“…Such enrichment solutions are possible due to their confinement to a single domain where attributes are mainly homogeneous. For instance, while the approach in [25] aims at enriching local alerts raised by IDS with global threat information available in honeypot databases, all information belongs to the cyber domain and is represented using similar attributes (IP addresses, detection time, classification of attacks). In contrast, information carried by physical domain alerts is represented in terms of widely different attributes (actuator/sensor events and states) in comparison to information within cyber domain alerts.…”