Hidden Markov models for advanced persistent threats

Abstract: Advanced Persistent Threats (APT), attack campaigns carried out by competent and well-resourced actors, are a serious security risk, and tools suited to their detection are needed. These attack campaigns leave traces in the system, and part of the campaign can be reconstructed from those traces. In this article, we describe a stochastic model for the evolution of an APT. It is based on hidden Markov models (HMM) and is accompanied by a score. The aim of the model is to check whether the evolution of a partially reconstructed attack campaign is indeed consistent with the evolution of an APT. The score is designed to take into account the inevitable presence of undetected attack steps in the reconstructed campaigns, and it normalises for campaign length so that campaigns of different lengths can be compared against each other. We validate and illustrate both the model and the score using data obtained from experts.
Document type: Preprint, working paper
2017

Cited literature [12 references]

https://hal.archives-ouvertes.fr/hal-01549196
Contributor: Guillaume Brogi
Submitted on: Friday 6 October 2017 - 10:28:35
Last modified on: Tuesday 10 July 2018 - 17:02:04

File

article.pdf
Files produced by the author(s)

Identifiers

  • HAL Id: hal-01549196, version 2

Citation

Guillaume Brogi, Elena Di Bernardino. Hidden Markov models for advanced persistent threats. 2017. 〈hal-01549196v2〉
