Performance Assessment of Network Intrusion-Alert Prediction

Abstract

In the current global cyber warfare landscape, cyber attacks on infrastructure are a serious threat. Although network administrators use intrusion detection systems (IDSs) to detect threats and anomalies, they usually only offer post-attacks alerts. If we could predict malicious activities, we could allow network administrators or security enhancing software to take appropriate actions in advance of damage occurring. Incoming intrusion detection alerts can be considered as a sequence. We used Pytbull to simulate cyber attacks within a testbed network environment and collected Snort generated intrusion detection alerts. We tested four sets of alert-prediction programs with this data Single-Scope Blending algorithm, a Simple Bayesian Mixture algorithm, a Multiple Simple Bayesian algorithm and a Variable Markov Model algorithm. The harmonic mean of the precision and recall (F-score) measured prediction accuracy. The Single-Scope Blending algorithm performed the best in these tests, especially in a multiple attacker environment.