Attack plan recognition using hidden Markov and probabilistic inference
Computers & Security (IF 4.8), Pub Date: 2020-10-01, DOI: 10.1016/j.cose.2020.101974
Tun Li, Yutian Liu, Yanbing Liu, Yunpeng Xiao, Nang An Nguyen

Abstract: Intrusion detection systems perform well with a single attack phase but not with complex multi-step attacks, which largely reduce their reliability. Multi-stage attack plan recognition aims at inferring attack plans and predicting upcoming attacks by analyzing the causal relationship between attack phases. Recent research often uses machine learning to deal with attack issues. However, some problems still exist. When probabilistic inference is applied to construct a causal network, researchers fail to take temporal sequence association into consideration, which makes it difficult for the model to deal with incomplete data. While the hidden Markov model can be used to recognize an attack plan, it cannot predict multiple intents or their probabilities. This paper proposes a probability model based on the hidden Markov model and probabilistic inference responding to malicious events at runtime. This model uses online parameter updating rules which make it better suited to the rapidly changing cyber environment. Experimental results show that this model can achieve better performance compared to only using a single method and detect attack intent in an earlier stage.

Updated: 2020-10-01