Attacker Behaviour Profiling using Stochastic Ensemble of Hidden Markov Models

Cyber threat intelligence is one of the emerging areas of focus in information security. Much of the recent work has focused on rule-based methods and on detecting network attacks with intrusion detection algorithms. In this paper we propose a framework for inspecting and modelling the behavioural aspect of an attacker, in order to gain better insight into, and predictive power over, their future actions. For modelling we propose a novel semi-supervised algorithm called Fusion Hidden Markov Model (FHMM), which is more robust to noise, requires less training time, and uses ensemble learning to better model temporal relationships in the data. This paper evaluates the performance of FHMM and compares it with both traditional algorithms, namely Markov chains and the Hidden Markov Model (HMM), and recently developed deep recurrent neural network (deep RNN) architectures. We conduct the experiments on a dataset of real attacks captured by a Cowrie honeypot. FHMM provides accuracy comparable to deep RNN architectures at significantly lower training time. Given these experimental results, we recommend FHMM for modelling discrete temporal data, as it trains significantly faster and performs better than existing methods.
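The abstract describes FHMM only at the level of an ensemble of hidden Markov models trained on discrete attacker command sequences. As an added illustration (not the paper's FHMM implementation, whose training procedure and fusion rule are not described on this page), the block below trains several discrete HMMs of different sizes on bootstrap resamples of constructed Cowrie-style sessions, fuses their next-command distributions by plain averaging, and scores whole sessions by average per-command log-likelihood. The session data, the class and function names, the state-count choices and the averaging fusion rule are assumptions made for this example; the HMM machinery itself (scaled forward-backward and Baum-Welch re-estimation) is the standard algorithm, written in pure Python so it runs without numpy.

```python
"""Ensemble of discrete HMMs over honeypot command sequences: added illustration, not the paper's FHMM code."""
import math
import random

UNK = "<unk>"  # bucket for commands never seen in training
# Constructed sessions in the style of Cowrie shell logs (not real honeypot data).
SESSIONS = [
    ["login", "uname -a", "cat /proc/cpuinfo", "wget", "chmod +x", "./bot"],
    ["login", "uname -a", "wget", "chmod +x", "./bot"],
    ["login", "cat /proc/cpuinfo", "wget", "chmod +x", "./bot"],
    ["login", "uname -a", "cat /proc/cpuinfo", "wget", "chmod +x", "./bot"],
    ["login", "wget", "chmod +x", "./bot"],
    ["login", "uname -a", "busybox", "wget", "chmod +x", "./bot"],
    ["login", "uname -a", "cat /proc/cpuinfo", "exit"],
]

def _normalize(v):
    s = sum(v)
    return [x / s for x in v]

class DiscreteHMM:
    """HMM with categorical emissions, fitted by scaled Baum-Welch (pure Python, no numpy)."""
    def __init__(self, n_states, n_symbols, seed):
        rng, self.n, self.m = random.Random(seed), n_states, n_symbols
        rand = lambda k: _normalize([rng.random() + 0.1 for _ in range(k)])  # strictly positive init
        self.pi, self.A = rand(n_states), [rand(n_states) for _ in range(n_states)]
        self.B = [rand(n_symbols) for _ in range(n_states)]

    def _forward(self, obs):
        """alpha[t] = P(state | obs[:t+1]); scales[t] = P(obs[t] | obs[:t]), so log P(obs) = sum(log scales)."""
        alpha, scales = [], []
        for t, o in enumerate(obs):
            a = [(self.pi[i] if t == 0 else sum(alpha[-1][j] * self.A[j][i] for j in range(self.n)))
                 * self.B[i][o] for i in range(self.n)]
            scales.append(sum(a) or 1e-300)
            alpha.append([x / scales[-1] for x in a])
        return alpha, scales

    def _backward(self, obs, scales):
        beta = [[1.0] * self.n for _ in obs]  # scaled so alpha[t][i] * beta[t][i] is the state posterior
        for t in range(len(obs) - 2, -1, -1):
            beta[t] = [sum(self.A[i][j] * self.B[j][obs[t + 1]] * beta[t + 1][j] for j in range(self.n))
                       / scales[t + 1] for i in range(self.n)]
        return beta

    def fit(self, seqs, iters=40, smoothing=1e-3):
        """Baum-Welch over many sequences; `smoothing` keeps unseen transitions and emissions non-zero."""
        for _ in range(iters):
            pi_acc = [smoothing] * self.n
            A_acc = [[smoothing] * self.n for _ in range(self.n)]
            B_acc = [[smoothing] * self.m for _ in range(self.n)]
            for obs in seqs:
                alpha, scales = self._forward(obs)
                beta = self._backward(obs, scales)
                for t, o in enumerate(obs):
                    gamma = _normalize([alpha[t][i] * beta[t][i] for i in range(self.n)])  # state posterior
                    for i in range(self.n):
                        B_acc[i][o] += gamma[i]
                        pi_acc[i] += gamma[i] if t == 0 else 0.0
                        if t + 1 < len(obs):  # expected transition count xi_t(i, j), rescaled by P(obs[t+1] | obs[:t+1])
                            for j in range(self.n):
                                A_acc[i][j] += (alpha[t][i] * self.A[i][j] * self.B[j][obs[t + 1]]
                                                * beta[t + 1][j] / scales[t + 1])
            self.pi, self.A = _normalize(pi_acc), [_normalize(r) for r in A_acc]
            self.B = [_normalize(r) for r in B_acc]

    def next_symbol_dist(self, obs):
        """P(next symbol | obs): push the filtered state posterior through A, then through B."""
        post = self._forward(obs)[0][-1]
        nxt = [sum(post[i] * self.A[i][j] for i in range(self.n)) for j in range(self.n)]
        return [sum(nxt[j] * self.B[j][k] for j in range(self.n)) for k in range(self.m)]

class HMMEnsemble:
    """Bootstrap-trained HMMs of differing sizes; predictions fused by plain averaging (assumed rule)."""
    def __init__(self, sessions, n_models=5, state_sizes=(3, 4, 5), seed=0, iters=40):
        self.vocab = sorted({c for s in sessions for c in s}) + [UNK]
        self.index = {c: i for i, c in enumerate(self.vocab)}
        data, rng, self.models = [self.encode(s) for s in sessions], random.Random(seed), []
        for k in range(n_models):
            boot = [rng.choice(data) for _ in data]  # bootstrap resample per member
            hmm = DiscreteHMM(state_sizes[k % len(state_sizes)], len(self.vocab), seed + k)
            hmm.fit(boot, iters)
            self.models.append(hmm)

    def encode(self, session):
        return [self.index.get(c, self.index[UNK]) for c in session]

    def predict_next(self, session):
        obs, fused = self.encode(session), [0.0] * len(self.vocab)
        for h in self.models:
            for k, p in enumerate(h.next_symbol_dist(obs)):
                fused[k] += p / len(self.models)
        return dict(zip(self.vocab, fused))

    def score(self, session):
        """Mean per-command log-likelihood across members; low values flag unusual sessions."""
        obs = self.encode(session)
        return sum(math.log(s) for h in self.models for s in h._forward(obs)[1]) / (len(self.models) * len(obs))
```

`HMMEnsemble(SESSIONS).predict_next(prefix)` returns the fused next-command distribution for a partial session, and `score()` is the check to run before trusting any prediction on a new session: a session containing a command never seen in training is mapped to `<unk>` and receives a far lower average log-likelihood than a typical one, which is the natural anomaly signal from this kind of model. Two caveats a practitioner should keep in mind: Baum-Welch from a random initialisation converges to a local optimum, which is part of why an ensemble over several initialisations and state counts is steadier than a single HMM, and the small additive smoothing is what stops a single never-seen transition from zeroing out the likelihood of an entire session.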
