NSAPs: A Novel Scheme for Network Security State Assessment and Attack Prediction
Computers & Security (IF 4.8), Pub Date: 2020-12-01, DOI: 10.1016/j.cose.2020.102031
Mengqi Zhan, Yang Li, Xinghua Yang, Wenjing Cui, Yulin Fan

Abstract

With the increasing complexity and scale of networks, computer attacks increase year by year and become more complicated. Defenders not only need to detect malicious activity among the large number of alerts generated by intrusion detection systems, but also need to use these alerts to assess the security state and predict attacks, so as to respond proactively and reduce the damage of cyber-attacks. In this process, the huge volume of raw alerts must be preprocessed to an appropriate granularity, so as to improve the accuracy of the subsequent assessment and prediction model. At the same time, the security evaluation model needs good explainability and comprehensive attack prediction ability, covering both attack event and attack step prediction, in order to provide a better decision reference for proactive response. In addition, the model should be able to adapt to zero-day attacks. To address these issues, in this paper we propose NSAPs, a novel scheme for network security state assessment and attack prediction. First, we extract attack steps based on quantitative alert quality to reduce the amount of data. Second, we extract attack events of medium granularity from the attack steps using Semi-Markov Conditional Random Fields (semi-CRFs). The semi-CRFs can use as much alert information as possible to correlate alerts and can also take advantage of the contextual information between attack events. Therefore, NSAPs can provide comprehensive attack prediction with good explainability. Third, the extracted attack events are used as the input of a Hidden Markov Model (HMM) to assess the security state. At the same time, we propose an HMM matching method based on the longest common subsequence of the attack events, which makes the model adapt well to unknown alerts. Finally, we combine the probability values from the semi-CRFs and the HMM to predict attacks. Our evaluation results indicate that the assessment and prediction of the proposed scheme are more accurate and comprehensive compared with existing approaches.

Updated: 2020-12-01