Learning to Learn Sequential Network Attacks Using Hidden Markov Models
The global surge of cyber-attacks in the form of sequential network attacks has propelled the need for robust intrusion detection and prediction systems. Such attacks are difficult to reveal using current intrusion detection systems, since each individual attack phase may appear benign when examined...
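Main Authors: | Timothy Chadza, Konstantinos G. Kyriakopoulos, Sangarapillai Lambotharan |
---|---|
Format: | Article |
Language: | English |
Published: | IEEE 2020-01-01 |
Series: | IEEE Access |
Subjects: | Transfer learning, hidden Markov model, Viterbi decoding, forward-backward, sequential network attacks |
Online Access: | https://ieeexplore.ieee.org/document/9146155/ |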
id |
doaj-0f58d375c47948db9dc59a3a36485aaf |
---|---|
record_format |
Article |
spelling |
doaj-0f58d375c47948db9dc59a3a36485aaf 2021-03-30T04:42:32Z eng IEEE IEEE Access 2169-3536 2020-01-01 8 134480 134497 10.1109/ACCESS.2020.3011293 9146155 Learning to Learn Sequential Network Attacks Using Hidden Markov Models Timothy Chadza 0 https://orcid.org/0000-0002-4647-0329 Konstantinos G. Kyriakopoulos 1 https://orcid.org/0000-0002-7498-4589 Sangarapillai Lambotharan 2 https://orcid.org/0000-0001-5255-7036 Wolfson School of Mechanical, Electrical, and Manufacturing Engineering, Loughborough University, Loughborough, U.K. Wolfson School of Mechanical, Electrical, and Manufacturing Engineering, Loughborough University, Loughborough, U.K. Wolfson School of Mechanical, Electrical, and Manufacturing Engineering, Loughborough University, Loughborough, U.K. The global surge of cyber-attacks in the form of sequential network attacks has propelled the need for robust intrusion detection and prediction systems. Such attacks are difficult to reveal using current intrusion detection systems, since each individual attack phase may appear benign when examined outside of its context. In addition, there are challenges in building supervised learning models for such attacks, since there are limited labelled datasets available. Hence, there is a need for updating already built models to specific operational environments and for addressing the concept drift. A hidden Markov model (HMM) is a popular framework for sequential modelling, however, in addition to the above challenges, the model parameters are difficult to optimise. This paper proposes a transfer learning (TL) approach that exploits already learned knowledge, gained from a labelled source dataset, and adapts it on a different, unlabelled target dataset. The datasets may be from a different but related domain. Five unsupervised HMM techniques are developed utilising a TL approach and evaluated against conventional machine learning approaches. Baum-Welch (BW), Viterbi training, gradient descent, differential evolution (DE) and simulated annealing, are deployed for the detection of attack stages in the network traffic, as well as, forecasting both the next most probable attack stage and its method of manifestation. Specifically, for the prediction of the three next most likely states and observations, TL with DE achieved a maximum accuracy improvement of 48.3%, and 27.4%, respectively. Finally, the actual detection prediction for the three next most probable states and methods of manifestation reaches 78.9% and 96.3% using TL with BW and DE, respectively. https://ieeexplore.ieee.org/document/9146155/ Transfer learning hidden Markov model Viterbi decoding forward-backward sequential network attacks |
collection |
DOAJ |
language |
English |
format |
Article |
sources |
DOAJ |
author |
Timothy Chadza Konstantinos G. Kyriakopoulos Sangarapillai Lambotharan |
spellingShingle |
Timothy Chadza Konstantinos G. Kyriakopoulos Sangarapillai Lambotharan Learning to Learn Sequential Network Attacks Using Hidden Markov Models IEEE Access Transfer learning hidden Markov model Viterbi decoding forward-backward sequential network attacks |
author_sort |
Timothy Chadza |
title |
Learning to Learn Sequential Network Attacks Using Hidden Markov Models |
publisher |
IEEE |
series |
IEEE Access |
issn |
2169-3536 |
publishDate |
2020-01-01 |
topic |
Transfer learning hidden Markov model Viterbi decoding forward-backward sequential network attacks |