Defense Joint Attacks Based on Stochastic Discrete Sequence Anomaly Detection

To evade detection, hackers may use a botnet, a set of compromised machines, to attempt to gain the access of a target and the bot machines report the results to the command and control server after the instructed attack has been performed. As the machines which explore or attempt login to the target might be captured and blocked by the defense mechanism installed in the network, the hacker would use another clean zombie machine to login the target using the access information collected by the botnet. Such attack sequence is called "Scouts-and-Commander" joint attack, where scouts take charge of scanning and exploring the vulnerability of a target and commander launches the precise strike using the correct login information provided by scouts. The detection system would consider the access normal, it is hard to identify such collaborative attack. In order to identify the attack sequence, this study correlates network information and system logs to find the attack sequence and identifies the potential scouts and commanders in the early stage before real damage has been done. In this paper, hidden Markov model often used to describe sequential data is adopted to forecast possible joint attacks and to prevent real damage. The experimental results show that the proposed defense mechanism can identify the joint attacks in the early stage efficiently to prevent further damage in the networks.