Hidden Markov Models and Alert Correlations for the Prediction of Advanced Persistent Threats

dc.cclicenceCC-BYen
dc.contributor.authorGhafir, Ibrahim
dc.contributor.authorKyriakopoulos, Konstantinos G.
dc.contributor.authorLambotharan, Sangarapillai
dc.contributor.authorAparicio-Navarro, Francisco J.
dc.contributor.authorAsSadhan, Basil
dc.contributor.authorBinSalleeh, Hamad
dc.contributor.authorDiab, Diab M.
dc.date.acceptance2019-07-10
dc.date.accessioned2019-07-30T13:21:35Z
dc.date.available2019-07-30T13:21:35Z
dc.date.issued2019-07-22
dc.description.abstractCyber security has become a matter of a global interest and several attacks target industrial companies and governmental organisations. The Advanced Persistent Threats (APTs) have emerged as a new and complex version of Multi-Stage Attacks (MSAs), targeting selected companies and organisations. Current APT detection systems focus on raising the detection alerts rather than predicting APTs. Forecasting the APT stages not only reveals the APT life cycle in its early stages but also helps to understand the attacker’s strategies and aims. This work proposes a novel intrusion detection system for APT detection and prediction. This system undergoes two main phases, the first one achieves the attack scenario reconstruction. This phase has a correlation framework to link the elementary alerts that belong to the same APT campaign. The correlation is based on matching the attributes of the elementary alerts which are generated over a configurable time window. The second phase of the proposed system is the attack decoding. This phase utilises the Hidden Markov Model (HMM) to determine the most likely sequence of APT stages for a given sequence of correlated alerts. Moreover, a prediction algorithm is developed to predict the next step of the APT campaign after computing the probability of each APT stage to be the next step of the attacker. The proposed approach estimates the sequence of APT stages with a prediction accuracy of at least 91:80%. Additionally, it predicts the next step of the APT campaign with an accuracy of 66:50%, 92:70% and 100% based on two, three and four correlated alerts, respectively.en
dc.funderEPSRC (Engineering and Physical Sciences Research Council)en
dc.funder.otherUK-Gulf Institutional Link Grant IL 279339985en
dc.identifier.citationGhafir, I. et al., (2019). Hidden Markov Models and Alert Correlations for the Prediction of Advanced Persistent Threats. IEEE Access, pp.1–1.en
dc.identifier.doihttps://doi.org/10.1109/access.2019.2930200
dc.identifier.issn2169-3536
dc.identifier.urihttps://www.dora.dmu.ac.uk/handle/2086/18257
dc.language.isoenen
dc.peerreviewedYesen
dc.projectidEP/R006385/1en
dc.publisherIEEEen
dc.subjectAdvanced Persistent Threaten
dc.subjectIntrusion Detection Systemen
dc.subjectAlert Correlationen
dc.subjectHidden Markov Modelen
dc.subjectAttack Predictionen
dc.titleHidden Markov Models and Alert Correlations for the Prediction of Advanced Persistent Threatsen
dc.typeArticleen

Files

Original bundle
Now showing 1 - 1 of 1
Loading...
Thumbnail Image
Name:
final version - HMM_and_Alert_Correlations_for_the_Prediction_of_APTs.pdf
Size:
587.8 KB
Format:
Adobe Portable Document Format
Description:
Camera Ready
License bundle
Now showing 1 - 1 of 1
No Thumbnail Available
Name:
license.txt
Size:
4.2 KB
Format:
Item-specific license agreed upon to submission
Description: