Abstract
Security-oriented risk assessment tools are used to determine the impact of certain events on the security status of a network. Most existing approaches are limited to manual risk evaluations that are not suitable for real-time use. In this paper, we introduce an approach to network risk assessment that is novel in a number of ways. First of all, the risk level of a network is determined as the composition of the risks of individual hosts, providing a more precise, fine-grained model. Second, we use Hidden Markov models to represent the likelihood of transitions between security states. Third, we tightly integrate our risk assessment tool with an existing framework for distributed, large-scale intrusion detection, and we apply the results of the risk assessment to prioritize the alerts produced by the intrusion detection sensors. We also evaluate our approach on both simulated and real-world data.
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Årnes, A., Valeur, F., Vigna, G., Kemmerer, R.A. (2006). Using Hidden Markov Models to Evaluate the Risks of Intrusions. In: Zamboni, D., Kruegel, C. (eds) Recent Advances in Intrusion Detection. RAID 2006. Lecture Notes in Computer Science, vol 4219. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11856214_8
DOI: https://doi.org/10.1007/11856214_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-39723-6
Online ISBN: 978-3-540-39725-0
eBook Packages: Computer Science, Computer Science (R0)