Using Hidden Markov Models to Evaluate the Risks of Intrusions

System Architecture and Model Validation
  • André Årnes
  • Fredrik Valeur
  • Giovanni Vigna
  • Richard A. Kemmerer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4219)


Security-oriented risk assessment tools are used to determine the impact of certain events on the security status of a network. Most existing approaches are generally limited to manual risk evaluations that are not suitable for real-time use. In this paper, we introduce an approach to network risk assessment that is novel in a number of ways. First of all, the risk level of a network is determined as the composition of the risks of individual hosts, providing a more precise, fine-grained model. Second, we use Hidden Markov models to represent the likelihood of transitions between security states. Third, we tightly integrate our risk assessment tool with an existing framework for distributed, large-scale intrusion detection, and we apply the results of the risk assessment to prioritize the alerts produced by the intrusion detection sensors. We also evaluate our approach on both simulated and real-world data.


Risk assessment Intrusion detection Hidden Markov modeling 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Årnes, A., Sallhammar, K., Haslum, K., Brekne, T., Moe, M.E.G., Knapskog, S.J.: Real-time risk assessment with network sensors and intrusion detection systems. In: Hao, Y., Liu, J., Wang, Y.-P., Cheung, Y.-m., Yin, H., Jiao, L., Ma, J., Jiao, Y.-C. (eds.) CIS 2005. LNCS, vol. 3802, pp. 388–397. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  2. 2.
    CORAS IST-2000-25031 (2003), Web Site,
  3. 3.
    Debar, H., Curry, D.A., Feinstein, B.S.: Intrusion detection message exchange format (IDMEF) – internet-draft (2005)Google Scholar
  4. 4.
    Desai, N.: IDS correlation of VA data and IDS alerts (June 2003),
  5. 5.
    Evans, S., Heinbuch, D., Kyule, E., Piorkowski, J., Wallner, J.: Risk-based systems security engineering: Stopping attacks with intention. IEEE Security and Privacy 02(6), 59–62 (2004)CrossRefGoogle Scholar
  6. 6.
    Gehani, A., Kedem, G.: RheoStat: Real-time risk management. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 296–314. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  7. 7.
    Gula, R.: Correlating ids alerts with vulnerability information. Technical report, Tenable Network Security (December 2002)Google Scholar
  8. 8.
    Krügel, C., Kirda, E., Mutz, D., Robertson, W., Vigna, G.: Polymorphic worm detection using structural information of executables. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 207–226. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  9. 9.
    Kruegel, C., Robertson, W.: Alert verification: Determining the success of intrusion attempts. In: Proceedings of the 1st Workshop on the Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA 2004), Dortmund, Germany (July 2004)Google Scholar
  10. 10.
    Kruegel, C., Robertson, W., Vigna, G.: Using alert verification to identify successful intrusion attempts. Practice in Information Processing and Communication (PIK 2004) 27(4), 219–227 (2004)Google Scholar
  11. 11.
    Lincoln Laboratory. Lincoln laboratory scenario (DDoS) 1.0 (2000),
  12. 12.
    Porras, P.A., Fong, M.W., Valdes, A.: A mission-impact-based approach to INFOSEC alarm correlation. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, pp. 95–114. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  13. 13.
    Rabiner, L.R.: A tutorial on hidden markov models and selected applications in speech recognition. Readings in speech recognition, pp. 267–296 (1990)Google Scholar
  14. 14.
    Standards Australia and Standards New Zealand. AS/NZS 4360: 2004 risk management (2004)Google Scholar
  15. 15.
    Stonebumer, G., Goguen, A., Feringa, A.: Risk management guide for information technology systems, special publication, pp. 800–830 (2002),
  16. 16.
    Sun Microsystems, Inc. Installing, Administering, and Using the Basic Security Module. 2550 Garcia Ave., Mountain View, CA 94043 (December 1991)Google Scholar
  17. 17.
    Vigna, G., Kemmerer, R.A., Blix, P.: Designing a web of highly-configurable intrusion detection sensors. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 69–84. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  18. 18.
    Vigna, G., Valeur, F., Kemmerer, R.: Designing and implementing a family of intrusion detection systems. In: Proceedings of European Software Engineering Conference and ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE 2003), Helsinki, Finland (September 2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • André Årnes
    • 1
  • Fredrik Valeur
    • 2
  • Giovanni Vigna
    • 2
  • Richard A. Kemmerer
    • 2
  1. 1.Centre for Quantifiable Quality of Service in Communication SystemsNorwegian University of Science and TechnologyTrondheimNorway
  2. 2.Department of Computer ScienceUniversity of California Santa BarbaraSanta BarbaraUSA

Personalised recommendations