OSTI.GOV, U.S. Department of Energy, Office of Scientific and Technical Information

Title: Improving the Quality of Alerts and Predicting Intruder's Next Goal with Hidden Colored Petri-Net

Journal Article · Computer Networks, 51(3):632-654

Intrusion detection systems (IDS) often provide poor-quality alerts, which are insufficient to support rapid identification of ongoing attacks or to predict an intruder's next likely goal. In this paper, we propose a novel approach to alert post-processing and correlation, the Hidden Colored Petri-Net (HCPN). Unlike most other alert correlation methods, our approach treats the alert correlation problem as an inference problem rather than a filtering problem. Our approach assumes that the intruder's actions are unknown to the IDS and can be inferred only from the alerts generated by the IDS sensors. HCPN can describe the relationship between the different steps carried out by intruders, model observations (alerts) and transitions (actions) separately, and associate each token element (system state) with a probability (or confidence). The model is an extension of the Colored Petri-Net (CPN). It is called "hidden" because the transitions (actions) are not directly observable but can be inferred from the observations (alerts). These features make HCPN especially suitable for discovering intruders' actions from partial observations (alerts) and for predicting intruders' next goal. Our experiments on DARPA evaluation datasets and on the attack scenarios from the Grand Challenge Problem (GCP) show that HCPN has promise as a way to reduce false positives and negatives, predict an intruder's next possible action, uncover intruders' intrusion strategies after an attack scenario has occurred, and provide confidence scores.

Research Organization:
Pacific Northwest National Lab. (PNNL), Richland, WA (United States)
Sponsoring Organization:
USDOE
DOE Contract Number:
AC05-76RL01830
OSTI ID:
984681
Report Number(s):
PNNL-SA-49427; CNETDP; TRN: US201016%%1348
Journal Information:
Computer Networks, Vol. 51, Issue 3, pp. 632-654; ISSN 0376-5075
Country of Publication:
United States
Language:
English