Skip to main content
SpringerLink
Log in

Using Hidden Markov Models to Evaluate the Risks of Intrusions

System Architecture and Model Validation

  • Conference paper
Book cover Recent Advances in Intrusion Detection (RAID 2006)

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 4219))

Included in the following conference series:

Abstract

Security-oriented risk assessment tools are used to determine the impact of certain events on the security status of a network. Most existing approaches are generally limited to manual risk evaluations that are not suitable for real-time use. In this paper, we introduce an approach to network risk assessment that is novel in a number of ways. First of all, the risk level of a network is determined as the composition of the risks of individual hosts, providing a more precise, fine-grained model. Second, we use Hidden Markov models to represent the likelihood of transitions between security states. Third, we tightly integrate our risk assessment tool with an existing framework for distributed, large-scale intrusion detection, and we apply the results of the risk assessment to prioritize the alerts produced by the intrusion detection sensors. We also evaluate our approach on both simulated and real-world data.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Årnes, A., Sallhammar, K., Haslum, K., Brekne, T., Moe, M.E.G., Knapskog, S.J.: Real-time risk assessment with network sensors and intrusion detection systems. In: Hao, Y., Liu, J., Wang, Y.-P., Cheung, Y.-m., Yin, H., Jiao, L., Ma, J., Jiao, Y.-C. (eds.) CIS 2005. LNCS, vol. 3802, pp. 388–397. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  2. CORAS IST-2000-25031 (2003), Web Site, http://www.nr.no/coras

  3. Debar, H., Curry, D.A., Feinstein, B.S.: Intrusion detection message exchange format (IDMEF) – internet-draft (2005)

    Google Scholar 

  4. Desai, N.: IDS correlation of VA data and IDS alerts (June 2003), http://www.securityfocus.com/infocus/1708

  5. Evans, S., Heinbuch, D., Kyule, E., Piorkowski, J., Wallner, J.: Risk-based systems security engineering: Stopping attacks with intention. IEEE Security and Privacy 02(6), 59–62 (2004)

    Article  Google Scholar 

  6. Gehani, A., Kedem, G.: RheoStat: Real-time risk management. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 296–314. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  7. Gula, R.: Correlating ids alerts with vulnerability information. Technical report, Tenable Network Security (December 2002)

    Google Scholar 

  8. Krügel, C., Kirda, E., Mutz, D., Robertson, W., Vigna, G.: Polymorphic worm detection using structural information of executables. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 207–226. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  9. Kruegel, C., Robertson, W.: Alert verification: Determining the success of intrusion attempts. In: Proceedings of the 1st Workshop on the Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA 2004), Dortmund, Germany (July 2004)

    Google Scholar 

  10. Kruegel, C., Robertson, W., Vigna, G.: Using alert verification to identify successful intrusion attempts. Practice in Information Processing and Communication (PIK 2004) 27(4), 219–227 (2004)

    Google Scholar 

  11. Lincoln Laboratory. Lincoln laboratory scenario (DDoS) 1.0 (2000), http://www.ll.mit.edu/SST/ideval/data/2000/LLS_DDOS_1.0.html

  12. Porras, P.A., Fong, M.W., Valdes, A.: A mission-impact-based approach to INFOSEC alarm correlation. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, pp. 95–114. Springer, Heidelberg (2002)

    Chapter  Google Scholar 

  13. Rabiner, L.R.: A tutorial on hidden markov models and selected applications in speech recognition. Readings in speech recognition, pp. 267–296 (1990)

    Google Scholar 

  14. Standards Australia and Standards New Zealand. AS/NZS 4360: 2004 risk management (2004)

    Google Scholar 

  15. Stonebumer, G., Goguen, A., Feringa, A.: Risk management guide for information technology systems, special publication, pp. 800–830 (2002), http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

  16. Sun Microsystems, Inc. Installing, Administering, and Using the Basic Security Module. 2550 Garcia Ave., Mountain View, CA 94043 (December 1991)

    Google Scholar 

  17. Vigna, G., Kemmerer, R.A., Blix, P.: Designing a web of highly-configurable intrusion detection sensors. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 69–84. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  18. Vigna, G., Valeur, F., Kemmerer, R.: Designing and implementing a family of intrusion detection systems. In: Proceedings of European Software Engineering Conference and ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE 2003), Helsinki, Finland (September 2003)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Centre for Quantifiable Quality of Service in Communication Systems, Norwegian University of Science and Technology, O.S. Bragstads plass 2E, N-7491, Trondheim, Norway

    André Årnes

  2. Department of Computer Science, University of California Santa Barbara, Santa Barbara, CA, 93106-5110, USA

    Fredrik Valeur, Giovanni Vigna & Richard A. Kemmerer

Authors
  1. André Årnes
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Fredrik Valeur
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Giovanni Vigna
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Richard A. Kemmerer
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. IBM Research Laboratory, Säumerstr. 4, 8803, Rüschlikon, Switzerland

    Diego Zamboni

  2. Secure Systems Lab, Technical University of Vienna, 1040, Vienna, Austria

    Christopher Kruegel

Rights and permissions

Reprints and permissions

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Årnes, A., Valeur, F., Vigna, G., Kemmerer, R.A. (2006). Using Hidden Markov Models to Evaluate the Risks of Intrusions. In: Zamboni, D., Kruegel, C. (eds) Recent Advances in Intrusion Detection. RAID 2006. Lecture Notes in Computer Science, vol 4219. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11856214_8

Download citation

  • DOI: https://doi.org/10.1007/11856214_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-39723-6

  • Online ISBN: 978-3-540-39725-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation