Title :
Assessing Attack Threat by the Probability of Following Attacks
Author :
Li, Zhi-Tang ; Lei, Jie ; Wang, Li ; Li, Dong
Author_Institution :
Dept. of Comput. Sci., Huazhong Univ. of Sci. & Technol., Wuhan
Abstract :
In this paper a novel approach to assessing the threat of network intrusions is proposed. Unlike present approaches, which assess the attack threat either from a backward perspective (how probable it is that a security state can be reached) or from the perspective of the attacks themselves (how much damage an attack would cause to the network), this approach assesses the attack threat from a forwarding perspective (how probable it is that the attack would be the precursor of future attacks). First, for every attack type and some attack scenarios, the probabilities of having following attacks (PFAs) are calculated by a data mining algorithm. Then the threats of real-time intrusions are assessed by these probabilities. The result of the threat assessment can help identify, from a tremendous amount of intrusion alerts, the intrusion alerts which would be the best evidence for the coming attacks; thus this approach can be used for intrusion prediction. The approach is validated by the DARPA 2000 and DARPA 1999 intrusion detection evaluation datasets.
Keywords :
data mining; security of data; attack threat assessment; data mining algorithm; intrusion detection; Computer science; Data mining; Data security; Floods; Frequency; Intrusion detection; Monitoring; Network topology; Probability; Secure storage;
Conference_Title :
Networking, Architecture, and Storage, 2007. NAS 2007. International Conference on
Conference_Location :
Guilin
Print_ISBN :
0-7695-2927-5
DOI :
10.1109/NAS.2007.15