New Goal Recognition Algorithms Using Attack Graphs

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11527)

Abstract

Goal recognition is the task of inferring the goal of an actor given its observed actions. Attack graphs are a common representation of assets, vulnerabilities, and exploits used for analysis of potential intrusions in computer networks. This paper introduces new goal recognition algorithms on attack graphs. The main challenges involving goal recognition in cyber security include dealing with noisy and partial observations as well as the need for fast, near-real-time performance. To this end, we propose improvements to existing planning-based algorithms for goal recognition, reducing their time complexity and allowing them to handle noisy observations. We also introduce two new metric-based algorithms for goal recognition. Experimental results show that the metric-based algorithms improve performance when compared to the planning-based algorithms, in terms of accuracy and runtime, thus enabling goal recognition to be carried out in near-real-time. These algorithms can potentially improve both risk management and alert correlation mechanisms for intrusion detection.


Author information

Correspondence to Reuth Mirsky, Ya’ar Shalom, Ahmad Majadly, Kobi Gal, Rami Puzis or Ariel Felner.

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Mirsky, R., Shalom, Y., Majadly, A., Gal, K., Puzis, R., Felner, A. (2019). New Goal Recognition Algorithms Using Attack Graphs. In: Dolev, S., Hendler, D., Lodha, S., Yung, M. (eds) Cyber Security Cryptography and Machine Learning. CSCML 2019. Lecture Notes in Computer Science, vol 11527. Springer, Cham. https://doi.org/10.1007/978-3-030-20951-3_23

  • DOI: https://doi.org/10.1007/978-3-030-20951-3_23

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-20950-6

  • Online ISBN: 978-3-030-20951-3

  • eBook Packages: Computer Science, Computer Science (R0)
