Real time intrusion prediction based on optimized alerts with Hidden Markov model

Cited by: 33
Authors
Sendi, Alireza Shameli [1 ]
Dagenais, Michel [1 ]
Jabbarifar, Masoume [1 ]
Couture, Mario [2 ]
Affiliations
[1] Department of Computer and Software Engineering, École Polytechnique de Montréal, Montréal, Canada
[2] Defence Research and Development Canada Valcartier, QC, Canada
Keywords
Computer crime; Forecasting; Cybersecurity; Network security
DOI
10.4304/jnw.7.2.311-321
Abstract
Cyber attacks and malicious activities are rapidly becoming a major threat to properly secured organizations. Many security tools may be installed in distributed systems to monitor all events in a network, and security managers often have to process huge numbers of alerts per day produced by such tools. Intrusion prediction is an important technique that helps response systems react properly before the network is compromised. In this paper, we propose a framework to predict multi-step attacks before they pose a serious security risk. A Hidden Markov Model (HMM) is used to extract the interactions between attackers and networks. Since alert correlation plays a critical role in prediction, a modulated alert severity, obtained through correlation, is used instead of just individual alerts and their severity. Modulated severity generates prediction alarms for the most interesting steps of multi-step attacks and improves the accuracy. Our experiments on the Lincoln Laboratory 2000 data set show that our algorithm perfectly predicts multi-step attacks before they can compromise the network. © 2012 ACADEMY PUBLISHER.
Pages: 311-321