Characterization of Cyber Attacks through Variable Length Markov Models
Daniel S. Fava and Shanchieh J. Yang
Department of Computer Engineering
Rochester Institute of Technology
Abstract:
The increase in bandwidth, the emergence of wireless technologies, and the spread of the Internet throughout the world have created new forms of communication with effects on areas such as business, entertainment, and education. This pervasion of computer networks into human activity has amplified the importance of cyber security. Cyber security relies heavily on Intrusion Detection Systems (IDS), whose objective is to detect malicious network traffic and computer usage. IDS data can be correlated into cyber attack tracks, which consist of ordered collections of alerts triggered during a single multi-stage attack. The objective of this research is to enhance current knowledge of attack behavior by developing a model that captures the sequential properties of attack tracks. Two sequence characterization models are discussed: Variable Length Markov Models (VLMMs), which are a type of finite-context model, and Hidden Markov Models (HMMs), which are also known as finite-state models. Consider each attack track as a sequence of symbols, s = {x_1, x_2, ..., x_n}, where each x_i is drawn from a set of possible values of one or more fields in an alert message. A VLMM is implemented to capture all possible fixed-order Markov properties of attack tracks in the training set. For each newly observed and unfolding attack track, s* = {x*_1, x*_2, ..., x*_j}, the transition probabilities based on the finite contexts revealed in s* are combined. The combined probabilities of future attack actions (x*_{j+1}) are then used for prediction. In addition, this work presents metrics that classify attack tracks based on entropy, which measures the variability in attack actions; on average log-loss, which measures the rarity of attack sequences; and on attack agility in terms of attacked machines.
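As an added illustration (not code from the paper), the following Python sketch trains a VLMM on constructed attack tracks, blends the order-0..k context estimates to predict the next alert, and computes the entropy and average log-loss metrics the abstract describes. The alert-category alphabet, the uniform blending of orders and the add-one smoothing are assumptions of this example, not the paper's scheme.

```python
import math
from collections import Counter, defaultdict

# Constructed sample attack tracks (not from the paper); each symbol is an alert category.
TRAINING_TRACKS = [
    ["scan", "scan", "exploit", "privesc", "exfil"],
    ["scan", "exploit", "privesc", "exfil"],
    ["scan", "scan", "scan", "exploit", "exfil"],
    ["scan", "exploit", "lateral", "privesc", "exfil"],
]

class VLMM:
    """Stores next-symbol counts for every context of length 0..max_order."""
    def __init__(self, max_order=3):
        self.max_order = max_order
        self.counts = defaultdict(Counter)  # context tuple -> Counter of next symbol
        self.alphabet = set()

    def train(self, tracks):
        for track in tracks:
            self.alphabet.update(track)
            for i, sym in enumerate(track):
                # Record sym under every suffix of its preceding symbols (orders 0..k).
                for k in range(min(i, self.max_order) + 1):
                    self.counts[tuple(track[i - k:i])][sym] += 1

    def predict(self, history):
        """Blend the fixed-order estimates whose context occurs in training.
        Assumed scheme: uniform average of add-one-smoothed distributions."""
        alphabet = sorted(self.alphabet)
        probs, used = {s: 0.0 for s in alphabet}, 0
        for k in range(min(self.max_order, len(history)) + 1):
            ctx = tuple(history[len(history) - k:])
            if ctx not in self.counts:
                continue  # unseen context contributes nothing
            c, n = self.counts[ctx], sum(self.counts[ctx].values())
            for s in alphabet:
                probs[s] += (c[s] + 1) / (n + len(alphabet))
            used += 1
        return {s: p / used for s, p in probs.items()}

    def avg_log_loss(self, track):
        """Average log-loss in bits per symbol: a high value marks a rare track."""
        return -sum(math.log2(self.predict(track[:i])[s]) for i, s in enumerate(track)) / len(track)

def entropy(track):
    """Entropy (bits) of the track's action distribution: variability of attack actions."""
    n = len(track)
    return -sum(c / n * math.log2(c / n) for c in Counter(track).values())
```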