Hidden Markov models for advanced persistent threats

Abstract : Advanced Persistent Threats (APT), attack campaigns performed by competent and resourceful actors, are a serious security risk, and tools suited to their detection are needed. These attack campaigns do leave traces in the system, and it is possible to reconstruct part of the attack campaign from these traces. In this article, we describe a stochastic model for the evolution of an APT. It is based on hidden Markov models (HMM) and is accompanied by a score. The aim of this model is to validate whether the evolution of the partially reconstructed attack campaigns is indeed consistent with the evolution of an APT. In addition, the introduced score is designed to take into account the inevitable presence of undetected attacks in the attack campaigns. It also makes attack campaigns of varying length comparable, which is necessary to be able to compare attack campaigns at all. We validate and illustrate both the model and the score using data obtained from experts.
https://hal.archives-ouvertes.fr/hal-01549196
Contributor : Guillaume Brogi
Submitted on : Friday, October 6, 2017 - 10:28:35 AM
Last modification on : Wednesday, April 24, 2019 - 4:20:35 PM

File

article.pdf
Files produced by the author(s)

Identifiers

  • HAL Id : hal-01549196, version 2

Citation

Guillaume Brogi, Elena Di Bernardino. Hidden Markov models for advanced persistent threats. 2017. ⟨hal-01549196v2⟩
