
Using Hidden Markov Models to Evaluate the Risks of Intrusions

System Architecture and Model Validation

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNISA, volume 4219)

Abstract

Security-oriented risk assessment tools are used to determine the impact of certain events on the security status of a network. Most existing approaches are generally limited to manual risk evaluations that are not suitable for real-time use. In this paper, we introduce an approach to network risk assessment that is novel in a number of ways. First of all, the risk level of a network is determined as the composition of the risks of individual hosts, providing a more precise, fine-grained model. Second, we use Hidden Markov models to represent the likelihood of transitions between security states. Third, we tightly integrate our risk assessment tool with an existing framework for distributed, large-scale intrusion detection, and we apply the results of the risk assessment to prioritize the alerts produced by the intrusion detection sensors. We also evaluate our approach on both simulated and real-world data.
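An added illustration of the approach the abstract describes (my own example, not code from the paper): each host carries a Hidden Markov model over security states, every IDS alert drives one forward-filter step, host risk is the expected cost of the host's state distribution, network risk is the sum over hosts, and alerts are ranked by the risk of their target host. The state set, cost vector, transition matrix and observation matrix are assumed toy values, not figures from the paper.

```python
from typing import Dict, List, Sequence, Tuple

STATES = ["good", "probed", "attacked", "compromised"]  # assumed 4-state host model
OBS = ["none", "scan", "exploit", "root"]               # assumed alert classes
COST = [0.0, 1.0, 5.0, 20.0]                            # assumed cost per state

# Assumed transition matrix: P[i][j] = Pr(next state j | current state i).
P = [
    [0.95, 0.04, 0.01, 0.00],
    [0.30, 0.60, 0.09, 0.01],
    [0.10, 0.20, 0.60, 0.10],
    [0.05, 0.05, 0.10, 0.80],
]
# Assumed observation matrix: Q[i][k] = Pr(alert class k | state i).
Q = [
    [0.97, 0.02, 0.01, 0.00],
    [0.40, 0.55, 0.04, 0.01],
    [0.20, 0.30, 0.45, 0.05],
    [0.10, 0.20, 0.30, 0.40],
]

def update(gamma: Sequence[float], obs: str) -> List[float]:
    """One HMM forward step: predict through P, weight by the alert likelihood, renormalise."""
    k = OBS.index(obs)
    n = len(STATES)
    predicted = [sum(gamma[i] * P[i][j] for i in range(n)) for j in range(n)]
    weighted = [predicted[j] * Q[j][k] for j in range(n)]
    z = sum(weighted)
    # Edge case: an observation impossible in every reachable state; keep the prediction.
    return predicted if z == 0.0 else [w / z for w in weighted]

def host_risk(gamma: Sequence[float]) -> float:
    """Risk of one host = expected cost under its current state distribution."""
    return sum(g * c for g, c in zip(gamma, COST))

class NetworkRisk:
    """Network risk composed from per-host HMM filters; alerts ranked by target-host risk."""
    def __init__(self, hosts: Sequence[str]) -> None:
        self.gamma: Dict[str, List[float]] = {h: [1.0, 0.0, 0.0, 0.0] for h in hosts}

    def observe(self, host: str, obs: str) -> float:
        self.gamma[host] = update(self.gamma[host], obs)
        return host_risk(self.gamma[host])

    def network_risk(self) -> float:
        return sum(host_risk(g) for g in self.gamma.values())

    def prioritize(self, alerts: Sequence[Tuple[str, str]]) -> List[Tuple[float, str, str]]:
        """Feed alerts in arrival order; return (risk, host, alert) sorted by descending risk."""
        scored = [(self.observe(h, o), h, o) for h, o in alerts]
        return sorted(scored, reverse=True)
```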

Keywords

  • Risk assessment
  • Intrusion detection
  • Hidden Markov modeling




Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Årnes, A., Valeur, F., Vigna, G., Kemmerer, R.A. (2006). Using Hidden Markov Models to Evaluate the Risks of Intrusions. In: Zamboni, D., Kruegel, C. (eds) Recent Advances in Intrusion Detection. RAID 2006. Lecture Notes in Computer Science, vol 4219. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11856214_8


  • DOI: https://doi.org/10.1007/11856214_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-39723-6

  • Online ISBN: 978-3-540-39725-0
