
Hidden Markov models for advanced persistent threats

Abstract : Advanced Persistent Threats (APT), attack campaigns carried out by competent and well-resourced actors, are a serious security risk, and tools suited to detecting them are needed. These attack campaigns do leave traces in the system, and part of a campaign can be reconstructed from these traces. In this article, we describe a stochastic model for the evolution of an APT. It is based on hidden Markov models (HMM) and is accompanied by a score. The aim of the model is to validate whether the evolution of a partially reconstructed attack campaign is indeed consistent with the evolution of an APT. The score is designed to take into account the inevitable presence of undetected attacks in the reconstructed campaigns, and it also allows attack campaigns of varying length to be compared. We validate and illustrate both the model and the score using data obtained from experts.

Cited literature [12 references]
Contributor : Guillaume Brogi <>
Submitted on : Friday, October 6, 2017 - 10:28:35 AM
Last modification on : Wednesday, April 24, 2019 - 4:20:35 PM




  • HAL Id : hal-01549196, version 2



Guillaume Brogi, Elena Di Bernardino. Hidden Markov models for advanced persistent threats. 2017. ⟨hal-01549196v2⟩


