Sequential Pattern Mining for ICT Risk Assessment and Prevention

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10729)


Security risk assessment and prevention in ICT systems rely on the analysis of data on the joint behavior of the system and its (malicious) users. The Haruspex tool models intelligent, goal-oriented agents that reach their goals through attack sequences. Data is synthetically generated through a Monte Carlo method that runs multiple simulations of the attacks against the system. In this paper, we present a sequential pattern mining analysis of the database of attack sequences. The intended objective is twofold: (1) to exploit the extracted patterns for the design of attack counter-measures, and (2) to gain a better understanding of the “degree of freedom” available to the attackers of a system. We formally motivate the need for using maximal sequential patterns, instead of frequent or closed sequential patterns, and report the results of a specific case study.
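The following is an added example, not code from the paper or from Haruspex: it applies the standard definitions of frequent, closed and maximal sequential patterns to a small database of attack sequences, to show how much smaller the maximal set is for a defender reviewing candidate counter-measures. The step names, the four runs and the support threshold are constructed for illustration.

```python
from itertools import chain

# Constructed attack sequences, one per simulated run; step names are hypothetical.
RUNS = [
    ("scan", "exploit_web", "priv_esc", "read_db"),
    ("scan", "exploit_web", "pivot", "read_db"),
    ("phish", "priv_esc", "read_db"),
    ("scan", "exploit_web", "priv_esc", "read_db"),
]

def contains(seq, pat):
    """True if pat is a (possibly non-contiguous) subsequence of seq."""
    it = iter(seq)
    return all(step in it for step in pat)

def support(pat, db):
    """Number of sequences in db that contain pat."""
    return sum(contains(s, pat) for s in db)

def frequent_patterns(db, minsup):
    """Level-wise growth; valid because every frequent pattern has a frequent prefix."""
    items = sorted(set(chain.from_iterable(db)))
    found, level = {}, [()]
    while level:
        nxt = []
        for p in level:
            for i in items:
                q = p + (i,)
                sup = support(q, db)
                if sup >= minsup:
                    found[q] = sup
                    nxt.append(q)
        level = nxt
    return found

def closed_patterns(freq):
    """Frequent patterns with no proper super-pattern of equal support."""
    return {p: s for p, s in freq.items()
            if not any(len(q) > len(p) and freq[q] == s and contains(q, p) for q in freq)}

def maximal_patterns(freq):
    """Frequent patterns with no frequent proper super-pattern."""
    return {p: s for p, s in freq.items()
            if not any(len(q) > len(p) and contains(q, p) for q in freq)}

if __name__ == "__main__":
    freq = frequent_patterns(RUNS, minsup=3)
    print(len(freq), "frequent;", len(closed_patterns(freq)), "closed")
    for pat, sup in maximal_patterns(freq).items():
        print("maximal:", " -> ".join(pat), "support", sup)
```

With a support threshold of 3, the nine frequent patterns reduce to three closed and two maximal ones, and each maximal pattern still names a full sequence of steps shared by at least three runs.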


Keywords: Security risk assessment, Attack sequences, Sequential pattern mining, Maximum coverage problem



Copyright information

© Springer International Publishing AG 2018

Authors and Affiliations

  1. Dipartimento di Informatica, Università di Pisa, Pisa, Italy
