Attack plan recognition using hidden Markov and probabilistic inference

Intrusion detection systems perform well with single attack phase but not complex multi-step attacks which largely reduce their reliability. Multi-stage attack plan recognition aims at inferring attack plans and predicting upcoming attacks by analyzing the causal relationship between attack phases. Recent re-search often uses machine learning to deal with attack issues. However, some problems still exist. When probabilistic inference is applied to construct a causal network, researchers fail to take temporal sequence association into consideration, which makes it difficult for the model to deal with incomplete data. While the hidden Markov model can be used to recognize an attack plan, it cannot predict multiple intents nor their probabilities. This paper proposes a probability model based on the hidden Markov model and probabilistic inference responding to malicious events at runtime. This model uses online parameter updating rules which make it better suited to the rapidly changing cyber environment. Experimental results show that this model can achieve better performance compared to only using a single method and detect attack intent in an earlier stage. (c) 2020 Elsevier Ltd. All rights reserved.