NSAPs: A novel scheme for network security state assessment and attack prediction

Abstract With the increasing complexity and scale of networks, computer attacks increase year by year and become more complicated. Defenders not only need to detect malicious activity from the large number of alerts generated by intrusion detection systems, but also need to use these alerts to assess the security state and predict attacks, so as to take proactive responses that reduce the damage of cyber-attacks. In this process, the huge volume of raw alerts must be preprocessed to an appropriate granularity, so as to improve the accuracy of the subsequent assessment and prediction models. At the same time, the security evaluation model needs good explainability and comprehensive attack prediction ability, including both attack event and attack step prediction, in order to provide a better decision reference for proactive response. In addition, the model should be able to adapt to zero-day attacks. To address these issues, in this paper we propose NSAPs, a novel scheme for network security state assessment and attack prediction. First, we extract attack steps based on quantified alert quality to reduce the amount of data. Second, we extract medium-granularity attack events from the attack steps using Semi-Markov Conditional Random Fields (semi-CRFs). Semi-CRFs can use as much alert information as possible to correlate alerts and can also take advantage of the contextual information between attack events; therefore, NSAPs can provide comprehensive attack prediction with good explainability. Third, the extracted attack events are used as the input of a Hidden Markov Model (HMM) to assess the security state. At the same time, we propose an HMM matching method based on the longest common subsequence of the attack events, which allows the model to adapt well to unknown alerts. Finally, we combine the probability values from the semi-CRFs and the HMM to predict attacks.
Our evaluation results indicate that the assessment and prediction of the proposed scheme are more accurate and comprehensive than those of existing approaches.
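The abstract describes matching an observed attack-event sequence to an HMM by the longest common subsequence (LCS) so that unknown alerts do not derail assessment. The following is an added illustration, not the paper's code: the scenario templates, the three security states, and all transition and emission probabilities are constructed assumptions, and an event with no emission entry (the stand-in for an unknown alert) is simply skipped by the forward pass.

```python
"""Added example (not the NSAPs authors' code): LCS-based matching of an
observed attack-event sequence to a scenario HMM, then a forward pass for
security-state probabilities. All scenarios and probabilities are constructed."""
from typing import Dict, List, Sequence, Tuple

STATES = ["normal", "probed", "compromised"]
START = [0.8, 0.15, 0.05]                                          # constructed prior
TRANS = [[0.7, 0.25, 0.05], [0.1, 0.6, 0.3], [0.05, 0.15, 0.8]]  # row: from, col: to

# Each scenario: the attack-event sequence its HMM was built on and the
# per-state emission probabilities for those events (constructed values).
SCENARIOS: Dict[str, Tuple[List[str], Dict[str, List[float]]]] = {
    "web_intrusion": (["scan", "web_exploit", "webshell", "exfil"],
                      {"scan": [0.5, 0.4, 0.1], "web_exploit": [0.1, 0.6, 0.3],
                       "webshell": [0.05, 0.25, 0.7], "exfil": [0.02, 0.18, 0.8]}),
    "brute_force": (["scan", "ssh_bruteforce", "login_success", "privesc"],
                    {"scan": [0.5, 0.4, 0.1], "ssh_bruteforce": [0.2, 0.6, 0.2],
                     "login_success": [0.1, 0.3, 0.6], "privesc": [0.02, 0.18, 0.8]}),
}

def lcs_length(a: Sequence[str], b: Sequence[str]) -> int:
    """Classic O(len(a)*len(b)) dynamic programme for the LCS length."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]

def match_scenario(observed: Sequence[str]) -> Tuple[str, float]:
    """Pick the scenario whose template shares the longest common subsequence with
    the observation (normalised by template length); unknown events never align,
    so they lower the score but cannot break the match."""
    scores = {n: lcs_length(observed, seq) / len(seq) for n, (seq, _) in SCENARIOS.items()}
    best = max(scores, key=scores.get)
    return best, scores[best]

def assess_state(observed: Sequence[str], scenario: str) -> List[float]:
    """Forward algorithm: normalised belief over STATES after the events in
    `observed`; events the scenario HMM has no emission entry for are skipped."""
    _, emit = SCENARIOS[scenario]
    alpha = START[:]
    for ev in observed:
        if ev not in emit:
            continue  # unseen event: nothing to emit, belief stays unchanged
        nxt = [sum(alpha[i] * TRANS[i][j] for i in range(3)) * emit[ev][j] for j in range(3)]
        alpha = [v / sum(nxt) for v in nxt]
    return alpha

if __name__ == "__main__":
    seq = ["scan", "unknown_ioc", "web_exploit", "webshell"]  # constructed; one unseen event
    name, score = match_scenario(seq)
    print(name, score, dict(zip(STATES, assess_state(seq, name))))
```

Because "scan" opens both constructed templates, the first event alone cannot pick a scenario; it is the LCS over the whole sequence, ignoring the unseen event, that selects "web_intrusion" and drives the belief toward the compromised state.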
