Abstract
Goal recognition is the task of inferring the goal of an actor given its observed actions. Attack graphs are a common representation of assets, vulnerabilities, and exploits used for analysis of potential intrusions in computer networks. This paper introduces new goal recognition algorithms on attack graphs. The main challenges involving goal recognition in cyber security include dealing with noisy and partial observations as well as the need for fast, near-real-time performance. To this end, we propose improvements to existing planning-based algorithms for goal recognition, reducing their time complexity and allowing them to handle noisy observations. We also introduce two new metric-based algorithms for goal recognition. Experimental results show that the metric-based algorithms improve performance when compared to the planning-based algorithms, in terms of accuracy and runtime, thus enabling goal recognition to be carried out in near-real-time. These algorithms can potentially improve both risk management and alert correlation mechanisms for intrusion detection.
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Mirsky, R., Shalom, Y., Majadly, A., Gal, K., Puzis, R., Felner, A. (2019). New Goal Recognition Algorithms Using Attack Graphs. In: Dolev, S., Hendler, D., Lodha, S., Yung, M. (eds) Cyber Security Cryptography and Machine Learning. CSCML 2019. Lecture Notes in Computer Science, vol 11527. Springer, Cham. https://doi.org/10.1007/978-3-030-20951-3_23
DOI: https://doi.org/10.1007/978-3-030-20951-3_23
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-20950-6
Online ISBN: 978-3-030-20951-3
eBook Packages: Computer Science, Computer Science (R0)