Real Time Intrusion Prediction based on Optimized Alerts with Hidden Markov Model

doi:10.4304/jnw.7.2.311-321

Journal of Networks, Vol 7, No 2 (2012), 311-321, Feb 2012

doi:10.4304/jnw.7.2.311-321

Real Time Intrusion Prediction based on Optimized Alerts with Hidden Markov Model

Alireza Shameli Sendi, Michel Dagenais, Masoume Jabbarifar, Mario Couture

Abstract

Cyber attacks and malicious activities are rapidlybecoming a major threat to proper secure organization.Many security tools may be installed in distributed systemsand monitor all events in a network. Security managers oftenhave to process huge numbers of alerts per day, produced bysuch tools. Intrusion prediction is an important technique tohelp response systems reacting properly before the networkis compromised. In this paper, we propose a frameworkto predict multi-step attacks before they pose a serioussecurity risk. Hidden Markov Model (HMM) is used toextract the interactions between attackers and networks.Since alerts correlation plays a critical role in prediction,a modulated alert severity through correlation concept isused instead of just individual alerts and their severity.Modulated severity generates prediction alarms for the mostinteresting steps of multi-step attacks and improves theaccuracy. Our experiments on the Lincoln Laboratory 2000data set show that our algorithm perfectly predicts multi-step attacks before they can compromise the network.

Keywords

Intrusion; Prediction; Response System; Correlation; Hidden Markov Model

References

F. Xiao, S. Jin, and X. Li, ”A Novel Data Mining-Based
Method for Alert Reduction and Analysis,” Journal of
Network, vol. 5, 2010, pp. 88-97.
[2] D. Yu, and D. A. Frincke, ”Improving the quality of alerts
and predicting intruder’s next goal with Hidden Colored
Petri-Net,” Computer Networks, vol. 51, 2007, pp. 632-654.
[3] K. Scarfone, and P. Mell, ”Guide to Intrusion Detection
and Prevention Systems,” Technical Report NIST SP 800-
94, National Institute of Standards and Technology, 2007.
[4] N. Stakhanova, S. Basu, and J. Wong, ”Taxonomy of
Intrusion Response Systems,” Journal of Information and
Computer Security, vol. 1, 2007, pp. 169-184.
[5] D. B. Payne, and H. G. Gunhold, ”Policy-based security
configuration management application to intrusion detection
and prevention,” 2009 IEEE International Conference on
Communications, Dresden, Germany, 2009.
[6] A. Curtis, and J. Carver, ”Adaptive agent-based intrusion
response,” Ph.D thesis, Texas A&M University, USA, 2001.
[7] W. Lee, W. Fan, and M. Miller, ”Toward cost-sensitive
modeling for intrusion detection and response,” Journal of
Computer Security, vol. 10, 2002, pp. 5-22.
[8] D. B. Payne, and H. G. Gunhold, ”Evaluating the Impact
of Automated Intrusion Response Mechanisms,” Proceed-
ings of the 18th Annual Computer Security Applications
Conference, Los Alamitos, USA, 2002.
[9] C. P. Mu, and Y. Li, ”An intrusion response decision-making
model based on hierarchical task network planning,” Expert
systems with applications, vol. 37, 2010, pp. 2465-2472.
[10] RealSecure Signatures Reference Guide. Internet Security
Systems, http://documents.iss.net/
literature/RealSecure/RS Signatures 6.0.pdf.
[11] K. Haslum, A. Abraham, and S. Knapskog, ”Dips: A
framework for distributed intrusion prediction and preven-
tion using hidden markov models and online fuzzy risk
assessment,” In Third International Symposium on Infor-
mation Assurance and Security, 2007, pp. 183-188.
[12] K. Haslum, M. E. G. Moe, and S. J. Knapskog, ”Real-
time intrusion prevention and security analysis of networks
using HMMs,” 33rd IEEE Conference on Local Computer
Networks, Montreal, Canada, 2008.
[13] B. Zhu, and A. A. Ghorbani, ”Alert correlation for ex-
tracting attack strategies,” International Journal of Network
Security, vol. 3, 2006, pp. 244-258.
[14] C. Kruegel, F. Valeur, and G. Vigna, ”Alert Correlation,”
in Intrusion Detection and Correlation, first edition, vol. 14,
Ed. New York: Springer, 2005, pp. 29-35.
[15] L. Feng, W. Wang, L. Zhu, and Y. Zhang, ”Predicting in-
trusion goal using dynamic Bayesian network with transfer
probability estimation,” Journal of Networks and Computer Applications, vol. 32, n. 3, 2009, pp. 721-732.
[16] MIT Lincoln Laboratory, 2000 darpa intrusion detection
scenario specific data sets, 2000.
[17] North Carolina State University Cyber Defense Lab-
oratory, Tiaa: A toolkit for intrusion alert analysis,
http://discovery.csc.ncsu.edu/software/
correlator/ver0.4/index.html.
[18] S. Tanachaiwiwat, K. Hwang, and Y. Chen, ”Adaptive In-
trusion Response to Minimize Risk over Multiple Network
Attacks,” ACM Trans on Information and System Security,
2002.
[19] J. Han, and M. Kamber, ”Data Mining: Concepts and
Techniques,” 2nd ed., San Francisco: Elsevier, 2006.
[20] M. Gaber, A. Zaslavsky, and S. Krishnaswamy, ”Mining
Data Streams: A Review,” ACM SIGMOD Record, vol. 34,
2005.
[21] J. Han, H. Cheng, D. Xin, and X. Yan, ”Frequent pattern
mining: Current status and future directions,” Data Mining
and Knowledge Discovery, 2007.
[22] W. Li, and Z. Guo, ”Hidden Markov Model Based Real
Time Network Security Quantification Method,” nswctc,
International Conference on Networks Security, Wireless
Communications and Trusted Computing, pp. 94-100, 2009.
[23] C. Aggarwal, J. Han, J. Wang, and P. Yu, ”A Frame-
work for Projected Clustering of High Dimensional Data
Streams,” Proceedings of the 30th VLDB Conference,
Toronto, Canada, 2004.
[24] N. B. Anuar, M. Papadaki, S. Furnell, and N. Clarke, ”An
investigation and survey of response options for intrusion
response systems,” Information Security for South Africa,
pp. 1-8, 2010.
[25] L. R. Rabiner, ”A tutorial on hidden markov models and
selected applications in speech recognition,” Readings in
speech recognition, pp. 267-296, 1990.

Full Text: PDF

Journal of Networks (JNW, ISSN 1796-2056)

Username
Password
Remember me