Nurbol,XIE Nan-nan,LIU Zhi-yu,HU Liang,CHAI Sheng

DOI: https://doi.org/10.3969/j.issn.0372-2112.2013.06.010

2013-01-01

Abstract:In network intrusion detection ,the modes of attack are more and more complex and diversified .Network multi-stage attack has been the main form of current attack .Intelligent planning was used in artificial intelligence ,makes the fields knowl-edge as planning domain ,and the issues to be solved as planning problems .In this paper ,intelligent planning was used in recognition of multi-stage attack ,and based on this ,a multi-stage planning problem recognize model was proposed ,in order to provide an useful exploration of network attack data formal description .The model is described in PDDL ,and evaluation shows the proposed model have well availability .

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

王月海,洪炳镕

DOI: https://doi.org/10.3321/j.issn:0367-6234.2004.07.005

2004-01-01

Abstract:The existing plan recognition models are efficient only in collaborative field, so a plan recognition approach based on Bayesian belief network model is proposed to suit the adversarial multi-agent environment. Several typical rules of robotic soccer were studied and experiments were done by using the robot soccer simulation game. The simulation results show that the collaborations of the whole team and the ratio of winning game were both improved remarkably.

Jian-Wei ZHUGE,Xin-Hui HAN,Zhi-Yuan YE,Wei ZOU

DOI: https://doi.org/10.3321/j.issn:0254-4164.2006.08.013

2006-01-01

Jisuanji Xuebao/Chinese Journal of Computers

Abstract:Based on the classical plan recognition methods in the domain of artificial intelligence, and considering the characteristics of attack plan recognition problem in the domain of network security operation, this paper extends the goal graph model, introducing the observation node to distinguish the planner’s actions and the recognizer’s observations against the actions, replacing the unitary action nodes using the hierarchy composed with detail actions and abstract actions, maintaining the precondition and effect conditions between the actions and security states in the abstract action level according to the abstract attack patterns, therefore, proposes the Extended Goal Graph(EGG) model. Furthermore, this paper proposes an attack plan recognition algorithm based on the Extended Goal Graph, the algorithm can recognize the hidden attack intention and plan from the large volume of low level intrusion detection system alerts correctly and effectively. Through the experiments using DARPA 2000 intrusion scenario correlation benchmark dataset and in-the-wild botnet scenarios data captured in the honeynet, the results show the completeness and soundness of the algorithm, as well as its advantage beyond the alert correlation systems such as TIAA [5] .

Safaa O. Al-Mamory,Zhai Jianhong,Zhang Hongli

2008-01-01

Abstract:Building attack scenario is one of the most important aspects in network security. This paper proposed a system which collects intrusion alerts, clusters them as sub-attacks using alerts abstraction, aggregates the similar sub-attacks, and then correlates and generates correlation graphs. The scenarios were represented by alert classes instead of alerts themselves so as to reduce the required rules and have the ability of detecting new variations of attacks. The proposed system is capable of passing some of the missed attacks. To evaluate system effectiveness, it was tested with different datasets which contain multi-step attacks. Compressed and easily understandable correlation graphs which reflect attack scenarios were generated. The proposed system can correlate related alerts, uncover the attack strategies, and detect new variations of attacks.

Mengfan Xu,Xinghua Li,Jian-feng Ma,Cheng Zhong,Weidong Yang

DOI: https://doi.org/10.1109/icc.2019.8761487

2019-01-01

Abstract:Multi-stage attack is a new trend of cyber attack. It is difficult for existing schemes to identify multiple stages in an attack period and associate independent stages. To address these issues, we design a long and short-term memory network (LSTM) based on multi-feature layer. First, we introduce stage features layer, the historical data is stored and calculated to identify the different stages of variable durations in multi-stage attacks. Then, the time-series features layer is used to associate the independent attack stages to analyze whether the current data falls in an attack period. Extensive experiments indicate that our proposed scheme has a lower false positive rate than existing schemes by at least 65.83%, and the false negative rate is reduced by at least 65.26%.

Zhijie Liu,Chongjun Wang,Shifu Chen

DOI: https://doi.org/10.1109/ISA.2008.11

2008-01-01

Abstract:Most cyber-attacks are not single attack actions. They are multi-step attacks composed by a set of attack actions. Although techniques used by attackers can be diverse, attack patterns are generally finite. So we need to find attack steps that are correlated in an attack scenario. By studying the patterns of multi-step cyber attacks, an algorithm is presented for correlating multi-step cyber attacks and constructing attack scenario system based on modeling multi-step cyber attacks. When alerts appear, the algorithm turns them into corresponding attack models based on the knowledge base and correlates them, whether alert or not is based on the weighted cost in the attack path graph and the attack degree of the corresponding host. And attack scenarios can be constructed by correlating the attack path graphs. Moreover, the model can detect intrusion alerts in real time and revise the attack scenarios. Experiments on the DARPA IDS test dataset show the validity of the algorithm.

LI Hui,ZHENG Qing-hua,HAN Chong-zhao,GUAN Xiao-hong

DOI: https://doi.org/10.3321/j.issn:1000-436x.2005.04.013

2005-01-01

Abstract:A fuzzy multiple hypothesis intrusion scenarios building algorithm was proposed based on multiple hypothesis tracking(MHT)theory which originated from information fusion. The algorithm could automatically analyze and organize alarms produced by intrusion detection systems to form credible attack segments and finally generate intrusion scenarios. The whole process can be divided into three steps, which were hypothesis generation, fuzzy hypothesis assessment and hypothesis management. Experiments on the DARPA2000 IDS test dataset show that the algorithm is effective and efficient.

HUANG He,JIANG Xing-hao,CHEN Xiu-zhen,LI Jian-hua

DOI: https://doi.org/10.3969/j.issn.1008-0570.2008.27.012

2008-01-01

Abstract:This paper presents an attack plan recognition system which is based on multi-alert fusion. Based on the vindicability of system status and causality between System alert and IDS alert, this system calculate the confidence of each alert by using Bayesian networks, and then reason about attack plans with the high-reliable evidence we got.

李之棠,王莉,李东

2008-01-01

Abstract:Large volume of security data makes it important to develop an advanced alert correlation system that can reduce alert redundancy,intelligently correlate security alerts and detect attack strategies.The existing methods of attack strategy recognition all have limited capabilities in detecting new and complete attack scenarios.The paper proposes a new method of recognizing attack plans by applying a new attack sequential pattern analysis technique to construct attack sequential pattern models from intrusion alert data offline.Then online alert sequential pattern matching and correlativity calculation are performed to recognize real attack strategies of the attacker.Experiments show that the method can effectively recognize attack plans online and can accordingly predict next most possible attack behavior.

Wei Ma,Yunyun Hou,Mingyu Jin,Pengpeng Jian

DOI: https://doi.org/10.1371/journal.pone.0300821

IF: 3.7

2024-03-26

PLoS ONE

Abstract:Multi-stage attacks are one of the most critical security threats in the current cyberspace. To accurately identify multi-stage attacks, this paper proposes an anomaly-based multi-stage attack detection method. It constructs a Multi-Stage Profile (MSP) by modeling the stable system's normal state to detect attack behaviors. Initially, the method employs Doc2Vec to vectorize alert messages generated by the intrusion detection systems (IDS), extracting profound inter-message correlations. Subsequently, Hidden Markov Models (HMM) are employed to model the normal system state, constructing an MSP, with relevant HMM parameters dynamically acquired via clustering algorithms. Finally, the detection of attacks is achieved by determining the anomaly threshold through the generation probability (GP). To evaluate the performance of the proposed method, experiments were conducted using three public datasets and compared with three advanced multi-stage attack detection methods. The experimental results demonstrate that our method achieves an accuracy of over 99% and precision of 100% in multi-stage attack detection. This confirms the effectiveness of our method in adapting to different attack scenarios and ultimately completing attack detection.

multidisciplinary sciences

TIAN Zhi-hong,ZHANG Wei-zhe,ZHANG Yong-zheng,ZHANG Hong-li,LI Yang,JIANG Wei

DOI: https://doi.org/10.3321/j.issn:1000-436x.2007.12.013

2007-01-01

Abstract:To construct attack scenarios and predict intrusion intents automatically,a real-time alert correlation approach based on capability transition model was proposed.By highly abstracting the reasoning evidences,the process complexity is effectively reduced.Experiment results on the DARPA2000 IDS test dataset indicate that the method is effective and efficient.

BAI Hao,WANG Kun-sheng,HU Chang-zhen,ZHANG Gang,JING Xiao-chuan

DOI: https://doi.org/10.15918/j.tbit1001-0645.2010.08.015

2010-01-01

Abstract:Limitations existed with current methods for attack intention recognition.For instance,they lacked compensatory intrusion evidences,cost enormous system resources and had low precision.To avoid the above flaws,a novel and effective method is proposed.The method generated compensatory intrusion evidences by fusing data from IDS and other security kits like scanner.Then,Bayesian-based attack scenarios were constructed where frequent attack patterns were identified using an efficient data-mining algorithm based on frequent patterns.Finally,attack paths were rebuilt by re-correlating frequent attack patterns mined in the scenarios to judge possible attack strategies precisely.The experimental results demonstrate the capability of the proposed method in rebuilding attack paths,recognizing attack intentions as well as in saving system resources.

Shuai Chunyan,Jiang Jianhui,Ouyang Xin,Chen Linbo,Yang Yang

2012-01-01

Abstract:At present most intrusion detection systems ignored the logic relationships between attacks,so it leads to high false positive rate.In this paper multi-attribute of attack behaviors are analyzed and attacks are classified into different classes. A related attack knowledge database is built. The paper creates attack association rules and absent attack inference rules, and applies an alert hierarchical associate algorithm to correlate alerts based on the causative relationships between attacks. Experiments are conducted to verify the correctness and effectiveness of the proposed algorithm.

YU Zhong,YU Hui,LI Wei-hua

DOI: https://doi.org/10.3969/j.issn.1001-3695.2007.06.035

2007-01-01

Abstract:Through analyzing and studying the characteristics of large-scale network intrusion detection,a system structure which based on multi-agents alliance was proposed.In which,we use the plan knowledge chart to describe the intruder's attack attention,and through analyzing its strategy,proposed a method of work division and coordination amongst the multi-agents alliance.

Di Zhao,Jiqiang Liu,Jialin Wang,Wenjia Niu,Endong Tong,Tong Chen,Gang Li

DOI: https://doi.org/10.48550/arXiv.1905.03454

2019-05-09

Abstract:"Feint Attack", as a new type of APT attack, has become the focus of attention. It adopts a multi-stage attacks mode which can be concluded as a combination of virtual attacks and real attacks. Under the cover of virtual attacks, real attacks can achieve the real purpose of the attacker, as a result, it often caused huge losses inadvertently. However, to our knowledge, all previous works use common methods such as Causal-Correlation or Cased-based to detect outdated multi-stage attacks. Few attentions have been paid to detect the "Feint Attack", because the difficulty of detection lies in the diversification of the concept of "Feint Attack" and the lack of professional datasets, many detection methods ignore the semantic relationship in the attack. Aiming at the existing challenge, this paper explores a new method to solve the problem. In the attack scenario, the fuzzy clustering method based on attribute similarity is used to mine multi-stage attack chains. Then we use a few-shot deep learning algorithm (SMOTE&CNN-SVM) and bidirectional Recurrent Neural Network model (Bi-RNN) to obtain the "Feint Attack" chains. "Feint Attack" is simulated by the real attack inserted in the normal causal attack chain, and the addition of the real attack destroys the causal relationship of the original attack chain. So we used Bi-RNN coding to obtain the hidden feature of "Feint Attack" chain. In the end, our method achieved the goal to detect the "Feint Attack" accurately by using the LLDoS1.0 and LLDoS2.0 of DARPA2000 and CICIDS2017 of Canadian Institute for Cybersecurity.

Cryptography and Security,Machine Learning

Qian Wang,Weilong Wang,Yan Wang,Jiadong Ren,Bing Zhang

DOI: https://doi.org/10.1109/tase.2024.3395355

IF: 6.636

2024-01-01

IEEE Transactions on Automation Science and Engineering

Abstract:Multi-stage network attack (MSA) is a serious threat to data security. The high-dimensionality of the alert data along with the diverse features, leads to poor detection performance for MSA. Consequently, this paper proposes a multi-stage network attack detection algorithm based on Gaussian mixture hidden Markov model and transfer learning. Firstly, a sequence modeling framework of Gaussian mixture hidden Markov models is proposed. It uses a Gaussian mixture model to cluster high-dimensional alert data and a hidden Markov model to fully consider the temporal structure of MSA, the alert features of each stage, and transitions between stages. Secondly, optimized Baum-Welch and Viterbi algorithms are proposed, combined with the forward-backward algorithm to train the parameter of the Gaussian mixture hidden Markov model and detect the attack sequence of MSA. Finally, an improved transfer learning method is proposed, which addresses the sparsity of labeled data in MSA scenarios, a Kullback-Leibler (KL) divergence value is added as a penalty term to narrow the distribution differences between the source and target domains and solves the bias problem in the transfer learning process. The proposed algorithm is validated on the datasets DARPA 2000 and CSE-CIC-IDS2018, and the effectiveness and superiority is verified on multiple evaluation indicators. Note to Practitioners —Network attacks gradually show the large-scale, coordinated and multi-stage characteristics. Complex multi-step attacks with strong concealment and persistence have become the development trend of network attacks, which seriously threaten and infringe the secure storage and transmission of information. Most existing studies use hidden Markov model (HMM) to model multi-stage network attacks. HMM is usually more suitable for multi-step attacks occurring in a specific sequence within a continuous time interval. However, in actual multi-stage network attacks, attackers do not need to follow the exact sequence of multi-step attacks, and the intervals between successive stages of an attack can be hours, days, or even months. Attackers may also perform interleaved attacks to hide attacks. Therefore, this paper proposes a multi-stage network attack detection algorithm based on Gaussian hybrid hidden Markov and transfer learning. The optimized Gaussian hybrid hidden Markov model is used to model the alert data of multi-stage network attacks, and the improved transfer learning method is adopted to apply the knowledge learned from the source domain to the multi-stage network attack detection model of the target domain. The experimental results show that the proposed algorithm can effectively process the alert data of different attack stages under complex multi-stage network attacks, distinguish the real threat alert, false alert and irrelevant alert, and improve the performance of detecting multi-stage network attacks. The method presented in this paper can provide a valuable solution for complex multi-stage network attack detection such as advanced persistent threat (APT). Future work will further combine adversarial generation network methods to avoid the interference of adversarial attack samples, and explore more ways to improve the performance of multi-step attack detection.

Li Zhang,Zhao Li,Huali Ren,Xiao Yu,Yuxi Ma,Quanxin Zhang

DOI: https://doi.org/10.1002/int.22874

IF: 8.993

2022-01-01

International Journal of Intelligent Systems

Abstract:The broad application of artificial intelligence (AI) shows more and more vulnerabilities. Adversaries have more opportunities to attack AI systems. For example, unmanned vehicles may be interfered with by adversaries in path planning, resulting in unmanned vehicles being unable to move according to the planned route, and even serious safety problems. On the other side, the portrait technology can extract highly refined characteristics of different attack strategies, so that unmanned vehicles can defend themselves based on the characteristics of each attack. Existing research lacks intelligent attack research on path planning in the field of unmanned vehicles, and lacks portraits of attack behaviors in this scenario. This paper combines multiagent reinforcement learning technology, time-series segmentation clustering technology, and knowledge graph technology to study the portrait technology of adversary intelligent attack behavior in the field of unmanned vehicle path planning. First, the simulation results of unmanned vehicle path planning are obtained, and the steps of adversary attack behavior are extracted by using Toeplitz inverse covariance-based clustering time-series segmentation cluster technology. Second, the knowledge graph is used to save the attack strategy, so as to form the attack behavior portrait of unmanned vehicle path planning. The test on the Neo4j platform shows that our method is universal, can effectively describe the attack steps for unmanned vehicle path planning, and provides the basis for attack detection to establish the defense system of unmanned vehicles.

Nurbol Luktarhan,Xue Jia,Liang Hu,Nannan Xie

DOI: https://doi.org/10.1007/978-3-642-33469-6_37

2012-01-01

Abstract:With the growing amount and kinds of network intrusion, multi-stage attack is becoming the one of the main methos of the network security threaten. The hidden Markov model is a kind of probabilistic model, which is widely used in speech recognition, text and image processing. In this paper, a Multi-stage Attack Detection Algorithm Based on Hidden Markov Model is proposed.And inorder to improve the performance of this algorithm,aother algorithm aims at false positive filter is also put forward. Experiments show that the algorithm has good perfomance in multi-stage attack detection.

Jianyi Liu,Bowen Liu,Ru Zhang,Cong Wang

DOI: https://doi.org/10.1007/978-3-030-24265-7_6

2019-01-01

Abstract:In order to find attack patterns from a large number of redundant alert logs, build multi-step attack scenarios, and eliminate the false alerts of the alert logs, this paper proposes a new multi-step attack scenario construction model, which is divided into two parts: offline mode and online mode. In the offline mode, the known real attack alert log is used to train the neural network for removing error alerts, and eventually to generate a Bayesian network attack graph by alert aggregation processing and causal association attack sequence. In the online mode, a large number of online alert logs are used to update the neural network and the Bayesian network attack graph generated by the previous offline mode, so that the iterative attack graph is more complete and accurate. In the end, we extract a variety of multi-step attack scenarios from the Bayesian network attack graph to achieve the purpose of eliminating false alerts in the redundant IDS alert logs. In order to verify the validity of the algorithm, we use the DARPA 2000 dataset to test, and the results show that the algorithm has higher accuracy.