Real-Time Multistep Attack Prediction Based on Hidden Markov Models

Abstract

A novel method based on the Hidden Markov Model is proposed to predict multistep attacks using IDS alerts. We consider the hidden states as similar phases of a particular type of attack. As a result, it can be easily adapted to multistep attacks and foresee the next steps of an attacker. To achieve this goal, a preliminary off-line training phase based on observations will be required. These observations are obtained by matching the IDS alert information with a database previously built for this purpose using a clusterization method from the CVE global database to avoid overfitting. The training model is performed using both unsupervised and supervised algorithms. Once the training is completed and probability matrices are computed, the prediction module compute the best state sequence based on the state probability for each step of the multistep attack in progress using the Viterbi and forward-backward algorithms. The training model includes the mean number of alerts and the number of alerts in progress to assist in obtaining the final attack probability. The model is analyzed for DDoS phases because it is a great problem in all Internet services. The proposed method is validated into a virtual DDoS scenario using current vulnerabilities. The results proving the system's ability to perform real-time prediction.