and scale, conventional CPU-based Intrusion Detection Systems (IDSs) struggle to cope with the high-throughput and low-latency demands essential for maintaining the stability and reliability of power systems, leading to increasing performance bottlenecks and real-time processing challenges.

This context has propelled Data Processing Units (DPUs), particularly SmartNIC variants deployed directly within network infrastructure, to emerge as key enablers for next-generation IDSs in PICN environments. By leveraging their position at the network edge and dedicated processing cores, DPUs allow for the offloading of computation-intensive initial traffic inspection tasks (e.g., parsing specific industrial control protocols, basic flow analysis) directly at the point of packet arrival. This enables distributed, high-speed capture, filtering, and metadata extraction with microsecond-level latency, substantially improving the efficiency of generating threat alerts in large-scale PICN environments. However, IDS alerts within PICNs suffer from two major issues: (1) the sheer volume of alerts, often exacerbated by the diverse and numerous devices in power networks, frequently contains significant redundancy [2], and (2) the presence of noise within alerts, potentially stemming from normal operational fluctuations in power systems, complicates the extraction and interpretation of true attack behaviors [3]. These issues not only increase the complexity of security analysis for operators managing critical power infrastructure but also lead to the risk of missing or misinterpreting critical threats that could compromise energy delivery and grid stability.

First, an IDS generates an enormous number of alerts, often with significant redundancy, particularly in rule-based or signature-based detection approaches. A single attack behavior can trigger multiple alerts. For example, a network scanning attack may generate hundreds or even thousands of highly similar alerts, differing only slightly in attributes such as timestamps, source IPs, or target IPs [4]. This redundancy not only increases storage and processing burdens but also makes it challenging for security analysts to quickly identify real threats. Additionally, an IDS exhibits a high false positive rate, where many alerts originate from normal network activities or misconfigurations, further escalating the analysis workload.

Second, noise is prevalent in IDS alerts, restricting the accurate identification of at-tack behaviors [5]. The sources of noise include false positives, complex network environments, and evasive attacker strategies such as traffic dispersion or encryption techniques. These factors can lead to incomplete or inaccurate alerts. More importantly, an IDS often fails to determine whether an attack was successful. Even unsuccessful attacks may trigger alerts, making it exceedingly difficult to extract key attack behaviors from a massive number of alerts, particularly in multi-stage attack scenarios where security analysts struggle to reconstruct the complete attacker behavior path.

Traditional alert correlation methods primarily rely on rule-based or statistical analysis, aggregating alerts based on time windows or IP address similarity [6]. However, these methods often fall short in complex attack scenarios, as they lack the ability to analyze attack behavior trends, making it difficult to uncover attacker strategies and intentions. Recent studies have attempted to leverage machine learning techniques to process alert data, but due to the high dimensionality and noise in IDS alerts, their practical effectiveness remains suboptimal.

In terms of attack sequence analysis, existing research mainly focuses on sequential pattern mining, analyzing alert time series and attack types to reconstruct attacker behavior paths [7]. However, due to noise and redundancy, extracting meaningful attack sequences from raw alerts remains a significant challenge. Moreover, existing methods often overlook the dynamic nature of attack behaviors, making it difficult to capture how attackers adjust their strategies at different stages. Therefore, effectively extracting key attack behaviors and constructing attack sequences that reflect attacker strategies remain pressing challenges.

To address these challenges, we first propose a DPU-based IDS framework by leveraging their proximity to network interfaces and independent processing capabilities. This framework enables early and distributed traffic inspection at network entry points or critical nodes before data reach the host CPUs while offloading resource-intensive deep analysis and correlation tasks to a central platform. On this basis, we propose a novel alert correlation method aimed at reducing redundant alerts, extracting key attack behaviors, and constructing attack sequences to better reveal attacker behavior patterns and strategies. From an alert correlation perspective, we employ multi-similarity factor aggregation to comprehensively capture the potential relationships between alerts, thereby significantly reducing alert redundancy. Aiming at noise reduction, we apply a Kalman filter to smooth time series data, eliminating noise and enhancing the recognition of attack patterns. Finally, we utilize a suffix tree model to structurally represent alerts, capturing key behavioral paths leading to high-severity alerts and identifying common and distinct attacker strategies.

2. Background

The DPU-accelerated detection mechanism, while delivering high-throughput alert generation, exacerbates the traditional IDS’s inherent redundancy and noise issues. Hardware-level parallel processing produces massive heterogeneous alerts with orders-of-magnitude increases in temporal density and correlation complexity, rendering conventional software-based post-processing analysis inadequate. This paradox highlights the critical need to reconstruct alert processing paradigms for DPU architectures: an intelligent correlation framework must be developed to extend DPUs’ line-rate processing advantages into the threat analysis domain, ensuring seamless integration with hardware detection layers. To address this issue, researchers have proposed various alert correlation methods in recent years, aiming to reduce alert redundancy, extract key attack behaviors, and construct attack sequences. Existing alert correlation methods can be broadly classified into three categories: similarity-based, statistical-based, and knowledge-based approaches [8].

(1) Similarity-Based Alert Correlation:

These methods reduce redundant alerts and improve detection efficiency by calculating alert similarity. Recently, deep learning-based similarity methods have gained research interest. For instance, Ansari et al. [9] proposed a deep learning model based on Gated Recurrent Units (GRUs) for predicting network intrusion alerts, leveraging temporal dependencies in alert sequences to significantly improve prediction accuracy. Additionally, Cheng et al. [10] proposed an alert correlation method using Graph Convolutional Networks (GCNs), constructing an alert graph model to identify multi-step attack scenarios, effectively reducing redundant alerts and enhancing attack scene recognition.

(2) Statistical-Based Alert Correlation:

These methods analyze the statistical characteristics of alerts to identify attack scenarios. Time-series analysis and causal inference have been widely applied in this domain. For example, Bitit et al. [11] proposed a time-series-based alert prediction method, predicting future attacks by analyzing alert time-series features. Yang et al. [12] introduced a causal inference-based semantic analysis approach for detecting Advanced Persistent Threats (APTs) by analyzing causal relationships between alerts, effectively identifying complex attack scenarios.

(3) Knowledge-Based Alert Correlation:

These methods rely on predefined attack scenarios and rules to recognize multi-step attacks. Knowledge graphs and attack graph models have been widely applied in this field. For instance, Zou et al. [13] proposed an intelligent alert correlation framework based on knowledge graphs to identify attack scenarios. Xie et al. [14] developed a Bayesian network attack graph based on attacker and defender behavioral models, leveraging Bayesian inference to effectively identify complex attack paths.

While various advanced alert correlation methods exist [15,16]—including those using LSTMs, attention mechanisms, DBSCAN clustering, Bayesian inference, or knowledge graphs—the context of a DPU-accelerated IDS in PICN imposes specific demands. Key among these are the need for real-time processing and interpretable analysis to handle high-volume data and enable rapid, clear decision making.

Our LFDIA-based alert preprocessing is specifically tailored to these requirements. Instead of adopting computationally intensive or ‘black-box’ deep learning models for the initial alert aggregation, LFDIA employs a transparent, feature-based heuristic. This approach utilizes five explicit similarity factors and dynamic, severity-based thresholds for efficient, high-throughput alert clustering. Such a design allows LFDIA to achieve significant alert compression and a high retention of critical alerts, providing a balance of speed, clarity, and effectiveness. This makes it a suitable precursor to the subsequent Kalman filtering and suffix tree modeling stages in our DPU-centric framework. This comprehensive approach provides a more precise and efficient solution for alert processing and analysis in complex attack scenarios.

3. Methodology

3.1. Overview

The proposed alert correlation framework is illustrated in Figure 1.

This study proposes a holistic approach to extract attack scenarios from intrusion alerts. By implementing high-speed line-rate distributed traffic capture, preliminary detection, filtering, and metadata extraction on DPUs deployed at network critical points, we establish an efficient and scalable foundation for IDS architecture. We propose an LFDIA-based alert preprocessing mechanism to cleanse massive noisy IDS alerts, which is followed by Kalman filter application to smooth same-phase intrusion alerts, effectively reducing data noise and revealing temporal attack intensity trends to form preliminary intrusion sequences. These sequences subsequently undergo suffix tree modeling, which prioritizes attack patterns with higher severity levels, enabling focused analysis on critical cybersecurity threats. Experimental validation on the standardized CPTC-2017 and CPTC-2018 datasets, providing intrusion alert streams characteristic of those produced by distributed, high-speed detection systems like a DPU-based IDS, demonstrates the effectiveness of the proposed alert correlation and analysis pipeline in reducing alert redundancy, extracting critical attack behaviors, and constructing attack activity sequences.

3.2. Alarm Data Collection Based on Distributed DPUs

Modern DPUs (e.g., NVIDIA BlueField, Intel IPU) typically incorporate features such as dedicated ARM-based control processors, hardware-accelerated network functions (e.g., crypto, checksum), programmable data planes for line-rate packet processing, and strong isolation between host and DPU workloads. Leveraging these capabilities, DPUs deployed at network critical points (servers, gateways, aggregation points) can efficiently perform the required distributed sensing functions. Implementation of the specific packet processing, inspection, and metadata extraction logic described above can utilize programming paradigms and tools commonly supported on DPU platforms.

DPUs efficiently extract network flow metadata for basic statistical analysis, enabling the early detection of port scanning and DDoS attack precursors. Traffic metadata facilitate simple baseline learning and anomaly detection models. For critical protocols (e.g., HTTP, DNS), key header fields are extracted for inspection.

The processing workflow is as follows:

1.. Raw packets arrive at DPU physical interfaces for internal processing.

Non-inspected traffic or cleared flows are normally forwarded to host OSes or down-stream network nodes.

The specific logic for packet capture, filtering, parsing, basic analysis, and alert generation described in steps 1–8 can be implemented using programming models and tools commonly available on DPU platforms, such as P4 (for data plane programming), eBPF extensions (for flexible packet processing on the control plane cores), or vendor-provided SDKs (e.g., NVIDIA DOCA, Intel IPDK).

For instance, consider an attacker with IP 192.168.1.100 initiating a TCP SYN scan against server 10.0.0.5 on ports 80 and 443. A DPU at the server’s network entry point (Figure 2) would capture these packets. Its lightweight detection engine might identify this as a port scan based on the pattern of connection attempts. Consequently, the DPU generates raw alert events for each attempt, detailing source/destination IPs, ports, protocol, a preliminary classification (e.g., ‘Port Scan’), and timestamps. These alerts are formatted (as per Section 3.3.1) and sent to the central analysis platform.

3.3. Intrusion Alert Preprocessing

IDS alerts typically contain multiple attributes, including timestamp, source IP, destination IP, source port, destination port, attack type, attack signature, and severity level [17]. To facilitate subsequent processing, we first format the raw alerts, extract key attributes, and standardize their representation. Next, we perform deduplication and correlation to form alert clusters, which are then aggregated into time series for further analysis.

3.3.1. Raw Alert Representation

Each raw alert $o\in O$ is represented as a tuple:

(1)$o=⟨sIP,dIP,sPort,dPort,ts,\lambda ,serv,mcontent⟩,$

$o_1=⟨\mathrm{192.168.1.100}, \mathrm{10.0.0.5}, 54321, 80, t{s}_1,Scan, Low, ‘Host Discovery Scan’⟩$

A second alert $o_2$ for the scan on port 443, occurring at $t{s}_2=t{s}_1+2 \mathrm{s}$, would be

$o_2=⟨\mathrm{192.168.1.100}, \mathrm{10.0.0.5}, 54322, 443, t{s}_2, Scan, Low, ‘Host Discovery Scan’⟩$

Due to formatting inconsistencies across different IDS platforms, we standardize the alerts by converting timestamps to a uniform time format (e.g., Unix timestamps), transforming IP addresses and ports into numerical representations, and mapping attack types to a unified classification system [18]. These preprocessing steps establish a consistent foundation for subsequent analysis.

3.3.2. LFDIA-Based Alert Preprocessing Method

To further reduce redundant alerts and uncover attacker behavior patterns, we propose a similarity-based alert aggregation method named LFDIA (Longest-Feature-based Dynamic Inter-Alert Aggregation). This method computes the similarity between consecutive alerts using five similarity factors—Longest Common Substring, Filename, Directory, IP Address, and Attack Type—and dynamically adjusts aggregation thresholds based on severity levels. This ensures that high-severity alerts retain crucial details while minimizing redundancy for low-severity alerts.

The core idea of LFDIA is to aggregate raw alerts based on time intervals and payload similarity. Specifically, if two consecutive alerts have a time interval smaller than a predefined threshold $t_0$ and their average similarity score $S_{avg}$ exceeds a threshold $S_0$, they are merged into a single alert. The selection of an appropriate $t_0$ (set to 60 s in our experiments) is guided by an experimental analysis balancing the Compression Rate (CR) and High-Severity Retention (HSR), as detailed in Section 4.2.1. This strategy significantly reduces duplicate alerts while preserving key details reflecting attack behaviors. The method follows these steps:

Grouping: Alerts are first grouped by destination IP, and within each group, alerts are sorted in ascending order of timestamp to form an ordered alert sequence.

Time-Based Filtering: Adjacent alerts are examined, and those with a time interval smaller than $t{s}_0$ are considered potentially related and proceed to the next aggregation step.

Similarity Calculation: The average similarity $S_{avg}$ between adjacent alerts is computed using five similarity factors, as shown in Table 1.

These factors are combined using a weighted sum with a weight matrix $W_k$:

(2)$S_{avg}={\displaystyle \sum }_{k=1}^5{W}_k\cdot F_k\left(a_i,a_j\right)$

In this study, the weight matrix $W_k$ assigns equal importance to each of the five similarity factors (i.e., $W_k$ = 0.2 for $k=1,\dots ,5$). This approach was chosen to provide a balanced contribution from each factor, ensuring that all aspects of similarity are considered without a predefined bias toward any particular feature for the datasets analyzed. Let us apply LFDIA to alerts $o_1$ and $o_2$. Given $t_0=60 \mathrm{s}$ and $S_0=0.7$ for low severity, the time difference $\Delta t=t{s}_2-t{s}_1=2 \mathrm{s}$, which is <$t_0$. Thus, $o_1$ and $o_2$ are candidates for aggregation. For Equation (2), with $W_k$ = 0.2 for all five factors (Table 1):

$F_{LCS}\left(o_1,o_2\right)=1$ (identical $mcontent$: ‘Host Discovery Scan’).

$F_{Filename}\left(o_1,o_2\right)=0$ (no filename).

$F_{Directory}\left(o_1,o_2\right)=0$ (no directory).

$F_{IPAddress}\left(o_1,o_2\right)=1$ (identical sIP, dIP).

$F_{AttackTypes}\left(o_1,o_2\right)=1$ (identical ‘Scan’ type). So, $S_{avg}\left(o_1,o_2\right)=0.2\left(1+0+0+1+1\right)=0.6$. Since $\Delta t<t_0$, $o_1$ and $o_2$ are merged regardless of $S_{avg}$ not exceeding $S_0$. If many such scan alerts occur, LFDIA consolidates them into fewer aggregated alerts.

To accommodate different alert severity levels, the aggregation threshold $S_0$ is dynamically adjusted:

High-severity alerts: $S_0=0.7$, preserving detailed attack information.

Medium-severity alerts: $S_0=0.5$, balancing detail retention and redundancy reduction.

Low-severity alerts: $S_0=0.3$, aggressively filtering redundant alerts.

These specific $S_0$ thresholds were determined empirically through preliminary experiments on a subset of the training data. The values were selected to optimize the trade-off between maximizing alert reduction and minimizing the loss of critical alert information, particularly for high-severity alerts. The chosen values represent a balance that ensures high-severity alerts are preserved with high fidelity while allowing for the more aggressive aggregation of lower-severity, often voluminous, alerts. If $S_{avg}$ exceeds the corresponding $S_0$, the two alerts are merged. This approach enables the efficient compression of redundant alerts while effectively revealing attack patterns.

3.3.3. Time Series Generation

After alert aggregation, we generate a time series to represent variations in attack intensity over time. The time series is constructed based on the timestamps and count of aggregated alerts. Specifically, alert counts are analyzed from the perspective of the destination IP $dIP$ and attack classification $\lambda$. The timeline is divided into fixed-length time windows: $w_j=\left[t_0,t_0+j\cdot \Delta \right]$, where $\Delta$ represents the time interval (e.g., one minute). For each time window $w_j$, the number of alerts within that window is counted, forming the time series:

(3)$X\left(\Gamma \right)=x_1;x_2;\cdots ;x_n,$

It shows the intensity of attacks that meet certain conditions over time, where $\Gamma =\left(\lambda ,dIP\right)$, and $x_i$ represents the number of alerts within the time window $w_j$. Suppose after LFDIA, $dIP=\mathrm{10.0.0.5} \mathrm{and} \lambda =\mathrm{Scan}$ for, we count aggregated alerts in 1-minute windows ($\Delta =60 \mathrm{s}$): window 1 (${\omega }_1$): 3 alerts; window 2 (${\omega }_2$): 5 alerts; window 3 (${\omega }_3$): 2 alerts. The time series for $\Gamma =\left(Scan, \mathrm{10.0.0.5}\right)$ is $X\left(\Gamma \right)=\left(3,5,2\right)$.

The pseudocode of the entire process is shown in Algorithm 1.

3.3.4. Kalman Filter Smoothing

Despite the removal of duplicate alerts, the time series $X\left(\Gamma \right)$ may still contain noise, which can impact the extraction of attack activities and attack sequences. For instance, during certain time periods, random fluctuations in the number of alerts may occur due to incidental factors, resembling high-frequency noise [19]. To eliminate high-frequency noise and reveal the true trend of attack intensity, we apply a Kalman filter [20] for smoothing the time series. The core principle of the Kalman filter is to predict the system state using a dynamic model and refine predictions based on observed data.

First, we define the state vector as: ${\mathrm{x}}_k=\left[x_k,{\dot{x}}_k\right]$, where $x_k$ represents the number of alerts at time $k$, and ${\dot{x}}_k$ denotes its rate of change. Assuming that the rate of change remains constant over short periods, the state transition model can be formulated as shown below:

(4)$x_k=A_k{x}_{k-1}+w_{k-1},$

(5)$z_k=H_k{x}_k+v_k,$

At initialization, the initial state estimate is given by ${\hat{\mathrm{x}}}_0={\left[x_0,{\dot{x}}_0\right]}^T$, and the error covariance matrix is ${\mathrm{P}}_0=\left[\begin{array}{cc}{P}_{0,1}& 0\\ 0& P_{0,2}\end{array}\right]$, which provides sufficient flexibility for subsequent filtering adjustments. During the Kalman filter iterative process, the first step is the time update (prediction step):

(6)${\widehat{x}}_k^{-}=A_k{\widehat{x}}_{k-1},$

The prediction covariance matrix is

(7)$P_k^{-}=A_k{P}_{k-1}{A}_k^T+Q_k,$

Next, during the measurement update step, the Kalman gain ${\mathrm{K}}_k$ is computed as

(8)$K_k=P_k^{-}{H}_k^T{\left(H_k{P}_k^{-}{H}_k^T+R_k\right)}^{-1},$

Using this gain, we update the state estimate:

(9)${\widehat{x}}_k={\widehat{x}}_k^{-}+K_k\left(z_k-H_k{\widehat{x}}_k^{-}\right),$

And finally, we update the error covariance matrix:

(10)$P_k=\left(I-K_k{H}_k\right)P_k^{-},$

By applying the Kalman filter, the smoothed time series $\widehat{x}\left(\Gamma \right)$ effectively eliminates random fluctuations, providing a clearer representation of attack intensity trends over time. This offers a more reliable foundation for subsequent attack activity extraction and analysis. The specific effect of the Kalman filter is illustrated in Figure 3.

For the example time series $X\left(\Gamma \right)=\left(3,5,2\right)$, which might represent an initial burst of scanning, the Kalman filter would smooth these data if it were part of a longer, noisier sequence, aiming to produce a clearer trend of attack intensity akin to the ‘filtered data’ shown in Figure 3.

Our filter configuration aims to eliminate high-frequency noise and reveal true attack intensity trends rather than obscuring pronounced short-term attack bursts. The filter’s parameters are set to maintain responsiveness to substantial deviations from predicted trends, which characterize genuine attacks. Thus, a significant short-term burst, marked by a rapid and notable increase in alert frequency, will still typically form a discernible peak (local maximum) in the smoothed time series $\widehat{x}\left(\Gamma \right)$. This allows for its capture as an attack activity even if its absolute amplitude is somewhat reduced or its edges are smoothed. As Figure 3 visually demonstrates, major underlying trends and peaks are preserved while minor, erratic fluctuations are effectively reduced. This approach achieves a balance, ensuring that noise reduction does not lead to the oversight of brief but critical attack phases.

3.4. Attack Sequence Generation

In an ideal scenario, an attack sequence consists of a single continuous action that encompasses various scanning or exploitation behaviors performed by an attacker. However, from an observable data perspective, accurately reconstructing a complete attack sequence is nearly impossible due to limitations in IDS detection and potential evasion strategies employed by attackers. In Section 3.3.4, we applied a Kalman filter to smooth the data and obtain $\widehat{x}\left(\Gamma \right)$, which reflects the variations in attack intensity for different attack types. Changes in this trend often indicate that the attacker is transitioning from one attack type to another. Intuitively, when an attacker enters a specific attack phase, the intensity of related attack categories will gradually increase. When the intensity reaches its peak and begins to decline, it suggests that the attacker may have completed that phase and is preparing to move on to the next. Based on this logic, we first define an attack activity as follows.

In $\widehat{x}$, an attack activity is defined as a tuple: $AT=\left\{t{s}_i,x_i,\lambda ,dIP\right\}$, where $t{s}_i$ represents the timestamp of a local maximum in attack intensity, $x_i$ is the corresponding magnitude, $\lambda$ denotes the attack classification, and $dIP$ represents the target IP address.

A local maximum in attack activity indicates that the attacker has completed a specific stage of their attack and may be transitioning to the next stage. An attack sequence is a time-ordered series of attack activities, which is represented as shown below:

(11)$es={es}_1,{es}_2,\dots ,{es}_n,$

In scenarios where a vast number of low-severity alerts exist, high-severity alerts often are buried or overlooked. This presents a significant challenge in promptly responding to potential threats. To address this, we propose an attack activity subsequence-based analysis method, which traces the preceding events of critical high-severity alerts.

This method mimics the analytical workflow of security analysts, who typically begin their investigation from the most critical alerts and then trace back to their preceding events. Specifically, by referencing the severity level of attack categories, we define a high-severity subsequence as ${es}_{crit}={es}_i,\dots ,{es}_j$, where this subsequence captures all activities occurring between two high-severity attack events ${es}_i$ and ${es}_j$. We categorize alert severity into high, medium, and low levels, describing the potential threat level associated with each alert. Using this high-severity subsequence, we can effectively identify critical malicious attack behaviors and analyze whether an attacker exhibits consistent or unique behavioral patterns when executing an attack.

3.5. Suffix Tree Model Generation

To analyze attacker behavior paths and uncover commonalities and unique patterns in attack sequences, we propose a suffix tree-based probabilistic model. An attack sequence reflects a series of actions taken by an attacker against a specific target network. For example, an attacker may first perform network scanning, followed by privilege escalation, and finally exploit a vulnerability to complete data exfiltration.

By analyzing these sequences, security analysts can identify strategic preferences of specific attack groups. However, since IDS-generated alerts often contain a significant amount of noise and redundant information, directly extracting meaningful content from these sequences is highly challenging. The suffix tree model mitigates this issue by incrementally decomposing attack sequences and computing transition probabilities at each step, allowing for the structured modeling and analysis of complex attack behaviors.

Through suffix tree modeling, we can structure attack sequences and compute the probability distributions of different attack paths. This approach not only reveals similarities and distinctions in attack behaviors but also provides a quantitative basis for security analysis.

3.5.1. Definition and Construction of the Suffix Tree

First, we define the suffix of an attack sequence $es$ as $\mathrm{suff}\left(es\right)={es}_2,{es}_3,\dots ,{es}_n$, where $n$ is the length of the sequence. The set of all possible suffixes is represented as $suf{f}^{*}\left(es\right)=\left\{{es}_i,\dots ,{es}_n\mid 1\le i\le n\right\}$. A suffix tree $M\left(N,E\right)$ consists of a node set $N$ and an edge set $E$, where each node $n\in N$ represents a state, and each edge $e\left(n_x,n_y\right)\in E$ represents a transition from state $n_x$ to state $n_y$.

The set of child nodes of node $n$ is denoted as $C\left(n\right)$, and the count of observations for edge $e$ is represented as $\mathrm{count}\left(e\right)$.

Given an attack sequence $es$, we construct its suffix tree model $M$ using Algorithm 3. The specific construction steps are as follows.

Using this algorithm, we construct a suffix tree model $M_T$ for each attacker $T$ and a global model $M_{all}$ for all attackers. These models enable the comparative analysis of different attack sequences to identify unique and common patterns across attackers.

We use our example attack sequence $es=\left(Category1, Category7\right)$ and follow Algorithm 3 to produce the following:

Suffixes are $s_1=\left(\mathrm{Category}1,\mathrm{Category}7\right)$ and $s_2=\left(\mathrm{Category}7\right)$.

Processing $s_1$: Adds/updates the path $\mathrm{Root}\stackrel{\mathrm{Category}1}{\to }\mathrm{N}1\stackrel{\mathrm{Category}7}{\to }\mathrm{N}2$ in the tree, incrementing edge counts.

Processing $s_2$: Adds/updates the path $\mathrm{Root}\stackrel{\mathrm{Category}7}{\to }\mathrm{N}3$ (or increments counts if N3 is shared). This structure allows calculating probabilities like $P (Category7 | Category1)$ using Equation (12).

The input to Algorithm 3 are sequences of attack categories derived from our comprehensive preprocessing pipeline (Section 3.3 and Section 3.4). This pipeline condenses voluminous raw alerts into shorter, meaningful attack phase sequences. In our following dataset experiments, these resulting sequences proved to be of manageable length and structure, posing no issues for the correct functioning or complexity of the suffix tree model and allowing for effective behavior modeling.

The scalability of our suffix tree model in large-scale deployments is effectively addressed by several aspects of our methodology. Primarily, the comprehensive alert preprocessing pipeline (Section 3.3 and Section 3.4) significantly condenses voluminous raw alerts into much shorter sequences of attack categories. This ensures that the input length ($N$) for suffix tree construction is kept manageable, directly contributing to scalability. Furthermore, suffix tree construction is inherently efficient, typically exhibiting linear time complexity with respect to $N$ for a small alphabet of attack categories, such as the 16 categories used in our study. The method supports scalable analysis by enabling the construction of both individual attacker models ($M_T$) and a global model ($M_{all}$).

3.5.2. Probability Evaluation of Attack Sequences

To quantify the probability of an attack sequence $es$ appearing in a specific suffix tree model $M$, we define a probability evaluation function $P\left(es,M\right)$. This function traverses the suffix tree model, calculating the conditional probability of each symbol in the sequence, and ultimately derives the overall probability of the sequence. The computation process is as follows:

Initialization: Start from the root node $N_R$ and initialize the probability value $P_s=1$.

Reverse Traversal of the Sequence: Process each symbol $\lambda$ in the sequence $s$ in reverse order, starting from the last symbol.

Conditional Probability Calculation: If the current node $n$ has a child node corresponding to $\lambda$, compute the conditional probability $P\left(\lambda |n\right)$ and update the probability value $P_s$. The conditional probability is given by

(12)$P\left(\lambda |n\right)={\displaystyle \frac{count\left(n,\lambda \right)}{{{\displaystyle \sum }}_{i\in C\left(n\right)}count\left(e\left(n,i\right)\right)}},$

Node Transition: Move the current node to the child node $\lambda$ and continue processing the next symbol.

Termination Condition: If the current node does not have a child node $\lambda$, return a probability value of zero, indicating that the sequence does not exist in the model.

To avoid undefined behavior caused by zero denominators, we perform a check before computing the conditional probability. If the current node has no outgoing transitions, we directly assign a probability of zero to that step. This prevents division by zero and ensures numerical stability during probability evaluation.

Using this method, we compute the probability values $P_t$ and $P_{all}$ of sequence $s$ in the attacker-specific model $M_T$ and the global model $M_{all}$, respectively. By comparing the ratio $P_t/P_{all}$, we can determine the uniqueness of the sequence:

If $P_t/P_{all}=0$, the sequence is unique to attacker $T$.

If $P_t/P_{all}>0$, the sequence exhibits behavioral similarity with other attackers.

4. Experiment

4.1. Experimental Setup

To validate the core alert correlation and analysis methodology proposed in this paper, experiments were conducted using two open-source intrusion alert datasets [21]: CPTC-2017 and CPTC-2018. These datasets contain alerts generated by different student teams performing penetration testing in simulated network environments, which were recorded by the Suricata IDS. Crucially, these datasets provide rich, high-volume alert streams representative of the output expected from distributed DPU-based IDS deployments—exhibiting characteristics such as significant redundancy, noise, and sequences arising from multi-stage attacks.

CPTC-2017: Contains alerts from nine teams attacking an electronic voting infrastructure.

CPTC-2018: Contains alerts from six teams attacking an automotive company.

The datasets include essential alert attributes like timestamps, source IPs, destination IPs, attack signatures, and attack classifications (with severity levels), which are the primary inputs to our correlation and analysis pipeline (Section 3.3, Section 3.4, and Section 3.5). While not captured from a specific DPU hardware deployment, the nature and volume of these alerts effectively simulate the input data our method is designed to process within the proposed architecture where DPUs handle the initial distributed sensing and alert generation. Using these standardized, publicly available datasets allows for the reproducible evaluation and comparison of the analytical techniques themselves independent of specific DPU hardware configurations. The details of the dataset are shown in Table 2.

The security competition framework provides an isolated environment where teams can discover, exploit, and document system vulnerabilities within a simulated real-world network. Although these datasets may not perfectly represent real-world attack scenarios, the controlled environment allows for a fair comparison of different teams’ attack strategies on the same target. This setup also provides a theoretically sound foundation for computing the proposed evaluation metrics.

The experiment first splits and preprocesses the datasets, which is followed by independent analysis of each team’s intrusion alert data to extract and generate attack activity sequences. Each sequence consists of attack category identifiers, defined in a lookup table, where the final entries represent high-severity alerts. These sequences are then used to evaluate behavioral similarities and differences preceding high-severity events, supporting future security defense research. The classification and severity of the attacks are shown in Table 3.

4.2. Experimental Results

4.2.1. Aggregation Efficiency Analysis

Aggregation efficiency is a key metric in evaluating whether the proposed method can effectively extract critical information from large-scale alert data. Two key metrics are used:

Compression Rate (CR)—measures the ability to eliminate redundant alerts.

High-Severity Retention (HSR)—ensures the completeness of critical threat information after aggregation.

The formulas for these metrics are shown below:

(13)$CR=1-{\displaystyle \frac{Number of aggregated alerts}{Number of raw alerts}},$

(14)$CHSR={\displaystyle \frac{Number of aggregated high-severity alerts}{Number of raw high-severity alerts}},$

To validate the necessity of multi-similarity factor dynamic aggregation, we compare our method against below methods in Table 4.

Table 5 presents the aggregation results:

From the data in the above table, it can be observed that the method proposed in this paper achieves a CR of 87.2% in CPTC-2018, significantly outperforming time-window-only aggregation (52.0%), the IACF framework (71.0%), and the IP-Port method (56.8%). This demonstrates the method’s effectiveness in filtering out low-value repetitive alerts (such as persistent port scans). For example, an attacker triggering 1200 TCP/22 (SSH) scans within one minute is compressed into a single activity through multi-factor aggregation, preventing analysts from being overwhelmed by redundant information.

A comparison with state-of-the-art methods reveals that the IACF framework splits some high-severity alerts due to its strict reliance on port/type matching, while the IP-Port method suffers from insufficient aggregation due to its neglect of attack semantics. The proposed method significantly outperforms existing solutions on both metrics, particularly in retaining high-severity alerts (with a 4–15% improvement in HSR). This advantage stems from the joint modeling of attack semantics and temporal features through dynamic multi-factor aggregation, whereas existing methods rely solely on a single dimension (e.g., IP or time), leading to information loss.

The results prove that dynamic multi-factor aggregation can accurately eliminate redundant alerts while preserving critical threats, ensuring no loss of key nodes in the attack chain. Methods relying solely on time-window aggregation exhibit significantly lower CR and HSR due to the lack of semantic analysis, further validating the necessity of the multi-similarity-factor design.

Additionally, to find the most suitable aggregation parameters, the time threshold $t_0$ within the multi-similarity factor aggregation was adjusted to observe its impact on the Compression Rate (CR) and High-Severity Retention Rate (HSR). As shown in Figure 4, at $t_0=60 \mathrm{s}$, both CR and HSR maintain high levels, indicating that at this setting, it is possible to compress redundancy while still preserving key nodes in the attack chain. From the perspective of attack adaptability, this makes sense: in penetration testing, single-phase attacks (such as port scanning or vulnerability exploitation) typically last from several seconds to a few minutes. A 60 s window can cover multiple attempts within the same phase without merging across different stages.

4.2.2. Attack Activity Analysis

To validate the effectiveness of the proposed method in attack sequence modeling and the ability of the suffix tree model to quantify the similarity and uniqueness of attack strategies, we conducted experiments based on the CPTC-2017 dataset. The modeling results focused on key metrics such as the number of aggregated attack activities, high-severity sequences, similar sequences, unique sequences, longest similar sequence, and typical unique sequences. The results from five representative teams were selected for analysis.

The experimental results demonstrate that the proposed method significantly reduces low-severity redundant operations. For example, Team 4 had 7801 raw alerts, which were aggregated into 284 attack activities, achieving a compression rate of 96.4%. The method successfully merged redundant host and service discovery alerts while preserving high-severity operations, such as the exploitation of remote service vulnerabilities and data exfiltration. Team 9’s original sequence contained multiple redundant low-severity activities (e.g., service discovery). After aggregation, the attack sequence was optimized to [2 → 7 → 5 → 16] (Service Discovery → Application Vulnerability Exploitation → Privilege Escalation → Data Exfiltration), which focused on the core attack path, directly reflecting the attack logic.

For the quantification of Similar and Unique Sequences, regarding the quantification of similar and unique attack paths, the attack sequence [1 → 2(3) → 7 → 5] (Host Discovery → Service Discovery (Vulnerability Discovery) → Application Vulnerability Exploitation → Privilege Escalation) was observed across seven teams, confirming the standardization of automated attack toolchains, such as Nmap and Metasploit.

On the other hand, unique sequences reveal differentiation in team strategies: Team 4 had a high proportion of unique sequences (85%) with 241 unique sequences. A typical unique sequence [3 → 8 → 15 → 16] exhibits a highly planned and goal-oriented attack strategy. The attacker first identified vulnerabilities (3) to locate a target, exploited remote service vulnerabilities (8) to gain access, and eventually executed data exfiltration (15) and delivery (16). This approach differs from common automated toolchain attacks, indicating a more targeted and advanced attack behavior, which avoids low-value operations and focuses directly on high-severity events. Such an efficient and stealthy attack pattern suggests that Team 4 may represent a highly skilled, goal-driven attack group. Team 8’s sequence [8 → 5 → 10 → 15] highlights a long-term stealthy control strategy. The combination of evasion techniques (10) and data exfiltration (15) is a typical characteristic of an APT (Advanced Persistent Threat) attack. Importantly, our preprocessing pipeline successfully condensed raw alerts into manageable attack activity sequences with observed lengths ranging from a modest 76 to 318 activities per team. These sequence lengths demonstrate the practical effectiveness and manageability of our approach, confirming that the suffix tree could efficiently process these inputs to reveal meaningful attack patterns.

The results are presented in Table 6 and Figure 5.

Additionally, we compared two metrics, $l_t$ and $l_{all}$. Here, $l_a$ represents the probability value of a given attack sequence in the specific attacker model $T_A$, reflecting its occurrence frequency within attacker A. In contrast, $l_{all}$ represents the probability value of the same sequence in the global model $l_{all}$, indicating how frequently the sequence appears across all attackers.

The Similarity Index (SI) is defined as $l_a/l_{all}$ and is used to quantify the uniqueness of a sequence:

If $l_a/l_{all}=0$, the sequence is exclusive to attacker A and does not appear in any other attacker’s behavior.

If $l_a/l_{all}>0$, the sequence exhibits cross-attacker commonality, reflecting shared tactics or standardized toolchains.

From the CPTC-2017 dataset, five representative teams’ high-severity attack sequences were selected, and their SI values were computed. Figure 6 presents the results on a logarithmic scale. From the figure, the same conclusion can be drawn: the box plot of Team 4 is significantly higher than those of other teams, indicating that its attack sequences are highly unique, confirming the strong distinctiveness of its attack strategies. Conversely, the distributions of Team 1 and Team 7 are concentrated in the lower-to-middle range, suggesting that their attack strategies are highly similar to those of other teams with considerable overlap in their attack sequences. This indicates a possible reliance on standardized tools. From a defensive perspective, high-SI sequences can serve as attack fingerprints, aiding in targeted threat hunting for specific adversary groups. In contrast, low-SI sequences reflect general attack patterns, requiring the deployment of rule-based interception strategies.

Experimental results demonstrate that the proposed multi-factor aggregation method effectively distinguishes similar attack behaviors through fine-grained feature extraction, significantly compresses low-value operations, and retains critical information about high-severity events. The introduction of the Kalman filter further enhances the accuracy of attack phase transition detection, effectively reducing misclassification caused by noise interference.

The quantitative analysis based on the suffix tree model reveals that similar sequences predominantly originate from standardized operations within automated toolchains, allowing defenders to deploy rule-based interception strategies against such attack paths. Meanwhile, unique sequences highlight attackers’ technical preferences and strategy differentiation, providing crucial insights for advanced threat hunting. These findings not only validate the effectiveness of the proposed method but also offer more targeted strategic support for cybersecurity defense.

5. Conclusions

This paper presents an intrusion alert correlation method for power information communication networks, leveraging multi-similarity factor aggregation and a suffix tree model to address the challenges of redundancy and noise amplification inherent in DPU-accelerated IDSs. By dynamically clustering alerts through five similarity factors and adaptive thresholds, the proposed LFDIA-based preprocessing achieves significant alert compression (up to 87.2% reduction) while retaining critical high-severity events (89.7% retention). The integration of Kalman filtering enables effective noise suppression in attack intensity time series, revealing underlying attack trends and phase transitions. The suffix tree model further facilitates the structural analysis of attack sequences, quantifying behavioral similarities and unique patterns across attackers through probabilistic path evaluation. Experimental validation on CPTC datasets demonstrates the method’s capability to distill standardized attack toolchains while identifying advanced adversarial strategies, such as stealthy APT-like behaviors. This dual focus on redundancy elimination and strategic pattern extraction provides a robust framework for enhancing situational awareness in large-scale industrial networks, enabling security operators to prioritize high-impact threats and optimize defensive measures. The results highlight the necessity of co-designing hardware-accelerated detection with intelligent correlation mechanisms to fully exploit DPUs’ real-time processing advantages in cybersecurity operations.

Footnotes

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Figure 1 Overview.

Enlarge this image.

Figure 2 Alarm data collection based on distributed DPU.

Enlarge this image.

Figure 3 Kalman filter effect.

Enlarge this image.

Figure 4 Impact of time threshold on CR and HSR.

Enlarge this image.

Figure 5 Attack strategy analysis based on suffix tree modeling.

Enlarge this image.

Figure 6 SI value distribution.

Enlarge this image.