The increase in scale of cyber networks and the rise in sophistication of cyber-attacks have introduced several challenges in intrusion detection. The primary challenge is the requirement to detect complex multi-stage attacks in realtime by processing the immense amount of traffic produced by present-day networks. In this paper we present PRISM, a hierarchical intrusion detection architecture that uses a novel attacker behavior model-based sampling technique to minimize the realtime traffic processing overhead. PRISM has a unique multi-layered architecture that monitors network traffic distributedly to provide efficiency in processing and modularity in design. PRISM employs a Hidden Markov Model-based prediction mechanism to identify multi-stage attacks and ascertain the attack progression for a proactive response. Furthermore, PRISM introduces a stream management procedure that rectifies the issue of alert reordering when collected from distributed alert reporting systems. To evaluate the performance of PRISM, multiple metrics have been proposed, and various experiments have been conducted on a multi-stage attack dataset. The results exhibit up to 7.5x improvement in processing overhead as compared to a standard centralized IDS without the loss of prediction accuracy while demonstrating the ability to predict different attack stages promptly.
翻译:网络网络规模的扩大和网络攻击的复杂程度的提高在入侵探测方面带来了若干挑战。主要挑战是要求通过处理当今网络产生的大量交通量,实时发现复杂的多阶段袭击。本文介绍的是使用新型攻击者行为模型取样技术来尽量减少实时交通处理间接费用的分级入侵探测结构PRISM。PRISM有一个独特的多层次结构,对网络交通进行分散监测,以提供处理效率和设计模块化。PRISM使用基于隐藏的Markov模型的预测机制,以查明多阶段袭击并确定袭击进展,以便采取主动反应。此外,PRISM还引入了流管理程序,在从分布式警报报告系统收集时纠正警报重新排序问题。为评价PRISM的性能,提出了多项指标,并在多阶段袭击数据集上进行了各种试验。结果显示,在处理间接费用方面比标准集中的IDS提高了7.5倍的改进,而没有丧失预测准确性,同时展示了迅速预测不同袭击阶段的能力。