Hidden Markov models for advanced persistent threats

Abstract: Advanced Persistent Threats (APT), attack campaigns carried out by competent and well-resourced actors, are a serious security risk, and tools suited to their detection are needed. These attack campaigns leave traces in the system, and part of the campaign can be reconstructed from these traces. In this article, we describe a stochastic model for the evolution of an APT. It is based on hidden Markov models (HMM) and is accompanied by a score. The aim of the model is to validate whether the evolution of a partially reconstructed attack campaign is indeed consistent with the evolution of an APT. In addition, the introduced score is designed to account for the inevitable presence of undetected attacks within the campaign. It also allows attack campaigns of varying length to be compared with one another. We validate and illustrate both the model and the score using data obtained from experts.
Document type: Preprint, working paper

Cited literature: 12 references

Contributor: Guillaume Brogi
Submitted on: Friday 6 October 2017 - 10:28:35
Last modified on: Saturday 9 February 2019 - 01:24:52


Files produced by the author(s)

  • HAL Id: hal-01549196, version 2



Guillaume Brogi, Elena Di Bernardino. Hidden Markov models for advanced persistent threats. 2017. 〈hal-01549196v2〉
