New Goal Recognition Algorithms Using Attack Graphs

  • Reuth MirskyEmail author
  • Ya’ar ShalomEmail author
  • Ahmad MajadlyEmail author
  • Kobi GalEmail author
  • Rami PuzisEmail author
  • Ariel FelnerEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11527)


Goal recognition is the task of inferring the goal of an actor given its observed actions. Attack graphs are a common representation of assets, vulnerabilities, and exploits used for analysis of potential intrusions in computer networks. This paper introduces new goal recognition algorithms on attack graphs. The main challenges involving goal recognition in cyber security include dealing with noisy and partial observations as well as the need for fast, near-real-time performance. To this end we propose improvements to existing planning-based algorithms for goal recognition, reducing their time complexity and allowing them to handle noisy observations. We also introduce two new metric-based algorithms for goal recognition. Experimental results show that the metric based algorithms improve performance when compared to the planning based algorithms, in terms of accuracy and runtime, thus enabling goal recognition to be carried out in near-real-time. These algorithms can potentially improve both risk management and alert correlation mechanisms for intrusion detection.


  1. 1.
    Al-Mamory, S., Zhang, H.: A survey on IDS alerts processing techniques. In: The 6th WSEAS International Conference on Information Security and Privacy (2007)Google Scholar
  2. 2.
    Ang, S., Chan, H., Jiang, A.X., Yeoh, W.: Game-theoretic goal recognition models with applications to security domains. In: Rass, S., An, B., Kiekintveld, C., Fang, F., Schauer, S. (eds.) Decision and Game Theory for Security. LNCS, vol. 10575, pp. 256–272. Springer, Cham (2017). Scholar
  3. 3.
    Avrahami-Zilberbrand, D., Kaminka, G.: Fast and complete symbolic plan recognition. In: International Joint Conference on Artificial Intelligence (2005)Google Scholar
  4. 4.
    Azer, M.A., El-Kassas, S.M., El-Soudani, M.S.: Security in ad hoc networks: from vulnerability to risk management. In: 2009 Third International Conference on Emerging Security Information, Systems and Technologies, SECURWARE 2009, pp. 203–209. IEEE (2009)Google Scholar
  5. 5.
    Backes, M., Hoffmann, J., Künnemann, R., Speicher, P., Steinmetz, M.: Simulated penetration testing and mitigation analysis. arXiv preprint arXiv:1705.05088 (2017)
  6. 6.
    Bisson, F., Kabanza, F., Benaskeur, A.R., Irandoust, H.: Provoking opponents to facilitate the recognition of their intentions. In: AAAI (2011)Google Scholar
  7. 7.
    Bui, H.: A general model for online probabilistic plan recognition. In: International Joint Conference on Artificial Intelligence, vol. 3, pp. 1309–1315 (2003)Google Scholar
  8. 8.
    Chyssler, T., Burschka, S., Semling, M., Lingvall, T., Burbeck, K.: Alarm reduction and correlation in intrusion detection systems. In: DIMVA, pp. 9–24 (2004)Google Scholar
  9. 9.
    Durkota, K., Lisỳ, V., Bosanskỳ, B., Kiekintveld, C.: Optimal network security hardening using attack graph games. In: International Joint Conference on Artificial Intelligence, pp. 526–532 (2015)Google Scholar
  10. 10.
    E-Martin, Y., R-Moreno, M., Smith, D.: A fast goal recognition technique based on interaction estimates. In: Twenty-Fourth International Joint Conference on Artificial Intelligence (2015)Google Scholar
  11. 11.
    Felner, A., Stern, R., Rosenschein, J., Pomeransky, A.: Searching for close alternative plans. AAMAS 14, 211–237 (2007). Scholar
  12. 12.
    Freedman, R., Zilberstein, S.: Integration of planning with recognition for responsive interaction using classical planners. In: AAAI, pp. 4581–4588 (2017)Google Scholar
  13. 13.
    Geib, C., Goldman, R.: Plan recognition in intrusion detection systems. In: 2001 Proceedings of the DARPA Information Survivability Conference and Exposition II, DISCEX 2001, vol. 1, pp. 46–55. IEEE (2001)Google Scholar
  14. 14.
    Geib, C., Maraist, J., Goldman, R.: A new probabilistic plan recognition algorithm based on string rewriting. In: ICAPS, pp. 91–98 (2008)Google Scholar
  15. 15.
    Goldman, R., Friedman, S., Rye, J.: Plan recognition for network analysis: preliminary report. In: AAAI Workshops on PAIR (2018)Google Scholar
  16. 16.
    Gonda, T., Shani, G., Puzis, R., Shapira, B.: Ranking vulnerability fixes using planning graph analysis. In: IWAISe: First International Workshop on Artificial Intelligence in Security, p. 41 (2017)Google Scholar
  17. 17.
    Hoffmann, J.: FF: the fast-forward planning system. AI Mag. 22(3), 57 (2001)Google Scholar
  18. 18.
    Hoffmann, J.: Simulated penetration testing: from “Dijkstra” to “Turing Test++”. In: ICAPS, pp. 364–372 (2015)Google Scholar
  19. 19.
    Hoffmann, J., Porteous, J., Sebastia, L.: Ordered landmarks in planning. J. Artif. Intell. Res. 22, 215–278 (2004)MathSciNetCrossRefGoogle Scholar
  20. 20.
    Kabanza, F., Filion, J., Benaskeur, A.R., Irandoust, H.: Controlling the hypothesis space in probabilistic plan recognition. In: International Joint Conference on Artificial Intelligence, pp. 2306–2312 (2013)Google Scholar
  21. 21.
    Le Guillarme, N., Mouaddib, A., Gatepaille, S., Bellenger, A.: Adversarial intention recognition as inverse game-theoretic planning for threat assessment. In: ICTAI, pp. 698–705. IEEE (2016)Google Scholar
  22. 22.
    Lisỳ, V., Píbil, R., Stiborek, J., Bošanskỳ, B., Pěchouček, M.: Game-theoretic approach to adversarial plan recognition. In: ECAI, pp. 546–551. IOS Press (2012)Google Scholar
  23. 23.
    Masters, P., Sardina, S.: Cost-based goal recognition for path-planning. In: AAMAS, pp. 750–758 (2017)Google Scholar
  24. 24.
    Masters, P., Sardina, S.: Deceptive path-planning. In: International Joint Conference on Artificial Intelligence 2017, pp. 4368–4375. AAAI Press (2017)Google Scholar
  25. 25.
    Mirsky, R., Gal, Y., Tolpin, D.: Session analysis using plan recognition. In: Workshop on User Interfaces and Scheduling and Planning (UISP) (2017)Google Scholar
  26. 26.
    Mirsky, R., Stern, R., Gal, Y., Kalech, M.: Plan recognition design. In: AAAI, pp. 4971–4972 (2017)Google Scholar
  27. 27.
    Noel, S., Jajodia, S.: Managing attack graph complexity through visual hierarchical aggregation. In: Workshop on Visualization and Data Mining for Computer Security, pp. 109–118. ACM (2004)Google Scholar
  28. 28.
    Noel, S., Robertson, E., Jajodia, S.: Correlating intrusion events and building attack scenarios through attack graph distances. In: Computer Security Applications Conference (2004)Google Scholar
  29. 29.
    Noel, S., Jajodia, S.: Optimal IDS sensor placement and alert prioritization using attack graphs. J. Netw. Syst. Manag. 16(3), 259–275 (2008)CrossRefGoogle Scholar
  30. 30.
    Ou, X., Govindavajhala, S.: MulVAL: a logic-based network security analyzer. In: 14th USENIX Security Symposium. Citeseer (2005)Google Scholar
  31. 31.
    Pereira, R., Oren, N., Meneguzzi, F.: Landmark-based heuristics for goal recognition. In: AAAI (2017)Google Scholar
  32. 32.
    Pereira, R., Oren, N., Meneguzzi, F.: Plan optimality monitoring using landmarks and planning heuristics. In: PAIR Workshop in AAAI (2017)Google Scholar
  33. 33.
    Poolsappasit, N., Dewri, R., Ray, I.: Dynamic security risk management using Bayesian attack graphs. IEEE Trans. Dependable Secur. Comput. 9, 61–74 (2012)CrossRefGoogle Scholar
  34. 34.
    Qin, X., Lee, W.: Attack plan recognition and prediction using causal networks. In: 2004 20th Annual Computer Security Applications Conference, pp. 370–379. IEEE (2004)Google Scholar
  35. 35.
    Ramírez, M., Geffner, H.: Plan recognition as planning. In: AAAI (2009)Google Scholar
  36. 36.
    Ramírez, M., Geffner, H.: Probabilistic plan recognition using off-the-shelf classical planners. In: AAAI (2010)Google Scholar
  37. 37.
    Roschke, S., Cheng, F., Meinel, C.: A new alert correlation algorithm based on attack graph. In: Herrero, Á., Corchado, E. (eds.) CISIS 2011. LNCS, vol. 6694, pp. 58–67. Springer, Heidelberg (2011). Scholar
  38. 38.
    Shmaryahu, D.: Constructing plan trees for simulated penetration testing. In: ICAPS (2016)Google Scholar
  39. 39.
    Shmaryahu, D., Shani, G., Hoffmann, J., Steinmetz, M.: Partially observable contingent planning for penetration testing. In: IWAISe: First International Workshop on Artificial Intelligence in Security, p. 33 (2017)Google Scholar
  40. 40.
    Shmaryahu, D., Shani, G., Hoffmann, J., Steinmetz, M.: Simulated penetration testing as contingent planning. In: ICAPS (2018)Google Scholar
  41. 41.
    Shvo, M., Sohrabi, S., Mcllraith, S.: An AI planning-based approach to the multi-agent plan recognition problem. In: PAIR Workshop in AAAI (2017)Google Scholar
  42. 42.
    Sohrabi, S., Riabov, A., Udrea, O.: Plan recognition as planning revisited. In: International Joint Conference on Artificial Intelligence, pp. 3258–3264 (2016)Google Scholar
  43. 43.
    Swiler, L., Phillips, C., Ellis, D., Chakerian, S.: Computer-attack graph generation tool. In: DISCEX, p. 1307. IEEE (2001)Google Scholar
  44. 44.
    Vered, M., Kaminka, G.: Heuristic online goal recognition in continuous domains. In: International Joint Conference on Artificial Intelligence, pp. 4447–4454 (2017)Google Scholar
  45. 45.
    Vered, M., Pereira, R., Magnaguagno, M., Kaminka, G., Meneguzzi, F.: Towards online goal recognition combining goal mirroring and landmarks. In: AAMAS (2018)Google Scholar
  46. 46.
    Wang, L., Liu, A., Jajodia, S.: Using attack graphs for correlating, hypothesizing, and predicting intrusion alerts. Comput. Commun. 29(15), 2917–2933 (2006)CrossRefGoogle Scholar
  47. 47.
    Zhang, S., Li, J., Chen, X., Fan, L.: Building network attack graph for alert causal correlation. Comput. Secur. 27(5–6), 188–196 (2008)CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Ben-Gurion University of the NegevBeershebaIsrael

Personalised recommendations