Intrusion Detection with Hypergraph-Based Attack Models

  • Antonella Guzzo
  • Andrea Pugliese
  • Antonino Rullo
  • Domenico Saccà
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8323)


In numerous security scenarios, given a sequence of logged activities, it is necessary to look for all subsequences that represent an intrusion, which can be meant as any “improper” use of a system, an attempt to damage parts of it, to gather protected information, to follow “paths” that do not comply with security rules, etc. In this paper we propose an hypergraph-based attack model for intrusion detection. The model allows the specification of various kinds of constraints on possible attacks and provides a high degree of flexibility in representing many different security scenarios. Besides discussing the main features of the model, we study the problems of checking the consistency of attack models and detecting attack instances in sequences of logged activities.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Albanese, M., Jajodia, S., Pugliese, A., Subrahmanian, V.S.: Scalable analysis of attack scenarios. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 416–433. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  2. 2.
    Garey, M.R., Johnson, D.S.: Computers and Intractability: A Guide to the Theory of NP-Completeness. W. H. Freeman & Co, New York (1979)zbMATHGoogle Scholar
  3. 3.
    Albanese, M., Pugliese, A., Subrahmanian, V.S.: Fast activity detection: Indexing for temporal stochastic automaton-based activity models. IEEE Trans. Knowl. Data Eng. 25(2), 360–373 (2013)CrossRefGoogle Scholar
  4. 4.
    Berge, C.: Hypergraphs: Combinatorics of Finite Sets. North-Holland (1989)Google Scholar
  5. 5.
    Vigna, G.: A topological characterization of tcp/ip security. In: Araki, K., Gnesi, S., Mandrioli, D. (eds.) FME 2003. LNCS, vol. 2805, pp. 914–939. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  6. 6.
    Vigna, G., Kemmerer, R.A.: Netstat: A network-based intrusion detection approach. In: ACSAC, pp. 25–34 (1998)Google Scholar
  7. 7.
    Morin, B., Mé, L., Debar, H., Ducassé, M.: M2D2: A formal data model for IDS alert correlation. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, pp. 115–127. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  8. 8.
    Baiardi, F., Suin, S., Telmon, C., Pioli, M.: Assessing the risk of an information infrastructure through security dependencies. In: López, J. (ed.) CRITIS 2006. LNCS, vol. 4347, pp. 42–54. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  9. 9.
    Pieters, W.: Ankh: Information threat analysis with actor-network hypergraphs. CTIT technical report series, Enschede, Centre for Telematics and Information Technology, University of Twente (2010)Google Scholar
  10. 10.
    Johnson, C.R., Montanari, M., Campbell, R.H.: Automatic management of logging infrastructure. In: National Centers of Academic Excellence - Workshop on Insider Threat, St Louis, MO, USA (2010)Google Scholar
  11. 11.
    Korff, M., Ribeiro, L.: Formal relationship between graph grammars and petri nets. In: Cuny, J., Engels, G., Ehrig, H., Rozenberg, G. (eds.) Graph Grammars 1994. LNCS, vol. 1073, pp. 288–303. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  12. 12.
    Alimonti, P., Feuerstein, E.: Petri nets, hypergraphs and conflicts (preliminary version). In: Mayr, E.W. (ed.) WG 1992. LNCS, vol. 657, pp. 293–309. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  13. 13.
    Basu, A., Blanning, R.W.: Metagraphs in workflow support systems. Decision Support Systems 25(3), 199–208 (1999)CrossRefGoogle Scholar
  14. 14.
    Basu, A., Blanning, R.W.: A formal approach to workflow analysis. Information Systems Research 11(1), 17–36 (2000)CrossRefGoogle Scholar
  15. 15.
    Basu, A., Blanning, R.W.: Workflow analysis using attributed metagraphs. In: HICSS (2001)Google Scholar
  16. 16.
    Basu, A., Blanning, R.W.: Metagraphs and Their Applications. Integrated Series in Information Systems. Springer, Dordrecht (2007)zbMATHGoogle Scholar
  17. 17.
    Basu, A., Blanning, R.W.: Metagraphs: a tool for modeling decision support systems. Manage. Sci. 40(12), 1579–1600 (1994)CrossRefzbMATHGoogle Scholar
  18. 18.
    Polyvyanyy, A., Weske, M.: Hypergraph-based modeling of ad-hoc business processes. In: Ardagna, D., Mecella, M., Yang, J. (eds.) BPM 2008 Workshops. LNBIP, vol. 17, pp. 278–289. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  19. 19.
    Ammann, P., Wijesekera, D., Kaushik, S.: Scalable, graph-based network vulnerability analysis. In: ACM Conference on Computer and Communications Security, pp. 217–224 (2002)Google Scholar
  20. 20.
    Noel, S., Robertson, E., Jajodia, S.: Correlating intrusion events and building attack scenarios through attack graph distances. In: ACSAC, pp. 350–359 (2004)Google Scholar
  21. 21.
    Wang, L., Liu, A., Jajodia, S.: An efficient and unified approach to correlating, hypothesizing, and predicting intrusion alerts. In: De Capitani di Vimercati, S., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 247–266. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  22. 22.
    Wang, L., Noel, S., Jajodia, S.: Minimum-cost network hardening using attack graphs. Computer Communications 29(18), 3812–3824 (2006)CrossRefGoogle Scholar
  23. 23.
    Chen, Y., Boehm, B.W., Sheppard, L.: Value driven security threat modeling based on attack path analysis. In: HICSS, p. 280 (2007)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Antonella Guzzo
    • 1
  • Andrea Pugliese
    • 1
  • Antonino Rullo
    • 1
  • Domenico Saccà
    • 1
  1. 1.University of CalabriaItaly

Personalised recommendations