Abstract
A novel method based on the Hidden Markov Model is proposed to predict multistep attacks using IDS alerts. We consider the hidden states as similar phases of a particular type of attack. As a result, it can be easily adapted to multistep attacks and foresee the next steps of an attacker. To achieve this goal, a preliminary off-line training phase based on observations will be required. These observations are obtained by matching the IDS alert information with a database previously built for this purpose using a clusterization method from the CVE global database to avoid overfitting. The training model is performed using both unsupervised and supervised algorithms. Once the training is completed and probability matrices are computed, the prediction module compute the best state sequence based on the state probability for each step of the multistep attack in progress using the Viterbi and forward-backward algorithms. The training model includes the mean number of alerts and the number of alerts in progress to assist in obtaining the final attack probability. The model is analyzed for DDoS phases because it is a great problem in all Internet services. The proposed method is validated into a virtual DDoS scenario using current vulnerabilities. The results proving the system's ability to perform real-time prediction.
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callMore From: IEEE Transactions on Dependable and Secure Computing
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
