Hidden Markov Models have been extensively used for determining computer systems under a Multi-Stage Network Attack (MSA), however, acquisition of optimal model training parameters remains a formidable challenge. This paper critically analyses the detection and prediction accuracy of a wide range of training and initialisation algorithms including the expectation–maximisation, spectral, Baum–Welch, differential evolution, K-means, and segmental K-means. The performance of these algorithms has been evaluated, both individually and in a hybrid approach, for detecting all the states and current state, and predicting the next state (NS), and the next observation (NO) of a given alert observation sequence. For generating this alert sequence, the Snort signature-based intrusion detection system was utilised, using either bespoke or default rules, to raise alerts while examining the DARPA 2000 MSA dataset. The investigation also sheds further light on alternative approaches for forecasting the possible NS and NO in an MSA campaign, as well as, the impact of window size on the prediction performance for all analysed techniques. The results and discussion emphasise on the appropriateness of various techniques for the prediction of NS and NO. Furthermore, NO prediction accuracy has indicated a performance increase of up to 44.95% in the proposed hybrid approaches.

隐马尔可夫模型已广泛用于确定多阶段网络攻击（MSA）下的计算机系统，但是，获取最佳模型训练参数仍然是一个艰巨的挑战。本文严格分析了各种训练和初始化算法的检测和预测准确性，包括期望最大化，频谱，Baum-Welch，差分演化，K均值和分段K-手段。这些算法的性能已单独或以混合方法进行了评估，以检测所有状态和当前状态，并预测给定警报观察序列的下一个状态（NS）和下一个观察值（NO）。为了生成此警报序列，使用了基于Snort签名的入侵检测系统（使用定制规则或默认规则）来在检查DARPA 2000 MSA数据集时发出警报。该调查还进一步揭示了预测MSA活动中可能的NS和NO的替代方法，以及窗口大小对所有分析技术的预测性能的影响。结果和讨论强调了各种技术用于预测NS和NO的适当性。此外，