
dc.contributor.author: Ghafir, Ibrahim
dc.contributor.author: Kyriakopoulos, K.G.
dc.contributor.author: Lambotharan, S.
dc.contributor.author: Aparicio-Navarro, F.J.
dc.contributor.author: Assadhan, B.
dc.contributor.author: Binsalleeh, H.
dc.contributor.author: Diab, D.M.
dc.date.accessioned: 2020-01-24T12:13:25Z
dc.date.accessioned: 2020-01-31T10:40:51Z
dc.date.available: 2020-01-24T12:13:25Z
dc.date.available: 2020-01-31T10:40:51Z
dc.date.issued: 2019-07
dc.identifier.citation: Ghafir I, Kyriakopoulos KG, Lambotharan S et al (2019) Hidden Markov models and alert correlations for the prediction of advanced persistent threats. IEEE Access. 7: 99508-99520.
dc.identifier.uri: http://hdl.handle.net/10454/17613
dc.description: Yes
dc.description.abstract: Cyber security has become a matter of global interest, and many attacks target industrial companies and governmental organizations. Advanced persistent threats (APTs) have emerged as a new and complex form of multi-stage attack (MSA), targeting selected companies and organizations. Current APT detection systems focus on raising detection alerts rather than predicting APTs. Forecasting the APT stages not only reveals the APT life cycle in its early stages but also helps to understand the attacker's strategies and aims. This paper proposes a novel intrusion detection system for APT detection and prediction. The system operates in two main phases. The first achieves attack scenario reconstruction: a correlation framework links the elementary alerts that belong to the same APT campaign by matching the attributes of elementary alerts generated within a configurable time window. The second phase is attack decoding: a hidden Markov model (HMM) determines the most likely sequence of APT stages for a given sequence of correlated alerts. Moreover, a prediction algorithm computes the probability of each APT stage being the attacker's next step and predicts the next step of the APT campaign accordingly. The proposed approach estimates the sequence of APT stages with an accuracy of at least 91.80%, and it predicts the next step of the APT campaign with an accuracy of 66.50%, 92.70%, and 100% given two, three, and four correlated alerts, respectively.
dc.description.sponsorship: The Gulf Science, Innovation and Knowledge Economy Programme of the U.K. Government under UK-Gulf Institutional Link Grant IL 279339985 and in part by the Engineering and Physical Sciences Research Council (EPSRC), U.K., under Grant EP/R006385/1.
dc.language.iso: en
dc.rights: This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see http://creativecommons.org/licenses/by/4.0/
dc.subject: Advanced persistent threat
dc.subject: Intrusion detection system
dc.subject: Alert correlation
dc.subject: Hidden Markov model
dc.subject: Attack prediction
dc.title: Hidden Markov models and alert correlations for the prediction of advanced persistent threats
dc.status.refereed: Yes
dc.date.application: 2019-07-22
dc.type: Article
dc.type.version: Published version
dc.identifier.doi: https://doi.org/10.1109/ACCESS.2019.2930200
dc.date.updated: 2020-01-24T12:13:27Z
refterms.dateFOA: 2020-01-31T10:41:17Z
dc.date.accepted: 2019-07-10
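The two phases described in the abstract, as an added example that is not the paper's code: alert correlation by matching a shared attribute within a time window, Viterbi decoding of the most likely APT stage sequence for the correlated alerts, and next-stage prediction by running the forward algorithm and propagating one transition. The stage names, alert types, sample alerts, the `src` correlation attribute and every HMM probability below are constructed assumptions; the paper's own stage set, correlation attributes and trained parameters are not given on this page.

```python
"""Added illustration, not the paper's implementation.

Stage names, alert types, sample alerts and all probabilities are constructed
assumptions; the paper's APT stages and trained HMM parameters are not on this page.
"""
from datetime import datetime, timedelta

# Hypothetical APT stages (hidden states) and elementary alert types (observations).
STAGES = ["recon", "delivery", "c2", "exfil"]
ALERTS = ["port_scan", "malicious_attachment", "dns_tunnel", "large_upload"]

# Constructed HMM parameters; every row sums to 1.
START = [0.7, 0.2, 0.05, 0.05]           # P(first stage)
TRANS = [                                # P(next stage | current stage)
    [0.3, 0.6, 0.05, 0.05],
    [0.05, 0.3, 0.6, 0.05],
    [0.05, 0.05, 0.4, 0.5],
    [0.05, 0.05, 0.2, 0.7],
]
EMIT = [                                 # P(alert type | stage)
    [0.8, 0.1, 0.05, 0.05],
    [0.1, 0.8, 0.05, 0.05],
    [0.05, 0.1, 0.8, 0.05],
    [0.05, 0.05, 0.1, 0.8],
]

# Constructed sample alerts (not the paper's dataset): two sources, one of which
# raises three alerts within minutes and a fourth hours later.
T0 = datetime(2019, 7, 1, 9, 0)
SAMPLE_ALERTS = [
    {"time": T0, "src": "10.0.0.5", "type": "port_scan"},
    {"time": T0 + timedelta(minutes=3), "src": "10.0.0.9", "type": "large_upload"},
    {"time": T0 + timedelta(minutes=5), "src": "10.0.0.5", "type": "malicious_attachment"},
    {"time": T0 + timedelta(minutes=12), "src": "10.0.0.5", "type": "dns_tunnel"},
    {"time": T0 + timedelta(hours=3), "src": "10.0.0.5", "type": "port_scan"},
]
WINDOW = timedelta(minutes=30)           # configurable correlation window


def correlate(alerts, window, key=("src",)):
    """Phase 1: group alerts sharing the attributes in `key` whose gap to the
    previous alert of the group is at most `window`. Returns groups in time order."""
    open_groups = {}                     # attribute tuple -> currently open group
    groups = []
    for a in sorted(alerts, key=lambda x: x["time"]):
        k = tuple(a[f] for f in key)
        grp = open_groups.get(k)
        if grp is not None and a["time"] - grp[-1]["time"] <= window:
            grp.append(a)                # same campaign, still inside the window
        else:
            grp = [a]                    # window expired or new source: new scenario
            open_groups[k] = grp
            groups.append(grp)
    return groups


def viterbi(obs):
    """Phase 2: most likely APT stage sequence for a correlated alert sequence."""
    n, o = len(STAGES), [ALERTS.index(x) for x in obs]
    delta = [[0.0] * n for _ in o]       # best path probability ending in stage s
    back = [[0] * n for _ in o]          # back-pointers for path recovery
    for s in range(n):
        delta[0][s] = START[s] * EMIT[s][o[0]]
    for t in range(1, len(o)):
        for s in range(n):
            p = max(range(n), key=lambda q: delta[t - 1][q] * TRANS[q][s])
            delta[t][s] = delta[t - 1][p] * TRANS[p][s] * EMIT[s][o[t]]
            back[t][s] = p
    path = [max(range(n), key=lambda s: delta[-1][s])]
    for t in range(len(o) - 1, 0, -1):
        path.append(back[t][path[-1]])
    return [STAGES[s] for s in reversed(path)]


def predict_next(obs):
    """Probability of each stage being the attacker's next step: forward
    algorithm over the alerts seen so far, then one transition step."""
    n, o = len(STAGES), [ALERTS.index(x) for x in obs]
    alpha = [START[s] * EMIT[s][o[0]] for s in range(n)]
    for t in range(1, len(o)):
        alpha = [sum(alpha[p] * TRANS[p][s] for p in range(n)) * EMIT[s][o[t]]
                 for s in range(n)]
    z = sum(alpha)
    post = [a / z for a in alpha]        # P(current stage | alerts)
    nxt = [sum(post[p] * TRANS[p][s] for p in range(n)) for s in range(n)]
    return dict(zip(STAGES, nxt))


if __name__ == "__main__":
    for grp in correlate(SAMPLE_ALERTS, WINDOW):
        types = [a["type"] for a in grp]
        print(grp[0]["src"], types, "->", viterbi(types))
        if len(types) >= 2:              # the paper predicts from 2+ correlated alerts
            print("  next-step probabilities:", predict_next(types))
```

With the constructed parameters the three alerts from 10.0.0.5 decode to recon, delivery, c2, and the next-step distribution puts most mass on exfil; in practice the transition and emission matrices would be estimated from labelled campaigns, and the window and correlation attributes tuned to the alert sources in use.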


Item file(s)

Name: HiddenMarkovModelsandAlertCorr ...
Size: 7.165Mb
Format: PDF

Name: Ghafir_IEEE_Access_Final.pdf
Size: 6.985Mb
Format: PDF
