Biqiong Chen,Yanhua Liu,Shijin Li,Xiaoling Gao

DOI: https://doi.org/10.1145/3371676.3371680

2019-01-01

Abstract:With the rapid development of network technology, network security problems are gradually increasing, and the network attack situation is very severe. In a complex attack scenario, timely detection of potential attack behaviors and timely identification and pre-judgment of attack intentions are important components of security risks. However, the attack behavior in the network presents complexity, multi-step and uncertainty, which brings new technical challenges to attack intent analysis. Aiming at the problem that the attack intention of multi-step complex attack is difficult to identify, this paper proposes an attack intention analysis method based on attack path graph. Firstly, aiming at the multi-step complex attack behavior analysis problem, the key asset assessment technology is used to find out the key assets in the network system, and the hypothetical attack intention is generated according to the security protection requirements of the network system. Then, it is difficult to manually construct the attack path map in the large-scale network, and the automatic generation of the attack path map is realized. Finally, a method of network attack intent identification is proposed and a calculation method of attack intent probability is designed, which improves the efficiency and accuracy of attack intent recognition.

Qingtao Wu,Ruijuan Zheng,Guanfeng Li,Juwei Zhang

DOI: https://doi.org/10.1016/j.proeng.2011.08.643

2011-01-01

Abstract:It is difficult to detect the intention of an intruder, identify semantics of attacks and predict further attacks effectively using intrusion detection methods in the construction of high-level attack scene and disposal of sophisticated attack. An intrusion intention identification method based on dynamic Bayesian network is proposed for indeterminate problems that occur during sophisticated network attacks. This method applies dynamic Bayesian directed acyclic graphs to give real-time formulation of incidence among attack behaviors, intentions and attacks. It also applies probabilistic reasoning method to predict further attacks by an intruder. The result reflects varying histories of the intention of an intruder and demonstrates the effectiveness of the method.

Qiumei Cheng,Chunming Wu,Bin Hu,Dezhang Kong,Boyang Zhou

DOI: https://doi.org/10.1109/globecom38437.2019.9013291

2019-01-01

Abstract:The intrusion response system is dedicated to automatically respond to sophisticated network intrusions, which is a sequential decision-making problem for autonomous agents. The current Markov decision process (MDP) or stochastic games based solutions suffer from several weaknesses: (i) The MDPbased approach is unable to explicitly model the opponents; (ii) The Nash equilibrium approach of stochastic games cannot handle the condition with multi equilibria. Existing studies have not considered the cognitive ability of the agent and lack of explicit opponent modeling. Inspired by recursive reasoning, this paper introduces a theory of mind (ToM)-based stochastic game-theoretic approach to reason about the beliefs and behaviors of the attackers. Each agent maintains different order ToM beliefs concerning his opponent with explicit opponent modeling. In order to accurately predict the attacker's action with nested beliefs, we utilize the Bayesian attack graph (BAG) to model multi-step attacks scenarios. In addition, the agent is allowed to learn from new information to adjust his beliefs and learning speed. Simulation results validate that ToM modeling performs well in the intrusion response system than random defense actions. Besides, a defender with first-order ToM beliefs always wins an attacker with zero-order ToM beliefs.

WU Qing-tao,WANG Qi-jing,ZHENG Rui-juan

DOI: https://doi.org/10.3969/j.issn.1000-3428.2011.08.043

2011-01-01

Abstract:It is difficult to detect the intention of an intruder,identify semantics of attacks and predict further attacks effectively using intrusion detection methods in the construction of high-level attack scenario and disposal of sophisticated attack.Aiming at the uncertain question in the attack process,this paper presents an intrusion intention recognition method based on Dynamic Bayesian Networks(DBN).Directed Acyclic Graph(GAG) is used to express the connection between attack behavior,attack plan and objectives,and the probabilistic reasoning method is used to predict next attack.Experiments reflect the change law of intrusion intention in the attack process,and proves the feasibility and validity.

Jian-Wei ZHUGE,Xin-Hui HAN,Zhi-Yuan YE,Wei ZOU

DOI: https://doi.org/10.3321/j.issn:0254-4164.2006.08.013

2006-01-01

Jisuanji Xuebao/Chinese Journal of Computers

Abstract:Based on the classical plan recognition methods in the domain of artificial intelligence, and considering the characteristics of attack plan recognition problem in the domain of network security operation, this paper extends the goal graph model, introducing the observation node to distinguish the planner’s actions and the recognizer’s observations against the actions, replacing the unitary action nodes using the hierarchy composed with detail actions and abstract actions, maintaining the precondition and effect conditions between the actions and security states in the abstract action level according to the abstract attack patterns, therefore, proposes the Extended Goal Graph(EGG) model. Furthermore, this paper proposes an attack plan recognition algorithm based on the Extended Goal Graph, the algorithm can recognize the hidden attack intention and plan from the large volume of low level intrusion detection system alerts correctly and effectively. Through the experiments using DARPA 2000 intrusion scenario correlation benchmark dataset and in-the-wild botnet scenarios data captured in the honeynet, the results show the completeness and soundness of the algorithm, as well as its advantage beyond the alert correlation systems such as TIAA [5] .

Jie Feng,Zhichao Yuan,Shan Yao,Chunhe Xia,Qing Wei

DOI: https://doi.org/10.1109/iccis.2011.156

2011-01-01

Abstract:Attack intention recognition is the process of inferring an attacker's intention from the observed attack behaviors, which is based on some attack scenario. The common methods of modeling attack scenario are attack tree and attack graph, but these methods are not suitable for attack intention recognition. In this paper, we focus on the method of generating attack scenarios. We propose a novel model of attack scenario for attack intention recognition. Then the generating algorithm is given to generate attack scenario. We demonstrate the validity of this method with an experimental network at last.

BAI Hao,WANG Kun-sheng,HU Chang-zhen,ZHANG Gang,JING Xiao-chuan

DOI: https://doi.org/10.15918/j.tbit1001-0645.2010.08.015

2010-01-01

Abstract:Limitations existed with current methods for attack intention recognition.For instance,they lacked compensatory intrusion evidences,cost enormous system resources and had low precision.To avoid the above flaws,a novel and effective method is proposed.The method generated compensatory intrusion evidences by fusing data from IDS and other security kits like scanner.Then,Bayesian-based attack scenarios were constructed where frequent attack patterns were identified using an efficient data-mining algorithm based on frequent patterns.Finally,attack paths were rebuilt by re-correlating frequent attack patterns mined in the scenarios to judge possible attack strategies precisely.The experimental results demonstrate the capability of the proposed method in rebuilding attack paths,recognizing attack intentions as well as in saving system resources.

Guang Kou,Shuo Wang,Guangming Tang

DOI: https://doi.org/10.1049/cje.2018.10.007

IF: 1.019

2019-01-01

Chinese Journal of Electronics

Abstract:This paper analyzed the existing network security situation evaluation methods and discovered that they cannot accurately reflect the features of large-scale, synergetic, multi-stage gradually shown by network attack behaviors. For this purpose, the association between attack intention and network configuration information was deep analyzed. Then a network security situation evaluation method based on attack intention recognition was proposed. Unlike traditional method, the evaluation method was based on intruder. This method firstly made causal analysis of attack event and discovered and simplified intrusion path to recognize every attack phases, then realized situation evaluation based on the attack phases. Lastly attack intention was recognized and next attack phase was forecasted based on achieved attack phases, combined with vulnerability and network connectivity. A simulation experiments for the proposed network security situation evaluation model is performed by network examples. The experimental results show that this method is more accurate on reflecting the truth of attack. And the method does not need training on the historical sequence, so the method is more effective on situation forecasting.

engineering, electrical & electronic

Shi Jin,Guo Shan

2008-01-01

Journal of Software

Abstract:System incentive and alternation of attacker's strategies are not taken into full consideration in current intrusion response research.An intrusion response model(intrusion response based on attack graph,IRAG)based on the attack graph is proposed to solve this problem.IRAG model deals well with the attack's intent and alternation of strategies,and takes account of incentives of system and attacker across-the-board.The experimental results show that the IRAG model can effectively improve the accuracy and effectiveness of alert response.

DOI: https://doi.org/10.36652/0869-4931-2024-78-5-230-234

2024-01-01

Abstract:Attack graphs are a popular area of research that display all the paths an trespasser can take to penetrate a network. Existing graph generation methods rely heavily on expert opinion regarding network vulnerabilities and topology. An intrusion detection system based on graph-directed analytics of the big data analytics, which is based on machine learning, is proposed, which made it possible to obtain good accuracy results and a high level of attack detection during its testing. Keywords attack, graph, detection, machine learning, network

Xiang Yu,Zhihong Tian,Jing Qiu,Shen Su,Xiaoran Yan

DOI: https://doi.org/10.32604/cmc.2019.05821

2019-01-01

Abstract:With the development of Information technology and the popularization of Internet, whenever and wherever possible, people can connect to the Internet optionally. Meanwhile, the security of network traffic is threatened by various of online malicious behaviors. The aim of an intrusion detection system (IDS) is to detect the network behaviors which are diverse and malicious. Since a conventional firewall cannot detect most of the malicious behaviors, such as malicious network traffic or computer abuse, some advanced learning methods are introduced and integrated with intrusion detection approaches in order to improve the performance of detection approaches. However, there are very few related studies focusing on both the effective detection for attacks and the representation for malicious behaviors with graph. In this paper, a novel intrusion detection approach IDBFG (Intrusion Detection Based on Feature Graph) is proposed which first filters normal connections with grid partitions, and then records the patterns of various attacks with a novel graph structure, and the behaviors in accordance with the patterns in graph are detected as intrusion behaviors. The experimental results on KDD-Cup 99 dataset show that IDBFG performs better than SVM (Supprot Vector Machines) and Decision Tree which are trained and tested in original feature space in terms of detection rates, false alarm rates and run time.

Wu Tao,Wang Chong-Jun,Xie Jun-Yuan

2010-01-01

Abstract:Intrusion detection,as an active measure to assure information security,has been receiving intensive attention and has recently become the focus of the computer security especially the network security research communities.In order to avoid being detected,however,intrusion events have evolved to become intelligent and distributive,making them good at concealing their purposes and so penetrating the intrusion detection system.To deal with this problem,as this paper does,techniques involving artificial intelligence and machine learning are brought in.This paper models intrusion and its detection as two multi-agent systems that have conflict interests,and holds the opinion that to intrude is just to device and execut attacking plans aiming to achieve certain objectives,the key of intrusion detection then is to analyze the observed opopnent's actions perceived as abnormal and reveal their intentions,which is then a classical intention recognition problem.Be is justifiable,we noticed that the traditional KEY-HOLE observing method for intention recognition is not suitable to be used here,because the environment for intrusion detection usually has an attack-defense nature thus is dynamic and can be extremely complex,making it expectable that failures to report intrusions and false reports of intrusions do happen,as a result acquiring a complete and true action sequence of the intruder is impossible.Under this circumstance,to design a strategy so robust that can recognize the intruder's intention using just an action sequence which not only contains only part of the intruder's complete action squence and also unknownly includs some misclassified actions is desperated needed,and this is exactly what this paper may contribute.Further than proposing the two multi-agent systems model,this paper sees the intrusion process as a Partially Observable Markov Decision Process(POMDP),and then estimates the intruder's intention as the output of the process.In this cae intention of the intruder can be recognized through an incomplete and defective action sequence it has just taken.The effectiveness of the proposed method is proved by experiments on data set contributed by DARPA.

Jie Lei,Zhi-Tang Li

DOI: https://doi.org/10.1109/chinacom.2007.4469413

2007-01-01

Abstract:An intrusion detection system (IDS) generates alerts indicating what malicious behaviors are going on against the protected network system. When comparing the real-time reported IDS alerts with the network attack graph which provides all possible sequences of exploits that an intruder may use to penetrate the system, some prediction on future attacks can be made. In this paper we proposed a novel approach to predicting future attacks. First an attack graph is generated through data mining and the predictability of every attack scenario which represents how probable there would be oncoming attacks following the attack scenario can be estimated. Then in real-time intrusion detection environment the IDS alerts are correlated into attack scenarios and ranked by their predictability scores. Finally the attack scenarios with high predictability are used as the evidence to make prediction on future attacks. The effectiveness of the approach has been validated with a honeynet system.

Zhuo Ning,Jian Gong

DOI: https://doi.org/10.1007/978-3-540-72590-9_122

2007-01-01

Abstract:Intrusion plan prediction and recognition is a critical and challenging task for NIDS. Among several approaches proposed so far, probability inference using causal network seems to be one of the most promising mechanisms. Our analysis shows that the polytree is limited in its expressiveness, and belief updating in max-k-connected networks is hard for all k >= 2 [12]. To find a tradeoff between expressive power and inference efficiency, this paper extends the structure of causal network from polytree to max-1-connected Bayesian network, and proposes a new intrusion plan prediction algorithm IPR on it. We evaluate the approach using LLOS1.0, and the results demonstrate that IPR can predict the occurrence probability of DDOS when Sandmind attack occurs to gain root privilege, and then confirm the prediction in the beginning of Syn flooding.

L Feng,XH Guan,SG Guo,Y Gao,PN Liu

DOI: https://doi.org/10.1016/j.cose.2004.01.016

IF: 5.105

2004-01-01

Computers & Security

Abstract:Identifying the intentions or attempts of the monitored agents through observations is very vital in computer network security. In this paper, a plan recognition method for predicting the anomaly events and the intentions of possible intruders to a computer system is developed based on the observation of system call sequences. The probability of the goal state for a system call sequence is defined as the prediction index to determine if the intention is normal. An efficient algorithm based on the dynamic Bayesian network theory with parameter compensation is derived and then applied to update the index recursively. Extensive empirical testing is performed on the data sets published in the literature and those collected in an actual computer system at our lab. The testing results showed that this method can identify the intrusion behaviors from the observed system call sequences with good accuracy.

HU He,HU Chang-zhen,YAO Shu-ping

2012-01-01

Abstract:To help network administrators to pre-identify potential vulnerabilities and security threats,an active response strategy selecting method based on attack graph was presented.In this method,the network attack graph model forecast aggressive behavior,and analysed attack path with quantitative metrics.The method used the observations during the attack process to match attack graph and updates the belief state.Finally,the partial observable Markov game(POMG) algorithm was used to choose optimal active response strategy.Experimental results show that the active response strategy selection method based on attack graph can improve the accuracy and effectiveness of the response.

Zhi-tang Li,Jie Lei,Li Wang,Dong Li

DOI: https://doi.org/10.1109/fskd.2007.15

2007-01-01

Abstract:A network attack graph provides a global view of all possible sequences of exploits which an intruder may use to penetrate a system. Attack graphs can be generated by model checking techniques or intrusion alert correlation. In this paper we proposed a data mining approach to generating attack graphs. Through association rule mining, the algorithm generates multi-step attack patterns from historical intrusion alerts which comprise the attack graphs. The algorithm also calculates the predictability of each attack scenario in the attack graph which represents the probability for the corresponding attack scenario to be the precursor of future attacks. Then the real-time intrusion alerts can be correlated to attack scenarios and ranked by the predictability scores. The ranking result can help identify the appropriate evidence for intrusion prediction from a large volume of raw intrusion alerts. The approach is validated by DARPA 2000 and DARPA 1999 intrusion detection evaluation datasets.

Hao Bai,Kunsheng Wang,Changzhen Hu,Gang Zhang,Xiaochuan Jing

DOI: https://doi.org/10.1007/s11704-010-0321-y

2010-01-01

Abstract:Recognizing attack intention is crucial for security analysis. In recent years, a number of methods for attack intention recognition have been proposed. However, most of these techniques mainly focus on the alerts of an intrusion detection system and use algorithms of low efficiency that mine frequent attack patterns without reconstructing attack paths. In this paper, a novel and effective method is proposed, which integrates several techniques to identify attack intentions. Using this method, a Bayesian-based attack scenario is constructed, where frequent attack patterns are identified using an efficient data-mining algorithm based on frequent patterns. Subsequently, attack paths are rebuilt by recorrelating frequent attack patterns mined in the scenario. The experimental results demonstrate the capability of our method in rebuilding attack paths, recognizing attack intentions as well as in saving system resources. Specifically, to the best of our knowledge, the proposed method is the first to correlate complementary intrusion evidence with frequent pattern mining techniques based on the FP-Growth algorithm to rebuild attack paths and to recognize attack intentions.

Zhi-tang Li,Jie Lei,Li Wang,Dong Li

DOI: https://doi.org/10.1109/nas.2007.15

2007-01-01

Abstract:In this paper a novel approach to assessing the threat of network intrusions is proposed. Unlike the present approaches which assess the attack threat either from a backward perspective (how probable a security state can be reached) or from the perspective of the attacks themselves (how much an attack would cause damage to the network), this approach assesses the attack threat from a forwarding perspective (how probable it would be the precursor of future attacks). First, to every attack type and some attack scenarios, their probabilities of having following attacks(PFAs) are calculated by a data mining algorithm. Then the threats of real time intrusions are assessed by these probabilities. The result of the threat assessment can help identify the intrusion alerts which would be the best evidence for the coming attacks from tremendous amount of intrusion alerts, thus this approach can be used for intrusion prediction. The approach is validated by DARPA 2000 and DARPA 1999 intrusion detection evaluation datasets.

冯力,管晓宏,郭三刚,高艳,刘培妮

DOI: https://doi.org/10.3321/j.issn:0254-4164.2004.08.010

2004-01-01

Chinese Journal of Computers

Abstract:Plan recognition is a prediction theory for identifying and determining the intentions or the attempts of the agents monitored through observation data. In this paper, a plan recognition based method is presented to predict the anomaly events and intensions of potential intruders to a computer system using the system call sequences as observation data. The method is established on a dynamic Bayesian network with parameter compensation and an algorithm is developed to update this network. The experimental results show that this method has a good accuracy in predicting the intrusion intensions from the system call sequences.