Attack Intention Recognition: A Review
Sensitive information faces critical risks when it is transmitted through computer networks. Existing protection systems are still limited in their capacities to ensure network information has sucient confidentiality, integrity, and availability. The rapid development in network technologies has only helped increase network attacks and hide their malicious intent. This paper analyzes attack types and classifies them according to their intent. A causal network approach is used to recognize attackers plans and predict their intentions. Attack intention is the ultimate attack goal which the attacker attempts to achieve by executing various methods or techniques, and recognizing it will help security administrators select an appropriate protection system.
Keywords: Cyber security, Network forensics, Attack intention recognition, Causal network approach
Information security over a network has become more challenging due to the expansion of technologies for hacking and anti-forensics. Sensitive information should be treated confidentially in any system as it represents a high risk to the owners if exposed to the public. Information is at risk due to several factors, including human and technical errors, accidents and disasters, fraud, commercial espionage, and malicious damage .
Activities such as unauthorized access, damage to computer data or programs, obstruction of the functions of computer systems or networks, interception of data, and computer espionage are categorized as cybercrimes [5, 6, 7, 13, 17]. Cybercrimes are broad in scope and are defined as attacks that involve the use of computers or networks to commit the crimes. According to [1, 2], cyber-attacks can be categorized into unauthorized access, malicious code (malware), and interruption of services. Figure 1 shows common types of network threats.
Network forensics, as a part of network security, works with laws and guiding principles established in the judi-
Figure 1: Common types of network threats.
cial system to deal with cyber criminals. Network forensics has two approaches: reactive and proactive. Reactive network forensics is a traditional approach that deals with cybercrime cases a period of time after an attack. The reactive forensic approach consumes considerable time during the investigation phase. Proactive network forensics is a new, di↵erent approach that focuses on investigating concurrently with an attack [3, 10]. Figure 2 shows a framework of the generic process model in network forensics that splits the phases into two groups. The first group relies on actual time and includes five phases: preparation, detection, incident response, collection, and preservation. The second group relies on the post-investigation phases.
Authors in  also classify the first group as proactive and the second group as reactive. The proactive phases have advantages in saving time and money during investigation, as they work concurrently with the occurrence of the cybercrime. By contrast, reactive phases begin with the examination phase to integrate the trace data and identify the attack indicators. The indicators are then prepared for the analysis phase, which reconstructs the attack indicators either by soft computing or statistical or data mining techniques to classify and correlate the
Figure 2: Generic process model.
attack patterns. Attack intention is the ultimate goal the attacker is attempting to achieve by executing various methods or techniques of attack. Even for an expert, it is di cult to predict methods of attack. An attacker will work toward his goal through a sequence of tactical steps using sophisticated techniques to hide and cover his patterns. Attack Intention Recognition (AIR) is the process of using known attack scenarios to observe an attackers behavior and infer his intention . With the rapid developments in networking technology, attacks have become more dangerous than ever, deploying sophisticated mechanisms to hide malicious behavior. Understanding attackers behavior will help security administrators recognize their intentions and better predict their activities. In the following section, work related to this research is critically analyzed. This study discusses using proactive AIR methods to identify attack plans to predict future actions. The remainder of the paper is organized as follows. Section 2 reviews related works. Section 3 critically discusses the most relevant works, and Section 4 concludes this paper.
Numerous studies have studied di↵erent approaches to AIR and its various methods of implementation [9, 10, 11, 14, 15, 16]. The approaches that focus on identifying attack intention are causal networks, path analysis, graphical attack, and Dynamic Bayesian Network (DBN). These approaches are described with further detail in the following subsection.
The researchers in  studied security alert correlation, which focuses on conducting probabilistic inference to correlate and analyze attack scenarios. From the analysis, they attempted to solve other issues: (1) to identify attackers tactics and intention and (2) to predict potential attacks. Recognizing attack plans is the process of deducing the aims of an attack from observations of its activities. Alert correlation analysis is significant for avoiding potential attacks and minimizing damage. To explicate all paths through a system which an intruder may use to accomplish his goal, attack plans or libraries are used, usually denoted by graphs. The security or vulnerability of a system is then computed by an attack tree analysis, which is based on the attacker’s aims. This type of analysis can be used as a baseline for threat detection, defense, and response. However, it is a manual and time consuming process and is less scalable for a large network.
An example of an attack tree of methods for stealing and externally exporting data stored on a server is shown in Algorithm 1. The sample indicates that to obtain confidential data, an attacker may use several methods such as downloading data directly from the server or eavesdropping on the network. To gain access to a server, it is necessary to acquire normal users or system administrators’ privileges (root).
To correlate isolated alerts, attack trees are adopted to define attack plan libraries. They are then converted to causal networks so that probability distribution can be assigned. The benefit to defining attack tree nodes by attack classes rather than specific attack is the reduced complexity of the computation for the probabilistic inference on the causal network. In implementation, a directed acyclic graph illustrates a causal network (Bayesian network), where each node symbolizes a variable with a certain set of states and directed edges denoting the cause of the dependent relationship among the variables. Probabilistic inference is applied to the causal network to evaluate goals by reviewing attack activities, thereby predicting potential future attacks. For the test, any scenarios that have similar end goals are grouped under one evidence set due to correlated aims. This method applies attack trees to the library of attack plans. From the results observed, attack scenarios automatically correlate isolated attacks and ensure network security is controlled.
Based on [9, 11], attack intention analysis is a predictive factor for facilitating the accurate investigation of a case. This paper proposed a technique combining Dempster-Shafer (D-S) evidence theory with a probabilistic method through a causal network to predict attack intentions. The purpose of this research is to support decision making by selecting and predicting actual attack intentions and determining the best response, regardless of feasibility.
|Generating an attack path graph requires the parameters of the host, privileges, intention, output of attack paths on a victim host on the network, and information on the network configuration. For each network, intentions can be determined based on either the vulnerabilities and topology of the network or the focus of its business. Attention is then given to larger probability intentions. This study proposes assessing the threat by rec-|
The experiment results show that the accuracy of prediction is related to the amount of evidence collected. The results also show that security can determine the highest priority value among intention probability values and make a decision that minimizes the use of time and money. However, this research has limitations. Identifying the attack intention is di cult if the malicious action is distinct from predefined attack classes. Distinguishing a deception from actual aims of attackers is also challenging. Another challenge is determining whether there is a single attacker or a collaborative group.
The researchers in  proposed a technique that uses attack path analysis and can provide protective measures at minimum cost. Knowing an attackers intention can help network guards make decisions as they can more easily predict potential attack paths and evaluate threats. When an attack scenario recognizes an intruders intention, it is detailed by an attack path. Usually, successful attacks comprise a series of vulnerability exploits that grant the privileges of the projected host and use them to attack the final target. To determine the attack path on a network, the attack path on a victim host should be specified. Figure 3 shows possible attack scenarios. Note that multiple vulnerabilities can be exploited to achieve the same goal. Each attack path starts from the access node (local node) and ends at the higher privilege node.
A complete set of the possible attack paths on a victim host can be calculated using a path finding algorithm. The algorithm uses vulnerabilities, privileges, and host information to produce a graph of the attack path. A graph comprising all possible attack paths is computed once a model of the network configuration and the victim host are input. In this paper, it is assumed that an attacker will not cover his tracks after reaching his ognizing an attackers intention and predicting the attack path. By applying the Bayesian rule, the threat situation of the entire network can be calculated when the intentions are known. To reach the network guards goal of protective measures at minimum cost, the minimum number of nodes is cut. Thus, an intrusive intention can be determined from the initial point using an attack path graph, which is a directed acyclic graph, to evaluate intention threat. In the experiment, intention probabilities can be computed based on the degree of di culty in exploiting vulnerabilities. An intention capable of greater damage represents a larger value of consequence. To ensure security of the network, all intentions of attack should be blocked. Conversely, given that attack paths remove the minimum number of nodes to disconnect the intrusive intention from the initial point, there is a probability that the removed nodes themselves are the target of attack. In such cases, the attack intention can go unrecognized.
The graphical model in  was used to recognize attack intention. The researchers attempted to verify the feasibility and validity of this method. A network security states graph, which is a directed graph, was used as a graphical model of attacks. In this model, the said graph is represented by nodes of security states that include both the states of the system and the attacker. The edges of the graph denote a relationship of state transition under the actions of attackers. No circuit is present in the graph as it is presumed that the attacker will not reintrude a host he has attacked. There is a pseudocode of algorithm that generates a network security states graph. This pseudocode shows the initial state of the network and uses available attack actions as input. To infer uncertain intentions, D-S evidence theory is used. A threat assessment is presented to evaluate the security level of a network based on the situation and the value of the intended target is determined. Figure 4 illustrates an example of a security states graph. Every S node is a state of network, and ” is an intention. The H links are hosts, and as are exploitations of vulnerabilities.
Figure 4: Example of security states graph.
Similar to the previous technique, this method also assumes that attackers have several attack plans to achieve the same intention. With D-S evidence theory, possibly every attack plan can be derived. It is useful for providing evidence and guiding decision making. The authors in  define attack graphs as an instrument that works out the hierarchical steps of an attack scenario by using vulnerabilities and configuration. Thus, the type attack, whether normal or anti-forensics, can be identified. Antiforensics, as described in this paper, uses methods such as deleting system logs after hacking into a computer to prevent tracking by authorities. Using the attack evidence graph, the existence of anti-forensics attacks can be determined. The tools and techniques used by the attacker can also be identified. However, with the current mechanisms used in anti-forensics, system configuration and vulnerability information are not enough to trace the path. This is because security depends on vulnerability data but attackers use anti-forensics to hinder this action. Moreover, this approach only aims to identify the intention of the unauthorized access to a network or host that an attacker may compromise. Thus, attackers with privileged access to network are an identified challenge in this approach.
As discussed in , the Dynamic Bayesian Networks (DBN) method is proposed for identifying intrusion intention. This research aims to improve on the limitation of current Intrusion Detection System (IDS) technology, which fails to apply a logical relationship between attack events. DBN is a technique for combining a static Bayesian network and a timestamp to form a new probabilistic model from the removal of order data. Figure 5 shows the DBN based on the intrusion intention identification model: (a) prior network, (b) transfer network, and (c) DBN model in time.
For the scenarios, given that a large aggregation of training data are available, the Markova Assumption is
Figure 5: Dynamic Bayesian network architecture.
used to assume the attack goal, depending only on intentions observed under restrictions plus the last completed goal and the latest attack behavior. The process in reaching the final attack goal, based on intrusion alarm messages, is shown in Figure 6.
Figure 6: Process of reaching the final attack goal.
The experiment assumes the goal with the most probability is the final attack goal of the intruder. In this process, the final target is identified when the attacker compromises another target first to gain privilege. The disadvantage of this approach is its dependency on the last completed goal and latest attack behavior.
This section compares the related works and analyzes their models. From the discussion above, it may be observed that there are similar methods used in di↵erent models such as D-S evidence theory, Bayesian rule, and directed acyclic graphs. D-S evidence theory focuses on uncertainty to conclude the intention of an attack . Bayesian rule applies probabilistic reasoning for threat assessment or determining the goal of the intrusion. Directed acyclic graphs track attacks. Directed acyclic graphs track attacks using several methods such as attack path, attack tree, or attack plan. However, attack trees have some drawbacks. They are manual processes, time consuming, and are limited to the attack plans in the library . That said, the library can be expanded through the participation of security experts. Besides competence in attack recognition, the other advantages of the aforementioned approaches are discussed. Graphical models use network security states graphs. The algorithm proposed infers intent and conducts threat assessment. Similar to the graphical approach, causal networks also use graph-based techniques to correlate isolated attack scenarios after observing their relationships in attack plans. It is proposed for pinpointing attack plans and predicting upcoming attacks. However, causal networks have an added value: by applying probabilistic inference to evaluate the likelihood of attack goals and forecast upcoming attacks based on causal networks converted from attack trees. An attack path analysis model approach to constructing attack path graphs can also recognize the intrusive intention and simultaneously calculate the threat of intention. This approach can find protective measures at minimum cost with the theory of minimum cut. Moreover, a DBN adopts probabilistic reasoning for estimating an attack. This technique can identify the intrusion intention with various alarm messages and predict incoming attacks in real-time. That said, each of the aforementioned approaches has certain limitations. These limitations are summarized in Table 1.
Table 1: Disadvantages of attack intention recognition models
Although attack path analysis, graphical model, and causal network approaches all apply graphs in their methods, causal networks have another added value in that they compare attack path analyses and graphical models. Besides providing graph-based techniques to correlate isolated attack scenarios, they apply probabilistic inference to evaluate the likelihood of attack goals and forecast upcoming attacks based on causal networks converted from attack trees. Thus, the causal network approach will be adopted to solve the problems in this research.
This paper reviews various approaches toward attack intention recognition, including causal networks, path analysis, graphical attack, and DBNs with Markova assumptions. These approaches are all interrelated, di↵ering from each other due to the aims of researchers. Basing on the review performed on the existing works and the critical analysis of their advantages and disadvantages, we conclude that using a causal network approach is e↵ective for detecting network attacks that have similar intentions. For future study, an experiment will be performed to evaluate the e ciency of detecting an attacks intention. This can entail testing various methods for detecting attack intentions and seeing how each method performs in a true lab environment under real world scenarios.
RDU grant number RDU1403162, Faculty of Computer System & Software Engineering, Universiti Malaysia Pahang supported this work.
Why Work with Us
Top Quality and Well-Researched Papers
We ensure that our writers and editors work within the work guidelines and follow all paper instructions to the letter. When placing an order, you choose the academic field and expert level (high school, college, university, or professional). Our team then assigns your paper to a writer with a respective qualification or degree to ensure that you receive quality work.
Professional and Experienced Academic Writers
We employ professional writers with more than two years of experience in academic and business writing. Most of our writers and editors are native English speakers to ensure quality and professional work. We are confident that our team of professional writers can handle all types of business and academic writing work.
Free Unlimited Revisions
We provide a free revision service for all orders. If you feel that our writers missed something, you can request a revision of your paper at no additional cost. When we deliver your work, you have seven days to go through it and request a revision or modification if you are not satisfied. You can also contact our support team directly for any clarifications and queries on revision.
Prompt Delivery and 100% Money-Back-Guarantee
We ensure that all papers are delivered on time. In case we need more time to master your paper requirements and deliver quality work, we may contact you and discuss a deadline extension. If a deadline extension is not feasible, depending on the work and submission deadlines, we guarantee a 100% refund.
Original & Confidential
To ensure that we deliver plagiarism-free work, we use various writing and plagiarism checking tools. Our professional editors' team carefully goes through all work and references used in papers to ensure proper referencing and that original work has been done. We also guarantee confidentiality in all the services that we provide.
24/7 Customer Support
Our support team is available round the clock for any customer queries and communication. We guarantee 24/7 customer support and assistance. Feel free to contact us at any time of day for questions and follow-ups.
Try it now!
How it works?
Follow these simple steps to get your paper done
Place your order
Fill in the order form and provide all details of your assignment.
Proceed with the payment
Choose the payment system that suits you most.
Receive the final file
Once your paper is ready, we will email it to you.
You do not have to spend sleepless nights worrying about your paper. We got you covered. We offer all kinds of writing services.
Regardless of the type of academic paper you need and its urgency, we have writers on call ready to work on your paper. Feel free to choose the field, educational level, and type of paper you want, and we will deliver it at an affordable price. We are here for all your academic and business paper needs. With our round the clock service, we guarantee that you will receive your work on time.
Admission Essays & Business Writing Help
Admission essays are written by students wishing to join a college, graduate school or university, as applications for enrollment. We guarantee quality admission essays and business papers with our professional writing and customer care support services.
We have experienced academic writers and editors who are on standby to make all the necessary changed to your paper at your request. We ensure that your paper is polished and appropriately formatted (APA, Harvard, Chicago/Turabian, MLA formats) before it is delivered.
We provide revision support, where you can request a revision of a delivered paper if you feel that it can be improved or repolished. Your paper is checked by an experienced writer or editor for revamping and improvement upon a revision request. Revision service is free, and you can use it as many times as you wish until you are satisfied with your paper.