Title: Hidden Markov models for advanced persistent threats

Authors: Guillaume Brogi; Elena Di Bernardino

Addresses: Akheros, France; Département IMATH, Conservatoire National des Arts et Métiers, EA4629, Paris, France. Département IMATH, Conservatoire National des Arts et Métiers, EA4629, Paris, France.

Abstract: Advanced persistent threats (APT) are a serious security risk, and tools suited to their detection are needed. These attack campaigns do leave traces in the system, and it is possible to reconstruct part of the attack campaign from these traces. In this article, we describe a hidden Markov model for the evolution of an APT. The aim of this model is to validate whether the evolution of a partially reconstructed attack campaign is indeed consistent with the evolution of an APT. Since APTs are hard to detect, we also introduce a score that takes potentially undetected attacks into account. In addition, the score allows comparing the fit of APTs of different lengths. We validate and illustrate both the model and the score using data obtained from experts.
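The abstract names three ideas: a hidden Markov model whose hidden states are the stages of an APT, a score that tolerates undetected attacks, and a way to compare campaigns of different lengths. The following toy implementation is an added illustration, not the paper's own code, model or score (none of which are reproduced on this page). The stage names, alert symbols and every probability below are assumptions chosen only to make the example run; the parts that are standard HMM practice are the scaled forward algorithm, treating a missing observation by summing its emission out, and normalising the log-likelihood by sequence length.

```python
"""Toy HMM over assumed APT stages with a gap-tolerant, length-normalised score.

Illustrative example only; the stages, alert symbols and probabilities are
assumptions, not the model described in the paper.
"""
import math
from typing import Optional, Sequence

Observation = Optional[str]  # None marks a time step with no detected alert

# Hidden states: assumed APT stages in their usual order of progression.
STATES = ["recon", "initial_access", "lateral_movement", "exfiltration"]
# Observation symbols: assumed detector alert types plus a catch-all "noise".
SYMBOLS = ["scan", "phish", "lateral", "exfil", "noise"]

# Assumed parameters. Each row sums to 1; transitions favour moving forward.
INITIAL = {"recon": 0.7, "initial_access": 0.2, "lateral_movement": 0.07, "exfiltration": 0.03}
TRANSITION = {
    "recon":            {"recon": 0.30, "initial_access": 0.60, "lateral_movement": 0.08, "exfiltration": 0.02},
    "initial_access":   {"recon": 0.05, "initial_access": 0.30, "lateral_movement": 0.60, "exfiltration": 0.05},
    "lateral_movement": {"recon": 0.02, "initial_access": 0.08, "lateral_movement": 0.40, "exfiltration": 0.50},
    "exfiltration":     {"recon": 0.02, "initial_access": 0.03, "lateral_movement": 0.15, "exfiltration": 0.80},
}
EMISSION = {
    "recon":            {"scan": 0.70, "phish": 0.10, "lateral": 0.05, "exfil": 0.05, "noise": 0.10},
    "initial_access":   {"scan": 0.10, "phish": 0.65, "lateral": 0.10, "exfil": 0.05, "noise": 0.10},
    "lateral_movement": {"scan": 0.05, "phish": 0.10, "lateral": 0.65, "exfil": 0.10, "noise": 0.10},
    "exfiltration":     {"scan": 0.05, "phish": 0.05, "lateral": 0.10, "exfil": 0.70, "noise": 0.10},
}


def _emission(state: str, obs: Observation) -> float:
    """Emission factor; a missing observation (None) is summed out, i.e. factor 1."""
    if obs is None:
        return 1.0
    if obs not in SYMBOLS:
        raise ValueError(f"unknown alert symbol: {obs!r}")
    return EMISSION[state][obs]


def log_likelihood(observations: Sequence[Observation]) -> float:
    """Scaled forward algorithm: returns log P(observations | model).

    Scaling the forward vector at every step keeps the numbers in range for
    long campaigns; the log of the scale factors accumulates the likelihood.
    """
    if not observations:
        raise ValueError("need at least one time step")
    alpha = {s: INITIAL[s] * _emission(s, observations[0]) for s in STATES}
    total = 0.0
    for obs in observations[1:] or []:
        pass  # placeholder replaced below; kept simple for readability
    # First step
    scale = sum(alpha.values())
    if scale == 0.0:
        return -math.inf
    total += math.log(scale)
    alpha = {s: a / scale for s, a in alpha.items()}
    # Remaining steps
    for obs in observations[1:]:
        new_alpha = {
            j: _emission(j, obs) * sum(alpha[i] * TRANSITION[i][j] for i in STATES)
            for j in STATES
        }
        scale = sum(new_alpha.values())
        if scale == 0.0:
            return -math.inf
        total += math.log(scale)
        alpha = {s: a / scale for s, a in new_alpha.items()}
    return total


def score(observations: Sequence[Observation]) -> float:
    """Average log-likelihood per time step, so that campaigns of different
    lengths can be compared on one scale instead of penalising the longer one."""
    return log_likelihood(observations) / len(observations)


def rank_campaigns(campaigns: Sequence[Sequence[Observation]]) -> list:
    """Order reconstructed campaigns from most to least APT-like under the model."""
    return sorted(campaigns, key=score, reverse=True)


if __name__ == "__main__":
    # Constructed sample campaigns: a textbook progression, one with an
    # undetected middle step (None), and the stages in the wrong order.
    candidates = [
        ["scan", "phish", "lateral", "exfil"],
        ["scan", None, "exfil"],
        ["exfil", "lateral", "phish", "scan"],
    ]
    for campaign in rank_campaigns(candidates):
        print(f"{score(campaign):8.4f}  {campaign}")
```

Because the model is a proper probability distribution, two checks make good unit tests: a campaign consisting only of gaps has likelihood exactly 1 (everything is summed out), and the likelihood of a campaign with one gap equals the sum of the likelihoods obtained by filling that gap with each possible symbol.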

Keywords: intrusion detection; advanced persistent threats; APT; attack campaign; machine learning; hidden Markov models; HMM; score; missing observations; undetected attacks; expert knowledge.

DOI: 10.1504/IJSN.2019.103147

International Journal of Security and Networks, 2019 Vol.14 No.4, pp.181 - 190

Received: 26 Mar 2018
Accepted: 09 Feb 2019

Published online: 21 Oct 2019
