Multi-Step Attack Detection Based on Pre-Trained Hidden Markov Models
Currently, hidden Markov-based multi-step attack detection models are mainly trained using the unsupervised Baum–Welch algorithm. The Baum–Welch algorithm is sensitive to the initial values of model parameters. However, its training uses random or average parameter initialization methods, which freq...
| Main Authors: | , , , , , , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
MDPI
2022
|
| Subjects: | |
| Online Access: | View Fulltext in Publisher |
| LEADER | 02731nam a2200433Ia 4500 | ||
|---|---|---|---|
| 001 | 0.3390-s22082874 | ||
| 008 | 220421s2022 CNT 000 0 und d | ||
| 020 | |a 14248220 (ISSN) | ||
| 245 | 1 | 0 | |a Multi-Step Attack Detection Based on Pre-Trained Hidden Markov Models |
| 260 | 0 | |b MDPI |c 2022 | |
| 856 | |z View Fulltext in Publisher |u https://doi.org/10.3390/s22082874 | ||
| 520 | 3 | |a Currently, hidden Markov-based multi-step attack detection models are mainly trained using the unsupervised Baum–Welch algorithm. The Baum–Welch algorithm is sensitive to the initial values of model parameters. However, its training uses random or average parameter initialization methods, which frequently results in the model training into a local optimum, thus, making the model unable to fit the alert logs well and thereby reducing the detection effectiveness of the model. To solve this issue, we propose a pre-training method for multi-step attack detection models based on the high semantic similarity of alerts in the same attack phase. The method first clusters the alerts based on their semantic information and pre-classifies the attack phase to which each alert belongs. Then, the distance of the alert vector to each attack stage is converted into the probability of generating alerts in each attack stage, replacing the initial value of Baum–Welch. The effectiveness of the proposed method is evaluated using the DARPA 2000 dataset, DEFCON21 CTF dataset, and ISCXIDS 2012 dataset. The experimental results show that the hidden Markov multi-step attack detection method based on pre-training of the proposed model parameters had higher detection accuracy than the Baum–Welch-based, K-means-based, and transfer learning differential evolution-based hidden Markov multi-step attack detection methods. © 2022 by the authors. Licensee MDPI, Basel, Switzerland. | |
| 650 | 0 | 4 | |a Attack detection |
| 650 | 0 | 4 | |a Baum-Welch |
| 650 | 0 | 4 | |a Baum-Welch algorithms |
| 650 | 0 | 4 | |a Detection models |
| 650 | 0 | 4 | |a Evolutionary algorithms |
| 650 | 0 | 4 | |a Hidden markov |
| 650 | 0 | 4 | |a Hidden Markov Model |
| 650 | 0 | 4 | |a Hidden Markov models |
| 650 | 0 | 4 | |a Hidden-Markov models |
| 650 | 0 | 4 | |a K-means clustering |
| 650 | 0 | 4 | |a Modeling parameters |
| 650 | 0 | 4 | |a multi-step attack detection |
| 650 | 0 | 4 | |a Multi-step attack detection |
| 650 | 0 | 4 | |a Multi-step attacks |
| 650 | 0 | 4 | |a Optimization |
| 650 | 0 | 4 | |a pre-training |
| 650 | 0 | 4 | |a Pre-training |
| 650 | 0 | 4 | |a Semantics |
| 700 | 1 | 0 | |a Cheng, C. |e author |
| 700 | 1 | 0 | |a Hu, H. |e author |
| 700 | 1 | 0 | |a Wu, T. |e author |
| 700 | 1 | 0 | |a Yin, W. |e author |
| 700 | 1 | 0 | |a Zeng, Y. |e author |
| 700 | 1 | 0 | |a Zhai, L. |e author |
| 700 | 1 | 0 | |a Zhang, X. |e author |
| 700 | 1 | 0 | |a Zheng, Q. |e author |
| 773 | |t Sensors | ||