1. Network Information Center, Zhejiang Gongshang University, Hangzhou 310018, China; 2. College of Computer and Information Engineering, Zhejiang Gongshang University, Hangzhou 310018, China; 3. Clark School of Engineering, University of Maryland, Maryland 20742, US
To prevent cyber attacks effectively, a network defense strategy based on predicting the cyber attacker's behaviors is presented. Intruders' behaviors are highly random and uncertain. A network of high-interaction honeypots was deployed to collect attack data, in particular the behavior data of attackers after they had successfully intruded into the host system. From the attack data, an attack state-transition diagram was generated. Combined with a hidden Markov model (HMM), which has fairly precise likelihood-probability characteristics, a cyber attacker's behavior prediction model was designed. With the prediction model and a generally used intrusion prevention system (IPS), a network defense strategy and its prototype system were proposed. The prototype system was deployed in a real network for attack testing. Through training and verification with real data over 5 months, the model achieved a prediction accuracy of 80%. The result shows that the network defense strategy offers good resistance to network attacks and can be used effectively to prevent cyber attacks.
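As an added illustration of the approach the abstract describes (not the paper's own code or data): a small hidden Markov model whose hidden states are assumed post-intrusion phases, whose observations are assumed honeypot command categories, and whose transition and emission probabilities are constructed by hand rather than estimated from honeypot logs. It filters an observed command sequence, predicts the attacker's next action so a defender can pre-position an IPS response, and scores prediction accuracy over recorded sessions in the same spirit as the abstract's verification.

```python
"""Attacker next-action prediction with an HMM (illustrative, constructed values).
In a real deployment STATES, OBS, PI, A and B would be derived from the
honeypot attack data and the attack state-transition diagram."""

# Hidden states: assumed phases of an attacker after a successful intrusion.
STATES = ["recon", "privesc", "persist"]
# Observations: assumed categories of commands recorded on the honeypot.
OBS = ["enumerate", "exploit", "install"]

PI = [1.0, 0.0, 0.0]                 # sessions are assumed to start in recon
A = [[0.5, 0.4, 0.1],                # transition matrix A[from][to] (constructed)
     [0.1, 0.3, 0.6],
     [0.1, 0.1, 0.8]]
B = [[0.8, 0.1, 0.1],                # emission matrix B[state][obs] (constructed)
     [0.2, 0.7, 0.1],
     [0.1, 0.2, 0.7]]
N = len(STATES)


def forward(observations):
    """Scaled forward algorithm: posterior over hidden states after the
    observed command sequence (the prior PI if nothing was observed yet)."""
    alpha = list(PI)
    for t, o in enumerate(observations):
        k = OBS.index(o)
        if t > 0:                     # propagate one step through A
            alpha = [sum(alpha[i] * A[i][j] for i in range(N)) for j in range(N)]
        alpha = [alpha[j] * B[j][k] for j in range(N)]   # weight by emission
        total = sum(alpha)
        alpha = [a / total for a in alpha]               # rescale to avoid underflow
    return alpha


def predict_next(observations):
    """Probability distribution over the attacker's next observable action."""
    alpha = forward(observations)
    nxt = [sum(alpha[i] * A[i][j] for i in range(N)) for j in range(N)]
    return {OBS[k]: sum(nxt[j] * B[j][k] for j in range(N)) for k in range(len(OBS))}


def most_likely_next(observations):
    dist = predict_next(observations)
    return max(dist, key=dist.get)


def accuracy(sessions):
    """Fraction of next actions predicted correctly over recorded sessions,
    predicting each step from the commands seen before it."""
    hits = trials = 0
    for seq in sessions:
        for t in range(1, len(seq)):
            trials += 1
            hits += most_likely_next(seq[:t]) == seq[t]
    return hits / trials if trials else 0.0
```

With the constructed matrices, the sequence enumerate, exploit yields "install" as the most likely next action (probability 0.424), which is the point at which the abstract's strategy would hand the prediction to the IPS.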