Real-Time Multistep Attack Prediction Based on Hidden Markov Models

Full description

Saved in:
Bibliographic details
Published in: IEEE transactions on dependable and secure computing 2020-01, Vol.17 (1), p.134-147
Main authors: Holgado, Pilar, Villagra, Victor A., Vazquez, Luis
Format: Article
Language: eng
container_end_page 147
container_issue 1
container_start_page 134
container_title IEEE transactions on dependable and secure computing
container_volume 17
creator Holgado, Pilar
Villagra, Victor A.
Vazquez, Luis
description A novel method based on the Hidden Markov Model is proposed to predict multistep attacks using IDS alerts. We consider the hidden states as similar phases of a particular type of attack. As a result, it can be easily adapted to multistep attacks and foresee the next steps of an attacker. To achieve this goal, a preliminary off-line training phase based on observations will be required. These observations are obtained by matching the IDS alert information with a database previously built for this purpose using a clusterization method from the CVE global database to avoid overfitting. The training model is performed using both unsupervised and supervised algorithms. Once the training is completed and probability matrices are computed, the prediction module computes the best state sequence based on the state probability for each step of the multistep attack in progress using the Viterbi and forward-backward algorithms. The training model includes the mean number of alerts and the number of alerts in progress to assist in obtaining the final attack probability. The model is analyzed for DDoS phases because it is a great problem in all Internet services. The proposed method is validated in a virtual DDoS scenario using current vulnerabilities. The results prove the system's ability to perform real-time prediction.
doi_str_mv 10.1109/TDSC.2017.2751478
format Article
fulltext fulltext_linktorsrc
identifier ISSN: 1545-5971
ispartof IEEE transactions on dependable and secure computing, 2020-01, Vol.17 (1), p.134-147
issn 1545-5971
1941-0018
language eng
recordid cdi_ieee_primary_8031986
source IEEE Electronic Library (IEL)
subjects Algorithms
Computer crime
distributed denial of service
hidden Markov model
Hidden Markov models
machine learning
Markov chains
Mathematical model
Multistep attack prediction
Prediction algorithms
Predictive models
proactive response
Proposals
Real time
Training
title Real-Time Multistep Attack Prediction Based on Hidden Markov Models
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-20T13%3A13%3A27IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_RIE&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Real-Time%20Multistep%20Attack%20Prediction%20Based%20on%20Hidden%20Markov%20Models&rft.jtitle=IEEE%20transactions%20on%20dependable%20and%20secure%20computing&rft.au=Holgado,%20Pilar&rft.date=2020-01&rft.volume=17&rft.issue=1&rft.spage=134&rft.epage=147&rft.pages=134-147&rft.issn=1545-5971&rft.eissn=1941-0018&rft.coden=ITDSCM&rft_id=info:doi/10.1109/TDSC.2017.2751478&rft_dat=%3Cproquest_RIE%3E2339385210%3C/proquest_RIE%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2339385210&rft_id=info:pmid/&rft_ieee_id=8031986&rfr_iscdi=true