Applications of hidden Markov models to detecting multi-stage network attacks

Ourston, Dirk; Matzner, Sara; Stump, W.D.; Hopkins, Bryan

doi:10.1109/hicss.2003.1174909

Cited by 103 publications

(67 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The main disadvantage of previous attempts to attack prediction discussed in related work (e.g., [6,12,15]) was their reliance on an attack library, i.e., a database of possible attacks described in details in machine-readable format. Such library is very hard to create and maintain manually as the threat landscape is continuously evolving in a rapid pace, the detection capabilities in the network might be insufficient to capture all the security events, and even the set of expected attacks may not overlap with the set of actual ongoing attacks.…”

Section: Mining the Attack Prediction Rulesmentioning

confidence: 99%

“…Early approaches used predefined models of attack scenarios. Such models could be attack graphs [12][13][14], Bayesian networks [6], or Markov models [15,16], to cite the most relevant contributions. If a series of detected events corresponds to a part of an attack scenario in the model, the remaining parts of the scenario can be predicted.…”

Section: Related Workmentioning

confidence: 99%

“…Such library is very hard to create and maintain manually as the threat landscape is continuously evolving in a rapid pace, the detection capabilities in the network might be insufficient to capture all the security events, and even the set of expected attacks may not overlap with the set of actual ongoing attacks. However, data mining has been shown to be a suitable method of getting an insight into what is actually happening in the network and to (semi)automatically build the prediction models [13][14][15][16][17].…”

Section: Mining the Attack Prediction Rulesmentioning

confidence: 99%

See 2 more Smart Citations

Towards Predicting Cyber Attacks Using Information Exchange and Data Mining

Husák

Kašpar

2018

2018 14th International Wireless Communications &Amp; Mobile Computing Conference (IWCMC)

View full text Add to dashboard Cite

Abstract-In this paper, we present an empirical evaluation of an approach to predict attacker's activities based on information exchange and data mining. We gathered the cyber security alerts shared within the SABU platform, in which around 220,000 alerts from heterogeneous geographically distributed sensors (intrusion detection systems and honeypots) are shared every day. Subsequently, we used the methods of sequential rule mining to identify common attack patterns and to derive rules for predicting attacks. As we illustrate in this paper, a collaborative environment allows attack prediction in multiple dimensions. First, we can predict what will the attacker do next and when. Second, we can predict where will the attack hit, e.g., when an attacker is targeting several networks at once. In a weeklong experiment, we processed in total over 1 million alerts, from which we mined predictive rules every day. Our findings show that most of the rules display stable values of support and confidence and, thus, can be used to predict cyber attacks in consecutive days after mining without a need to actualize the rules every day.

show abstract

Section: Mining the Attack Prediction Rulesmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Mining the Attack Prediction Rulesmentioning

confidence: 99%

See 1 more Smart Citation

Towards Predicting Cyber Attacks Using Information Exchange and Data Mining

Husák

Kašpar

2018

2018 14th International Wireless Communications &Amp; Mobile Computing Conference (IWCMC)

View full text Add to dashboard Cite

show abstract

“…[37] compared the performance of a selection of neural network architectures for statistical anomaly detection to datasets from four different scenarios. The use of hidden Markov models to detect complex multistage Internet attacks that occur over extended periods of time is described by [38]. An event classification scheme based on Bayesian networks is proposed by [39].…”

Section: Related Workmentioning

confidence: 99%

Applying long short-term memory recurrent neural networks to intrusion detection

Staudemeyer¹

2015

SACJ

179

View full text Add to dashboard Cite

We claim that modelling network traffic as a time series with a supervised learning approach, using known genuine and malicious behaviour, improves intrusion detection. To substantiate this, we trained long short-term memory (LSTM) recurrent neural networks with the training data provided by the DARPA / KDD Cup ’99 challenge. To identify suitable LSTM-RNN network parameters and structure we experimented with various network topologies. We found networks with four memory blocks containing two cells each offer a good compromise between computational cost and detection performance. We applied forget gates and shortcut connections respectively. A learning rate of 0.1 and up to 1,000 epochs showed good results. We tested the performance on all features and on extracted minimal feature sets respectively. We evaluated different feature sets for the detection of all attacks within one network and also to train networks specialised on individual attack classes. Our results show that the LSTM classifier provides superior performance in comparison to results previously published results of strong static classifiers. With 93.82% accuracy and 22.13 cost, LSTM outperforms the winning entries of the KDD Cup ’99 challenge by far. This is due to the fact that LSTM learns to look back in time and correlate consecutive connection records. For the first time ever, we have demonstrated the usefulness of LSTM networks to intrusion detection.

show abstract

“…Ourston et al [8] have used a HMM based model to detect complex network attacks that happens in various stages. They use HMM to model alert sequences that were raised between every source/destination IP pair.…”

Section: Related Workmentioning

confidence: 99%

Adaptive network intrusion detection system using a hybrid approach

Karthick

Hattiwale

Ravindran

2012

2012 Fourth International Conference on Communication Systems and Networks (COMSNETS 2012)

View full text Add to dashboard Cite

Abstract-Any activity aimed at disrupting a service or making a resource unavailable or gaining unauthorized access can be termed as an intrusion. Examples include buffer overflow attacks, flooding attacks, system break-ins, etc. Intrusion detection systems (IDSs) play a key role in detecting such malicious activities and enable administrators in securing network systems. Two key criteria should be met by an IDS for it to be effective: (i) ability to detect unknown attack types, (ii) having very less miss classification rate.In this paper we describe an adaptive network intrusion detection system, that uses a two stage architecture. In the first stage a probabilistic classifier is used to detect potential anomalies in the traffic. In the second stage a HMM based traffic model is used to narrow down the potential attack IP addresses. Various design choices that were made to make this system practical and difficulties faced in integrating with existing models are also described. We show that this system achieves good performance empirically.

show abstract

Applications of hidden Markov models to detecting multi-stage network attacks

Cited by 103 publications

References 12 publications

Towards Predicting Cyber Attacks Using Information Exchange and Data Mining

Towards Predicting Cyber Attacks Using Information Exchange and Data Mining

Applying long short-term memory recurrent neural networks to intrusion detection

Adaptive network intrusion detection system using a hybrid approach

Contact Info

Product

Resources

About