Inferring Attack Intent of Malicious Insider Based on Probabilistic Attack Graph Model

2014 
Attacks from malicious insiders usually consist of multiple attack steps and disguise themselves as normal behavior, which makes them harder to detect and lowers the accuracy of detection results. Although an attack graph model can describe the causal relationships among the steps of an attack, it cannot accurately infer the attacker's intent, because the detection result for each step is uncertain. This paper introduces a transition probability table to capture this uncertainty, namely the occurrence probability of an attack step given the observed events, and proposes a probabilistic attack graph model for inferring the intent of insider attacks. Based on the model, we further propose an algorithm to infer intent from a given sequence of observed events, and a method to calculate the highest-probability attack path for a given attack target. Experimental results show that our work can dramatically reduce the number of alarms for insider attacks, effectively infer intent, and provide good configurability for network security administrators.
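The sketch below illustrates the two computations the abstract names, ranking candidate intents from observed events and finding the most probable attack path to a target. It is an added example, not the paper's algorithm or code. The graph, step and event names, probabilities, the noisy-OR evidence combination, the default prior and the product-along-path score are all assumptions made for illustration.

```python
from math import prod

# Constructed attack graph (a DAG): attack step -> steps it enables.
GRAPH = {
    "login_offhours": ["enum_shares", "priv_escalate"],
    "enum_shares": ["copy_files"],
    "priv_escalate": ["copy_files", "modify_db"],
    "copy_files": ["exfil_usb"],
    "exfil_usb": [],
    "modify_db": [],
}
# Constructed transition probability table: P(step occurred | observed event).
TPT = {
    "vpn_login_0300": {"login_offhours": 0.6},
    "smb_enum_burst": {"enum_shares": 0.5},
    "sudo_to_root": {"priv_escalate": 0.7},
    "bulk_file_read": {"copy_files": 0.8},
    "usb_mount": {"copy_files": 0.5, "exfil_usb": 0.5},
    "db_write_audit": {"modify_db": 0.6},
}
PRIOR = 0.05  # assumed probability of a step that no observed event supports

def step_probs(events):
    """Occurrence probability per step; several events combine by noisy-OR (assumption)."""
    probs = {}
    for step in GRAPH:
        evid = [TPT[e][step] for e in events if step in TPT.get(e, {})]
        probs[step] = 1 - prod(1 - p for p in evid) if evid else PRIOR
    return probs

def best_path(events, target):
    """Max-product path from any entry step to target, by memoised DP over the DAG."""
    probs = step_probs(events)
    preds = {s: [p for p in GRAPH if s in GRAPH[p]] for s in GRAPH}
    memo = {}
    def best(step):
        if step not in memo:
            cands = [best(p) for p in preds[step]]
            prev_p, prev_path = max(cands, default=(1.0, []), key=lambda c: c[0])
            memo[step] = (prev_p * probs[step], prev_path + [step])
        return memo[step]
    return best(target)

def infer_intent(events, goals=("exfil_usb", "modify_db")):
    """Rank candidate goals (intents) by their best path probability, highest first."""
    return sorted(((g, *best_path(events, g)) for g in goals), key=lambda r: -r[1])

if __name__ == "__main__":
    for goal, p, path in infer_intent(["vpn_login_0300", "smb_enum_burst", "bulk_file_read"]):
        print(f"{goal}: {p:.4f} via {' -> '.join(path)}")
```

Raising an alarm only when the top-ranked path probability crosses an administrator-chosen threshold is one way a model like this can cut alarm volume compared with alerting on every single-step detection.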