
Approach To Forecasting Multi-step Attack Based On Fuzzy-hidden Markov Model

Posted on: 2016-11-25
Degree: Master
Type: Thesis
Country: China
Candidate: Y X Zhang
GTID: 2308330461471616
Subject: Software engineering

Abstract/Summary:
As we enter the information age, the security requirements for information transmission, storage and processing have become much stricter. Network security relates not only to the safety of the country, the development of the economy and the progress of science and technology, but also to the vital interests of everyone. The network is a double-edged sword: it accelerates the informatization of society, but it also poses a huge challenge for information security. In recent years, the rate of network security crime has risen every year. In particular, with the advent of online banking, mobile banking, e-commerce and other online services, and with the security issues caused by the construction of a variety of private networks, the resulting network security problems have become hot issues as well.

At this stage, traditional passive defense cannot adapt to the dynamic changes of network security. Active defense emerged after the military concept of defense in depth was applied to the security field. In this paper, through the study of existing multi-step attack prediction methods, the improved Apriori algorithm and fuzzy evaluation are applied to the hidden Markov model (HMM), and an approach to forecasting multi-step attacks based on a fuzzy hidden Markov model is proposed.

First, after semantic analysis of the raw alerts and analysis of the features of attacks, the raw alerts are fused into super alerts according to rules. The real intentions of attackers are hidden and cannot be observed directly, but the raw alerts can be. For this reason, the hidden Markov model is applied to multi-step attack prediction, with the alerts as the observation layer and the real intentions as the hidden layer. The attack scenario to which the alerts belong is then recognized by the Forward algorithm of the HMM, and the next possible attack sequence is forecast by the Viterbi algorithm. Finally, the existing hidden Markov model is trained by the Baum-Welch algorithm of the HMM, which yields a new fuzzy hidden Markov model. The attack scenario to which the alerts belong is again recognized by the Forward algorithm, and the next possible attack sequence is again forecast by the Viterbi algorithm.

The theoretical significance of this paper is that the approach to forecasting multi-step attacks based on the fuzzy hidden Markov model can forecast attack intentions in a dynamic, complex and uncertain network environment. Many problems in the field of attack prediction can be solved, for example that attack behaviors are difficult to predict and that the matching degree of a network attack is difficult to determine. The method also provides a theoretical basis for network security situation assessment, optimal allocation of defense resources, active defense and other issues. The practical significance of this paper is that the method for recognizing and predicting multi-step attacks is one of its results. It can recognize the attack scenario to which the alerts belong and forecast the next possible attack sequence. It is an important part of active defense and can be applied to the practice of active defense as well.

The results of simulation experiments show that the trained hidden Markov models are better than the untrained ones at recognition and prediction. Compared with existing multi-step attack prediction methods, the proposed approach is better in alert processing, alert correlation and so on.
Keywords/Search Tags: alert, association rule, fuzzy evaluation, hidden markov model, multi-step attack
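
The recognition and forecasting steps described in the abstract, as an added Python example that is not code from the thesis: a plain (non-fuzzy, untrained) HMM with attacker intentions as hidden states and super alerts as observations. The scenario names, states, alert types and all probabilities are constructed for illustration, and reading the forecast from the transition row of the last Viterbi state is an assumption.

```python
# Added illustration; every name and probability below is constructed, not from the thesis.
STATES = ["recon", "exploit", "exfil"]                     # hidden layer: attacker intentions
ALERTS = ["scan", "exploit_attempt", "outbound_transfer"]  # observation layer: super alerts

# One HMM per attack scenario: pi = initial, A = transition, B = emission (state x alert).
SCENARIOS = {
    "intrusion": {
        "pi": [0.80, 0.15, 0.05],
        "A": [[0.50, 0.40, 0.10], [0.10, 0.30, 0.60], [0.05, 0.05, 0.90]],
        "B": [[0.80, 0.15, 0.05], [0.20, 0.70, 0.10], [0.05, 0.15, 0.80]],
    },
    "scan_only": {
        "pi": [0.90, 0.05, 0.05],
        "A": [[0.90, 0.05, 0.05], [0.60, 0.30, 0.10], [0.60, 0.10, 0.30]],
        "B": [[0.90, 0.05, 0.05], [0.50, 0.40, 0.10], [0.50, 0.10, 0.40]],
    },
}

def forward(m, obs):
    """Forward algorithm: P(alert sequence | scenario model)."""
    n = len(m["pi"])
    alpha = [m["pi"][i] * m["B"][i][obs[0]] for i in range(n)]
    for o in obs[1:]:
        alpha = [sum(alpha[i] * m["A"][i][j] for i in range(n)) * m["B"][j][o]
                 for j in range(n)]
    return sum(alpha)

def viterbi(m, obs):
    """Viterbi algorithm: most likely hidden intention path for the alerts."""
    n = len(m["pi"])
    delta = [m["pi"][i] * m["B"][i][obs[0]] for i in range(n)]
    back = []
    for o in obs[1:]:
        prev = [max(range(n), key=lambda i: delta[i] * m["A"][i][j]) for j in range(n)]
        delta = [delta[prev[j]] * m["A"][prev[j]][j] * m["B"][j][o] for j in range(n)]
        back.append(prev)
    path = [max(range(n), key=lambda i: delta[i])]
    for prev in reversed(back):
        path.append(prev[path[-1]])
    return path[::-1]

def recognize_and_forecast(alert_names):
    obs = [ALERTS.index(a) for a in alert_names]
    scores = {name: forward(m, obs) for name, m in SCENARIOS.items()}
    best = max(scores, key=scores.get)        # scenario recognition by likelihood
    path = viterbi(SCENARIOS[best], obs)
    row = SCENARIOS[best]["A"][path[-1]]      # assumption: forecast = likeliest next state
    return best, [STATES[i] for i in path], STATES[row.index(max(row))], scores
```

Calling `recognize_and_forecast(["scan", "scan", "exploit_attempt"])` returns the best-scoring scenario, the decoded intention path, the forecast next intention and the per-scenario likelihoods.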