Journal of Beijing University of Posts and Telecommunications

  • EI core journal

Journal of Beijing University of Posts and Telecommunications ›› 2017, Vol. 40 ›› Issue (s1): 15-19. doi: 10.13190/j.jbupt.2017.s.004


A Multi-Step Attack Prediction Method Based on an Improved Hidden Markov Model

RAO Zhi-hong1, XU Rui2, LIU Fang2, YANG Chun-liang1, FANG En-bo1

  1. No. 30 Institute of China Electronic Technology Group Corporation, Chengdu 610041, China;
  2. China Electronics Technology Cyber Security Company Limited, Chengdu 610041, China
  • Received: 2016-10-31 Online: 2017-09-28 Published: 2017-09-28
  • Author biography: RAO Zhi-hong (1970-), male, senior engineer (researcher grade), doctoral candidate, E-mail: charao@tom.com.
  • Funding:
    National High Technology Research and Development Program of China (military-sector 863 Program) project (2015AA7111006)

A Method of Predicting Multi-Step Attacks Based on Improved HMM Model

RAO Zhi-hong1, XU Rui2, LIU Fang2, YANG Chun-liang1, FANG En-bo1   

  1. No. 30 Institute of China Electronic Technology Group Corporation, Chengdu 610041, China;
  2. China Electronics Technology Cyber Security Company Limited, Chengdu 610041, China
  • Received: 2016-10-31 Online: 2017-09-28 Published: 2017-09-28

Abstract (translated from the Chinese): A multi-step attack prediction method based on an improved hidden Markov model and the Viterbi algorithm is proposed. When training data are scarce, the hidden Markov model obtained by maximum likelihood estimation may carry a large error; for this case, a corrected method of computing the probability matrices is adopted to reduce the error. To address false alerts in the alert event sequence, a decision threshold is introduced into the Viterbi algorithm to correct the prediction results when false alerts are present. The proposed method was simulated and experimentally validated on the DARPA2000 data set; the results show that it effectively improves the correctness rate of attack prediction.

Keywords: hidden Markov model, multi-step attack, Viterbi algorithm, attack intent, alert sequence

Abstract: A method for predicting multi-step attacks based on an improved hidden Markov model (HMM) and the Viterbi algorithm is proposed. When training data are sparse, the HMM probability estimates obtained by maximum likelihood estimation can be poor, so a modified method of computing the probability matrices is used to reduce the error. When false alerts are present in the alert sequence, a decision threshold introduced into the Viterbi algorithm corrects the forecast results. Simulation and experimental results on the DARPA2000 data set show that the proposed method effectively improves prediction accuracy.

Key words: hidden Markov model, multi-step attacks, Viterbi algorithm, attack intent, alert sequence
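The abstract names the two improvements (corrected probability matrices under sparse training data, and a decision threshold in Viterbi decoding for false alerts) without giving their formulas. The following is an added illustration, not the authors' code: it trains an HMM over constructed attack stages with additive smoothing (an assumed stand-in for the paper's corrected matrix calculation), then Viterbi-decodes an alert sequence while skipping alerts whose best emission probability falls below a threshold (an assumed realisation of the paper's false-alert correction) and predicts the next stage.

```python
import math
from collections import Counter

STAGES = ["recon", "exploit", "install", "launch"]  # constructed hidden states (attack stages)
ALERTS = ["icmp_sweep", "rpc_exploit", "file_xfer", "flood", "noise"]  # constructed observations (alert types)
TRAINING = [  # constructed labelled (stage, alert) episodes used for training
    [("recon", "icmp_sweep"), ("exploit", "rpc_exploit"), ("install", "file_xfer"), ("launch", "flood")],
    [("recon", "icmp_sweep"), ("exploit", "rpc_exploit"), ("install", "file_xfer"), ("launch", "flood")],
    [("recon", "icmp_sweep"), ("recon", "icmp_sweep"), ("exploit", "rpc_exploit"), ("install", "file_xfer")],
]

def train_hmm(sequences, alpha=1.0):
    """Estimate transition matrix A and emission matrix B from labelled sequences. alpha > 0 adds additive
    smoothing so pairs unseen in sparse data keep non-zero probability (assumed stand-in for the paper's fix)."""
    trans, emit = Counter(), Counter()
    for seq in sequences:
        for i, (s, o) in enumerate(seq):
            emit[(s, o)] += 1
            if i + 1 < len(seq):
                trans[(s, seq[i + 1][0])] += 1
    A = {s: {t: (trans[(s, t)] + alpha) / (sum(trans[(s, u)] for u in STAGES) + alpha * len(STAGES))
             for t in STAGES} for s in STAGES}
    B = {s: {o: (emit[(s, o)] + alpha) / (sum(emit[(s, u)] for u in ALERTS) + alpha * len(ALERTS))
             for o in ALERTS} for s in STAGES}
    return A, B

def viterbi_predict(alerts, A, B, threshold=0.2):
    """Viterbi-decode the most likely stage path and predict the next stage. An alert whose best emission
    probability over all stages is below `threshold` is treated as a false alert and skipped (assumed rule)."""
    logp, back = None, []
    for o in alerts:
        if max(B[s][o] for s in STAGES) < threshold:
            continue  # likely false alert: leave the current Viterbi column unchanged
        if logp is None:  # first retained alert: uniform initial state distribution
            logp = {t: math.log(1.0 / len(STAGES)) + math.log(B[t][o]) for t in STAGES}
            continue
        new, ptr = {}, {}
        for t in STAGES:
            prev = max(STAGES, key=lambda s: logp[s] + math.log(A[s][t]))
            new[t] = logp[prev] + math.log(A[prev][t]) + math.log(B[t][o])
            ptr[t] = prev  # back-pointer: best predecessor of stage t at this step
        logp, back = new, back + [ptr]
    if logp is None:
        return [], None  # every alert was discarded as a false alert
    last = max(logp, key=logp.get)
    path = [last]
    for ptr in reversed(back):
        path.append(ptr[path[-1]])
    path.reverse()
    return path, max(A[last], key=A[last].get)  # predicted next stage = most likely transition
```

With the constructed data, the sequence `["icmp_sweep", "noise", "rpc_exploit", "file_xfer"]` decodes to recon, exploit, install with "noise" dropped as a false alert, and the predicted next stage is launch.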

CLC number: