Using hidden markov models to evaluate the risks of intrusions

Authors:
André Årnes;Fredrik Valeur;Giovanni Vigna;Richard A. Kemmerer
Affiliations:
Centre for Quantifiable Quality of Service in Communication Systems, Norwegian University of Science and Technology, Trondheim, Norway;Department of Computer Science, University of California Santa Barbara, Santa Barbara, CA;Department of Computer Science, University of California Santa Barbara, Santa Barbara, CA;Department of Computer Science, University of California Santa Barbara, Santa Barbara, CA
Venue:
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
Year:
2006

Citing 8
Cited 6

A tutorial on hidden Markov models and selected applications in speech recognition

Readings in speech recognition
Designing a Web of Highly-Configurable Intrusion Detection Sensors

RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Designing and implementing a family of intrusion detection systems

Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering
Risk-based Systems Security Engineering: Stopping Attacks with Intention

IEEE Security and Privacy
A mission-impact-based approach to INFOSEC alarm correlation

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Real-time risk assessment with network sensors and intrusion detection systems

CIS'05 Proceedings of the 2005 international conference on Computational Intelligence and Security - Volume Part II
Polymorphic worm detection using structural information of executables

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
SP 800-30. Risk Management Guide for Information Technology Systems

SP 800-30. Risk Management Guide for Information Technology Systems

Distributed and control theoretic approach to intrusion detection

IWCMC '07 Proceedings of the 2007 international conference on Wireless communications and mobile computing
A model-based semi-quantitative approach for evaluating security of enterprise networks

Proceedings of the 2008 ACM symposium on Applied computing
Multisensor Real-Time Risk Assessment Using Continuous-Time Hidden Markov Models

Computational Intelligence and Security
Asset priority risk assessment using hidden markov models

Proceedings of the 10th ACM conference on SIG-information technology education
A framework for security quantification of networked machines

COMSNETS'10 Proceedings of the 2nd international conference on COMmunication systems and NETworks
Assessing security risk to a network using a statistical model of attacker community competence

ICICS'09 Proceedings of the 11th international conference on Information and Communications Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Security-oriented risk assessment tools are used to determine the impact of certain events on the security status of a network. Most existing approaches are generally limited to manual risk evaluations that are not suitable for real-time use. In this paper, we introduce an approach to network risk assessment that is novel in a number of ways. First of all, the risk level of a network is determined as the composition of the risks of individual hosts, providing a more precise, fine-grained model. Second, we use Hidden Markov models to represent the likelihood of transitions between security states. Third, we tightly integrate our risk assessment tool with an existing framework for distributed, large-scale intrusion detection, and we apply the results of the risk assessment to prioritize the alerts produced by the intrusion detection sensors. We also evaluate our approach on both simulated and real-world data.