A Transparent Learning Approach for Attack Prediction Based on User Behavior Analysis

  • Peizhi Shao
  • Jiuming Lu
  • Raymond K. Wong
  • Wenzhuo Yang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9977)


User behavior can be used to determine vulnerable user actions and predict potential attacks. To our knowledge, most prior work has focused on finding vulnerable operations while disregarding the reasoning behind, or explanation of, its results. This paper proposes a transparent learning approach to user behavior analysis to address this issue. A user rating system is proposed that determines a security level for each user from several aspects, augmented with explanations of potential attacks based on his/her vulnerable user actions. The user rating model can be constructed with a semi-supervised learning classifier, and a rule mining algorithm can be applied to find hidden patterns and relations between user operations and potential attacks. With this approach, an organization can become aware of its weaknesses and better prepare for proactive attack defense or reactive responses.
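As an added illustration (not the paper's code) of the two ideas in the abstract, rule mining that links user operations to the attacks that followed them and a user rating that comes with an explanation, the following Python runs an Apriori-style association-rule miner over a constructed set of per-user action records and then rates a user by the strongest mined rule his or her actions satisfy, returning the matching rules as the explanation. The action names, the records, the support and confidence thresholds and the three-level rating scale are all assumptions made for this example; the paper's own rating model, semi-supervised classifier and rule-mining algorithm are not reproduced here.

```python
"""Association rules between user operations and observed attacks, with an
explainable per-user rating.  Added example; records and thresholds are
constructed for illustration and are not from the paper."""
from collections import Counter
from itertools import combinations

# Constructed sample: one record per user, holding the operations observed for
# that user and, where an incident followed, the attack category as an
# "attack:" item.  Names are invented for this example.
RECORDS = [
    {"opened_unknown_attachment", "clicked_email_link", "attack:phishing"},
    {"opened_unknown_attachment", "disabled_av", "attack:malware"},
    {"clicked_email_link", "reused_password", "attack:phishing"},
    {"clicked_email_link", "opened_unknown_attachment", "attack:phishing"},
    {"disabled_av", "installed_unsigned_software", "attack:malware"},
    {"reused_password", "shared_credentials", "attack:account_takeover"},
    {"reused_password", "shared_credentials", "attack:account_takeover"},
    {"used_mfa", "reported_suspicious_email"},
    {"used_mfa", "reported_suspicious_email"},
    {"clicked_email_link", "used_mfa"},
]


def frequent_itemsets(records, min_support):
    """Apriori: grow itemsets level by level, keeping only those whose
    fraction of records is at least min_support.  Returns {itemset: count}."""
    n = len(records)
    counts = Counter(item for r in records for item in r)
    level = {frozenset([i]) for i, c in counts.items() if c / n >= min_support}
    support = {s: counts[next(iter(s))] for s in level}
    k = 2
    while level:
        # Candidate k-sets are unions of two frequent (k-1)-sets whose every
        # (k-1)-subset is itself frequent (the Apriori pruning step).
        candidates = set()
        for a, b in combinations(level, 2):
            u = a | b
            if len(u) == k and all(frozenset(s) in level for s in combinations(u, k - 1)):
                candidates.add(u)
        level = set()
        for c in candidates:
            count = sum(1 for r in records if c <= r)
            if count / n >= min_support:
                level.add(c)
                support[c] = count
        k += 1
    return support


def mine_rules(records, min_support, min_confidence):
    """Turn frequent itemsets into rules of the form {operations} -> attack.
    Confidence = support(operations + attack) / support(operations)."""
    support = frequent_itemsets(records, min_support)
    rules = []
    for itemset, count in support.items():
        attacks = {i for i in itemset if i.startswith("attack:")}
        if len(attacks) != 1 or len(itemset) < 2:
            continue  # need exactly one attack as consequent and a non-empty antecedent
        consequent = next(iter(attacks))
        antecedent = itemset - {consequent}
        confidence = count / support[antecedent]  # antecedent is frequent by Apriori's closure
        if confidence >= min_confidence:
            rules.append({"if": antecedent, "then": consequent,
                          "support": count / len(records), "confidence": confidence})
    return sorted(rules, key=lambda r: -r["confidence"])


def rate_user(actions, rules):
    """Illustrative rating: the user's score is the confidence of the strongest
    rule whose antecedent is fully covered by the user's actions; the matching
    rules are the explanation.  The three-level scale is an assumption."""
    matched = [r for r in rules if r["if"] <= actions]
    score = max((r["confidence"] for r in matched), default=0.0)
    level = "high" if score >= 0.8 else "medium" if score >= 0.5 else "low"
    why = [f"{', '.join(sorted(r['if']))} -> {r['then']} "
           f"(confidence {r['confidence']:.2f}, support {r['support']:.2f})" for r in matched]
    return level, score, why


if __name__ == "__main__":
    mined = mine_rules(RECORDS, min_support=0.2, min_confidence=0.6)
    for user in ({"clicked_email_link", "opened_unknown_attachment"},
                 {"reused_password"},
                 {"used_mfa", "reported_suspicious_email"}):
        level, score, why = rate_user(user, mined)
        print(f"{sorted(user)}: {level} ({score:.2f})")
        for line in why:
            print("   ", line)
```

Because every rule is a plain itemset with a support count and a confidence, the rating is auditable: an analyst can read the rule that drove a "high" level and check it against the records, which is the transparency the abstract argues for over an opaque classifier score.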


Keywords: Transparent learning, Machine learning, User behavior analysis, Cybersecurity



Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Peizhi Shao (1)
  • Jiuming Lu (1)
  • Raymond K. Wong (1), email author
  • Wenzhuo Yang (2)
  1. School of Computer Science and Engineering, University of New South Wales, Kensington, Australia
  2. School of Computer Science and Engineering, Nanyang Technological University, Singapore
