
Strategic Study of CAE >> 2008, Volume 10, Issue 8

Hybrid Bayesian Network Method for Predicting Intrusion

1. School of Computer Science and Engineering of Southeast University, Nanjing 210018, China;

2. School of Computer Science and Telecommunication Engineering, Jiangsu University, Zhenjiang 212013, Jiangsu, China;

3. Key Lab of Computer Network and Information Security of Education Ministry, Xidian University, Xi'an 710071, China

Funding project: Young Scientists Fund of the National Natural Science Foundation of China (60703115, 60503012); Major Research Program of the National Natural Science Foundation of China (90604003); Key Program of the National Natural Science Foundation of China (60633020); Key Program of the Natural Science Foundation of Jiangsu Province (BK2007708); Young Scientific and Technological Innovation Talent Start-up Project of the Natural Science Foundation of Jiangsu Province (BK2007560). Received: 2007-06-23. Revised: 2007-09-10. Available online: 2008-08-12 15:02:28.000


Abstract

To address the open problem of predicting intrusions in a reactive intrusion tolerance system, this paper presents a hybrid Bayesian network method. First, an intrusion model is presented that emphasizes the influence of the intrusion on the system and describes the intrusion as a state transition process of the attacker's capability. This intrusion model is suited to triggering the reactive intrusion tolerance system. An algorithm for constructing the model is proposed, together with a proof of its feasibility. Second, a hybrid Bayesian network model based on this intrusion model is presented to express the causal relation between attack behavior and security state. The model is divided into two layers, an attack behavior layer and a security state layer, in which the attack edges and the state nodes of the intrusion model serve as the nodes of the behavior layer and the state layer respectively. In this hybrid Bayesian network, connections within the same layer are continuous, while connections between the two layers are convergent. An algorithm for computing the joint probability distribution of the hybrid Bayesian network is presented. Finally, the effectiveness of the intrusion model and the hybrid Bayesian network in predicting intrusion is demonstrated experimentally with our belief propagation algorithm, and the advantages of this prediction method over related work are shown by analysis and comparison.
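The following is an added worked example, not the paper's own model or code, that shows the two-layer structure the abstract describes: a chain of attacker capability states S0, S1, S2 (state layer) and observable attack steps A1, A2 (behavior layer), where each attack step depends on the state it starts from and each later state has both the previous state and the attack step as parents. The node names, the network shape and every probability in the conditional tables are constructed for illustration; the joint distribution is the product of the conditional tables, and the prediction is obtained here by plain enumeration rather than by the authors' belief propagation algorithm, which the page does not describe.

```python
"""Two-layer (attack behavior / security state) Bayesian network used to
predict whether an attacker reaches the final capability state, and to
decide when a reactive intrusion tolerance mechanism should be triggered.
Constructed example: node names, structure and probabilities are assumed.
"""
from itertools import product

# State layer: S0 -> S1 -> S2 are attacker capability levels (True = reached).
# Behavior layer: A1, A2 are observable attack steps (e.g. an IDS alert for
# the corresponding attack edge). A_k depends on the state it starts from;
# S_k has both S_{k-1} and A_k as parents, so cross-layer edges converge on S_k.
NODES = ["S0", "A1", "S1", "A2", "S2"]
PARENTS = {
    "S0": [],
    "A1": ["S0"],
    "S1": ["S0", "A1"],
    "A2": ["S1"],
    "S2": ["S1", "A2"],
}
# CPT[node][(parent values...)] = P(node is True | parents). Constructed values.
CPT = {
    "S0": {(): 0.2},
    "A1": {(False,): 0.02, (True,): 0.6},
    "S1": {(False, False): 0.0, (False, True): 0.05,
           (True, False): 0.1, (True, True): 0.8},
    "A2": {(False,): 0.01, (True,): 0.5},
    "S2": {(False, False): 0.0, (False, True): 0.05,
           (True, False): 0.1, (True, True): 0.85},
}


def joint_probability(assignment):
    """P(S0, A1, S1, A2, S2) = product over nodes of P(node | parents)."""
    p = 1.0
    for node in NODES:
        parent_values = tuple(assignment[parent] for parent in PARENTS[node])
        p_true = CPT[node][parent_values]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p


def total_probability():
    """Sanity check: the joint distribution must sum to 1 over all assignments."""
    return sum(joint_probability(dict(zip(NODES, values)))
               for values in product([False, True], repeat=len(NODES)))


def posterior(query, evidence):
    """P(query = True | evidence), evidence given as {node: bool}, computed by
    summing the joint over every assignment consistent with the evidence."""
    numerator = denominator = 0.0
    for values in product([False, True], repeat=len(NODES)):
        assignment = dict(zip(NODES, values))
        if any(assignment[node] != value for node, value in evidence.items()):
            continue
        p = joint_probability(assignment)
        denominator += p
        if assignment[query]:
            numerator += p
    return numerator / denominator


def should_trigger_tolerance(evidence, threshold=0.5):
    """Decision rule for the reactive side: react once the predicted probability
    that the attacker reaches the final state S2 exceeds the threshold."""
    return posterior("S2", evidence) >= threshold


if __name__ == "__main__":
    for evidence in ({}, {"A1": True}, {"A1": True, "A2": True}):
        prob = posterior("S2", evidence)
        print(f"evidence={evidence}: P(S2)={prob:.3f} "
              f"trigger={should_trigger_tolerance(evidence)}")
```

With no observations the predicted probability of reaching S2 is about 0.05; observing the first attack step raises it to about 0.34, and observing both steps to about 0.84, which is where the trigger rule fires. Enumeration is exponential in the number of nodes and only serves to make the joint distribution explicit; for a real-sized model the same posterior would be computed with a message-passing algorithm such as the belief propagation the abstract refers to.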

Figures: Figure 1 to Figure 7 (figure captions are not included on this page)
