Real-time multistep attack prediction based on Hidden Markov Models
IEEE Transactions on Dependable and Secure Computing (IF 7.0), Pub Date: 2020-01-01, DOI: 10.1109/tdsc.2017.2751478
Pilar Holgado , Victor A. Villagra , Luis Vazquez

We propose a novel method based on Hidden Markov Models to predict multistep attacks from IDS alerts. The hidden states are taken to be the successive phases of a particular type of attack, so the model adapts easily to multistep attacks and can foresee an attacker's next steps. A preliminary off-line training phase based on observations is required. These observations are obtained by matching IDS alert information against a database built for this purpose by clustering the global CVE database, which limits overfitting. Training uses both unsupervised and supervised algorithms. Once training is complete and the probability matrices have been computed, the prediction module computes the most likely state sequence from the state probabilities at each step of the multistep attack in progress, using the Viterbi and forward-backward algorithms. The trained model also records the mean number of alerts and the number of alerts in progress, which help obtain the final attack probability. The model is analyzed for the phases of a DDoS attack, a major problem for all Internet services, and validated in a virtual DDoS scenario built on current vulnerabilities. The results demonstrate the system's ability to perform real-time prediction.
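The following is an added illustration of the decoding machinery the abstract describes, not code from the paper or its authors. It models attack phases as hidden states and IDS alert categories as observations, then runs Viterbi decoding, forward-backward smoothing and one-step-ahead prediction over a constructed alert stream. The phase names, alert categories and every probability in the PI, A and B matrices are assumptions chosen for illustration; the paper learns them in its off-line training phase from clustered CVE data and labelled IDS alerts, which is not reproduced here.

```python
"""Added example (not the paper's code): a toy HMM for multistep attack prediction.

Hidden states are attack phases, observations are IDS alert categories. The state
names, alert categories and all probabilities below are assumed for illustration.
"""

STATES = ["recon", "scan", "exploit", "c2", "flood"]  # assumed phases of a DDoS build-up
ALERTS = ["icmp_sweep", "port_scan", "web_attack", "suspicious_outbound", "syn_flood"]  # assumed IDS alert classes

# Initial phase distribution pi[s] (assumed).
PI = {"recon": 0.5, "scan": 0.3, "exploit": 0.1, "c2": 0.05, "flood": 0.05}

# Transition matrix A[s][s']: an attacker mostly stays in a phase or moves to the next one (assumed).
A = {
    "recon":   {"recon": 0.50, "scan": 0.40, "exploit": 0.05, "c2": 0.025, "flood": 0.025},
    "scan":    {"recon": 0.10, "scan": 0.50, "exploit": 0.30, "c2": 0.05,  "flood": 0.05},
    "exploit": {"recon": 0.05, "scan": 0.10, "exploit": 0.40, "c2": 0.40,  "flood": 0.05},
    "c2":      {"recon": 0.02, "scan": 0.03, "exploit": 0.10, "c2": 0.45,  "flood": 0.40},
    "flood":   {"recon": 0.01, "scan": 0.01, "exploit": 0.03, "c2": 0.05,  "flood": 0.90},
}

# Emission matrix B[s][o]: which alert classes each phase tends to generate (assumed).
B = {
    "recon":   {"icmp_sweep": 0.70, "port_scan": 0.20, "web_attack": 0.04, "suspicious_outbound": 0.03, "syn_flood": 0.03},
    "scan":    {"icmp_sweep": 0.15, "port_scan": 0.70, "web_attack": 0.10, "suspicious_outbound": 0.03, "syn_flood": 0.02},
    "exploit": {"icmp_sweep": 0.02, "port_scan": 0.08, "web_attack": 0.80, "suspicious_outbound": 0.08, "syn_flood": 0.02},
    "c2":      {"icmp_sweep": 0.02, "port_scan": 0.03, "web_attack": 0.10, "suspicious_outbound": 0.80, "syn_flood": 0.05},
    "flood":   {"icmp_sweep": 0.02, "port_scan": 0.02, "web_attack": 0.02, "suspicious_outbound": 0.04, "syn_flood": 0.90},
}


def _normalize(vec):
    """Rescale non-negative weights to sum to 1; per-step scaling avoids float underflow."""
    total = sum(vec.values())
    return {s: v / total for s, v in vec.items()}


def forward(obs):
    """Filtering: P(state_t | o_1..o_t) for every t (scaled forward algorithm)."""
    alphas, prev = [], None
    for o in obs:
        if prev is None:
            alpha = {s: PI[s] * B[s][o] for s in STATES}
        else:
            alpha = {s2: sum(prev[s1] * A[s1][s2] for s1 in STATES) * B[s2][o] for s2 in STATES}
        prev = _normalize(alpha)
        alphas.append(prev)
    return alphas


def backward(obs):
    """Scaled backward messages, beta_t[s] proportional to P(o_{t+1}..o_T | state_t = s)."""
    betas = [None] * len(obs)
    nxt = {s: 1.0 for s in STATES}
    betas[-1] = nxt
    for t in range(len(obs) - 2, -1, -1):
        o_next = obs[t + 1]
        beta = {s1: sum(A[s1][s2] * B[s2][o_next] * nxt[s2] for s2 in STATES) for s1 in STATES}
        nxt = _normalize(beta)
        betas[t] = nxt
    return betas


def forward_backward(obs):
    """Smoothing: P(state_t | o_1..o_T) for every t, re-scoring phases already seen."""
    alphas, betas = forward(obs), backward(obs)
    return [_normalize({s: a[s] * b[s] for s in STATES}) for a, b in zip(alphas, betas)]


def viterbi(obs):
    """Most likely phase sequence explaining the alert stream (max-product decoding)."""
    delta = {s: PI[s] * B[s][obs[0]] for s in STATES}
    backptr = []
    for o in obs[1:]:
        new_delta, ptr = {}, {}
        for s2 in STATES:
            best_s1 = max(STATES, key=lambda s1: delta[s1] * A[s1][s2])
            new_delta[s2] = delta[best_s1] * A[best_s1][s2] * B[s2][o]
            ptr[s2] = best_s1
        delta = _normalize(new_delta)  # uniform scaling leaves every argmax unchanged
        backptr.append(ptr)
    path = [max(STATES, key=delta.get)]
    for ptr in reversed(backptr):
        path.append(ptr[path[-1]])
    return list(reversed(path))


def predict_next(obs):
    """Distribution over the attacker's next phase: one A-step from the filtered state."""
    current = forward(obs)[-1]
    return {s2: sum(current[s1] * A[s1][s2] for s1 in STATES) for s2 in STATES}


if __name__ == "__main__":
    # Constructed alert stream (not real IDS output) walking through a DDoS build-up.
    stream = ["icmp_sweep", "port_scan", "web_attack", "suspicious_outbound", "syn_flood"]
    for t in range(1, len(stream) + 1):
        nxt = predict_next(stream[:t])
        print(f"after {t} alerts: decoded={viterbi(stream[:t])}  P(next=flood)={nxt['flood']:.3f}")
```

Running the script shows the real-time use the abstract describes: after each new alert the filtered state is updated, the decoded phase path is re-evaluated, and the probability that the next phase is the flood rises from a few percent to well over 30% once command-and-control traffic has been observed, which is the point at which an operator would want to pre-position DDoS mitigation. In the paper the matrices are learned rather than hand-set, and the alert-count statistics it mentions feed the final attack probability; both are omitted here.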

Updated: 2020-01-01