TY - GEN
T1 - Predicting Next Phases of Multi-Stage Network Attacks
T2 - 27th Iberoamerican Congress on Progress in Pattern Recognition, Image Analysis, Computer Vision, and Applications, CIARP 2024
AU - Severín, Antonia
AU - Canales, Claudio
AU - Torres, Romina
AU - Roudergue, César
AU - Salas, Rodrigo
N1 - Publisher Copyright:
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.
PY - 2025
Y1 - 2025
N2 - Multi-Stage Network Attacks (MSNAs) are complex, coordinated sequences of malicious activities that can unfold over extended periods, lasting hours, days, or even months. Detecting and mitigating these attacks is challenging due to their prolonged nature, and the cost of defense increases significantly depending on the stage at which the attack is detected. Organizations often face multiple concurrent MSNAs, and limited resources necessitate a strategic approach to prioritize threats, particularly those closest to their final stages. This study investigates existing methodologies for predicting the next phase of an already detected MSNA. We evaluate three distinct models—Hidden Markov Models (HMM), Random Forest (RF), and Long Short-Term Memory (LSTM) networks—using two well-known datasets, DARPA and CTF22, to analyze attack sequences and intrusion detection system (IDS) alert data. Our comparative analysis of the models’ predictive performance, based on the F1 score, shows that HMM performed best (67.5%) on the DARPA dataset, while RF excelled on the CTF22 dataset (75.1%). These findings provide valuable insights for prioritizing responses to critical network threats and improving the strategic allocation of defensive resources.
AB - Multi-Stage Network Attacks (MSNAs) are complex, coordinated sequences of malicious activities that can unfold over extended periods, lasting hours, days, or even months. Detecting and mitigating these attacks is challenging due to their prolonged nature, and the cost of defense increases significantly depending on the stage at which the attack is detected. Organizations often face multiple concurrent MSNAs, and limited resources necessitate a strategic approach to prioritize threats, particularly those closest to their final stages. This study investigates existing methodologies for predicting the next phase of an already detected MSNA. We evaluate three distinct models—Hidden Markov Models (HMM), Random Forest (RF), and Long Short-Term Memory (LSTM) networks—using two well-known datasets, DARPA and CTF22, to analyze attack sequences and intrusion detection system (IDS) alert data. Our comparative analysis of the models’ predictive performance, based on the F1 score, shows that HMM performed best (67.5%) on the DARPA dataset, while RF excelled on the CTF22 dataset (75.1%). These findings provide valuable insights for prioritizing responses to critical network threats and improving the strategic allocation of defensive resources.
KW - Cybersecurity
KW - Deep Learning
KW - Hidden Markov Models
KW - Long-Short Term Memory
KW - Machine Learning
KW - Multi-stage Network Attack
KW - Random Forest
UR - http://www.scopus.com/inward/record.url?scp=85210242472&partnerID=8YFLogxK
U2 - 10.1007/978-3-031-76604-6_16
DO - 10.1007/978-3-031-76604-6_16
M3 - Conference contribution
AN - SCOPUS:85210242472
SN - 9783031766039
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 219
EP - 232
BT - Progress in Pattern Recognition, Image Analysis, Computer Vision, and Applications - 27th Iberoamerican Congress, CIARP 2024, Proceedings
A2 - Hernández-García, Ruber
A2 - Barrientos, Ricardo J.
A2 - Velastin, Sergio A.
PB - Springer Science and Business Media Deutschland GmbH
Y2 - 26 November 2024 through 29 November 2024
ER -
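The abstract above describes next-phase prediction over sequences of IDS-observed attack phases, scored with F1 and used to triage concurrent incidents. The following is an added illustration of that workflow, not code from the paper: it trains a first-order, visible-state Markov model (a simplification of the HMM the authors evaluate, with add-alpha smoothing), predicts the next phase of a detected attack, reports macro-F1 and accuracy on held-out sequences, and ranks open incidents by the probability that their next phase is the final one. The phase vocabulary, the training and test sequences, the incident identifiers and the smoothing constant are all constructed for this example and are not drawn from the DARPA or CTF22 datasets.

```python
"""Next-phase prediction for a multi-stage network attack (MSNA) with a
first-order Markov model over IDS-derived attack phases, plus macro-F1
evaluation and a prioritisation score for concurrent incidents.

Added illustration: not code from the CIARP 2024 paper. Phase labels,
training/test sequences, incident ids and the smoothing constant are
constructed; a visible-state Markov chain stands in for the paper's HMM.
"""
from collections import Counter, defaultdict

# Assumed phase vocabulary (constructed; a real deployment would map its IDS
# alert categories onto its own kill-chain stages).
PHASES = ["recon", "scan", "exploit", "privesc", "lateral", "exfil"]
FINAL_PHASE = "exfil"

# Constructed training sequences: the ordered phases an IDS observed per attack.
TRAIN_SEQUENCES = [
    ["recon", "scan", "exploit", "privesc", "lateral", "exfil"],
    ["recon", "scan", "exploit", "privesc", "exfil"],
    ["scan", "exploit", "lateral", "exfil"],
    ["recon", "scan", "scan", "exploit", "privesc", "lateral", "exfil"],
    ["recon", "scan", "exploit", "exfil"],
]

# Constructed held-out sequences used to score the model.
TEST_SEQUENCES = [
    ["recon", "scan", "exploit", "privesc", "lateral", "exfil"],
    ["recon", "scan", "exploit", "exfil"],
    ["scan", "scan", "exploit", "privesc", "exfil"],
]


def train_transition_model(sequences, alpha=1.0):
    """Return P(next | current) for every phase, with add-alpha smoothing so an
    unseen transition never gets probability zero."""
    counts = defaultdict(Counter)
    for seq in sequences:
        for cur, nxt in zip(seq, seq[1:]):
            counts[cur][nxt] += 1
    model = {}
    for cur in PHASES:
        total = sum(counts[cur].values()) + alpha * len(PHASES)
        model[cur] = {nxt: (counts[cur][nxt] + alpha) / total for nxt in PHASES}
    return model


def predict_next(model, current):
    """Most probable next phase and its probability; ties resolve in PHASES order."""
    dist = model[current]
    best = max(PHASES, key=lambda p: dist[p])
    return best, dist[best]


def macro_f1(y_true, y_pred):
    """Macro-averaged F1 over the labels that occur in y_true or y_pred."""
    labels = sorted(set(y_true) | set(y_pred), key=PHASES.index)
    scores = []
    for lab in labels:
        tp = sum(t == lab and p == lab for t, p in zip(y_true, y_pred))
        fp = sum(t != lab and p == lab for t, p in zip(y_true, y_pred))
        fn = sum(t == lab and p != lab for t, p in zip(y_true, y_pred))
        prec = tp / (tp + fp) if tp + fp else 0.0
        rec = tp / (tp + fn) if tp + fn else 0.0
        scores.append(2 * prec * rec / (prec + rec) if prec + rec else 0.0)
    return sum(scores) / len(scores)


def evaluate(model, sequences):
    """Predict every transition in the held-out sequences; return (macro-F1, accuracy)."""
    y_true, y_pred = [], []
    for seq in sequences:
        for cur, nxt in zip(seq, seq[1:]):
            y_true.append(nxt)
            y_pred.append(predict_next(model, cur)[0])
    acc = sum(t == p for t, p in zip(y_true, y_pred)) / len(y_true)
    return macro_f1(y_true, y_pred), acc


def prioritize(model, incidents):
    """Order concurrent incidents (id -> last observed phase) by the probability
    that their next phase is the final one, highest first."""
    return sorted(incidents, key=lambda i: model[incidents[i]][FINAL_PHASE], reverse=True)


if __name__ == "__main__":
    m = train_transition_model(TRAIN_SEQUENCES)
    print("after exploit ->", predict_next(m, "exploit"))
    f1, acc = evaluate(m, TEST_SEQUENCES)
    print(f"held-out macro-F1={f1:.3f} accuracy={acc:.3f}")
    open_cases = {"INC-1": "scan", "INC-2": "lateral", "INC-3": "exploit", "INC-4": "privesc"}
    print("triage order:", prioritize(m, open_cases))
```

Two points a practitioner should keep in mind when moving from this toy to real alert data: macro-F1 is computed only over phases that actually occur in the held-out labels or predictions, so a phase the IDS never emits does not silently drag the score to zero, and the triage ordering ranks by P(next phase is final) rather than by the most likely next phase, which is what matters when deciding which of several concurrent intrusions to contain first.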