Genghong Lu,Dongqin Feng,Biao Huang

DOI: https://doi.org/10.1002/acs.3163

IF: 3.369

2020-01-01

International Journal of Adaptive Control and Signal Processing

Abstract:SummaryThe problem of robust attack detection and prediction for networked control systems in the presence of outliers is discussed in this article. The conventional hidden Markov model (HMM) is trained to learn the system behavior (ie, transitions between different operating modes) in the nominal process. The HMM with time‐varying transition probabilities is used to track the attack behavior in which the adversary triggers more hazard modes to hasten fatigue of control devices by injecting attack signals with random magnitude and frequency. For different operating modes, the observations are assumed to follow different multivariate Student's t distributions instead of Gaussian distributions and thus address the robust estimation problem. The expectation maximization algorithm is used to estimate parameters. Finally, simulations are conducted to verify the effectiveness of the proposed method.

Udaya Sampath K. Perera Miriya Thanthrige,Jagath Samarabandu,Xianbin Wang

DOI: https://doi.org/10.48550/arXiv.1610.07276

2016-10-24

Abstract:Intrusion detection is only a starting step in securing IT infrastructure. Prediction of intrusions is the next step to provide an active defense against incoming attacks. Current intrusion prediction methods focus mainly on prediction of either intrusion type or intrusion category and do not use or provide contextual information such as source and target IP address. In addition most of them are dependant on domain knowledge and specific scenario knowledge. The proposed algorithm employs a bag-of-words model together with a hidden Markov model which not depend on specific domain knowledge. Since this algorithm depends on a training process it is adaptable to different conditions. A key advantage of the proposed algorithm is the inclusion of contextual data such as source IP address, destination IP range, alert type and alert category in its prediction, which is crucial for an eventual response. Experiments conducted using a public data set generated over 2500 alert predictions and achieved accuracy of 81% and 77% for single step and five step predictions respectively for prediction of the next alert cluster. It also achieved an accuracy of prediction of 95% and 92% for single step and five step predictions respectively for prediction of the next alert category. The proposed methods achieved a prediction accuracy improvement of 5% for alert category over existing variable length Markov chain intrusion prediction methods, while providing more information for a possible defense.

Cryptography and Security

Zhi-Yong Liu,Hong Qiao

DOI: https://doi.org/10.1007/11734628_26

2006-01-01

Abstract:Network security is an important issue for Intelligence and Security Informatics (ISI) [1-3]. As a complementary measure for traditional network security tools such as firewalls, the intrusion detection system (IDS) is becoming increasingly important and widely-used [4]. Generally speaking, the IDS works by building a model based on the normal data patterns and treating the operations that deviated significantly from the model as malicious. In its early stage of development, the IDS takes certain statistics (e.g., mean and variance) of the audit data to discriminate between the normal usage and attacks. Such systems are easy to construct; however, they suffer from a poor generalization ability to detect unknown or new attacks. Recently other models such as the finite Markov mode [5] and support vector machines [6] have been introduced into IDS, providing finer-grained characterization of normal users' behavior. In this report we investigate the potential application of the Hidden Markov Model (HMM) for intrusion detection.

WEI WANG,XIAO-HONG GUAN,XIANG-LIANG ZHANG

DOI: https://doi.org/10.1109/ICMLC.2004.1378514

2004-01-01

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework and a hot topic in computer network security in recent years. In this paper, a new efficient intrusion detection method based on hidden Markov models (HMMs) is presented. HMMs are applied to model the normal program behaviors using traces of system calls issued by processes. The output probability of a sequence of system calls is calculated by the normal model built. If the probability of a sequence in a trace is below a certain threshold, the sequence is flagged as a mismatch. If the ratio between the mismatches and all the sequences in a trace exceeds another threshold, the trace is then considered as a possible intrusion. The method is implemented and tested on the sendmail system call data from the University of New Mexico. Experimental results show that the performance of the proposed method in intrusion detection is better than other methods.

Fei Gao,Jizhou Sun,Zunce Wei

DOI: https://doi.org/10.1109/CCECE.2003.1226038

2003-01-01

Abstract:Information security is an issue of serious global concern. The development of Internet increases the security risk of information systems greatly. This paper utilizes HMM (hidden Markov model) to realize the forecast ability of IDS (intrusion detection system). In this model, a command sequence or a control information sequence is regarded as a series of state transitions with a certain probability. The performance of several algorithms is compared such as F-BP (forward-back propagation) algorithm, Viterbi learning algorithm, EM (expectation maximization) algorithm, etc. In order to provide a soft boundary to the decision-making, fuzzy math is also introduced to this model. By this means, the intelligence of the IDS is improved and some decision-making abilities and reasoning abilities are offered to IDS. As well this paper reports the results about our project.

Ye Du,Huiqiang Wang,Yonggang Pang

DOI: https://doi.org/10.1109/wcica.2004.1342334

2004-01-01

Abstract:Intrusion detection has emerged as an important approach to security problems. The existing techniques are analyzed, and then an effective anomaly detection method based on HMMs (hidden Markov models) is proposed to learn patterns of Unix processes. Fixed-length sequences of system calls were extracted from traces of programs to train and test models. The RP (relative probability) value, which uses short sequences as inputs, is computed to classify normal and abnormal behaviors. The algorithm is simple and can be directly applied. Experiments on sendmail and lpr traces demonstrate that the method can construct accurate and concise discriminator to detect intrusive actions.

Kai Zhang,Fei Zhao,Shoushan Luo,Yang Xin,Hongliang Zhu

DOI: https://doi.org/10.1109/access.2019.2946261

IF: 3.9

2019-01-01

IEEE Access

Abstract:Since the rapid development of the internet, the emergence of network intrusion has become the focus of studies for scholars and security enterprises. As an important device for detecting and analyzing malicious behaviors in networks, IDS (Intrusion Detection Systems) is widely deployed in enterprises, organizations and plays a very important role in cyberspace security. The massive log data produced by IDS not only contains information about intrusion behaviors but also contains potential intrusion patterns. Through normalizing, correlating, and modeling data, we can obtain the patterns of different intrusion scenarios. Based on the previous works in the area of alert correlation and analyzing, this paper proposed a framework named IACF (Intrusion Action Based Correlation Framework), which improved the process of alert aggregating, action extraction, and scenario discovery, and applied a novel method for extracting intrusion sessions based on temporal metrics. The proposed framework utilized a new grouping method for raw alerts based on the concept of intrinsic strong correlations, rather than the conventional time windows and hyper alerts. For discovering high stable correlations between actions, redundant actions and action link modes are removed from sessions by a pruning algorithm to reduce the impact of false positives, finally, a correlation graph is constructed by fusing the pruned sessions, based on the correlation graph, a prediction method for the future attack is proposed. The experiment result shows that the framework is efficient in alert correlation and intrusion scenario construction.

Kai Zhang,Fei Zhao,Shoushan Luo,Yang Xin,Hongliang Zhu,Yuling Chen

DOI: https://doi.org/10.3390/app10072596

2020-01-01

Abstract:With the development of intrusion detection, a number of the intelligence algorithms (e.g., artificial neural networks) are introduced to enhance the performance of the intrusion detection systems. However, many intelligence algorithms should be trained before being used, and retrained regularly, which is not applicable for continuous online learning and analyzing. In this paper, a new online intrusion scenario discovery framework is proposed and the intelligence algorithm HTM (Hierarchical Temporal Memory) is employed to improve the performance of the online learning ability of the system. The proposed framework can discover and model intrusion scenarios, and the constructed model keeps evolving with the variance of the data. Additionally, a series of data preprocessing methods are introduced to enhance its adaptability to the noisy and twisted data. The experimental results show that the framework is effective in intrusion scenario discovery, and the discovered scenario is more concise and accurate than our previous work.

Soham Deshmukh,Rahul Rade,Faruk Kazi

DOI: https://doi.org/10.48550/arXiv.1905.11824

2021-06-07

Abstract:Cyber threat intelligence is one of the emerging areas of focus in information security. Much of the recent work has focused on rule-based methods and detection of network attacks using Intrusion Detection algorithms. In this paper we propose a framework for inspecting and modelling the behavioural aspect of an attacker to obtain better insight predictive power on his future actions. For modelling we propose a novel semi-supervised algorithm called Fusion Hidden Markov Model (FHMM) which is more robust to noise, requires comparatively less training time, and utilizes the benefits of ensemble learning to better model temporal relationships in data. This paper evaluates the performances of FHMM and compares it with both traditional algorithms like Markov Chain, Hidden Markov Model (HMM) and recently developed Deep Recurrent Neural Network (Deep RNN) architectures. We conduct the experiments on dataset consisting of real data attacks on a Cowrie honeypot system. FHMM provides accuracy comparable to deep RNN architectures at significant lower training time. Given these experimental results, we recommend using FHMM for modelling discrete temporal data for significantly faster training and better performance than existing methods.

Machine Learning,Cryptography and Security,Applications

Qiang Zhang,Dapeng Man,Wu Yang

DOI: https://doi.org/10.1109/kam.2009.315

2009-01-01

Abstract:Cyber security situation awareness is a new focus of information security. Its main functions include identifying the security status of cyberspace and understanding potential intrusion activities. To understand the potential intrusion activities, much work has focused on the prediction of concrete network attacks. However, we think the intents behind network attacks are more important and more meaningful. Consequently, we discuss the intent recognition problem in cyber security situation awareness here. In this paper, we first introduce some related work and conceptions. Then we present some background of hidden Markov models. Finally we demonstrate our intent recognition approach based on hidden Markov models, and a simulation example is simply analyzed in the end.

Haitian Liu,Rong Jiang,Bin Zhou,Xing Rong,Juan Li,Aiping Li

DOI: https://doi.org/10.1109/dsc55868.2022.00025

2022-01-01

Abstract:With the increasing severity of network threats, network security has become a global concern. Especially the Sequential network attacks (SNAs), are becoming increasingly prominent. Hidden Markov Model (HMM) is often used to model such problems. By revealing the early life cycle of SNAs, it helps to understand attacker strategies. Based on this, this paper proposes a new intrusion detection mechanism for SNA detection to meet the challenges of modeling and detecting multiple sequential network attack scenarios. We developed an architecture capable of identifying these organized attack processes. The system goes through three main stages. The first stage processes the alerts output by IDS and feeds them into different sub-alert sequences belonging to different attackers. The second stage uses the DTW&1NN algorithm to classify sub-alert sequences belonging to the same SNA scenario. The third stage of the proposed system is attack decoding, which utilizes a Hidden Markov Model (HMM) to determine the most likely sequence of SNA phases for a given sequence of relevant alerts. Finally, simulation experiments are carried out based on the public dataset of CSE-CIC-IDS2018 to verify the effectiveness of the proposed architecture.

Qb Yin,Lr Shen,Rb Zhang,Xy Li,Hq Wang

DOI: https://doi.org/10.1109/ICMLC.2003.1260114

2003-01-01

Abstract:The intrusion detection technologies of the network security are researched, and the technologies of pattern recognition are used to intrusion detection. Intrusion detection rely on a wide variety of observable data to distinguish between legitimate and illegitimate activities. Hidden Markov Model (HMM) has been successfully used in speech recognition and some classification areas. Since Anomaly Intrusion Detection can be treated as a classification problem, some basic ideas have been proposed on using HMM to model normal behavior. The experiments have showed that the method based on HMM is effective to detect anomalistic behaviors.

Fei Wang,Hongliang Zhu,Bin Tian,Yang Xin,Xinxin Niu,Yu Yang

DOI: https://doi.org/10.1109/icbnmt.2011.6155940

2011-01-01

Abstract:Intrusion-detection systems (IDSs) are essential tools for the security of computer systems. Anomaly detection, which uses knowledge about normal behaviors and attempts to detect intrusions by noting significant deviations, has been paid more and more attention. In this paper, we introduce a HMM-based method for anomaly detection. The proposed method is composed of two important stages: off-line training stage and on-line testing stage. In the off-line training stage, we train the normal behaviors by hidden Markov models (HMMs). In the on-line testing stage, we make the final decision based on the minimum risk Bayesian decision theory. We deploy the method on an IDS system to evaluate its performance, and the experimental results demonstrate that our method can achieve satisfying results.

Hongliang Zhu,Yang Xin,Fei Wang

DOI: https://doi.org/10.1109/ICBNMT.2011.6156020

2011-01-01

Abstract:Intrusion-detection systems (IDSs) are essential tools for the security of computer systems. Anomaly detection, which uses knowledge about normal behaviors and attempts to detect intrusions by noting significant deviations, has been paid more and more attention. In this paper, we introduce a novel framework for anomaly detection. In the proposed method, two widely used statistical learning method, Hidden Markov Model and Support Vector. Machine, are introduced to detect the abnormal events. Then, we fuse the detection results by some special rules. We deploy the method on an IDS system to evaluate its performance, and the experimental results demonstrate that. our method can achieve satisfying results.

Jiazhong Lu,Jin Lan,Yuanyuan Huang,Maojia Song,Xiaolei Liu,Liu, Xiaolei

DOI: https://doi.org/10.1007/s10723-023-09703-9

2023-10-29

Journal of Grid Computing

Abstract:Considering the robustness and accuracy of conventional intrusion detection models are easily influenced by adversarial attacks, this work proposes an anti-attack intrusion detection model based on a message-passing neural network with traffic spatiotemporal features. Our model can not only effectively distinguish and correlate upstream and downstream traffics, but also clearly embody the relationship between different traffics from the same source node and destination node by the established graph structure. We also improve the model by utilising the characteristics of the existing network attacks, which indicates that the traffic spatiotemporal characteristics could achieve high accuracy on attack traffic detection. Compared to the previous model, extensive experiments show that our proposed model outperforms other similar models in performance. For the multi-classification tasks, our model can effectively detect most of the network attacks and outperform traditional machine learning methods. In terms of model robustness, our model is less affected by adversarial attacks than traditional machine learning models.

computer science, information systems, theory & methods

LIU Ya-Ming,XU Feng,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137X.2005.09.014

2005-01-01

Computer Science

Abstract:Current intrusion detection systems only offer security administrators a great lot of independent, low-level a- lert, though there may be logical connections between them. It is a heavy burden for security administrators to analyze so many alerts, and a series of important alerts which are related to each other are often inundated with a large number of unimportant ones. Hence it is necessary to find a appropriate method to construct high-level attack scenarios from low-level attack alerts. This paper presents a model of alert correlation based on attack intention. The proposed ap- proach constructs attack scenarios using attack intentions, i.e. purposes of attack actions corresponding to alerts. When alerts appear, the model turns them into corresponding attack intentions and correlate those attack intentions ac- cording to attack scenarios which have been established before.

Xu Zhang,Ting Wu,Qiuhua Zheng,Liang Zhai,Haizhong Hu,Weihao Yin,Yingpei Zeng,Chuanhui Cheng

DOI: https://doi.org/10.3390/s22082874

IF: 3.9

2022-04-08

Sensors

Abstract:Currently, hidden Markov-based multi-step attack detection models are mainly trained using the unsupervised Baum–Welch algorithm. The Baum–Welch algorithm is sensitive to the initial values of model parameters. However, its training uses random or average parameter initialization methods, which frequently results in the model training into a local optimum, thus, making the model unable to fit the alert logs well and thereby reducing the detection effectiveness of the model. To solve this issue, we propose a pre-training method for multi-step attack detection models based on the high semantic similarity of alerts in the same attack phase. The method first clusters the alerts based on their semantic information and pre-classifies the attack phase to which each alert belongs. Then, the distance of the alert vector to each attack stage is converted into the probability of generating alerts in each attack stage, replacing the initial value of Baum–Welch. The effectiveness of the proposed method is evaluated using the DARPA 2000 dataset, DEFCON21 CTF dataset, and ISCXIDS 2012 dataset. The experimental results show that the hidden Markov multi-step attack detection method based on pre-training of the proposed model parameters had higher detection accuracy than the Baum–Welch-based, K-means-based, and transfer learning differential evolution-based hidden Markov multi-step attack detection methods.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

LI Hui,ZHENG Qing-hua,HAN Chong-zhao,GUAN Xiao-hong

DOI: https://doi.org/10.3321/j.issn:1000-436x.2005.04.013

2005-01-01

Abstract:A fuzzy multiple hypothesis intrusion scenarios building algorithm was proposed based on multiple hypothesis tracking(MHT)theory which originated from information fusion. The algorithm could automatically analyze and organize alarms produced by intrusion detection systems to form credible attack segments and finally generate intrusion scenarios. The whole process can be divided into three steps, which were hypothesis generation, fuzzy hypothesis assessment and hypothesis management. Experiments on the DARPA2000 IDS test dataset show that the algorithm is effective and efficient.

Qingtao Wu,Ruijuan Zheng,Guanfeng Li,Juwei Zhang

DOI: https://doi.org/10.1016/j.proeng.2011.08.643

2011-01-01

Abstract:It is difficult to detect the intention of an intruder, identify semantics of attacks and predict further attacks effectively using intrusion detection methods in the construction of high-level attack scene and disposal of sophisticated attack. An intrusion intention identification method based on dynamic Bayesian network is proposed for indeterminate problems that occur during sophisticated network attacks. This method applies dynamic Bayesian directed acyclic graphs to give real-time formulation of incidence among attack behaviors, intentions and attacks. It also applies probabilistic reasoning method to predict further attacks by an intruder. The result reflects varying histories of the intention of an intruder and demonstrates the effectiveness of the method.

Zijun Cheng,Degang Sun,Leiqi Wang,Qiujian Lv,Yan Wang

DOI: https://doi.org/10.1109/ISCC55528.2022.9912978

2022-01-01

Abstract:A multi-step attack scenario consisting of more than one attack step is difficult to predict because of various attack steps and complex combinations. The multi-step attack scenarios occurring simultaneously construct a mixed attack scenario, which is more common than a single attack scenario in practical systems. However, most of the existing multi-step attack prediction approaches only focus on a single attack scenario. In this paper, a framework MMSP is proposed for multi-step attack prediction in mixed scenarios. MMSP fractionates alerts by separating them into different scenarios and removing redundant samples. The attack scenarios fingerprint database of MMSP is built by modeling the attack steps regarding different scenarios based on the long short-term memory (LSTM) model. Each scenario corresponds to an LSTM model. A scenario matching method is also proposed to find potential attack scenarios hiding in the real-time alerts from the database. Finally, MMSP feeds fractionated alerts into the matched scenarios' LSTM models to predict attack steps. Extensive evaluations based on real-world datasets show that MMSP outperforms the state-of-the-art attack step prediction model in both single and mixed scenarios. MMSP achieves a 14.3%-38.1% improvement in accuracy for attack step prediction in the single scenario. In particular, MMSP can maintain a high level accuracy in mixed attack scenarios.